I bought a “Renewed” Dell Latitude 7420 on Amazon. Three days after I powered it on for the first time, a popup appeared on my screen asking me to “Choose a recommended antivirus to secure your data” — a documented scareware pattern, branded PC App Store.
That popup is what kicked off the forensic work. What I found, layer by layer, is the kind of thing Amazon’s Renewed program standards explicitly forbid. Allegedly preinstalled adware. Allegedly preinstalled residential proxy software. A 21-minute manual install sequence on the seller’s bench, recorded in the laptop’s own Prefetch directory, 84 days before I logged in for the first time.
Independently confirmed by Malwarebytes: 15 threats across three PUP (potentially unwanted program) families.
A BBB complaint has been filed against Amazon.com for failure to police its own Renewed program standards. Status updates will be appended to this article as the case develops.
Here is everything I found, with the receipts.
What I bought
On May 1, 2026, I placed an Amazon order for a Dell Latitude 7420 Business Laptop, sold under the Amazon Renewed program — Amazon’s official refurbished-electronics tier with its own published quality standards. Specs as listed: 11th Gen Intel Core i7-1185G7, 32GB RAM, 512GB SSD, 14" FHD touchscreen, Windows 11 Pro, carbon fiber finish.
The package was delivered to my front door in Port Orange, Florida on May 3, 2026. Order total: $489.89 ($459.99 plus tax). The order was sold and shipped by a third-party seller — ElectronicsBazaar Store, a doing-business-as name for the legal entity Kay Kay Overseas Corporation. The transaction is covered by the Amazon A-to-z Guarantee.
I powered it on the evening of delivery, set up my Microsoft account, installed my normal working tools, and got to work. Standard new-laptop-day routine.
What I found three days later
May 6, 2026, around 4:30 AM. I’d left the laptop running overnight. When I came back to it, this was on my screen:
“Choose a recommended antivirus to secure your data.” Powered by PC App Store™.
I’ve been doing web work since 2009. I know what scareware looks like. I know I didn’t install anything called PC App Store. So I asked the obvious question: where did this come from, and when did it get here?
That’s where the forensic trail starts.
The 21-minute smoking gun
Windows keeps a folder called Prefetch at C:\Windows\Prefetch. Every time an executable runs, Windows writes a .pf file logging when it ran. The Prefetch creation timestamp on a .pf file is the time that program was executed for the first time on this Windows install.
Prefetch is forensic gold because it can’t be easily faked, it’s enabled by default, and it survives unless someone deliberately wipes it. The seller didn’t wipe it.
The full Prefetch timeline — every executable that ran on this laptop, in order, since the seller wiped and reinstalled Windows on Feb 3, 2026. The 9:50 AM → 10:11 AM block on Feb 10 is the smoking gun.
The full timeline, every entry pulled directly from Prefetch and file system metadata:
| Date | Time | Event |
|---|---|---|
| 2/3/2026 | 5:50 AM | Fresh Windows install completed (OOBENETWORKCONNECTIONFLOW.EXE) |
| 2/9/2026 | 5:39 AM – 7:16 AM | Hardware QA tools run (HDSentinel, BurnInTest, KeyboardTest, LCDTest, BIOEnrollment, MSINFO32) |
| 2/9/2026 | 8:24 AM | C:\ProgramData\BrightData folder created |
| 2/9/2026 | 8:24 AM | C:\Program Files (x86)\Bright VPN folder created |
| 2/10/2026 | 9:50:08 AM | PCAPPSTORE.EXE first execution |
| 2/10/2026 | 9:53:42 AM | REGEDIT.EXE opened — manual registry editing |
| 2/10/2026 | 10:11:19 AM | CMD.EXE opened — manual command prompt |
| 2/10/2026 | 10:11:29 AM | BRIGHT VPN.EXE first execution |
| 2/16 + 2/26/2026 | — | Additional QA passes by seller |
| 5/3/2026 | 8:01:10 PM | My first logon (FIRSTLOGONANIM.EXE) |
| 5/6/2026 | 3:29 AM | UPDATER executes silently while laptop in standby |
| 5/6/2026 | 4:29 AM | PCAPPSTORE.EXE last execution — scareware popup to me |
Read that timeline carefully.
February 10, 2026, 9:50:08 AM: PC App Store runs for the first time on this laptop.
February 10, 2026, 10:11:29 AM: Bright VPN runs for the first time on this laptop.
That’s 21 minutes and 21 seconds apart. REGEDIT and CMD are opened in between. Someone sat at this laptop, executed an adware installer, opened the registry editor, opened a command prompt, and then executed a residential proxy installer. By hand. In sequence.
The seller did the fresh Windows install themselves on February 3rd. Seven days later, they sat at their bench and installed this software on a clean OS. There was no previous owner. There is no plausible explanation other than a refurbisher manually loading these programs onto a laptop they were preparing to sell as Amazon Renewed — “as-new” condition.
