PUP:MSIL/GameHackBy is a potentially unwanted program (PUP) that masquerades as a game-cheating utility or trainer, promising players the ability to modify video games for unlimited resources, invincibility, or other advantages. Written in Microsoft Intermediate Language (MSIL/.NET), this software typically delivers far more than advertised cheats—it often installs adware, browser hijackers, or information-stealing components onto your system. What begins as a shortcut to in-game success frequently ends with a compromised PC exhibiting slow performance, unwanted browser redirects, and privacy violations.

PUP:MSIL/GameHackBy — cybersecurity illustration
Photo by Daniil Komov on Pexels

While technically classified as a PUP rather than outright malware, GameHackBy variants blur this distinction by employing deceptive installation practices, resisting removal attempts, and frequently bundling genuinely malicious payloads. The MSIL designation indicates .NET framework dependency, making it cross-compatible across Windows versions but also easily reverse-engineered—a characteristic that has led to numerous repackaged variants circulating through game-hacking forums and torrent sites.

Think you're infected right now? Disconnect from the internet immediately if you're experiencing unexplained browser redirects or pop-ups. Don't enter passwords or financial information until the machine is cleaned. Call us at (770) 667-9810 or bring your computer to our Roswell shop—we'll diagnose the infection at no charge and provide a flat-rate quote for complete removal with our 90-day reinfection warranty.

Threat Profile

Attribute Details
Family GameHackBy/Game-Cheat PUP cluster
Aliases MSIL/GameHackBy, PUA.GameHack, Misleading:Win32/GameHackBy, HackTool:MSIL/Cheater (varies by vendor)
Platform Windows (all versions with .NET Framework 3.5+)
Discovered Variants circulating since at least 2018, continuously updated
Distribution Bundled installers, game-cheat websites, torrent sites, YouTube video descriptions, social media links
Persistence Mechanisms Registry Run keys, Scheduled Tasks, browser extensions, startup folder shortcuts
Primary Capabilities Adware injection, browser modification, data collection, payload delivery, system modification
Typical Filesystem Artifacts %APPDATA%\GameHackBy\, %LOCALAPPDATA%\[random GUID]\, %TEMP%\[installer remnants], browser extension folders
Registry Modifications HKCU\Software\GameHackBy, Run/RunOnce keys, browser policy keys, proxy settings
Network Behavior C2 beaconing (typical for this family), ad network connections, tracking pixel loads, affiliate redirect chains
Data at Risk Browser history, search queries, system information, game account credentials (varies by variant)
Removal Difficulty Moderate—uses watchdog processes and reinstallation triggers common to this PUP family

How It Spreads

GameHackBy's distribution model exploits the gaming community's desire for competitive advantages. Creators of these PUPs specifically target players searching for cheats, trainers, or mods for popular titles like Fortnite, Roblox, Minecraft, Counter-Strike, and mobile game emulators. The software is packaged with names like "Ultimate Game Trainer," "UnlimitedCoins Generator," or "God Mode Enabler" and promoted through channels where gamers congregate.

The infection chain typically begins on a third-party website promising free game cheats. These sites use search engine optimization to rank highly for queries like "[game name] free cheats" or "how to get unlimited [in-game currency]." Many feature convincing screenshots, fake user testimonials, and download counters to establish legitimacy. YouTube videos demonstrating the "working cheat" further drive traffic, with malicious download links buried in video descriptions or pinned comments.

Common distribution vectors include:

  • Bundled installers: Downloaded as "GameCheat_Setup.exe" or similar, the installer presents legitimate-looking EULA screens while pre-checking boxes to install "recommended software" that includes GameHackBy components
  • Torrent packages: Uploaded to torrent sites as part of game cracks or trainers, often with inflated seeders/leechers to appear trustworthy
  • Social media links: Shared in Discord servers, Reddit threads, or gaming forums by compromised accounts or paid promoters
  • Fake update notifications: Browser pop-ups claiming you need to update Flash Player, Java, or video codecs to use the cheat, where the "update" is GameHackBy
  • Repackaged legitimate tools: Actual working trainers or mods bundled with the PUP by third-party redistributors
  • Malvertising: Ads on game-related websites that mimic download buttons or system warnings

What It Does On Your Machine

Upon execution, GameHackBy typically presents a functional-looking interface that may even deliver some basic game-modification capability—just enough to convince users it's legitimate while its background processes get to work. The installer requests administrative privileges (a red flag for software that should only modify game memory), which it uses to embed itself deeply into the system. Within minutes, multiple components are dropped across the filesystem and registry, establishing persistence mechanisms that survive basic uninstallation attempts.

The primary behavior is aggressive advertising. Your browser becomes a revenue stream for the PUP's operators through multiple techniques: homepage and search engine hijacking redirects all searches through affiliate networks that pay per query; new tabs open to advertising landing pages; in-page ads are injected into legitimate websites you visit; and pop-unders open in the background, generating click revenue without immediate detection. These modifications often involve browser extensions installed without permission, proxy settings that route traffic through monetization servers, and modified shortcuts that launch the browser with command-line flags pointing to advertiser pages.

