
Adware:Win32/ClickPotato


Adware:Win32/ClickPotato is a program that displays pop-up and notification-style advertisements based on the user's browsing habits.


What to do now

To detect and remove this program and other unwanted software that may be installed on your computer, run a full-system scan with an up-to-date antispyware product such as the following:
 

Threat behavior

ClickPotato offers a free tool that allows users to access and search free streaming videos of popular films and TV shows. The tool is a multi-component adware program designed to monitor a user's online browsing behavior to deliver targeted advertising. It may also install components related to Win32/Hotbar and Win32/ShopperReport.

Installation

Adware:Win32/ClickPotato makes the following changes to the registry:
 
Adds subkey: HKLM\SOFTWARE\ClickPotatoLite
Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE
Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE.1
Adds subkey: HKLM\SOFTWARE\Classes\AppID\MenuButtonIE.DLL
Adds subkey: HKLM\SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}
Adds subkey: HKLM\SOFTWARE\Classes\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C}
Adds subkey: HKLM\SOFTWARE\Classes\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08}
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info.1
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles
Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles.1
Adds subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
 
Adds value: "ButtonText"
With data: "ClickPotato"
Adds value: "CLSID"
With data: "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
Adds value: "ClsidExtension"
With data: "{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}"
Adds value: "Default Visible"
With data: "Yes"
Adds value: "HotIcon"
With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
Adds value: "Icon"
With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
 
Adds value: "ClickPotatoLiteSA"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "ClickPotatoLiteSA"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
 
Adware:Win32/ClickPotato makes the following system changes to the user's computer:
 
  • Creates directory:
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\

    Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
 
  • Creates the following files in this directory:
    ClickPotatoLiteSA.exe        
    ClickPotatoLiteSAAX.dll      
    ClickPotatoLiteSABHO.dll      
    ClickPotatoLiteSAHook.dll    
    ClickPotatoLiteUninstaller.exe
 
  • Creates directory:
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\

    Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
 
  • Creates the following files in this directory:
    chrome.manifest  
    install.rdf
 
  • Creates directory:
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\plugins\

    Where %programfiles% represents the user's program folder and %varies% is a three-digit number indicating the release number.
 
  • Creates the following file in this directory:
    npclntax_ClickPotatoLiteSA.dll
 
  • Creates directory:
    <start menu>\ClickPotato\

    Note: <start menu> refers to a variable location that is determined by the malware by querying the Operating System. The default location for the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.
 
  • Creates the following files in this directory:
    About Us.lnk                          
    ClickPotato Customer Support.lnk      
    ClickPotato Uninstall Instructions.lnk
 
  • Creates directory:
    %programdata%\ClickPotatoLiteSA\

    Where %programdata% represents the user's programdata folder, that is, C:\ProgramData.
 
  • Creates the following files in this directory:
    ClickPotatoLiteSA.dat
    ClickPotatoLiteSAAbout.mht
    ClickPotatoLiteSAau.dat
    ClickPotatoLiteSAEULA.mht
    ClickPotatoLiteSA_hpk.dat
    ClickPotatoLiteSA_kyf.dat
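
The file-system and registry changes listed above, turned into a check over an exported inventory of paths and registry entries. This is an added example, not code from the original entry: the indicator strings come from the entry, while the input shapes, the constructed sample data, the `Program Files (x86)` path and the Wow6432Node handling are assumptions.

```python
import re

# %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\ (%varies% = three-digit release)
INSTALL_DIR = re.compile(r"\\ClickPotatoLite\\bin\\10\.0\.(\d{3})\.0(?:\\|$)", re.I)
# %programdata%\ClickPotatoLiteSA\ (matched by directory name only)
DATA_DIR = re.compile(r"\\ClickPotatoLiteSA(?:\\|$)", re.I)

# A subset of the subkeys listed in the entry, relative to HKLM.
REG_SUBKEYS = {k.lower() for k in (
    r"SOFTWARE\ClickPotatoLite",
    r"SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}",
    r"SOFTWARE\Classes\ClickPotatoLiteAX.Info",
    r"SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}",
)}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUE = "clickpotatolitesa"

def normalise_key(key):
    """Drop the hive prefix and any Wow6432Node segment (assumption: a 32-bit
    install on 64-bit Windows is redirected there), then lowercase."""
    key = re.sub(r"^(HKLM|HKEY_LOCAL_MACHINE)\\", "", key.strip(), flags=re.I)
    key = re.sub(r"\\Wow6432Node(?=\\)", "", key, flags=re.I)
    return key.rstrip("\\").lower()

def scan(paths, reg_entries):
    """Return (kind, detail, original) tuples for every indicator that matches."""
    hits = []
    for p in paths:
        m = INSTALL_DIR.search(p)
        if m:
            hits.append(("install-dir", "release " + m.group(1), p))
        elif DATA_DIR.search(p):
            hits.append(("data-dir", "", p))
    for key, value in reg_entries:
        k = normalise_key(key)
        if k in REG_SUBKEYS:
            hits.append(("reg-subkey", "", key))
        elif k == RUN_KEY and (value or "").lower() == RUN_VALUE:
            hits.append(("run-value", value, key))
    return hits

# Constructed sample inventory (not taken from a real machine).
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll",
    r"C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSA.dat",
    r"C:\Tools\ClickPotatoLite\bin\10.0.5.0\notes.txt",  # release is not three digits
]
SAMPLE_REG = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ClickPotatoLite", None),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ClickPotatoLiteSA"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"),
]
```

Calling `scan(SAMPLE_PATHS, SAMPLE_REG)` reports the install directory with its release number, the data directory, the product subkey and the Run value, and ignores the unrelated path and Run entry.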
 
Program behavior
Creates shortcuts
 
Once installed, Adware:Win32/ClickPotato can be seen as a shortcut on an Internet Explorer toolbar, as seen in the image below:
 
 
The adware's presence can also be seen in the 'Manage Add-ons' window, as seen in the image below:
 
 
Adware:Win32/ClickPotato may also display an icon on a user's desktop, as seen in the image below:
 
 
Bundles with other programs
 
Adware:Win32/ClickPotato may be distributed bundled with known free download software such as: 
  • FLVBlaster
  • VLC 
  • Xvid 
  • Easy Video 
  • OpenOffice 
  • Lime Wire
  • eMule 
  • ARES 2010 Version 
  • Audacity
  • 7zip

The installer may also include other adware programs such as Adware:Win32/HotBar, Adware:Win32/ShopperReport and BrowserModifier:Win32/Zwangi.

Displays in multiple browsers
 
In the wild, we have observed Win32/ClickPotato running in the following browsers:
  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Firefox 3.6
  • Firefox 4.0 
Analysis by Michael Johnson & Methusela Ferrer

Symptoms

System Changes
The following system changes may indicate the presence of Adware:Win32/ClickPotato:
  • The presence of the following directories:
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\
    %programfiles%\ClickPotatoLite\bin\10.0.%varies%.0\firefox\extensions\plugins\
    <start menu>\ClickPotato\
    %programdata%\ClickPotatoLiteSA\
  • The presence of the following files:

    ClickPotatoLiteSA.exe        
    ClickPotatoLiteSAAX.dll      
    ClickPotatoLiteSABHO.dll      
    ClickPotatoLiteSAHook.dll    
    ClickPotatoLiteUninstaller.exe
    chrome.manifest  
    install.rdf
    npclntax_ClickPotatoLiteSA.dll
    About Us.lnk                          
    ClickPotato Customer Support.lnk      
    ClickPotato Uninstall Instructions.lnk
    ClickPotatoLiteSA.dat
    ClickPotatoLiteSAAbout.mht
    ClickPotatoLiteSAau.dat
    ClickPotatoLiteSAEULA.mht
    ClickPotatoLiteSA_hpk.dat
    ClickPotatoLiteSA_kyf.dat

  • The presence of the following registry subkeys and modifications:
    Adds subkey: HKLM\SOFTWARE\ClickPotatoLite
    Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE
    Adds subkey: HKLM\SOFTWARE\Classes\MenuButtonIE.ButtonIE.1
    Adds subkey: HKLM\SOFTWARE\Classes\AppID\MenuButtonIE.DLL
    Adds subkey: HKLM\SOFTWARE\Classes\CLSID\{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}
    Adds subkey: HKLM\SOFTWARE\Classes\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C}
    Adds subkey: HKLM\SOFTWARE\Classes\TypeLib\{814BAA91-DC22-4350-87D6-0C86E93F7F08}
    Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info
    Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.Info.1
    Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles
    Adds subkey: HKLM\SOFTWARE\Classes\ClickPotatoLiteAX.UserProfiles.1
    Adds subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
     
    Adds value: "ButtonText"
    With data: "ClickPotato"
    Adds value: "CLSID"
    With data: "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
    Adds value: "ClsidExtension"
    With data: "{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}"
    Adds value: "Default Visible"
    With data: "Yes"
    Adds value: "HotIcon"
    With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
    Adds value: "Icon"
    With data: "C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSABHO.dll,201"
    To subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}
     
    Adds value: "ClickPotatoLiteSA"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
    Adds value: "ClickPotatoLiteSA"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • The display of the following images:




Prevention


Alert level: High
First detected by definition: 1.87.1201.0
Latest detected by definition: 1.185.3495.0 and higher
First detected on: Aug 04, 2010
This entry was first published on: Aug 23, 2010
This entry was updated on: May 02, 2011

This threat is also detected as:
  • ADSPY/AdSpy.Gen2 (Avira)
  • AdWare.AdSpy (Ikarus)
  • Pinball (Sunbelt Software)