I didn’t power this laptop on for the first time until May 3, 2026 at 8:01 PM.
That’s an 84-day gap.
Filtered PowerShell query showing PC App Store’s original Feb 10 install and the cascade of UPDATER executions starting the moment I powered the laptop on. The 5/6 4:29:19 AM entry is the scareware popup.
What was actually installed
PC App Store — adware / PUP
PC App Store is documented adware. Industry signatures and writeups exist from major vendors:
- Trend Micro Knowledge Base article tmka-12075 covers PC App Store removal.
- Malwarebytes signature:
PUP.Optional.PCAppStore. - BleepingComputer has covered the family in multiple removal guides.
Documented behaviors include scareware popups (the one I got), browser-search hijacking to Yahoo or DSR Search, persistence through scheduled tasks, and telemetry exfiltration.
Bright VPN — residential proxy software
This one’s worse, and most consumers don’t know what it actually is.
Bright VPN is a product of Bright Data Ltd. — the parent company of Hola VPN. If you remember the 2015 Hola botnet scandal (covered at adios-hola.org and across the security press), this is the same operator under a different brand.
The business model is straightforward and, I’d argue, allegedly nefarious when the user doesn’t understand it: your home internet connection becomes a commercial proxy exit node. Bright Data’s third-party customers — including web scrapers, marketing-data firms, and anyone else willing to pay — route their internet traffic through your residential IP address. Whatever they do online exits your house, attached to your name, on your bill.
If one of those customers is doing something abusive — credential stuffing, scraping copyrighted content, accessing geo-blocked services in ways that violate terms — the source IP that gets logged, complained about, or sued is yours. Not Bright Data’s.
This program was on my laptop, fully installed, before I had ever touched the machine.
Windows Settings confirms it: Bright VPN 1.557.755 by Bright Data Ltd., install date 2/9/2026 — 84 days before I powered on the laptop.
There is also forensic evidence in the Windows event logs of a service named BVPNPreinstallMonitorService, with workflow stages internally labeled exec, windows_audit, oobe, and autostart. That language is consistent with Bright Data’s commercial OEM preinstall partner program — which would mean the seller was being paid by Bright Data to silently install this on machines being sold to consumers. I cannot prove the contractual relationship from the laptop alone. I can prove the program ran. I can prove when it ran. The rest is inference.
Independent confirmation: Malwarebytes flagged 15 threats
I’m not asking anyone to take my Prefetch analysis on faith. So I ran a full scan with Malwarebytes — the industry-standard commercial anti-malware scanner used by enterprises and consumers worldwide.
It scanned 197,663 files and flagged 15 threats across three PUP families, every one of them matching what the manual forensics had already pinned:
Malwarebytes scan complete: 15 threats across three PUP families, 197,663 files scanned. Independent confirmation of what the manual Prefetch forensics already showed.
PUP.Optional.PCAppStore— registry persistence underHKU\...\SOFTWARE\PCAppStore.PUP.Optional.BrightData— fully installed program:C:\Program Files (x86)\Bright VPN\Bright VPN.exe, Start Menu shortcut,HKLM\...\Uninstall\registry entry, the works.PUP.Optional.VeryFast— a third unwanted program family I hadn’t even spotted in the manual analysis, deposited underC:\Users\<me>\AppData\Local\Temp\~NSUA.TMP\.
So now we have two independent forensic methods — manual Prefetch + commercial scanner — pointing to the same conclusion. Different tools. Same answer.
Amazon Renewed program standards — allegedly violated
This is the part Amazon corporate needs to read.
Amazon’s own Renewed program publishes specific quality standards. Among them, sellers participating in Renewed are required to ship products that:
- Have undergone a fresh OS install with no previous-user data.
- Contain no preinstalled adware, PUPs, or third-party software that wasn’t there from the manufacturer.
- Arrive in “as-new” condition — visually and functionally indistinguishable from new.
The forensic evidence on this laptop establishes that the seller did perform a fresh OS install on February 3, 2026. That part of the program standard, they followed.
Then — by my read of the timestamps — they injected adware and a residential proxy onto the clean OS seven days later. That allegedly violates the second standard. The third — “as-new condition” — falls automatically once you accept that a clean Dell laptop and a Dell laptop with a residential proxy phoning home aren’t the same product.
The seller is responsible regardless of whether they sourced the hardware from Dell, a corporate fleet refresh, a recycler, or anywhere else. The fresh Windows install and the alleged adware-injection sequence happened on the same bench, by the same hand, seven days apart.
The seller of record
Per the Amazon order detail page for this purchase, the seller is ElectronicsBazaar Store — a doing-business-as name for the legal entity Kay Kay Overseas Corporation.