Data collection runs parallel to ad injection. Variants in this family commonly track your browsing habits, search terms, clicked links, and the software installed on your machine. This telemetry gets bundled and sold to data brokers or used to refine the advertising you're shown. More concerning variants specifically monitor for game-related credentials—if you enter login information for Steam, Epic Games, or other gaming platforms while infected, that data may be exfiltrated to command-and-control servers. The .NET framework makes it trivial for these PUPs to include keylogging or form-grabbing modules that capture anything typed in browser windows.

System performance degradation becomes noticeable within days. The background processes consume memory and CPU cycles even when you're not gaming, with typical installations running three to five persistent processes. Browser responsiveness suffers dramatically due to the overhead of injecting ads into every page. Startup time increases as the PUP's scheduled tasks and autorun entries compete for resources. Some users report their antivirus being disabled or Windows Defender real-time protection mysteriously turning off—behavior typical for PUPs that include components to suppress security software.

Typical Filesystem and Registry Artifacts
Filesystem locations (common for this family): C:\Users\[YourName]\AppData\Roaming\GameHackBy\GameHackBy.exe C:\Users\[YourName]\AppData\Local\{3F2E9B4A-C8D1-4F7E-A9B2-1D5E8F6C9A3B}\updater.exe C:\Users\[YourName]\AppData\Local\Temp\ghb_install_tmp\ C:\Program Files (x86)\GameHackBy\ (if installed system-wide) Browser extensions: Chrome: C:\Users\[YourName]\AppData\Local\Google\Chrome\User Data\Default\Extensions\[random_id]\ Firefox: C:\Users\[YourName]\AppData\Roaming\Mozilla\Firefox\Profiles\[profile].default\extensions\ Registry persistence (typical locations): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GameHackBy" = "C:\Users\[...]\AppData\Roaming\GameHackBy\GameHackBy.exe" HKEY_CURRENT_USER\Software\GameHackBy (configuration data, install ID, C2 server addresses) Scheduled Tasks: Task: "GameHackBy Updater" - runs hourly to reinstall if removed Task: "{Random GUID}" - launches at logon, points to updater.exe Browser modifications: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = "http://[affiliate-redirect-domain].com" HKEY_CURRENT_USER\Software\Policies\Google\Chrome\ (forced extensions, proxy settings, homepage locks)

Manual Removal — Step by Step

01

Disconnect from the Internet

Unplug your Ethernet cable or disable Wi-Fi before proceeding. This prevents the PUP from downloading additional components, communicating with command-and-control servers, or triggering cloud-based reinstallation mechanisms that some variants use. Complete the entire removal process offline.

02

Boot into Safe Mode with Networking

Restart your computer and repeatedly press F8 (or Shift+F8 on newer systems) during boot. Select "Safe Mode with Networking" from the menu. This loads Windows with minimal drivers and prevents most PUP processes from auto-starting, including watchdog processes that monitor for removal attempts. If you can't access F8, use Settings > Update & Security > Recovery > Advanced Startup > Restart Now, then Troubleshoot > Advanced Options > Startup Settings > Restart > press 5 for Safe Mode with Networking.

03

Uninstall via Programs and Features

Open Control Panel > Programs and Features (or Settings > Apps on Windows 10/11). Sort by install date and look for unfamiliar programs installed around the time symptoms started—GameHackBy may appear under its own name or disguised as "Game Optimizer," "PC Speed Booster," or similar. Uninstall anything suspicious, but understand this step rarely removes everything; it's just the starting point. Watch for uninstaller screens offering to "keep your settings" or install "replacement software"—decline everything.

04

Terminate Remaining Processes

Open Task Manager (Ctrl+Shift+Esc) and examine the Processes tab. Look for unfamiliar processes, especially those running from AppData\Roaming or AppData\Local with random names or GUIDs. Right-click suspicious entries, select "Open file location," then end the process. Note the file paths—you'll delete these folders shortly. GameHackBy variants often run two to three watchdog processes that restart each other, so you may need to terminate them simultaneously by selecting all related processes and clicking "End Task" once.

05

Remove Persistence Mechanisms

Press Win+R, type "taskschd.msc" and hit Enter to open Task Scheduler. Expand Task Scheduler Library and look for tasks with names like "GameHackBy Updater," random GUIDs, or anything referencing the file paths you noted earlier. Right-click and delete them. Next, press Win+R again, type "regedit" and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete any entries pointing to GameHackBy executables or suspicious AppData locations. Also check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and the same paths under HKEY_LOCAL_MACHINE for system-wide installations.

06

Delete Program Folders and Files

Navigate to the folders you identified earlier—typically C:\Users\[YourName]\AppData\Roaming\GameHackBy\ and any random GUID folders in AppData\Local. Delete these entire folders. Also check C:\Program Files and C:\Program Files (x86) for GameHackBy directories. Empty your Recycle Bin afterward. If you encounter "file in use" errors, the associated processes weren't fully terminated in step 4—return to Task Manager and verify they're gone before proceeding.

