BHO/Clientman

description-logoAnalysis

BHO/Clientman when installed updates the Browser Settings by modifying registry entries for
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
The registry updates enhance the Browser capabilities however this BHO sends and receives information to a particular HTTP site. This BHO creates a registry entry for its own program under
HKEY_CURRENT_USER\Software\CliMan
Most files bear the file property description of "climan." One of the detected files with the name "mcskin.exe" is a memory-resident program. Once executed, it connects to "odysseusmarketing.com" to send system information and to receive updates and additional data. Another memory-resident program with the name "mscman.exe", connects to "omi-update.net." This particular file is auto-executed at Windows startup by creating a registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ClientMan1 = C:\Program Files\ClientMan\mscman.exe
The two sites mentioned are related since they are from the same subnet. BHO/iPend is another detected BHO that connects to the same subnet.

recommended-action-logoRecommended Action

Check the web interface for your Fortigate unit to ensure the latest AV/NIDS definitions have been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry logoTelemetry