Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for OneClickDownloader

- - - - -

  • Please log in to reply
No replies to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,141 posts
Content is republished with permission from Malwarebytes.

What is OneClickDownloader?

The Malwarebytes research team has determined that OneClickDownloader is a bundler. These so-called "bundlers" download and install other software on your system, often other PUPs and adware.

How do I know if my computer is affected by OneClickDownloader?

You may see this entry in your list of installed software:

warning4.png

and these warnings during install:

main.png

warning1.png

warning2.png

How did OneClickDownloader get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was offered as a download manager.

How do I remove OneClickDownloader?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to:
    Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of OneClickDownloader?
  • No, Malwarebytes' Anti-Malware removes OneClickDownloader completely.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the OneClickDownloader hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.


protection1.png


Technical details for experts

Possible signs in FRST logs:


 CHR HKLM-x32\...\Chrome\Extension: [jplinpmadfkdgipabgcdchbdikologlh] - C:\Program Files (x86)\1ClickDownload\1click11.crx 
 C:\Program Files (x86)\1ClickDownload

1ClickDownloader (HKLM-x32\...\1ClickDownloader) (Version: 2.1 Build 26473 - 1ClickDownload) <==== ATTENTION
Alterations made by the installer:
 
File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Downloads
       Adds the file Download magnetxt=urnbtihNHXA37QNI4LETIDMQPEOPAKJGTS5Z76E.lnk"="7/7/2016 9:00 AM, 1659 bytes, A
    Adds the folder C:\Program Files (x86)\1ClickDownload
       Adds the file magnetxt=urnbtihNHXA37QNI4LETIDMQPEOPAKJGTS5Z76E.magnet"="7/7/2016 8:58 AM, 575 bytes, A
       Adds the file uninstall.exe"="7/7/2016 9:00 AM, 47474 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46df-B041-1E593282C7D0}\Instl\Data]
       "afltId"="REG_SZ", "11111111"
       "hrdId"="REG_SZ", "11111111"
       "prtnrId"="REG_SZ", "11111111"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\Instl\Data]
       "afltId"="REG_SZ", "11111111"
       "hrdId"="REG_SZ", "11111111"
       "prtnrId"="REG_SZ", "11111111"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data]
       "afltId"="REG_SZ", "11111111"
       "hrdId"="REG_SZ", "11111111"
       "prtnrId"="REG_SZ", "11111111"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4BD8E034-E0F4-4509-A753-467A8E854CD8}]
       "InstallDate"="REG_SZ", "20160503"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
       "InstallDate"="REG_SZ", "20160504"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A76AA284-E52D-47E6-9E4F-B85DBF8E35C3}]
       "InstallDate"="REG_SZ", "20160503"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP]
       "InstallDate"="REG_SZ", "20160503"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP]
       "InstallDate"="REG_SZ", "20160503"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jplinpmadfkdgipabgcdchbdikologlh]
       "path"="REG_SZ", "C:\Program Files (x86)\1ClickDownload\1click11.crx"
       "version"="REG_SZ", "1.1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4BD8E034-E0F4-4509-A753-467A8E854CD8}]
       "InstallDate"="REG_SZ", "20160503"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
       "InstallDate"="REG_SZ", "20160504"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A76AA284-E52D-47E6-9E4F-B85DBF8E35C3}]
       "InstallDate"="REG_SZ", "20160503"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownloader]
       "DisplayName"="REG_SZ", "1ClickDownloader"
       "DisplayVersion"="REG_SZ", "2.1 Build 26473"
       "Publisher"="REG_SZ", "1ClickDownload"
       "UninstallString"="REG_SZ", "C:\Program Files (x86)\1ClickDownload\uninstall.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP]
       "InstallDate"="REG_SZ", "20160503"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP]
       "InstallDate"="REG_SZ", "20160503"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SweetIM]
       "simapp_id"="REG_SZ", "11111111"
    [HKEY_CURRENT_USER\Software\1ClickDownload]
       "LastInstall"="REG_SZ", "30529582"
       "LastInstall2"="REG_SZ", "30529582"
       "UID"="REG_SZ", "255245968"
    [HKEY_CURRENT_USER\Software\IncrediMail]
       "ApplicationPath"="REG_SZ", "11111111"
    [HKEY_CURRENT_USER\Software\SweetIM]
       "simapp_id"="REG_SZ", "11111111"

Malwarebytes Anti-Malware log:
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/7/2016
Scan Time: 9:09 AM
Logfile: mbam1ClickDownloader.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.07.01
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314381
Time Elapsed: 8 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 11
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [71bc5ec3d6c4e74fc6eeeea932d035cb], 
Adware.1ClickDownload, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [71bc5ec3d6c4e74fc6eeeea932d035cb], 
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [71bc5ec3d6c4e74fc6eeeea932d035cb], 
PUP.Optional.Iminent, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IMBoosterARP, Quarantined, [b07dfb260e8c1224e434693ee61d748c], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}, Quarantined, [c469f32ee6b45bdb50af805eb350bd43], 
PUP.Optional.SweetIM, HKLM\SOFTWARE\WOW6432NODE\SweetIM, Quarantined, [5bd2f1307c1ee74f52af3a7ece35d12f], 
PUP.Optional.1ClickDownload, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\jplinpmadfkdgipabgcdchbdikologlh, Quarantined, [ec41ea375842cc6a3ea040aeea19db25], 
PUP.Optional.Iminent, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IMBoosterARP, Quarantined, [4de09c858e0c0e28ce4a386f53b009f7], 
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}, Quarantined, [2706f62bb2e881b5906f4b93748fae52], 
PUP.Optional.1ClickDownload, HKCU\SOFTWARE\1ClickDownload, Quarantined, [9a93d0515e3c2c0a106aff97bf44d22e], 
PUP.Optional.SweetIM, HKCU\SOFTWARE\SweetIM, Quarantined, [280560c12674df5725d871465fa4a65a], 

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisements





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.