chrome

14 replies to this topic

#1 Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 64
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 May 2014 - 08:29

So every morning for the past few days or so I keep getting a warning for pup.optional.qvo6.a in the stored preferences of Chrome pointing to my user account data folders in Windows 8.1

 

Each time I've quarantined it and even tried the Junkware Removal Tool yesterday (which completely removed HotSpot Shield VPN!) and it comes back every day.

 

Searching online shows that it is a browser hijacking tool which could set my homepage and search differently etc, and there's a couple of examples on how to remove it. Unfortunately the MalwareBytes option no longer allows you to "remove" from the results of the scan since I have a newer version, the default option is actually "ignore once" or Quarantine. But as I say, despite doing this it is back every morning.

 

Does anyone else have this or know what it could be? 




#2 Haggis

Haggis

    Neowinian Senior

  • Tech Issues Solved: 10
  • Joined: 13-June 07
  • Location: Near Stirling, Scotland
  • OS: Debian 7
  • Phone: Samsung Galaxy S3 LTE (i9305)

Posted 26 May 2014 - 08:32

here is the manual process

 

 

 

1. How to stop PUP.Optional.Qvo6.A processes:

 

1. Click the Start menu, select Run.
2. Type taskmgr.exe into the Run command box, and click “OK.” You can also launch the Task Manager by pressing keys CTRL + Shift + ESC.
3. Click Processes tab, and find PUP.Optional.Qvo6.A related processes.
4. Once you’ve found the PUP.Optional.Qvo6.A related processes, right-click them and select “End Process” to kill PUP.Optional.Qvo6.A related process.

 

 

2. With all programs closed, click the Start Menu and go to the Control Panel.

2. Locate the Add/Remove Programs icon and double click it.
3. Locate PUP.Optional.Qvo6.A in the list of programs. If you find it, select it and remove it.

 

 

3. Detect and delete PUP.Optional.Qvo6.A associated files listed below:

 

%UserProfile%\Application Data\Microsoft\[random].exe
%System Root%\Samples
%User Profile%\Local Settings\Temp
%Documents and Settings%\All Users\Start Menu\Programs\PUP.Optional.Qvo6.A
%Documents and Settings%\All Users\Application Data\PUP.Optional.Qvo6.A
doguzeri.dll
3948550101.exe
3948550101.cfg
%Program Files%\PUP.Optional.Qvo6.A
%Program Files%\PUP.Optional.Qvo6.A
C:\ProgramData\[random numbers]\

 

4. How to delete PUP.Optional.Qvo6.A files in Windows

1. Click your Windows Start menu, then click “Search.”
2. A pop up will ask, “What do you want to search for?” Click “All files and folders.”
3. Type a PUP.Optional.Qvo6.A file in the search box, and select “Local Hard Drives.”
4. Click “Search.” Once the PUP.Optional.Qvo6.A file is found, delete it.

 

5. Open the Registry Editor, search and delete these PUP.Optional.Qvo6.A Registry Entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PUP.Optional.Qvo6.A
HKEY_LOCAL_MACHINE\SOFTWARE\PUP.Optional.Qvo6.A
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "3948550101"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "xas"
HKEY_CURRENT_USER\Software\PUP.Optional.Qvo6.A



#3 OP Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 64
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 May 2014 - 08:40

Cheers, will do this in a bit and post results (after rebooting etc) (Y)

 

Edit: But what is it, and why has it just recently started showing up?



#4 Hum

Hum

    totally wAcKed

  • Tech Issues Solved: 5
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 26 May 2014 - 08:54

Maybe something helpful here:

 

The PUP.Optional.OptChrome.A threat is classified as a PUP, a Potentially Unwanted Program, by MalwareBytes Anti-Malware because it inflicts and acts as a malicious threat into your computer system. PUP.Optional.OptChrome.A is not a virus but it does act like one. PUP.Optional.OptChrome.A is adware which is bundled using custom installers and dropped on your computer during the installation process. Most users have no idea how this PUP.Optional.OptChrome.A threat is installed on their computer and what it is, until MalwareBytes Anti-Malware detects it as a malicious threat or virus.

 

http://www.fixyourbr...ptchrome-virus/



#5 OP Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 64
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 May 2014 - 09:15

Yeah I saw that, and looked through my installed programs and couldn't find anything.



#6 rfirth

rfirth

    Software Engineer

  • Tech Issues Solved: 2
  • Joined: 11-September 09
  • Location: Baton Rouge, Louisiana
  • OS: Windows 8
  • Phone: Nokia Lumia 620

Posted 26 May 2014 - 09:18

Yeah I saw that, and looked through my installed programs and couldn't find anything.

 

Sort by date and look at the most recent?



#7 Hum

Hum

    totally wAcKed

  • Tech Issues Solved: 5
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 26 May 2014 - 09:20

I downloaded and installed AdwCleaner v3.211.

 

https://toolslib.net...ish/1/get/pHCO/

 

Automatically finds and fixes PUP problems and gives you a report.

 

I find this to be useful.



#8 OP Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 64
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 May 2014 - 09:42

Most recents are:

 

SNAG-0000.png :s



#9 Barney T.

Barney T.

    Debian Linux: I'm Loving It!

  • Tech Issues Solved: 3
  • Joined: 30-August 03
  • Location: Williamsburg, Virginia

Posted 26 May 2014 - 10:19

I had this before too and couldn't get it off, even after using malwarebytes, super anti-spyware, Adaware, and Spybot S&D. I ended up reformatting since it was my kids computer :p. I will be interested to see how you get this one off your system, Steve!



#10 OP Steven P.

Steven P.

    aka Neobond

  • Tech Issues Solved: 64
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 26 May 2014 - 11:25

I will have to do some more research into this, because although MalwareBytes and AdwCleaner cleans/removes it, after reboot the moment Chrome is started it is back again :/ So weird because I don't have any new/weird extensions either that could cause this :/

 

Haggis, not seeing any PUP programs either so the manual method isn't too helpful (without knowing which program is supposedly installed).



#11 Brian M.

Brian M.

    Neowinian Senior

  • Tech Issues Solved: 10
  • Joined: 07-January 05
  • Location: London, UK

Posted 26 May 2014 - 11:33

Steve, what extensions do you have installed in Chrome?

Not on Windows, but I've seen extensions "piggyback" other extensions in the past on OS X - they took over the flash player plugin.

Also - just did some digging - do you have this registry entry? HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo

Otherwise, if you post a Hijackthis log, we'd be able to look into it in more detail :).

#12 Hum

Hum

    totally wAcKed

  • Tech Issues Solved: 5
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 26 May 2014 - 20:02

^ AdwCleaner found and removed that sort of reg entry for Google/Chrome.

And I don't even have Chrome installed on my laptop. :ermm:

#13 +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 26 May 2014 - 20:30

Try this directory c:\users\(username)\appdata\Local\Google\Chrome\User Data\Default\Extensions

 

For fun rename that extensions folder to something else and restart chrome
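
An added example, not part of any post in this thread: a read-only triage of Chrome's `Preferences` JSON (the "stored preferences" flagged in post #1) that lists homepage, startup and search settings pointing outside a trusted list, plus extensions recorded as side-loaded, which is how an entry under the `HKLM\SOFTWARE\Google\Chrome\Extensions` key from post #11 shows up. The key names and location codes are assumptions about the Preferences layout of Chrome builds of this period, and the sample data is constructed.

```python
import json
from urllib.parse import urlsplit

# Per-extension "location" codes (assumption: values of Chromium's install-location enum).
LOCATIONS = {1: "internal", 2: "external_pref", 3: "external_registry",
             4: "unpacked", 6: "external_pref_download"}
SIDELOADED = {2, 3, 4, 6}  # anything not installed by the user from the Web Store

# Constructed sample Preferences content; the IDs, host and paths are placeholders.
SAMPLE = json.dumps({
    "homepage": "http://search.example.invalid/?from=bundle",
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://search.example.invalid/"]},
    "default_search_provider": {
        "search_url": "http://search.example.invalid/q={searchTerms}"},
    "extensions": {"settings": {
        "a" * 32: {"location": 1, "from_webstore": True},
        "b" * 32: {"location": 3, "from_webstore": False,
                   "path": "C:\\ProgramData\\placeholder\\ext"},
    }},
})

def audit_preferences(text, trusted_hosts=("google.com",)):
    """Return (kind, detail) pairs for settings that point outside trusted_hosts
    and for extensions that were side-loaded rather than user-installed."""
    prefs = json.loads(text)
    findings = []

    def check_url(kind, url):
        host = urlsplit(url).hostname or ""
        trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
        if url and not trusted:
            findings.append((kind, url))

    check_url("homepage", prefs.get("homepage", ""))
    for url in prefs.get("session", {}).get("startup_urls", []):
        check_url("startup_url", url)
    search = prefs.get("default_search_provider", {})
    check_url("search_url", search.get("search_url", ""))
    for ext_id, meta in prefs.get("extensions", {}).get("settings", {}).items():
        loc = meta.get("location")
        if loc in SIDELOADED or (loc == 1 and not meta.get("from_webstore")):
            findings.append(("extension", f"{ext_id} ({LOCATIONS.get(loc, loc)})"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_preferences(SAMPLE):
        print(f"{kind:12} {detail}")
```

Run it against a copy of `User Data\Default\Preferences` taken while Chrome is closed; an extension reported as `external_registry` will be reinstalled on every launch until the registry entry that points to it is removed.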



#14 John.D

John.D

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 10-November 09

Posted 26 May 2014 - 21:06

Try trojan remover. It can or should remove trojans / nasties. But I'm pretty sure it can remove pups as well. It's only a trial, but if you get it, update it, then click on scan. Then reset everything under one of the menus. See if that fixes it

 

If it does find anything it should give you the option to remove / rename it from the hdd or the registry

 

I would also use something like ccleaner to remove the temp files etc



#15 sinetheo

sinetheo

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 09-January 14

Posted 26 May 2014 - 21:18

Re-image

 

I always re-image when in doubt. My systems have critical data backed up to another drive and on my skydrive. I would advise the same, as you never know what these trojans could have done to your system. They could have replaced .dll files with rootkit versions and even removing the trojan won't restore the default .dlls. Many also put in backdoors which put in more things in the background doing lord knows what in addition to the piece of software removed.