Jump to content

Removal instructions for BookSource

Recommended Posts

  • Staff
What is Book Source?

The Malwarebytes research team has determined that Book Source is a Tech Support Scam. These scammers try to convince you to dial their number, so they can steal your data or get you to pay for their "services", which are ususlly not necessary or overly expensive.
This one uses a fake Windows Activation warning to lure you into calling them.


How do I know if my computer is affected by Book Source?

During install you may see this warning:


and afterwards you may this entry in your list of installed programs:


and these icons in your taskbar and on your desktop:


How did Book Source get on my computer?

Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an eBook download utility.

How do I remove Book Source?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Book Source?
  • No, Malwarebytes' Anti-Malware removes Book Source completely.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this potentially unwanted application.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Book Source scammer. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.



Technical details for experts

You may see these entries in FRST logs:

 () C:\Windows\Book Source\Book Source\Book Source.exe
 HKCU\...\Run: [Book Source] => C:\Windows\Book Source\Book Source\Book Source.exe [526848 2016-03-21] ()
 C:\Windows\Book Source

Book Source (HKLM-x32\...\Book Source (Version: - Book Source)
Alterations made by the installer:
File system details [View: All details] (Selection)
    In the existing folder C:\Users\{username}\Desktop
       Adds the file Book Source.lnk"="3/23/2016 8:37 AM, 1961 bytes, A
    Adds the folder C:\Windows\Book Source\Book Source
       Adds the file Book Source.exe"="3/21/2016 2:19 PM, 526848 bytes, A
       Adds the file Uninstall.exe"="3/23/2016 8:37 AM, 264754 bytes, A
       Adds the file Uninstall.ini"="3/23/2016 8:37 AM, 2822 bytes, A

Registry details [View: All details] (Selection)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Book Source]
       "DisplayIcon"="REG_SZ", "C:\Windows\Book Source\Book Source\Uninstall.exe"
       "DisplayName"="REG_SZ", "Book Source"
       "DisplayVersion"="REG_SZ", ""
       "EstimatedSize"="REG_DWORD", 773
       "HelpLink"="REG_SZ", "support@booksource.info"
       "InstallDate"="REG_SZ", "20160323"
       "InstallLocation"="REG_SZ", "C:\Windows\Book Source\Book Source\"
       "InstallSource"="REG_SZ", "C:\Users\{username}1\AppData\Local\Temp\is-ET0P8.tmp\"
       "Language"="REG_DWORD", 1033
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "Book Source"
       "UninstallString"="REG_SZ", "C:\Windows\Book Source\Book Source\Uninstall.exe"
       "URLInfoAbout"="REG_SZ", "www.booksource.info"
       "VersionMajor"="REG_DWORD", 1
       "VersionMinor"="REG_DWORD", 1
       "Book Source"="REG_SZ", "C:\Windows\Book Source\Book Source\Book Source.exe"
Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware

Scan Date: 3/23/2016
Scan Time: 9:06 AM
Logfile: mbamBookSource.txt
Administrator: Yes

Malware Database: v2016.03.23.02
Rootkit Database: v2016.03.12.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 371624
Time Elapsed: 5 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.BookSource, C:\Windows\Book Source\Book Source\Book Source.exe, 1516, Delete-on-Reboot, [af7f7d0e36630531964f5b39a16321df]

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.BookSource, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Book Source, Quarantined, [af7f7d0e36630531964f5b39a16321df], 

Registry Values: 1
PUP.Optional.BookSource, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Book Source, C:\Windows\Book Source\Book Source\Book Source.exe, Quarantined, [af7f7d0e36630531964f5b39a16321df]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.BookSource, C:\Windows\Book Source\Book Source, Delete-on-Reboot, [af7f7d0e36630531964f5b39a16321df], 
PUP.Optional.BookSource, C:\Windows\Book Source, Delete-on-Reboot, [af7f7d0e36630531964f5b39a16321df], 

Files: 5
Rogue.TechSupportScam, C:\Users\{username}\Desktop\component.exe, Quarantined, [240a4e3dbedb9b9bb81558bb986a8878], 
PUP.Optional.BookSource, C:\Users\{username}\Desktop\Book Source.lnk, Quarantined, [9a94ddae5346d0663c98513c1fe523dd], 
PUP.Optional.BookSource, C:\Windows\Book Source\Book Source\Uninstall.ini, Quarantined, [af7f7d0e36630531964f5b39a16321df], 
PUP.Optional.BookSource, C:\Windows\Book Source\Book Source\Book Source.exe, Delete-on-Reboot, [af7f7d0e36630531964f5b39a16321df], 
PUP.Optional.BookSource, C:\Windows\Book Source\Book Source\Uninstall.exe, Quarantined, [af7f7d0e36630531964f5b39a16321df], 

Physical Sectors: 0
(No malicious items detected)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.