PUP.Optional.Coupoon is the detection name for a potentially unwanted program (PUP), specifically a type of adware.
Once installed, PUP.Optional.Coupoon targets the browser and modifies settings by either changing the start/search page, redirecting the browser, and/or forcing an excessive amount of pop-up advertisements.PUP.Optional.Coupoon comes bundled with other software that is downloaded from third-party websites.
Malwarebytes can detect and remove PUP.Optional.Coupoon without further user interaction.
A Malwarebytes log of removal will look similar to this:Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 4/10/2015Scan Time: 3:15:02 PMLogfile: mbamCoupoon.txtAdministrator: YesVersion: 2.01.0.1004Malware Database: v2015.04.10.04Rootkit Database: v2015.03.31.01License: FreeMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x86File System: NTFSUser: MalwarebytesScan Type: Threat ScanResult: CompletedObjects Scanned: 290100Time Elapsed: 7 min, 19 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: DisabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 3PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, 3224, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060]PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, 3404, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060]PUP.Optional.Coupoon.A, C:\Program Files\coupoon\iiwjljrnpc.exe, 2908, Delete-on-Reboot, [7a726505b3d7999dd416c77262a40000]Modules: 4PUP.Optional.Coupoon.A, C:\Program Files\coupoon\libeay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfapi.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ProtocolFilters.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ssleay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],Registry Keys: 5PUP.Optional.Coupoon.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tpydklloou32, Quarantined, [46a62a40b2d8c76fce1c142542c4a060],PUP.Optional.Coupoon.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\CoupoonService, Quarantined, [7a726505b3d7999dd416c77262a40000],PUP.Optional.Coupoon.A, HKLM\SOFTWARE\coupoon, Quarantined, [bc30bab0ccbe979f9163fd55d23334cc],PUP.Optional.Coupoon.A, HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\coupoon, Quarantined, [a5475119abdf3ff726cc193949bcb050],PUP.Optional.GlobalUpdate.C, HKCU\SOFTWARE\GLOBALUPDATE\UPDATE\PROXY, Quarantined, [ffedd7934d3dbd7974fb02ba7291ad53],Registry Values: 3PUP.Optional.GlobalUpdate.C, HKLM\SOFTWARE\GLOBALUPDATE\UPDATEDEV|AuCheckPeriodMs, 21600000, Quarantined, [27c534366327082ee6f025961ae9ff01]PUP.Optional.AdPeak.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tpydklloou32|ImagePath, C:\Program Files\015\tpydklloou32.exe run options=10001010150000000000000000000000 source=10 stdout=reg:HKEY_LOCAL_MACHINE,Software\\MIA,MIA_ERROR , Quarantined, [e20a5614028841f55b9272e033d241bf]PUP.Optional.GlobalUpdate.C, HKCU\SOFTWARE\GLOBALUPDATE\UPDATE\PROXY|source, IE, Quarantined, [ffedd7934d3dbd7974fb02ba7291ad53]Registry Data: 0(No malicious items detected)Folders: 2PUP.Optional.Coupoon.A, C:\Program Files\coupoon, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\SSL, Quarantined, [af3dda9054364cea238c5a6022e17b85],Files: 10PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\iiwjljrnpc.exe, Delete-on-Reboot, [7a726505b3d7999dd416c77262a40000],PUP.Optional.Coupoon.A, C:\Users\{username}\Desktop\Coupoon.exe, Quarantined, [806c44267b0f5ed845a51920fd09b848],PUP.Optional.Coupoon.A, C:\Program Files\10\uninstaller.exe, Quarantined, [7a722545305a59dd45a53affbe4840c0],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\64.ico, Quarantined, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\libeay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfapi.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfregdrv.exe, Quarantined, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ProtocolFilters.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ssleay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],Physical Sectors: 0(No malicious items detected)(end)
Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.
You may see these entries in FRST logs:
R1 netfilter;C:\Windows\System32\drivers\netfilter.sys [317442015-04-03](NetFilterSDK.com)[Filenotsigned]()C:\end()C:\Program Files\coupoon()C:\Program Files\coupoon\ProtocolFilters.dll
Select your language