Removing OneLauncher Malware – Automated Script
Welcome!
Thanks for visiting our blog! If you have reached this page, you are probably looking to remove the OneLauncher Malware/PUP from one or more machines. This blog post contains a PowerShell script that will remove OneLauncher from your machine. This script is provided as-is; we strongly suggest you review the code and understand it prior to running it on your systems. We are not responsible for any unintended outcomes from code or scripts shared here.
OneLauncher Removal Steps
To remove the OneLauncher software, there are several steps that need to be taken. Completing these steps via a script is the most efficient way to complete the task. The steps that this script will take are:
1. Stop all required processes (onelaunch, onelaunchtray, chromium, chromiumstartupproxy, onelaunch – package track*)
2. Obtain a list of all user profiles to iterate through
3. Iterate through the list of user profiles and remove the OneLauncher installers
4. Iterate through the list of user profiles and remove the OneLauncher application .lnk files
5. Iterate through the list of user profiles and remove the OneLauncher directory from the user's AppData folder
6. List all user registry hives in HKEY_USERS and remove the OneLauncher registry paths from those hives
All checks are logged to the console via Write-Output, indicating the files and registry keys that were reviewed. Each line is tagged SUCCESS, NOT FOUND, or ERROR (the statuses emitted by the script's Log-Outcome function) depending on the status of the file or key in that user profile. Note that only registry hives currently loaded under HKEY_USERS (logged-on users) are visible to step 6.
Remove-OneLauncher.ps1
Here is the script. Save this to your machine and run it as administrator. You can also run this script via various RMM and management platforms.
<#
.SYNOPSIS
Removes OneLaunch Malware/PUP from all user profiles
.DESCRIPTION
This script will cycle through all user profiles and remove the OneLaunch directories, executables and registry keys from all user profiles. This must be run as administrator.
.EXAMPLE
PS> .\Remove-OneLauncher.ps1
.INPUTS
None. You cannot pipe objects to this script.
.OUTPUTS
Console outputs indicating steps taken. This is utilized for easy understanding of outcomes in RMM systems
.NOTES
Developed by DBT Support (https://www.dbtsupport.com)
Version 1.0, last modified November 16th, 2024
.LINK
https://www.dbtsupport.com
#>

# Define common paths as variables (relative to each user's profile directory)
$StartupPath = "AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
$DesktopPath = "Desktop"
$LocalAppDataPath = "AppData\Local"
$TaskPath = "C:\windows\system32\tasks"                                  # reserved; not used below
$RegistryUninstallPath = "Software\Microsoft\Windows\CurrentVersion\Uninstall"
$RegistryRunPath = "Software\Microsoft\Windows\CurrentVersion\Run"
$RegistryClassesPath = "SOFTWARE\Classes"
$RegistryRegisteredApplicationsPath = "SOFTWARE\RegisteredApplications"  # reserved; not used below

# Function to log outcomes in a fixed [STATUS] message form that RMM consoles can filter on
function Log-Outcome {
    param (
        [string]$Message,
        [string]$Status
    )
    switch ($Status) {
        "SUCCESS"   { Write-Output "[SUCCESS] $Message" }
        "NOT FOUND" { Write-Output "[NOT FOUND] $Message" }
        "ERROR"     { Write-Output "[ERROR] $Message" }
        default     { Write-Output "[$Status] $Message" }
    }
}

# Terminate Processes (wildcards are allowed in Get-Process names)
$processes = @("onelaunch", "onelaunchtray", "chromium", "ChromiumStartupProxy", "OneLaunch - Package Track*")
foreach ($process in $processes) {
    try {
        # Check if the process exists
        $runningProcess = Get-Process $process -ErrorAction SilentlyContinue
        if ($runningProcess) {
            # If the process exists, attempt to stop it; -ErrorAction Stop makes a failure reach the catch block
            Write-Output "Attempting to stop process: $process"
            $runningProcess | Stop-Process -Force -ErrorAction Stop
            Log-Outcome "Process $process stopped." "SUCCESS"
        } else {
            # If the process does not exist, log as not found
            Log-Outcome "Process $process is not running; skipping." "NOT FOUND"
        }
    } catch {
        Log-Outcome "Error stopping process $process" "ERROR"
    }
}
Start-Sleep -Seconds 2

# Iterate through user profile directories
$user_list = (Get-ChildItem -Path C:\Users -Directory).Name
foreach ($user in $user_list) {
    # Define user-specific paths
    $userStartupPath = "C:\Users\$user\$StartupPath"
    $userDesktopPath = "C:\Users\$user\$DesktopPath"
    $userLocalAppDataPath = "C:\Users\$user\$LocalAppDataPath\OneLaunch"

    # Remove installer executables (recursive search of the whole profile; slow on large profiles)
    try {
        Write-Output "Step 1 - Searching for OneLaunch installer executables for user $user"
        $installers = @(Get-ChildItem "C:\Users\$user" -Recurse -File -Filter "OneLaunch*.exe" -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
        foreach ($install in $installers) {
            if (Test-Path $install) {
                try {
                    Write-Output "Step 1 - Attempting to remove installer: $install"
                    Remove-Item $install -ErrorAction Stop
                    Log-Outcome "Step 1 - Installer $install removed." "SUCCESS"
                } catch {
                    Log-Outcome "Step 1 - Error removing installer $install" "ERROR"
                }
            } else {
                Log-Outcome "Step 1 - Installer $install not found; skipping." "NOT FOUND"
            }
        }
    } catch {
        Log-Outcome "Step 1 - Error searching for installers for user $user" "ERROR"
    }

    # Remove startup shortcuts and other OneLaunch-related files
    $pathsToRemove = @(
        "$userStartupPath\OneLaunch.lnk",
        "$userStartupPath\OneLaunchChromium.lnk",
        "$userStartupPath\OneLaunchUpdater.lnk",
        "$userDesktopPath\OneLaunch.lnk",
        "C:\Users\$user\OneDrive\$DesktopPath\OneLaunch.lnk"
    )
    foreach ($path in $pathsToRemove) {
        if (Test-Path $path) {
            try {
                Write-Output "Step 2 - Attempting to remove: $path"
                Remove-Item $path -ErrorAction Stop
                Log-Outcome "Step 2 - Path $path removed." "SUCCESS"
            } catch {
                Log-Outcome "Step 2 - Error removing $path" "ERROR"
            }
        } else {
            Log-Outcome "Step 2 - Path $path not found; skipping." "NOT FOUND"
        }
    }

    # Remove OneLaunch directory from the user's local AppData
    if (Test-Path $userLocalAppDataPath) {
        try {
            Write-Output "Step 3 - Attempting to remove OneLaunch directory: $userLocalAppDataPath"
            Remove-Item $userLocalAppDataPath -Recurse -Force -ErrorAction Stop
            Log-Outcome "Step 3 - Directory $userLocalAppDataPath removed." "SUCCESS"
        } catch {
            Log-Outcome "Step 3 - Error removing OneLaunch directory $userLocalAppDataPath" "ERROR"
        }
    } else {
        Log-Outcome "Step 3 - OneLaunch directory $userLocalAppDataPath not found; skipping." "NOT FOUND"
    }
}

# Registry cleanup
# Only hives currently loaded under HKEY_USERS are visible here (logged-on users); profiles that are
# not logged on at run time are not processed. Well-known short SIDs (e.g. SYSTEM) and *_Classes hives are skipped.
$sid_list = Get-ChildItem -Path "Registry::HKEY_USERS" |
    Where-Object { $_.PSChildName -match '^S-\d-(?:\d+-){5,14}\d+$' -and $_.PSChildName -notlike "*_Classes" } |
    ForEach-Object { $_.PSChildName }
foreach ($sid in $sid_list) {
    $hive = "Registry::HKEY_USERS\$sid"

    # Registry keys to remove
    $registryPathsToRemove = @(
        "$hive\$RegistryUninstallPath\{4947c51a-26a9-4ed0-9a7b-c21e5ae0e71a}_is1",
        "$hive\Software\OneLaunch",
        "$hive\$RegistryClassesPath\OneLaunchHTML"
    )
    foreach ($regPath in $registryPathsToRemove) {
        if (Test-Path $regPath) {
            try {
                Write-Output "Step 4 - Attempting to remove registry path: $regPath"
                Remove-Item $regPath -Recurse -ErrorAction Stop
                Log-Outcome "Step 4 - Registry path $regPath removed." "SUCCESS"
            } catch {
                Log-Outcome "Step 4 - Error removing registry path $regPath" "ERROR"
            }
        } else {
            Log-Outcome "Step 4 - Registry path $regPath not found; skipping." "NOT FOUND"
        }
    }

    # Remove startup entries (values under the per-user Run key)
    $registryRunKeys = @("OneLaunch", "OneLaunchChromium")
    $runKey = Get-ItemProperty -Path "$hive\$RegistryRunPath" -ErrorAction SilentlyContinue
    foreach ($key in $registryRunKeys) {
        if ($runKey -and ($runKey.PSObject.Properties.Name -contains $key)) {
            try {
                Write-Output "Step 5 - Attempting to remove registry key: $key under $RegistryRunPath"
                Remove-ItemProperty -Path "$hive\$RegistryRunPath" -Name $key -ErrorAction Stop
                Log-Outcome "Step 5 - Registry key $key removed." "SUCCESS"
            } catch {
                Log-Outcome "Step 5 - Error removing registry key $key" "ERROR"
            }
        } else {
            Log-Outcome "Step 5 - Registry key $key not found; skipping." "NOT FOUND"
        }
    }
}
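The registry pass above only sees hives that are loaded under HKEY_USERS, so users who are not logged on at run time are skipped. The following audit-only check is an added example, not part of the DBT Support script: it walks the ProfileList, temporarily loads NTUSER.DAT for profiles whose hives are not loaded, and reports (without removing) the same keys and Run values the script targets. The scratch hive name OneLaunchAudit_<SID> is an assumption; it must run elevated.

```powershell
# Added audit-only example (not the DBT Support script). Reports the registry artifacts the
# removal script targets, for every local profile, loading offline hives when needed.
$ProfileList  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$RelativeKeys = @(
    'Software\OneLaunch',
    'SOFTWARE\Classes\OneLaunchHTML',
    'Software\Microsoft\Windows\CurrentVersion\Uninstall\{4947c51a-26a9-4ed0-9a7b-c21e5ae0e71a}_is1'
)
$RunValues = @('OneLaunch', 'OneLaunchChromium')

function Test-OneLaunchHive {
    # $HiveRoot is a Registry:: path to one user hive, e.g. Registry::HKEY_USERS\S-1-5-21-...
    param([string]$HiveRoot, [string]$Label)
    foreach ($rel in $RelativeKeys) {
        if (Test-Path "$HiveRoot\$rel") {
            [pscustomobject]@{ Profile = $Label; Type = 'Key'; Item = "$HiveRoot\$rel" }
        }
    }
    $run = Get-ItemProperty -Path "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    foreach ($v in $RunValues) {
        if ($run -and ($run.PSObject.Properties.Name -contains $v)) {
            [pscustomobject]@{ Profile = $Label; Type = 'RunValue'; Item = "$v = $($run.$v)" }
        }
    }
}

$findings = foreach ($p in Get-ChildItem -Path $ProfileList) {
    $sid = $p.PSChildName
    if ($sid -notmatch '^S-1-5-21-') { continue }       # skip SYSTEM/service account hives
    $profilePath = $p.GetValue('ProfileImagePath')      # REG_EXPAND_SZ is expanded by GetValue
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        Test-OneLaunchHive -HiveRoot "Registry::HKEY_USERS\$sid" -Label $profilePath
        continue
    }
    # Hive not loaded (user not logged on): mount NTUSER.DAT under a scratch name (assumed name)
    $ntuser = Join-Path $profilePath 'NTUSER.DAT'
    if (-not (Test-Path $ntuser)) { continue }
    $tmp = "OneLaunchAudit_$sid"
    & reg.exe load "HKU\$tmp" $ntuser 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $profilePath"; continue }
    try {
        Test-OneLaunchHive -HiveRoot "Registry::HKEY_USERS\$tmp" -Label "$profilePath (offline)"
    } finally {
        # Release provider handles first, otherwise reg.exe unload reports the hive as in use
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$tmp" 2>&1 | Out-Null
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output "No OneLaunch registry artifacts found." }
```

Rows tagged "(offline)" are profiles the removal script would have missed; run the removal script while those users are logged on, or extend it with the same load/unload pattern.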
That’s All Folks
Thanks for visiting our blog! We hope you found this script useful. Feel free to CONTACT US if you have any questions or would like to learn more about our SERVICES. If you are a business looking to reduce your helpdesk call volume, increase end-user satisfaction and increase security, please reach out to us. We help businesses every day with these common problems by implementing passwordless multi-factor authentication from Secret Double Octopus. Interested in learning more? Take a look at the links and blog posts below to learn more about Secret Double Octopus and passwordless MFA.
Passwordless MFA: Enhancing Security without Complexity with Secret Double Octopus
Blog Post: Domain Joined Windows Machines with Secret Double Octopus Passwordless MFA
Blog Post: Securing Shared User Accounts with Secret Double Octopus Passwordless MFA