Steven P. Administrators Posted May 26, 2014 Administrators Share Posted May 26, 2014 So every morning for the past few days or so I keep getting a warning for pup.optional.qvo6.a in the stored preferences of Chrome pointing to my user account data folders in Windows 8.1 Each time I've quarantined it and even tried the Junkware Removal Tool yesterday (which completely removed HotSpot Shield VPN!) and it comes back every day. Searching online shows that it is a browser hijacking tool which could set my homepage and search differently etc, and there's a couple of examples on how to remove it. Unfortunately the MalwareBytes option no longer allows you to "remove" from the results of the scan since I have a newer version, the default option is actually "ignore once" or Quarantine. But as I say, despite doing this it is back every morning. Does anyone else have this or know what it could be? Link to comment Share on other sites More sharing options...
Haggis Veteran Posted May 26, 2014 Veteran Share Posted May 26, 2014 here is the manual process 1. How to stop PUP.Optional.Qvo6.A processes: 1. Click the Start menu, select Run.2. Type taskmgr.exe into the the Run command box, and click ?OK.? You can also launch the Task Manager by pressing keys CTRL + Shift + ESC.3. Click Processes tab, and find PUP.Optional.Qvo6.A related processes.4. Once you?ve found the PUP.Optional.Qvo6.A related processes, right-click them and select ?End Process? to kill PUP.Optional.Qvo6.A related process. 2. With all programs closed, click the Start Menu and go to the Control Panel. 2. Locate the Add/Remove Programs icon and double click it.3. Locate PUP.Optional.Qvo6.A in the list of programs. If you find it, select it and remove it. 3. Detect and delete PUP.Optional.Qvo6.A associated files listed below: %UserProfile%\Application Data\Microsoft\[random].exe%System Root%\Samples%User Profile%\Local Settings\Temp%Documents and Settings%\All Users\Start Menu\Programs\PUP.Optional.Qvo6.A%Documents and Settings%\All Users\Application Data\PUP.Optional.Qvo6.Adoguzeri.dll3948550101.exe3948550101.cfg%Program Files%\PUP.Optional.Qvo6.A%Program Files%\PUP.Optional.Qvo6.AC:\ProgramData\[random numbers]\ 4. How to delete PUP.Optional.Qvo6.A files in Windows 1. Click your Windows Start menu, then click ?Search.?2. A pop up will ask, ?What do you want to search for?? Click ?All files and folders.?3. Type a PUP.Optional.Qvo6.A file in the search box, and select ?Local Hard Drives.?4. Click ?Search.? Once the PUP.Optional.Qvo6.A file is found, delete it. 5. Open the Registry Editor, search and delete these PUP.Optional.Qvo6.A Registry Entries: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe ?Debugger? = ?svchost.exe?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe ?Debugger? = ?svchost.exe? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PUP.Optional.Qvo6.AHKEY_LOCAL_MACHINE\SOFTWARE\PUP.Optional.Qvo6.AHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ?WarnOnHTTPSToHTTPRedirect? = ?0?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ?WarnOnHTTPSToHTTPRedirect? = ?0?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore ?DisableSR ? = ?1?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe ?Debugger? = ?svchost.exe?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe ?Debugger? = ?svchost.exe? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ?3948550101?HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ?xas?HKEY_CURRENT_USER\Software\PUP.Optional.Qvo6.A Shaun N., Steven P., xrobwx71 and 1 other 4 Share Link to comment Share on other sites More sharing options...
Steven P. Administrators Posted May 26, 2014 Author Administrators Share Posted May 26, 2014 Cheers, will do this in a bit and post results (after rebooting etc) (Y) Edit: But what is it, and why has it just recently started showing up? Link to comment Share on other sites More sharing options...
