Chrome 36 MalwareBytes warning pup.optional.qvo6.a can't be removed



So every morning for the past few days or so I keep getting a warning for pup.optional.qvo6.a in the stored preferences of Chrome pointing to my user account data folders in Windows 8.1.

 

Each time I've quarantined it and even tried the Junkware Removal Tool yesterday (which completely removed HotSpot Shield VPN!) and it comes back every day.

 

Searching online shows that it is a browser hijacking tool which could set my homepage and search differently etc, and there's a couple of examples on how to remove it. Unfortunately the MalwareBytes option no longer allows you to "remove" from the results of the scan since I have a newer version, the default option is actually "ignore once" or Quarantine. But as I say, despite doing this it is back every morning.

 

Does anyone else have this or know what it could be? 

Link to comment
Share on other sites
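
An added example, not part of any post in this thread: since the scanner reports the hit inside Chrome's stored preferences, this Python script walks a Preferences file (JSON) and reports the path of every setting that mentions the detection's name fragment `qvo6`, which shows which setting the scanner is reacting to. The sample content, its key names and the `.example` URLs are constructed for illustration.

```python
import json

# Constructed sample standing in for a Chrome "Preferences" file (JSON).
# Key names and URLs are illustrative assumptions, not taken from the thread.
SAMPLE_PREFERENCES = """
{
  "homepage": "http://www.qvo6.example/?utm_source=b",
  "homepage_is_newtabpage": false,
  "session": {"restore_on_startup": 4,
              "startup_urls": ["http://www.qvo6.example/?utm_source=b"]},
  "default_search_provider": {"name": "Example Search",
                              "search_url": "https://search.example/?q={searchTerms}"},
  "extensions": {"settings": {"aaaabbbbccccddddeeeeffffgggghhhh":
                              {"manifest": {"name": "Constructed sample"}}}}
}
"""

def find_hits(node, needle, path="$"):
    """Recursively yield (json_path, value) for strings containing needle."""
    needle = needle.lower()
    if isinstance(node, dict):
        for key, value in node.items():
            # A hit in a key name matters too (an entry keyed by the PUP's name).
            if needle in key.lower():
                yield (f"{path}.{key}", "<key name>")
            yield from find_hits(value, needle, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_hits(value, needle, f"{path}[{index}]")
    elif isinstance(node, str) and needle in node.lower():
        yield (path, node)

def scan_preferences(text, needle="qvo6"):
    """Parse Preferences JSON text and list every setting mentioning needle."""
    return list(find_hits(json.loads(text), needle))

if __name__ == "__main__":
    # To scan a real profile, read the file named in the scanner's report
    # (close Chrome first so the file is not rewritten mid-read).
    for where, value in scan_preferences(SAMPLE_PREFERENCES):
        print(f"{where}: {value}")
```
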

here is the manual process

 

 

 

1. How to stop PUP.Optional.Qvo6.A processes:

 

1. Click the Start menu, select Run.
2. Type taskmgr.exe into the Run command box, and click "OK." You can also launch the Task Manager by pressing keys CTRL + Shift + ESC.
3. Click Processes tab, and find PUP.Optional.Qvo6.A related processes.
4. Once you've found the PUP.Optional.Qvo6.A related processes, right-click them and select "End Process" to kill PUP.Optional.Qvo6.A related process.

 

 

2. With all programs closed, click the Start Menu and go to the Control Panel.

2. Locate the Add/Remove Programs icon and double click it.
3. Locate PUP.Optional.Qvo6.A in the list of programs. If you find it, select it and remove it.

 

 

3. Detect and delete PUP.Optional.Qvo6.A associated files listed below:

 

%UserProfile%\Application Data\Microsoft\[random].exe
%System Root%\Samples
%User Profile%\Local Settings\Temp
%Documents and Settings%\All Users\Start Menu\Programs\PUP.Optional.Qvo6.A
%Documents and Settings%\All Users\Application Data\PUP.Optional.Qvo6.A
doguzeri.dll
3948550101.exe
3948550101.cfg
%Program Files%\PUP.Optional.Qvo6.A
C:\ProgramData\[random numbers]\

 

4. How to delete PUP.Optional.Qvo6.A files in Windows

1. Click your Windows Start menu, then click "Search."
2. A pop up will ask, "What do you want to search for?" Click "All files and folders."
3. Type a PUP.Optional.Qvo6.A file in the search box, and select "Local Hard Drives."
4. Click "Search." Once the PUP.Optional.Qvo6.A file is found, delete it.

 

5. Open the Registry Editor, search and delete these PUP.Optional.Qvo6.A Registry Entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PUP.Optional.Qvo6.A
HKEY_LOCAL_MACHINE\SOFTWARE\PUP.Optional.Qvo6.A
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = "svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "3948550101"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "xas"
HKEY_CURRENT_USER\Software\PUP.Optional.Qvo6.A

Link to comment
Share on other sites

Cheers, will do this in a bit and post results (after rebooting etc) (Y)

 

Edit: But what is it, and why has it just recently started showing up?

Link to comment
Share on other sites

Maybe something helpful here:

 

The PUP.Optional.OptChrome.A threat is classified as PUP, a Potentially Unwanted Program, by MalwareBytes Anti-Malware because it inflicts and acts as a malicious threat into your computer system. PUP.Optional.OptChrome.A is not a virus but it does act like one. PUP.Optional.OptChrome.A is adware which is bundled using custom installers and dropped on your computer during the installation process. Most users have no idea how this PUP.Optional.OptChrome.A threat is installed on their computer and what it is, until MalwareBytes Anti-Malware detects it as a malicious threat or virus.

 

http://www.fixyourbrowser.com/removal-instructions/remove-pup-optional-optchrome-virus/

Link to comment
Share on other sites

Yeah I saw that, and looked through my installed programs and couldn't find anything.

 

Sort by date and look at the most recent?

Link to comment
Share on other sites

I had this before too and couldn't get it off, even after using malwarebytes, super anti-spyware, Adaware, and Spybot S&D. I ended up reformatting since it was my kids computer :p. I will be interested to see how you get this one off your system, Steve!

Link to comment
Share on other sites

I will have to do some more research into this, because although MalwareBytes and AdwCleaner clean/remove it, after reboot the moment Chrome is started it is back again :/ So weird because I don't have any new/weird extensions either that could cause this :/

 

Haggis, not seeing any PUP programs either so the manual method isn't too helpful (without knowing which program is supposedly installed).

Link to comment
Share on other sites

Steve, what extensions do you have installed in Chrome?

Not on Windows, but I've seen extensions "piggyback" other extensions in the past on OS X - they took over the flash player plugin.

Also - just did some digging - do you have this registry entry? HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo

Otherwise, if you post a Hijackthis log, we'd be able to look into it in more detail :).

Link to comment
Share on other sites

^ AdwCleaner found and removed that sort of reg entry for Google/Chrome.

And I don't even have Chrome installed on my laptop. :ermm:

Link to comment
Share on other sites

Try this directory: c:\users\(username)\appdata\Local\Google\Chrome\User Data\Default\Extensions

 

For fun, rename that extensions folder to something else and restart Chrome.

Link to comment
Share on other sites

Try trojan remover. It can or should remove trojans / nasties. But I'm pretty sure it can remove pups as well. It's only a trial, but if you get it, update it, then click on scan. Then reset everything under one of the menus. See if that fixes it.

 

If it does find anything it should give you the option to remove / rename it from the hdd or the registry.

 

I would also use something like ccleaner to remove the temp files etc.

Link to comment
Share on other sites

Re-image

 

I always re-image when in doubt. My systems have critical data backed to another drive and on my skydrive. I would advise the same as you never know what these trojans could have done to your system. They could have replaced .dll files with rootkit versions and even removing the trojan won't restore the default .dlls. Many also put in backdoors which put in more things in the background doing lord knows what in addition to the piece of software removed.

Link to comment
Share on other sites
