
Removal instructions for Coupoon


What is Coupoon?

The Malwarebytes research team has determined that Coupoon is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Coupoon?

You may see this entry in your list of installed programs:

[Image: warning4.png]

How did Coupoon get on my computer?

Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Coupoon?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

Please use their own uninstaller first, but I would advise following the steps below anyway.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Coupoon?

  • No, together with the uninstaller, Malwarebytes Anti-Malware removes Coupoon completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Coupoon adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

[Image: protection1.png]

Technical details for experts

You will see these signs in a HijackThis log:

O23 - Service: CoupoonService - Unknown owner - C:\Program Files\coupoon\iiwjljrnpc.exe
O23 - Service: tpydklloou32 - Unknown owner - C:\Program Files\015\tpydklloou32.exe

Possible signs in FRST logs:

() C:\Program Files\015\tpydklloou32.exe
() C:\Program Files\coupoon\iiwjljrnpc.exe
R2 CoupoonService; C:\Program Files\coupoon\iiwjljrnpc.exe [151864 2015-04-03] ()
R2 tpydklloou32; C:\Program Files\015\tpydklloou32.exe [622392 2015-04-08] ()
R1 netfilter; C:\Windows\System32\drivers\netfilter.sys [31744 2015-04-03] (NetFilterSDK.com) [File not signed]
() C:\end
() C:\Program Files\coupoon
() C:\Program Files\10
() C:\Program Files\015
(NetFilterSDK.com) C:\Windows\system32\Drivers\netfilter.sys
coupoon (HKLM\...\10) (Version: 2.0.1 - coupoon) <==== ATTENTION
() C:\Program Files\015\tpydklloou32.exe
() C:\Program Files\coupoon\iiwjljrnpc.exe
() C:\Program Files\coupoon\nfapi.dll
() C:\Program Files\coupoon\ProtocolFilters.dll

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files\015
       Adds the file tpydklloou32.exe"="4/8/2015 9:05 AM, 622392 bytes, A
    Adds the folder C:\Program Files\10
       Adds the file uninstaller.exe"="4/8/2015 9:05 AM, 107776 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\coupoon]
       "source"="REG_SZ", "10"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\10]
       "DisplayIcon"="REG_SZ", "C:\Program Files\10\uninstaller.exe"
       "DisplayName"="REG_SZ", "coupoon"
       "DisplayVersion"="REG_SZ", "2.0.1"
       "EstimatedSize"="REG_DWORD", 1024
       "Publisher"="REG_SZ", "coupoon"
       "UninstallString"="REG_SZ", "C:\Program Files\10\uninstaller.exe -source="10" -clean="1" "
       "URLInfoAbout"="REG_SZ", "${application_url}"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tpydklloou32]
       "DisplayName"="REG_SZ", "tpydklloou32"
       "ErrorControl"="REG_DWORD", 1
       "FailureActions"="REG_BINARY, .....................6
       "ImagePath"="REG_EXPAND_SZ, "C:\Program Files\015\tpydklloou32.exe run options=10001010150000000000000000000000 source=10 stdout=reg:HKEY_LOCAL_MACHINE,Software\\MIA,MIA_ERROR "
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 16

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/10/2015
Scan Time: 3:15:02 PM
Logfile: mbamCoupoon.txt
Administrator: Yes

Version: 2.01.0.1004
Malware Database: v2015.04.10.04
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 290100
Time Elapsed: 7 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 3
PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, 3224, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060]
PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, 3404, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060]
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\iiwjljrnpc.exe, 2908, Delete-on-Reboot, [7a726505b3d7999dd416c77262a40000]

Modules: 4
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\libeay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfapi.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ProtocolFilters.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ssleay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],

Registry Keys: 5
PUP.Optional.Coupoon.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tpydklloou32, Quarantined, [46a62a40b2d8c76fce1c142542c4a060],
PUP.Optional.Coupoon.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\CoupoonService, Quarantined, [7a726505b3d7999dd416c77262a40000],
PUP.Optional.Coupoon.A, HKLM\SOFTWARE\coupoon, Quarantined, [bc30bab0ccbe979f9163fd55d23334cc],
PUP.Optional.Coupoon.A, HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\coupoon, Quarantined, [a5475119abdf3ff726cc193949bcb050],
PUP.Optional.GlobalUpdate.C, HKCU\SOFTWARE\GLOBALUPDATE\UPDATE\PROXY, Quarantined, [ffedd7934d3dbd7974fb02ba7291ad53],

Registry Values: 3
PUP.Optional.GlobalUpdate.C, HKLM\SOFTWARE\GLOBALUPDATE\UPDATEDEV|AuCheckPeriodMs, 21600000, Quarantined, [27c534366327082ee6f025961ae9ff01]
PUP.Optional.AdPeak.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tpydklloou32|ImagePath, C:\Program Files\015\tpydklloou32.exe run options=10001010150000000000000000000000 source=10 stdout=reg:HKEY_LOCAL_MACHINE,Software\\MIA,MIA_ERROR , Quarantined, [e20a5614028841f55b9272e033d241bf]
PUP.Optional.GlobalUpdate.C, HKCU\SOFTWARE\GLOBALUPDATE\UPDATE\PROXY|source, IE, Quarantined, [ffedd7934d3dbd7974fb02ba7291ad53]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.Coupoon.A, C:\Program Files\coupoon, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\SSL, Quarantined, [af3dda9054364cea238c5a6022e17b85],

Files: 10
PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\iiwjljrnpc.exe, Delete-on-Reboot, [7a726505b3d7999dd416c77262a40000],
PUP.Optional.Coupoon.A, C:\Users\{username}\Desktop\Coupoon.exe, Quarantined, [806c44267b0f5ed845a51920fd09b848],
PUP.Optional.Coupoon.A, C:\Program Files\10\uninstaller.exe, Quarantined, [7a722545305a59dd45a53affbe4840c0],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\64.ico, Quarantined, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\libeay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfapi.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfregdrv.exe, Quarantined, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ProtocolFilters.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ssleay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
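
Added example, not part of the original post or of any Malwarebytes or FRST tooling: a Python triage of the FRST service lines listed under "Technical details for experts". It flags entries that use the post's service names or folders, have an empty () publisher field, or carry [File not signed]. The line layout in the regex is inferred from the lines shown in the post, and the ExampleSvc line is a constructed control.

```python
import re

# Service/driver line layout as seen in the post's FRST excerpt:
#   <state><start type> <name>; <image path> [<size> <date>] (<company>) [flags]
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<company>[^)]*)\)(?P<flags>.*)$"
)

# Indicators taken from the post (lower-cased for comparison).
KNOWN_SERVICES = {"coupoonservice", "tpydklloou32"}
KNOWN_DIRS = ("c:\\program files\\coupoon\\", "c:\\program files\\015\\")

def triage(log_text):
    """Return [(service name, [reasons])] for service lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue  # not a service/driver line
        reasons = []
        if m["name"].lower() in KNOWN_SERVICES:
            reasons.append("service name listed in the post")
        if m["path"].lower().startswith(KNOWN_DIRS):
            reasons.append("image path under a folder listed in the post")
        if not m["company"].strip():
            reasons.append("empty publisher field")
        if "[File not signed]" in m["flags"]:
            reasons.append("file not signed")
        if reasons:
            findings.append((m["name"], reasons))
    return findings

# Constructed input: the three service lines from the post plus one
# made-up benign entry (ExampleSvc) as a control.
SAMPLE = r"""
R2 CoupoonService; C:\Program Files\coupoon\iiwjljrnpc.exe [151864 2015-04-03] ()
R2 tpydklloou32; C:\Program Files\015\tpydklloou32.exe [622392 2015-04-08] ()
R1 netfilter; C:\Windows\System32\drivers\netfilter.sys [31744 2015-04-03] (NetFilterSDK.com) [File not signed]
R2 ExampleSvc; C:\Program Files\Example\svc.exe [204800 2015-01-12] (Example Corp)
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE):
        print(f"{name}: {', '.join(reasons)}")
```

The empty-publisher and unsigned-file checks are generic heuristics that also match legitimate software, so treat a hit as a prompt to inspect the entry rather than a verdict.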