What is OneClickDownloader?
The Malwarebytes research team has determined that OneClickDownloader is a bundler. These so-called "bundlers" download and install other software on your system, often other PUPs and adware.
How do I know if my computer is affected by OneClickDownloader?
You may see this entry in your list of installed software:
and these warnings during install:
How did OneClickDownloader get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was offered as a download manager.
How do I remove OneClickDownloader?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
- Then click Finish.
- Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
- If an update is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes Anti-Malware removes OneClickDownloader completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the OneClickDownloader hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it was too late.
Technical details for experts
Possible signs in FRST logs:
CHR HKLM-x32\...\Chrome\Extension: [jplinpmadfkdgipabgcdchbdikologlh] - C:\Program Files (x86)\1ClickDownload\1click11.crx
C:\Program Files (x86)\1ClickDownload
1ClickDownloader (HKLM-x32\...\1ClickDownloader) (Version: 2.1 Build 26473 - 1ClickDownload) <==== ATTENTION
Alterations made by the installer:
Malwarebytes Anti-Malware log:
As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
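The FRST signs listed under "Technical details for experts" can be matched mechanically when triaging a log. The following Python is an added example, not part of the original guide or of any Malwarebytes or FRST tooling; its regular expressions are inferred from the three FRST lines shown on this page, and the function name scan_frst and the two benign sample lines are this example's own.

```python
import re

# Indicators copied from the FRST lines on this page.
EXTENSION_ID = "jplinpmadfkdgipabgcdchbdikologlh"
INSTALL_DIR = r"c:\program files (x86)\1clickdownload"
UNINSTALL_KEY = "1ClickDownloader"

# Line shapes inferred from the page's FRST excerpt (an assumption of this example).
CHR_EXT = re.compile(
    r"^CHR (?P<hive>HK[^\\]+)\\\.\.\.\\Chrome\\Extension: "
    r"\[(?P<id>[a-p]{32})\] - (?P<path>.+)$")
PROGRAM = re.compile(
    r"^(?P<name>.+?) \((?P<hive>HK[^\\]+)\\\.\.\.\\(?P<key>[^)]+)\) "
    r"\(Version: (?P<version>.*?) - (?P<publisher>[^)]*)\)")

def scan_frst(text):
    """Return (line_number, kind, detail) for each line matching an indicator."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        ext = CHR_EXT.match(line)
        if ext:
            # Flag the known ID, or any extension loaded from the bundler's folder.
            from_dir = ext["path"].lower().startswith(INSTALL_DIR + "\\")
            if ext["id"] == EXTENSION_ID or from_dir:
                findings.append((number, "chrome-extension", ext["id"]))
            continue
        prog = PROGRAM.match(line)
        if prog:
            if prog["key"] == UNINSTALL_KEY:
                findings.append((number, "installed-program", prog["version"]))
            continue
        if line.lower().endswith(INSTALL_DIR):
            findings.append((number, "folder", line))
    return findings

# Lines 1, 3 and 4 are the page's FRST lines; lines 2 and 5 are constructed benign entries.
SAMPLE = r"""
CHR HKLM-x32\...\Chrome\Extension: [jplinpmadfkdgipabgcdchbdikologlh] - C:\Program Files (x86)\1ClickDownload\1click11.crx
CHR HKLM\...\Chrome\Extension: [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa] - C:\Example\benign.crx
C:\Program Files (x86)\1ClickDownload
1ClickDownloader (HKLM-x32\...\1ClickDownloader) (Version: 2.1 Build 26473 - 1ClickDownload) <==== ATTENTION
ExampleApp (HKLM\...\ExampleApp) (Version: 1.0 - Example Publisher)
""".strip()

if __name__ == "__main__":
    for finding in scan_frst(SAMPLE):
        print(finding)
```

A Chrome extension registered under HKLM and loaded from a .crx inside the bundler's own program folder is flagged even if its ID differs from the one recorded here.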