Help desk tickets flooded in: "My browser homepage changed," "weird toolbar I didn't install," "popups keep appearing." 30 machines infected with OneStart.ai - a PUP that hijacks browsers, injects ads, and reinstalls via scheduled tasks. Standard antivirus wasn't flagging it.

OneStart markets itself as a "productivity browser" but behaves like classic adware. Gets bundled with free software downloads and installs without clear consent.

The "uninstaller" only removes the visible app - leaves behind scheduled tasks, registry entries, and hidden folders that let it come back.

Users tried removing it. IT tried Control Panel uninstall. It kept coming back within hours.

Needed a script that kills all processes first, then removes scheduled tasks, then cleans files, then purges registry - in that exact order.

Comprehensive removal script using NirSoft UninstallView for initial uninstall, then manual cleanup of everything the uninstaller misses. Registry keys backed up before removal.

Safety: Registry keys backed up to C:\limehawk\registry_backup before deletion.

After script runs, browsers need manual reset:

Prevention measures implemented:

Dealing with PUPs or adware? We clean up infections and implement prevention.