PUP.Optional.Coupoon

detection icon

Short bio

PUP.Optional.Coupoon is the detection name for a potentially unwanted program (PUP), specifically a type of adware.

Type and source of infection

Once installed, PUP.Optional.Coupoon targets the browser and modifies settings by either changing the start/search page, redirecting the browser, and/or forcing an excessive amount of pop-up advertisements.PUP.Optional.Coupoon comes bundled with other software that is downloaded from third-party websites.

Protection

block PUP.Optional.Coupoon

Malwarebytes blocks PUP.Optional.Coupoon

Remediation

Malwarebytes can detect and remove PUP.Optional.Coupoon without further user interaction.

  1. Please download Malwarebytesto your desktop.
  2. Double-click MBSetup.exeand follow the prompts to install the program.
  3. When your Malwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantineto remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan 

Date: 4/10/2015Scan 
Time: 3:15:02 PM
Logfile: mbamCoupoon.txt
Administrator: 
YesVersion: 2.01.0.1004Malware 
Database: v2015.04.10.04Rootkit 
Database: v2015.03.31.01
License: FreeMalware 
Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7 
Service Pack 1CPU: x86File 
System: NTFS
User: MalwarebytesScan 
Type: Threat 
ScanResult: Completed
Objects Scanned: 290100
Time Elapsed: 7 min, 19 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 3PUP.Optional.Coupoon.A, 
C:\Program Files\015\tpydklloou32.exe, 3224, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060]PUP.Optional.Coupoon.A, 
C:\Program Files\015\tpydklloou32.exe, 3404, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060]PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\iiwjljrnpc.exe, 2908, Delete-on-Reboot, [7a726505b3d7999dd416c77262a40000] Modules: 4PUP.Optional.Coupoon.A,
C:\Program Files\coupoon\libeay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\nfapi.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\ProtocolFilters.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\ssleay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],Registry Keys: 5PUP.Optional.Coupoon.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tpydklloou32, Quarantined, [46a62a40b2d8c76fce1c142542c4a060],PUP.Optional.Coupoon.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\CoupoonService, Quarantined, [7a726505b3d7999dd416c77262a40000],PUP.Optional.Coupoon.A, HKLM\SOFTWARE\coupoon, Quarantined, [bc30bab0ccbe979f9163fd55d23334cc],PUP.Optional.Coupoon.A, HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\coupoon, Quarantined, [a5475119abdf3ff726cc193949bcb050],PUP.Optional.GlobalUpdate.C, HKCU\SOFTWARE\GLOBALUPDATE\UPDATE\PROXY, Quarantined, [ffedd7934d3dbd7974fb02ba7291ad53],Registry Values: 3PUP.Optional.GlobalUpdate.C, HKLM\SOFTWARE\GLOBALUPDATE\UPDATEDEV|AuCheckPeriodMs, 21600000, Quarantined, [27c534366327082ee6f025961ae9ff01]PUP.Optional.AdPeak.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tpydklloou32|ImagePath, 
C:\Program Files\015\tpydklloou32.exe run options=10001010150000000000000000000000 source=10 stdout=reg:HKEY_LOCAL_MACHINE,Software\\MIA,MIA_ERROR , Quarantined, [e20a5614028841f55b9272e033d241bf]PUP.Optional.GlobalUpdate.C, HKCU\SOFTWARE\GLOBALUPDATE\UPDATE\PROXY|source, IE, Quarantined, [ffedd7934d3dbd7974fb02ba7291ad53]Registry Data: 0(No malicious items detected)Folders: 2PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\SSL, Quarantined, [af3dda9054364cea238c5a6022e17b85],Files: 10PUP.Optional.Coupoon.A, 
C:\Program Files\015\tpydklloou32.exe, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\iiwjljrnpc.exe, Delete-on-Reboot, [7a726505b3d7999dd416c77262a40000],PUP.Optional.Coupoon.A, 
C:\Users\{username}\Desktop\Coupoon.exe, Quarantined, [806c44267b0f5ed845a51920fd09b848],PUP.Optional.Coupoon.A, 
C:\Program Files\10\uninstaller.exe, Quarantined, [7a722545305a59dd45a53affbe4840c0],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\64.ico, Quarantined, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\libeay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\nfapi.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\nfregdrv.exe, Quarantined, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\ProtocolFilters.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],PUP.Optional.Coupoon.A, 
C:\Program Files\coupoon\ssleay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],

Physical Sectors: 0(No malicious items detected)

(end)

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

  • Open Malwarebytes for Windows.
  • Click the Detection History
  • Click the Allow List
  • To add an item to the Allow List, click Add.
  • Select the exclusion type Allow a file or folderand use the Select a folderbutton to select the main folder for the software that you wish to keep.
  • Repeat this for any secondary files or folder(s) that belong to the software.

If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use theBrowse button to select the file you wish to grant access.

Traces/IOCs

You may see these entries in FRST logs:

R1 netfilter;C:\Windows\System32\drivers\netfilter.sys [317442015-04-03](NetFilterSDK.com)[Filenotsigned]()C:\end()C:\Program Files\coupoon()C:\Program Files\coupoon\ProtocolFilters.dll
detection icon

Related blog content

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams