ClickSpring

Category: Adware and PUAs
Protection available since: 24 Jan 2006 00:00:00 (GMT)
Type: Adware
Last updated: 21 Jun 2013 01:21:06 (GMT)


ClickSpring is an adware application.

ClickSpring is often installed as part of the installation of adware-supported software such as PurityScan and MediaTickets.

ClickSpring usually consists of an executable component and a DLL component.

The DLL component is usually installed to the Windows system folder as ndrv.dll or under a variable filename with a "DLL" extension.

When the ClickSpring executable is first run, it typically copies itself to the <User>\Application Data folder using a preconfigured or randomly generated filename, with the hidden, system and read-only attributes set. Some versions of the executable instead copy themselves to the Windows folder, the system folder or a new sub-folder of the Program Files folder. Known preconfigured filenames include opar.exe, mnee.exe, uko?.exe and ru.exe.

When ClickSpring is installed, one or more of the following files may be created:

<User>\Application Data\mnee.exe
<User>\Application Data\opar.exe
<User>\Application Data\uko?.exe
<User>\Application Data\ru.exe
<User>\Application Data\<variable>.exe
<User>\Application Data\hpai
<Windows>\mnee.exe
<Windows>\opar.exe
<Windows>\uko?.exe
<Windows>\ru.exe
<Windows>\<variable>.exe
<System>\mnee.exe
<System>\opar.exe
<System>\uko?.exe
<System>\ru.exe
<System>\<variable>.exe
<System>\ndrv.dll
<System>\<variable>.dll
<System>\hpai\
<Program Files>\<variable>\mnee.exe
<Program Files>\<variable>\opar.exe
<Program Files>\<variable>\uko?.exe
<Program Files>\<variable>\ru.exe
<Program Files>\<variable>\<variable>.exe

The following registry entry is created to run the ClickSpring executable on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<variable>
<User>\Application Data\<variable>.exe

(where <variable> is a variable text string). For example:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Aaep
<User>\Application Data\opar.exe

The DLL component is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer. Registry entries may be created under:

HKCR\CLSID\(1889F5B3-160A-1B8A-2978-3EB60D15F190)
HKCR\CLSID\(C1F6E029-5696-5711-B321-2B172767269D)
HKCR\CLSID\(A20653EB-B45D-BED3-7A4D-9DECD8E81A9E)
HKCR\CLSID\(A25B56EB-B202-BAD7-7A4D-9DECD8E81A9E)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(A20653EB-B45D-BED3-7A4D-9DECD8E81A9E)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(A25B56EB-B202-BAD7-7A4D-9DECD8E81A9E)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(C1F6E029-5696-5711-B321-2B172767269D)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(1889F5B3-160A-1B8A-2978-3EB60D15F190)
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\(1889F5B3-160A-1B8A-2978-3EB60D15F190)
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\(C1F6E029-5696-5711-B321-2B172767269D)
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\(A20653EB-B45D-BED3-7A4D-9DECD8E81A9E)
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\(A25B56EB-B202-BAD7-7A4D-9DECD8E81A9E)
HKLM\SOFTWARE\clickspring\
HKCU\Software\Eden\
HKCU\Software\Sabs\
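
The Run-key and Browser Helper Object indicators described above can be checked against registry data exported from a host. The following is an added example, not Sophos code: the function names are hypothetical, the sample records are constructed, and it assumes the Run values and BHO subkey names have already been exported into Python lists (CLSIDs may be wrapped in braces or parentheses).

```python
import fnmatch
import re

# Indicators copied from the description above ('?' stands for one character).
KNOWN_EXE = ["mnee.exe", "opar.exe", "uko?.exe", "ru.exe"]
KNOWN_CLSIDS = {
    "1889F5B3-160A-1B8A-2978-3EB60D15F190",
    "C1F6E029-5696-5711-B321-2B172767269D",
    "A20653EB-B45D-BED3-7A4D-9DECD8E81A9E",
    "A25B56EB-B202-BAD7-7A4D-9DECD8E81A9E",
}
# An .exe sitting directly in the per-user Application Data folder.
APPDATA_EXE = re.compile(r"\\application data\\[^\\]+\.exe$", re.IGNORECASE)

def normalize_clsid(raw):
    """Drop surrounding braces or parentheses and upper-case the GUID."""
    return raw.strip().strip("{}()").upper()

def check_run_value(data):
    """Classify Run-key data: 'known-name', 'appdata-exe' (weak) or None."""
    path = data.strip().strip('"')
    base = path.rsplit("\\", 1)[-1].lower()
    if any(fnmatch.fnmatchcase(base, pat) for pat in KNOWN_EXE):
        return "known-name"
    if APPDATA_EXE.search(path):
        return "appdata-exe"  # variable filename: review by hand, not proof
    return None

def triage(run_values, bho_clsids):
    """Return (kind, detail) findings for one host's exported registry data."""
    findings = []
    for name, data in run_values:
        verdict = check_run_value(data)
        if verdict:
            findings.append((verdict, f"{name} -> {data}"))
    for raw in bho_clsids:
        clsid = normalize_clsid(raw)
        if clsid in KNOWN_CLSIDS:
            findings.append(("known-bho", clsid))
    return findings

# Constructed sample export, not real host data.
SAMPLE_RUN = [
    ("Aaep", r"C:\Documents and Settings\alice\Application Data\opar.exe"),
    ("Qzt", r"C:\Documents and Settings\alice\Application Data\xkwv.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_BHO = ["{A20653EB-B45D-BED3-7A4D-9DECD8E81A9E}",
              "(11111111-2222-3333-4444-555555555555)"]
```

An `appdata-exe` finding only reflects the variable-filename pattern and will also match legitimate per-user programs, so treat it as a prompt for manual review rather than a detection.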
