What is Coupoon?
The Malwarebytes research team has determined that Coupoon is adware. These adware applications display advertisements not originating from the sites you are browsing.
How do I know if my computer is affected by Coupoon?
You may see this entry in your list of installed programs:
How did Coupoon get on my computer?
Adware applications use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove Coupoon?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Please use Coupoon's own uninstaller first, but I would advise following the steps below anyway.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Enable free trial of Malwarebytes Anti-Malware Premium
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
No, together with the uninstaller, Malwarebytes' Anti-Malware removes Coupoon completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Coupoon adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
You will see these signs in a HijackThis log:
O23 - Service: CoupoonService - Unknown owner - C:\Program Files\coupoon\iiwjljrnpc.exe
O23 - Service: tpydklloou32 - Unknown owner - C:\Program Files\015\tpydklloou32.exe

Possible signs in FRST logs:
() C:\Program Files\015\tpydklloou32.exe
() C:\Program Files\coupoon\iiwjljrnpc.exe
R2 CoupoonService; C:\Program Files\coupoon\iiwjljrnpc.exe [151864 2015-04-03] ()
R2 tpydklloou32; C:\Program Files\015\tpydklloou32.exe [622392 2015-04-08] ()
R1 netfilter; C:\Windows\System32\drivers\netfilter.sys [31744 2015-04-03] (NetFilterSDK.com) [File not signed]
() C:\end
() C:\Program Files\coupoon
() C:\Program Files\10
() C:\Program Files\015
(NetFilterSDK.com) C:\Windows\system32\Drivers\netfilter.sys
coupoon (HKLM\...\10) (Version: 2.0.1 - coupoon) <==== ATTENTION
() C:\Program Files\015\tpydklloou32.exe
() C:\Program Files\coupoon\iiwjljrnpc.exe
() C:\Program Files\coupoon\nfapi.dll
() C:\Program Files\coupoon\ProtocolFilters.dll

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files\015
Adds the file tpydklloou32.exe"="4/8/2015 9:05 AM, 622392 bytes, A
Adds the folder C:\Program Files\10
Adds the file uninstaller.exe"="4/8/2015 9:05 AM, 107776 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\coupoon]
"source"="REG_SZ", "10"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\10]
"DisplayIcon"="REG_SZ", "C:\Program Files\10\uninstaller.exe"
"DisplayName"="REG_SZ", "coupoon"
"DisplayVersion"="REG_SZ", "2.0.1"
"EstimatedSize"="REG_DWORD", 1024
"Publisher"="REG_SZ", "coupoon"
"UninstallString"="REG_SZ", "C:\Program Files\10\uninstaller.exe -source="10" -clean="1" "
"URLInfoAbout"="REG_SZ", "${application_url}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tpydklloou32]
"DisplayName"="REG_SZ", "tpydklloou32"
"ErrorControl"="REG_DWORD", 1
"FailureActions"="REG_BINARY, .....................6
"ImagePath"="REG_EXPAND_SZ, "C:\Program Files\015\tpydklloou32.exe run options=10001010150000000000000000000000 source=10 stdout=reg:HKEY_LOCAL_MACHINE,Software\\MIA,MIA_ERROR "
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 16

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/10/2015
Scan Time: 3:15:02 PM
Logfile: mbamCoupoon.txt
Administrator: Yes

Version: 2.01.0.1004
Malware Database: v2015.04.10.04
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 290100
Time Elapsed: 7 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 3
PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, 3224, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060]
PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, 3404, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060]
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\iiwjljrnpc.exe, 2908, Delete-on-Reboot, [7a726505b3d7999dd416c77262a40000]

Modules: 4
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\libeay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfapi.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ProtocolFilters.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ssleay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],

Registry Keys: 5
PUP.Optional.Coupoon.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tpydklloou32, Quarantined, [46a62a40b2d8c76fce1c142542c4a060],
PUP.Optional.Coupoon.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\CoupoonService, Quarantined, [7a726505b3d7999dd416c77262a40000],
PUP.Optional.Coupoon.A, HKLM\SOFTWARE\coupoon, Quarantined, [bc30bab0ccbe979f9163fd55d23334cc],
PUP.Optional.Coupoon.A, HKU\S-1-5-18\SOFTWARE\APPDATALOW\SOFTWARE\coupoon, Quarantined, [a5475119abdf3ff726cc193949bcb050],
PUP.Optional.GlobalUpdate.C, HKCU\SOFTWARE\GLOBALUPDATE\UPDATE\PROXY, Quarantined, [ffedd7934d3dbd7974fb02ba7291ad53],

Registry Values: 3
PUP.Optional.GlobalUpdate.C, HKLM\SOFTWARE\GLOBALUPDATE\UPDATEDEV|AuCheckPeriodMs, 21600000, Quarantined, [27c534366327082ee6f025961ae9ff01]
PUP.Optional.AdPeak.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tpydklloou32|ImagePath, C:\Program Files\015\tpydklloou32.exe run options=10001010150000000000000000000000 source=10 stdout=reg:HKEY_LOCAL_MACHINE,Software\\MIA,MIA_ERROR , Quarantined, [e20a5614028841f55b9272e033d241bf]
PUP.Optional.GlobalUpdate.C, HKCU\SOFTWARE\GLOBALUPDATE\UPDATE\PROXY|source, IE, Quarantined, [ffedd7934d3dbd7974fb02ba7291ad53]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.Coupoon.A, C:\Program Files\coupoon, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\SSL, Quarantined, [af3dda9054364cea238c5a6022e17b85],

Files: 10
PUP.Optional.Coupoon.A, C:\Program Files\015\tpydklloou32.exe, Delete-on-Reboot, [46a62a40b2d8c76fce1c142542c4a060],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\iiwjljrnpc.exe, Delete-on-Reboot, [7a726505b3d7999dd416c77262a40000],
PUP.Optional.Coupoon.A, C:\Users\{username}\Desktop\Coupoon.exe, Quarantined, [806c44267b0f5ed845a51920fd09b848],
PUP.Optional.Coupoon.A, C:\Program Files\10\uninstaller.exe, Quarantined, [7a722545305a59dd45a53affbe4840c0],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\64.ico, Quarantined, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\libeay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfapi.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\nfregdrv.exe, Quarantined, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ProtocolFilters.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],
PUP.Optional.Coupoon.A, C:\Program Files\coupoon\ssleay32.dll, Delete-on-Reboot, [af3dda9054364cea238c5a6022e17b85],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
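
The HijackThis and FRST signs listed under "Technical details for experts" can be checked mechanically when triaging a submitted log. The Python below is an added example, not Malwarebytes code: it matches service and driver lines against the names and paths given on this page only. The line formats are inferred from the excerpts above, and the two "Example" lines in the sample are constructed for contrast.

```python
import re

# Indicators copied from this page's HijackThis and FRST excerpts (lower-cased).
SERVICES = {"coupoonservice", "tpydklloou32"}
FOLDERS = ("c:\\program files\\coupoon\\", "c:\\program files\\015\\")
DRIVER = "c:\\windows\\system32\\drivers\\netfilter.sys"

# Line shapes assumed from the excerpts on this page.
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
FRST_SVC = re.compile(
    r"^[RSU]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\] "
    r"\((?P<company>[^)]*)\)(?P<unsigned> \[File not signed\])?"
)

def scan(log_text):
    """Return one finding per service/driver line that matches a page indicator."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_O23.match(line) or FRST_SVC.match(line)
        if not m:
            continue
        name, path = m["name"].strip(), m["path"].strip()
        reasons = []
        if name.lower() in SERVICES:
            reasons.append("service name")
        if path.lower().startswith(FOLDERS):
            reasons.append("install folder")
        if path.lower() == DRIVER:
            unsigned = m.groupdict().get("unsigned")  # group exists only in FRST lines
            reasons.append("netfilter driver" + (" (unsigned)" if unsigned else ""))
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings

# Constructed sample: three lines from the page plus two benign lines made up for contrast.
SAMPLE = r"""
O23 - Service: CoupoonService - Unknown owner - C:\Program Files\coupoon\iiwjljrnpc.exe
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\updater.exe
R2 tpydklloou32; C:\Program Files\015\tpydklloou32.exe [622392 2015-04-08] ()
R1 netfilter; C:\Windows\System32\drivers\netfilter.sys [31744 2015-04-03] (NetFilterSDK.com) [File not signed]
R2 ExampleSvc; C:\Program Files\Example\svc.exe [10240 2015-01-01] (Example Corp)
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["name"], "|", f["path"], "|", ", ".join(f["reasons"]))
```

A netfilter.sys match on its own is a prompt to review the rest of the log rather than proof of Coupoon, since the FRST excerpt attributes that driver to NetFilterSDK.com and not to the coupoon publisher.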