Remove the PastaLeads and PastaQuotes Adware

  • July 29, 2014

PastaLeads and PastaQuotes are adware programs that are commonly bundled with other free programs that you download from the Internet. PastaLeads generates leads for companies based on various search phrases. For example, if you search for health insurance, it will display a form where you enter your information, and the program will then send that lead to health insurance sales companies, who will contact you. It will also deliver leads for other search terms that include tech support, car insurance, life insurance, lawn care, etc. Though this may sound like a useful service, the program can be intrusive and will display ads whether you want it to or not. Furthermore, any information you enter will be given to various third-party companies that may use that information for marketing purposes.

When installed, PastaLeads creates a Windows service that constantly runs in the background and configures your web browser to use a proxy server. For the most part this adware is not difficult to remove, but there are cases where it doesn't properly uninstall. This is especially the case if the program is uninstalled but the proxy settings are not removed, which will leave your web browser unable to reach any sites. This guide will walk you through removing PastaLeads from your computer and web browsers using only free tools.

  • Tech Support search with PastaLeads ad
  • Car Insurance PastaLeads screen
  • Life Insurance PastaLeads screen

It is important to note that PastaLeads is not a computer infection that is installed through exploits or other infections, but rather is bundled along with free software that you download from the Internet. Therefore, it is important that you pay attention to the license agreements and installation screens when installing anything. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these, as they will typically disclose what other third-party software will also be installed and allow you to opt out of it. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you cancel the install and not use the free software.

Self Help Guide

This guide contains advanced information, but has been written in such a way so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.

  1. Print out these instructions as we will need to reboot your computer and you may not have access to your web browser for part of this process.
     
  2. Please log in as the user that is infected with PastaLeads. When your Windows desktop appears, click on the Start button and then select Control Panel.
     
  3. When in the Control Panel, double-click on one of the options below depending on your version of Windows:
    1. For Windows XP double-click on the Add or Remove Programs icon.
       
    2. For Windows Vista and Windows 7, double-click on the Uninstall Program option.
       
  4. When the Add or Remove Programs or the Uninstall Program screen is displayed, please scroll through the list of programs and double-click on each of the entries listed in bold below to uninstall them.

    PastaQuotes

    When you double-click on each of the above entries to uninstall them, please follow the default prompts and allow it to terminate the infection and remove the executable associated with the program. If it asks you to reboot, please do not do so. If you can't find the entry to uninstall, or when it is done uninstalling, please continue with the next step.
     
  5. This program may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. To fix this and to terminate any malware processes we want to download RKill. Please download RKill to your desktop from the following link:

    RKill Download Link - (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.
     
  6. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with PastaLeads and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by PastaLeads when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. Leaving the warning open will typically let you bypass the malware's attempt to protect itself, so that RKill can terminate PastaLeads. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

    Do not reboot your computer after running RKill as the malware programs will start again.

     
  7. Now you should download Emsisoft Anti-Malware, which will scan for and remove any other adware that may have been bundled with this adware. Please download and save the Emsisoft Anti-Malware setup program to your desktop from the link below:

    https://www.bleepingcomputer.com/download/emsisoft-antimalware/

    The download is fairly large, so please be patient while it downloads.
     
  8. Once the file has been downloaded, double-click on the EmsisoftAntiMalwareSetup_bc.exe icon to start the program. If Windows Smart Screen issues an alert, please allow it to run anyway.

    If the setup program displays an alert about safe mode, please click on the Yes button to continue. You should now see a dialog asking you to agree to a license agreement. Please accept the agreement and click on the Install button to continue with the installation.
     
  9. You will eventually get to a screen asking what type of license you wish to use with Emsisoft Anti-Malware.


    Select License Screen

    If you have an existing license key or want to buy a new license key, please select the appropriate option. Otherwise, select the Freeware or Test for 30 days, free option. If you receive an alert after clicking this button that your trial has expired, just click on the Yes button to enter freeware mode, which still allows the cleaning of infections.
     
  10. You will now be at a screen asking if you wish to join Emsisoft's Anti-Malware network. Read the descriptions and select your choice to continue.
     
  11. Emsisoft Anti-Malware will now begin to update its virus detections.


    Downloading Updates

    Please be patient as it may take a few minutes for the updates to finish downloading.
     
  12. When the updates are completed, you will be at a screen asking if you wish to enable PUPs detection. We strongly suggest that you select Enable PUPs Detection to protect your computer from nuisance programs such as toolbars and adware.
     
  13. You will now be at a screen asking what type of scan you would like to perform.



    Scan selection screen

    Please select the Full Scan option to begin scanning your computer for infections. The Full Scan option will take the longest time to scan your computer, but will also be the most thorough. As you are here to clean infections, it is worth the wait to make sure your computer is properly scanned.
     
  14. Emsisoft Anti-Malware will now start to scan your computer for rootkits and malware. Please note that the detected infections in the image below may be different than what this guide is for.



    Scanning screen

    Please be patient while Emsisoft Anti-Malware scans your computer.
     
  15. When the scan has finished, the program will display the scan results, which show what infections were found. Please note, due to an updated version of Emsisoft Anti-Malware, the screenshot below may look different than the rest of the guide.



    Scan Results


    Now click on the Quarantine Selected button, which will remove the infections and place them in the program's quarantine. You will now be at the last screen of the Emsisoft Anti-Malware setup program, which you can close. If Emsisoft prompts you to reboot your computer to finish the clean up process, please allow it to do so. Otherwise you can close the program.
     
  16. As many rogues, adware, and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the PastaQuotes program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Emsisoft Anti-Malware to protect against these types of threats in the future.

View Associated PastaLeads Files

    %CommonAppData%\pastaleads\
    %CommonAppData%\pastaleads\errsent.config
    %CommonAppData%\pastaleads\instltm_20140729104649
    %CommonAppData%\pastaleads\ServiceConfig2.json
    %CommonAppData%\pastaleads\WinApp.config
    %ProgramFiles%\pastaleads\
    %ProgramFiles%\pastaleads\HtmlAgilityPack.dll
    %ProgramFiles%\pastaleads\Microsoft.Win32.TaskScheduler.dll
    %ProgramFiles%\pastaleads\Newtonsoft.Json.dll
    %ProgramFiles%\pastaleads\PastaLeadsService.exe
    %ProgramFiles%\pastaleads\RestSharp.dll
    %ProgramFiles%\pastaleads\ScheduledTask.exe
    %ProgramFiles%\pastaleads\uninstall.exe
    %ProgramFiles%\pastaleads\images\
    %ProgramFiles%\pastaleads\images\logo_256.ico
    %System%\config\pastalea.evt
    %Temp%\ttt

File Location Notes:

%System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP/Vista/7/8.

%ProgramFiles% refers to the Program Files folder. The path to this folder is C:\Program Files\ or C:\Program Files (X86)\ depending on whether the version of Windows or the program being installed is 32-bit or 64-bit.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8.

%CommonAppData% refers to the Application Data folder for the All Users Profile. By default, this is C:\Documents and Settings\All Users\Application Data for Windows 2000/XP and C:\ProgramData\ in Windows Vista, Windows 7, and Windows 8.


View Associated PastaLeads Registry Information

    HKEY_USERS\.DEFAULT\Software\Microsoft\KanarCore
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pastaleads
    HKEY_LOCAL_MACHINE\SOFTWARE\NpApp
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pastaleadsServiceCore
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "MigrateProxy" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "<-loopback>"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:8800;https=127.0.0.1:8800;"
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings "ProxySettingsPerUser" = "0"
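
The broken-browsing case described at the top of this guide (program uninstalled, proxy settings left behind) can be confirmed from the registry values listed above. The PowerShell script below is an added example, not part of the original guide or of any tool it mentions; the -Fix switch and the extra check of the per-user HKCU key are assumptions made for the example, and it does not delete files or the service, which the steps above handle.

```powershell
# Added example: read-only audit of the PastaLeads artifacts listed on this page.
# -Fix (hypothetical switch) disables the leftover loopback proxy; needs an elevated prompt.
param([switch]$Fix)

$adwareProxy = '127.0.0.1:8800'            # from the ProxyServer value listed above
$serviceName = 'pastaleadsServiceCore'     # from the Services key listed above
$inetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'  # assumption: per-user copy
)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Is the background service still registered?
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) { "Service ${serviceName}: $($svc.Status)" } else { "Service ${serviceName}: not installed" }

# 2. Are the install folders still on disk?
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
           [Environment]::GetFolderPath('CommonApplicationData')) | Where-Object { $_ }
foreach ($root in $roots) {
    $dir = Join-Path $root 'pastaleads'
    if (Test-Path $dir) { "Leftover folder: $dir" }
}

# 3. Is anything actually listening on the proxy port (8800)?
$listening = [bool](netstat -ano | Select-String ':8800\s+\S+\s+LISTENING')
"Listener on port 8800: $listening"

# 4. Does Internet Settings still point at the adware proxy?
foreach ($key in $inetKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p -or $p.ProxyEnable -ne 1 -or "$($p.ProxyServer)" -notlike "*$adwareProxy*") { continue }
    "Adware proxy enabled in $key -> $($p.ProxyServer)"
    if (-not $listening) { '  Nothing is listening there, so browsing fails until this is cleared.' }
    if ($Fix) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer, ProxyOverride -ErrorAction SilentlyContinue
        "  Proxy disabled in $key"
    }
}

# 5. Report the policy that forces one machine-wide proxy for every user (not changed here).
$pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($pol -and $pol.ProxySettingsPerUser -eq 0) {
    'ProxySettingsPerUser = 0 under Policies (machine-wide proxy enforced); review before removing'
}
```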

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus,Trojan,Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.