Hum Posted May 26, 2014 Share Posted May 26, 2014 Maybe something helpful here: The PUP.Optional.OptChrome.A threat is classified as PUP a Potentially Unwanted Program by MalwareBytes Anti-Malware because it inflicts and acts as a malicious threat into your computer system. PUP.Optional.OptChrome.A is not a virus but it does act like one. PUP.Optional.OptChrome.A is adware which is bundled using custom installers and dropped on your computer during the installation process. Most users have no idea how this PUP.Optional.OptChrome.A threat is installed on there computer and what it is, until MalwareBytes Anti-Malware detects it as a malicious threat or virus. http://www.fixyourbrowser.com/removal-instructions/remove-pup-optional-optchrome-virus/ Steven P. and xrobwx71 2 Share Link to comment Share on other sites More sharing options...
Steven P. Administrators Posted May 26, 2014 Author Administrators Share Posted May 26, 2014 Yeah I saw that, and looked through my installed programs and couldn't find anything. Link to comment Share on other sites More sharing options...
rfirth Posted May 26, 2014 Share Posted May 26, 2014 Yeah I saw that, and looked through my installed programs and couldn't find anything. Sort by date and look at the most recent? Link to comment Share on other sites More sharing options...
Hum Posted May 26, 2014 Share Posted May 26, 2014 I downloaded and installed AdwCleaner v3.211. https://toolslib.net/downloads/finish/1/get/pHCO/ Automatically finds and fixes PUP problems and gives you a report. I find this to be useful. Link to comment Share on other sites More sharing options...
Steven P. Administrators Posted May 26, 2014 Author Administrators Share Posted May 26, 2014 Most recents are: :s Link to comment Share on other sites More sharing options...
Barney T. Administrators Posted May 26, 2014 Administrators Share Posted May 26, 2014 I had this before too and couldn't get if off, even after using malwarebytes, super anti-spyware, Adaware, and Spybot S&D. I ended up reformatting since it was my kids computer :p. I will be interested to see how you get this one off your system, Steve! Shaun N. 1 Share Link to comment Share on other sites More sharing options...
Steven P. Administrators Posted May 26, 2014 Author Administrators Share Posted May 26, 2014 I will have to do some more research into this, because although MalwareBytes and AdwCleaner cleans/removes it, after reboot the moment Chrome is started it is back again :/ So weird because I don't have any new/weird extensions either that could cause this :/ Haggis, not seeing any PUP programs either so the manual method isn't too helpful (without knowing which program is supposedly installed). Link to comment Share on other sites More sharing options...
Brian M. Veteran Posted May 26, 2014 Veteran Share Posted May 26, 2014 Steve, what extensions do you have installed in Chrome? Not on Windows, but I've seen extensions "piggy pack" other extensions in the past on OS X - they took over the flash player plugin. Also - just did some digging - do you have this registry entry? HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo Otherwise, if you post a Hijackthis log, we'd be able to look into it in more detail :). Link to comment Share on other sites More sharing options...
Hum Posted May 26, 2014 Share Posted May 26, 2014 ^ AdwCleaner found and removed that sort of reg entry for Google/Chrome. And I don't even have Chrome installed on my laptop. :ermm: Link to comment Share on other sites More sharing options...
+Warwagon MVC Posted May 26, 2014 MVC Share Posted May 26, 2014 Try this directory c:\users(username)\appdata\Local\Google\Chrome\User Data\Default\Extensions For fun rename that extensions folder to something else and restart chrome Link to comment Share on other sites More sharing options...
John.D Posted May 26, 2014 Share Posted May 26, 2014 Try trojan remover. It can or should remove trojans / nasties. But I'm pretty sure it can remove pups as well. Its only a trial but if you get it update it then click on scan. Then reset everything under one of the menus. See if that fixes it If it does find anything it should give you the option to remove / rename it. from the hdd or the registry I would also use something like ccleaner to remove the temp files etc Link to comment Share on other sites More sharing options...
sinetheo Posted May 26, 2014 Share Posted May 26, 2014 Re-image I always re-image when in doubt. My systems and have critical data backed to another drive and on my skydrive. I would advise the same as you never know what these trojans could have done to your system. They could have replaced .dll files with rootkit versions and even removing the trojan won't restore the default .dlls. Many also put in backdoors which put in more things in the background doing lord knows what in addition to the piece of software removed. goretsky 1 Share Link to comment Share on other sites More sharing options...
Recommended Posts