07

Reset Browser Settings

For Chrome: Settings > Reset settings > Restore settings to their original defaults. For Firefox: Help > More Troubleshooting Information > Refresh Firefox. For Edge: Settings > Reset settings > Restore settings to their default values. This removes forced extensions, proxy configurations, and homepage locks. Manually verify your homepage and search engine afterward—navigate to browser settings and confirm they're set to your preferred choices. Check installed extensions (chrome://extensions or about:addons) and remove anything unfamiliar that survived the reset.

08

Run Malwarebytes or Similar Scanner

Download Malwarebytes Free (from malwarebytes.com only—search results may show fake sites) and run a full Threat Scan. This catches components that manual removal missed, particularly registry entries, browser policy modifications, and secondary payloads that GameHackBy may have installed. Quarantine everything detected. If Malwarebytes won't install or run, the PUP likely modified system policies—bring the machine to our shop, as this indicates a more aggressive infection requiring specialized tools.

09

Change Passwords (If Data Theft Suspected)

If you logged into any gaming platforms, email, or financial sites while infected, change those passwords from a different, known-clean device. Some GameHackBy variants specifically target Steam, Epic Games, and Discord credentials. Enable two-factor authentication on all gaming and email accounts if you haven't already—this prevents unauthorized access even if passwords were compromised.

10

Reboot Normally and Verify

Restart your computer into normal mode (not Safe Mode) and reconnect to the internet. Monitor behavior for 24-48 hours: verify your browser homepage and search engine remain correct, watch for unexpected pop-ups or redirects, check Task Manager for suspicious processes, and confirm Windows Defender or your antivirus is running properly. Run another Malwarebytes scan after two days to catch anything using delayed activation. If symptoms return, the infection was more complex than typical for this PUP—professional removal is warranted.

Prevention

  1. Abandon the cheat-seeking behavior. Game cheats and trainers are the single highest-risk software category for PUP infection. Beyond malware risks, using cheats violates terms of service for virtually all online games and leads to account bans. The competitive advantage isn't worth the security and financial consequences.
  2. Download software only from official sources. Game mods and trainers should come exclusively from verified developer websites, Steam Workshop, Nexus Mods with high endorsement counts, or GitHub repositories with substantial community vetting. Never download executables from YouTube video descriptions, torrent sites, or forums where anyone can post.
  3. Scrutinize installers before clicking "Next." Read every screen during installation. Uncheck any boxes offering to install additional software, change your homepage, or add browser extensions. Legitimate software doesn't bundle third-party offers. If an installer won't proceed without accepting bundled software, cancel and delete it—it's malicious by design.
  4. Keep Windows Defender or quality antivirus active. Don't disable real-time protection even temporarily. Modern security software catches most PUP installers before execution if you haven't deliberately overridden warnings. If software you're trying to install triggers antivirus alerts, that's a hard stop—do not proceed.
  5. Run a standard user account for daily activities. Create a separate administrator account used only for software installation and system changes. This limits PUP damage when infections occur, as malware running under standard user privileges cannot modify system-wide settings, install services, or create admin-level scheduled tasks.
  6. Use browser extensions that block deceptive ads. Install uBlock Origin (not uBlock—different extension) from official browser stores. This blocks most malvertising and fake download buttons that redirect to PUP installers. Combine with HTTPS Everywhere to reduce exposure to compromised sites.
  7. Enable "Show file extensions" in Windows Explorer. Many PUPs disguise themselves with double extensions like "GameCheat.pdf.exe" that appear as "GameCheat.pdf" when extensions are hidden. File Explorer > View > Options > View tab > uncheck "Hide extensions for known file types." Be suspicious of executable files (.exe, .scr, .bat, .cmd, .msi) arriving from unexpected sources.
  8. Educate younger family members specifically. Kids and teenagers are disproportionately targeted because they actively seek game cheats and lack experience recognizing malicious software. Have explicit conversations about the risks, show them examples of fake cheat sites, and establish a rule that all game-related downloads require adult approval before installation.
Our 90-Day Reinfection Warranty: When Computer Repair Roswell cleans your machine, we guarantee it stays clean. If the same malware returns within 90 days, we'll remove it again at absolutely no charge. We use professional-grade tools and techniques that go far beyond consumer antivirus, and we verify removal with multiple scanners before returning your system. This isn't a quick fix—it's a complete remediation with accountability.

Bring It In

PUP infections like GameHackBy often hide components that manual removal misses. Registry modifications scattered across multiple hives, browser policies enforced through Group Policy Objects, scheduled tasks with randomized names, and secondary payloads installed before you realized something was wrong—these require professional-grade tools and experience to eliminate completely. Our technicians at Computer Repair Roswell see these infections daily and know the patterns, the hiding spots, and the removal techniques that actually work.

We're located at 700 Houze Way in Roswell, open Monday through Friday 9am-6pm, with Saturday appointments available by request. Call us at (770) 667-9810 to describe your symptoms—we'll let you know immediately if you need to bring it in or if phone guidance might resolve it. Diagnostic evaluation is always free, and our flat-rate malware removal service includes the 90-day warranty plus a full security audit to prevent reinfection. Don't spend your weekend fighting a PUP that keeps coming back—let professionals handle it correctly the first time.