Per the seller’s own About Seller blurb on Amazon, Kay Kay Overseas Corporation describes itself as a refurbisher of “premium and ’equal to new’ quality” PCs, and operates parallel storefronts on Amazon, eBay, and Newegg under the ElectronicsBazaar brand. The corporate name suggests a non-US legal domicile.
That detail matters for what comes next.
Why this is Amazon’s problem to fix
When I first started writing this up, the obvious move looked like: file regulatory complaints against the seller. BBB. State Attorney General. FTC. Maybe small claims.
That theory falls apart on contact with reality. Kay Kay Overseas Corporation is a foreign entity. BBB has no jurisdiction over foreign companies. State AG enforcement actions don’t reach them. Small-claims judgments against foreign defendants are uncollectable paper. Even a journalism-style exposé doesn’t move them, because they don’t trade on US brand reputation — they trade on Amazon’s brand reputation, under Amazon’s program standards, on Amazon’s marketplace.
So the question isn’t who Kay Kay Overseas Corporation answers to. It’s who Amazon answers to when one of their Renewed-program sellers ships compromised hardware to American consumers under Amazon’s “as-new condition” promise.
The answer is: Amazon is the only party with both the responsibility and the capability to act. Amazon owns the Renewed program. Amazon sets the standards. Amazon takes a cut of every sale. Amazon publishes the A-to-z Guarantee that’s supposed to protect buyers from exactly this kind of violation. And Amazon is a US-domiciled, publicly-traded company with a brand to protect, customer service that can issue replacements, and seller-trust infrastructure that can investigate this seller’s other Renewed inventory.
This complaint is with Amazon. Not Kay Kay Overseas Corporation.
What I’m asking Amazon for
- Replacement Dell Latitude 7420, in genuine “as-new” condition, shipped at no cost. Not a refund-after-return. The current laptop is forensic evidence and stays preserved as such.
- An audit of ElectronicsBazaar Store / Kay Kay Overseas Corporation’s other Amazon Renewed listings — particularly Dell Latitude inventory shipped during the same QA window (February 2026). If this seller is doing it once, they are doing it at scale.
- A pattern check across the broader Amazon Renewed marketplace for the
BVPNPreinstallMonitorServicesignature and PC App Store binary. Other consumers may be carrying this software right now without knowing. - Written confirmation that Amazon has investigated this seller’s Renewed-program compliance and taken appropriate action.
What you can do if this happened to you
If you bought a laptop, desktop, or phone through Amazon Renewed in the last 12 months and you’ve seen unexpected popups, browser redirects, slow performance, or a “Bright VPN” entry in your installed apps list — do not assume it’s a virus you picked up. Run these four things:
Open Settings → Apps → Installed apps. Sort by install date. Anything that says it was installed before you first powered the machine on did not come from you. Screenshot it.
Run Malwarebytes (free version is fine). Save the scan report.
Open PowerShell as Administrator and run:
Get-ChildItem C:\Windows\Prefetch -Filter *.pf | Sort-Object CreationTime | Select-Object Name, CreationTime, LastWriteTimeAnything older than your first logon is preinstalled, not yours.
File an Amazon A-to-z claim under “item materially different from description.” You can request a partial refund — meaning you keep the device and get money back. Amazon does grant partial A-to-z refunds in cases like this; most consumers don’t know to ask.
For a paper trail with teeth, file a BBB complaint against Amazon.com, Inc. (Seattle, WA) — not against the third-party seller. Frame it as Amazon’s failure to enforce its own Renewed program standards. BBB’s response window is 14 days and Amazon’s BBB-response team takes these seriously because they affect Amazon’s accreditation rating.
You can also email Amazon Executive Customer Relations at ecr@amazon.com (cc jeff@amazon.com) with the same evidence package — that path tends to get a real human at corporate to read it within a few business days.
Update log
May 6, 2026 — Initial publication. Forensic evidence, Malwarebytes scan, and Amazon order details documented above.
May 6, 2026 — BBB complaint filed against Amazon.com, Inc. naming ElectronicsBazaar Store (Kay Kay Overseas Corporation) as the seller of record. Filing identifies failure to enforce Renewed program standards and requests replacement, seller audit, and pattern check across the broader Renewed marketplace. Amazon’s standard BBB response window is 14 days.
This page will be updated with each material development: Amazon’s response, the seller’s response, regulatory acknowledgments, and any new evidence that surfaces.
If you bought a Renewed laptop from this seller — or you have screenshots showing the same BVPNPreinstallMonitorService or PC App Store install on your machine — contact Bowman Web Services. Your evidence helps build the pattern.
— Tommy Bowman Bowman Web Services LLC, Daytona Beach, Florida
Nothing on this page is a legal accusation. Every factual claim is documented above with timestamps, file paths, and tool output that anyone can independently verify on the same laptop. Inferences about seller intent are clearly labeled as inferences. The word “alleged” is used where a legal element of fraud, deception, or contractual violation is implied but has not been adjudicated.