What is clicup?
The Malwarebytes research team has determined that clicup is adware. These adware applications display advertisements not originating from the sites you are browsing.
How do I know if my computer is affected by clicup?
You may see this entry in your list of installed programs:
How did clicup get on my computer?
Adware applications use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove clicup?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Enable free trial of Malwarebytes Anti-Malware Premium
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan now, or select Threat Scan from the Scan menu.
- When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
- Reboot your computer if prompted.
- No, Malwarebytes' Anti-Malware removes clicup completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the clicup adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
You will see these signs in a HijackThis log:
O4 - HKCU\..\Run: [clicup] C:\Users\{username}\AppData\Local\clicup\chrmndr.exe
You may see these signs in a FRST log:
(clicup) C:\Users\Malwarebytes\AppData\Local\clicup\chrmndr.exe
HKCU\...\Run: [clicup] => C:\Users\Malwarebytes\AppData\Local\clicup\chrmndr.exe [512496 2014-12-18] (clicup)
() C:\Users\Malwarebytes\AppData\Local\clicup
Alterations made by the installer:
File system details
---------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\clicup
Adds the file chrmndr.exe"="12/18/2014 1:12 PM, 512496 bytes, A
Adds the file toast.exe"="12/18/2014 1:21 PM, 1992120 bytes, A
Adds the file Uninstaller.exe"="1/19/2015 6:57 PM, 74422 bytes, A
Adds the file Update.bat"="12/9/2014 6:34 PM, 369 bytes, A
Registry details
------------------------------------------
[HKEY_CURRENT_USER\Software\clicup]
"Version"="REG_SZ", "NTMwNQ=="
[HKEY_CURRENT_USER\Software\clicup\Agent]
"ad"="REG_SZ", "aHR0cDovL3BlcmYtbWFya2V0LWV4dC5uZXR8aHR0cDovL3R1bmVtYXJrZXQubmV0fGh0dHA6Ly9iZXN0Mm1hcmtldC5uZXR8aHR0cDovL3Byb2R1Y3QtcGVyZi5uZXQ="
"BaseDomain"="REG_SZ", "aHR0cDovL21hcmtldC1leHQubmV0"
"ConfigFrequency"="REG_SZ", "MTgw"
"Configuration"="REG_SZ", "Mg=="
"HID"="REG_SZ", "MDgtMDAtMjctM2QtN2QtZDc="
"Host"="REG_SZ", "aHR0cDovL21hcmtldC1leHQubmV0"
"InstallDate"="REG_SZ", "MTQyMTY5MDI2Mw=="
"InstallWaitTime"="REG_SZ", "MA=="
"Partner"="REG_SZ", "MjAwNDU="
"PingFrequency"="REG_SZ", "MTgw"
"Platform"="REG_SZ", "MQ=="
"TestParam"="REG_SZ", "MA=="
"TokenID"="REG_SZ", "MGQ0NWY2OWNjZDkwZjE3MDE3YjQzMjI1N2E0ZjdjZWE="
"Type"="REG_SZ", "RA=="
"UrlForFile"="REG_SZ", ""
"UrlForUpdate"="REG_SZ", ""
"UserID"="REG_SZ", "MTIwNzcxMDI0"
"Version"="REG_SZ", "NTMwNQ=="
"VersionToUpdate"="REG_SZ", ""
[HKEY_CURRENT_USER\Software\clicup\Agent\SystemInfo]
"ChromeVersion"="REG_SZ", "MzkuMC4yMTcxLjk1"
"ComputersUp"="REG_SZ", "MA=="
"CountryCode"="REG_SZ", "MQ=="
"FirefoxVersion"="REG_SZ", "MjUuMCAoZW4tVVMp"
"IEVersion"="REG_SZ", "MTEuMC45NjAwLjE3NTAx"
"Language"="REG_SZ", "MTAzMw=="
"MacAddress"="REG_SZ", "MDgtMDAtMjctM2QtN2QtZDc="
"OsName"="REG_SZ", "TWljcm9zb2Z0IFdpbmRvd3MgNyBVbHRpbWF0ZSBOIA=="
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"clicup"="REG_SZ", "C:\Users\{username}\AppData\Local\clicup\chrmndr.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\clicup]
"DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Local\clicup\chrmndr.exe"
"DisplayName"="REG_SZ", "clicup"
"DisplayVersion"="REG_SZ", "1.0"
"InstallDate"="REG_SZ", "20141214"
"Publisher"="REG_SZ", "Ad business Crown Solutions"
"UninstallString"="REG_SZ", "C:\Users\{username}\AppData\Local\clicup\Uninstaller.exe"
[HKEY_CURRENT_USER\Software\SystemInfo]
"ID"="REG_SZ", "17686"
[HKEY_CURRENT_USER\Software\zcln]
"ProductVersion"="REG_SZ", "1.0"
Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 1/19/2015
Scan Time: 7:04:47 PM
Logfile: mbamClicup.txt
Administrator: Yes
Version: 2.00.4.1028
Malware Database: v2015.01.19.10
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 289030
Time Elapsed: 4 min, 9 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 1
PUP.Optional.Solus, C:\Users\{username}\AppData\Local\clicup\chrmndr.exe, 1300, Delete-on-Reboot, [4ef88871107990a601157ee9d8282fd1]
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 1
PUP.Optional.Solus, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|clicup, C:\Users\{username}\AppData\Local\clicup\chrmndr.exe, Quarantined, [4ef88871107990a601157ee9d8282fd1]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 3
PUP.Optional.Solus, C:\Users\{username}\AppData\Local\clicup\chrmndr.exe, Delete-on-Reboot, [4ef88871107990a601157ee9d8282fd1],
PUP.Optional.Salus, C:\Users\{username}\Desktop\clicup_08_01.exe, Quarantined, [4df98b6e0f7abf777d30c24c9072c33d],
PUP.Optional.Solus, C:\Users\{username}\AppData\Local\clicup\toast.exe, Quarantined, [4600bd3c622778be62b6df27b74e4eb2],
Physical Sectors: 0
(No malicious items detected)
(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
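Most REG_SZ values under HKEY_CURRENT_USER\Software\clicup in the registry details above are base64-encoded strings. The Python sketch below is an added example, not part of the original guide or of any Malwarebytes tool: it decodes a few lines copied from that listing, skips values that are plain text, and defangs decoded URLs for reporting. The function names try_b64, decode_dump and defang are illustrative, and the input is assumed to have one key or value per line.

```python
import base64
import re

# Sample input: a few lines copied from the registry details above, one value per line.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\clicup\Agent]
"Host"="REG_SZ", "aHR0cDovL21hcmtldC1leHQubmV0"
"ConfigFrequency"="REG_SZ", "MTgw"
"Partner"="REG_SZ", "MjAwNDU="
"UrlForFile"="REG_SZ", ""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\clicup]
"DisplayName"="REG_SZ", "clicup"
"InstallDate"="REG_SZ", "20141214"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="REG_SZ", "(?P<data>.*)"$')

def try_b64(data):
    """Return the decoded text if data is strict base64 of printable ASCII, else None."""
    if not data:
        return None
    try:
        # validate=True rejects bad padding and non-alphabet characters ("clicup", "1.0").
        text = base64.b64decode(data, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # "20141214" is valid base64 but decodes to non-ASCII bytes, so it fails above.
    return text if text.isprintable() else None

def decode_dump(text):
    """Map (registry key, value name) -> decoded string for base64-encoded values."""
    decoded, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m["key"]
        elif m := VAL_RE.match(line):
            plain = try_b64(m["data"])
            if plain is not None:
                decoded[(key, m["name"])] = plain
    return decoded

def defang(value):
    """Make a decoded URL non-clickable before it goes into a ticket or report."""
    return value.replace("http", "hxxp").replace(".", "[.]")

if __name__ == "__main__":
    for (key, name), plain in decode_dump(SAMPLE).items():
        print(f"{key}\\{name} = {defang(plain)}")
```

The printable-ASCII check is a heuristic: a short plain-text value that happens to be valid base64 of printable characters would be decoded as well, so review the output against the original listing.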