Sophos

ClickSpring

Category
Type
What to do
  • If you've received an alert for a blocked PUA or adware and decide that the application is not suitable for your workplace, then follow the instructions for removing PUAs.

Summary

 
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from October 2008 (4.34)
Protection available since 3 November 2006 14:18:06 (GMT)
Last updated 2 September 2008 09:09:19 (GMT)
Detected by Sophos Anti-Virus for Windows, versions 6 and 7 and PureMessage for Microsoft Exchange.

More Information

ClickSpring is an adware application.

ClickSpring is often installed as part of the installation for adware supported software such as PurityScan and MediaTickets.

ClickSpring usually consists of an executable component and a DLL component.

The DLL component is usually installed to the Windows system folder as ndrv.dll or using a variable filename with an extension of "DLL". When the ClickSpring executable is first run it typically copies itself to the <User>\Application Data folder using a preconfigured or randomly generated filename with the hidden, system and read-only attributes set, however some versions of the ClickSpring executable copy themselves to the Windows folder, the system folder or a new sub-folder of the Program Files folder. Known preconfigured filenames include opar.exe, mnee.exe, uko?.exe and ru.exe. When ClickSpring is installed one or more of the following files may be created:

<User>\Application Data\mnee.exe
<User>\Application Data\opar.exe
<User>\Application Data\uko?.exe
<User>\Application Data\ru.exe
<User>\Application Data\<variable>.exe
<User>\Application Data\hpai
<Windows>\mnee.exe
<Windows>\opar.exe
<Windows>\uko?.exe
<Windows>\ru.exe
<Windows>\<variable>.exe
<System>\mnee.exe
<System>\opar.exe
<System>\uko?.exe
<System>\ru.exe
<System>\<variable>.exe
<System>\ndrv.dll
<System>\<variable>.dll
<System>\hpai\
<Program Files>\<variable>\mnee.exe
<Program Files>\<variable>\opar.exe
<Program Files>\<variable>\uko?.exe
<Program Files>\<variable>\ru.exe
<Program Files>\<variable>\<variable>.exe

The following registry entry is created to run the ClickSpring executable on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<variable>
<User>\Application Data\<variable>.exe

(where <variable> is a variable text string). For example:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Aaep
<User>\Application Data\opar.exe

The DLL component is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer. Registry entries may be created under:

HKCR\CLSID\(1889F5B3-160A-1B8A-2978-3EB60D15F190)
HKCR\CLSID\(C1F6E029-5696-5711-B321-2B172767269D)
HKCR\CLSID\(A20653EB-B45D-BED3-7A4D-9DECD8E81A9E)
HKCR\CLSID\(A25B56EB-B202-BAD7-7A4D-9DECD8E81A9E)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\(A20653EB-B45D-BED3-7A4D-9DECD8E81A9E)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\(A25B56EB-B202-BAD7-7A4D-9DECD8E81A9E)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\(C1F6E029-5696-5711-B321-2B172767269D)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\(1889F5B3-160A-1B8A-2978-3EB60D15F190)
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
(1889F5B3-160A-1B8A-2978-3EB60D15F190)
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
(C1F6E029-5696-5711-B321-2B172767269D)
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
(A20653EB-B45D-BED3-7A4D-9DECD8E81A9E)
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
(A25B56EB-B202-BAD7-7A4D-9DECD8E81A9E)
HKLM\SOFTWARE\clickspring\
HKCU\Software\Eden\
HKCU\Software\Sabs\

RSS|Atom
Get reports about the latest adware and potentially unwanted applications (PUAs) delivered to your computer