
Removal instructions for DesktopSearch



What is DesktopSearch?

The Malwarebytes research team has determined that DesktopSearch is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by DesktopSearch?

You may see this entry in your list of installed programs:

warning4.png

and these warnings during install:

main.png

warning1.png

and you may see these icons on your desktop and in your taskbar:

icons.png

and this Scheduled Task:

warning3.png

How did DesktopSearch get on my computer?

Adware applications use different methods for distributing themselves. This particular one was downloaded from their site.

How do I remove DesktopSearch?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of DesktopSearch?

  • The shortcut called DesktopSearch on the desktop can be deleted if it belonged to the rogue.
  • This PUP creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the DesktopSearch adware. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

protection1.png

Technical details for experts

You will see these signs in a HijackThis log:

O4 - HKCU\..\Run: [DesktopSearch] C:\ProgramData\DesktopSearch\DesktopSearch.exe -ros
O23 - Service: DesktopSearch - Unique Solutions - C:\ProgramData\DesktopSearch\DesktopSearchService.exe

Possible signs in FRST logs:

(Unique Solutions) C:\ProgramData\DesktopSearch\DesktopSearchService.exe
() C:\ProgramData\DesktopSearch\DesktopSearch.exe
() C:\ProgramData\NetEngine\bin\D10\netengine.exe
() C:\ProgramData\NetEngine\bin\D10\netengine.exe
HKCU\...\Run: [DesktopSearch] => C:\ProgramData\DesktopSearch\DesktopSearch.exe [153568 2015-05-13] ()
R2 DesktopSearch; C:\ProgramData\DesktopSearch\DesktopSearchService.exe [2730976 2015-05-13] (Unique Solutions)
() C:\ProgramData\NetEngine
() C:\Users\{username}\Desktop\Desktop Search.lnk
() C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Desktop Search
() C:\ProgramData\DesktopSearch
DesktopSearch (HKLM\...\DesktopSearch) (Version: 3.0.54 - Unique Solutions)
Task: {0DD188F0-38FE-4A95-A01E-224E9639359D} - System32\Tasks\NetEngine => C:\ProgramData\NetEngine\bin\D10\netengine.exe [2015-05-13] () <==== ATTENTION

Alterations made by the installer:

Malwarebytes Anti-Malware log:

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
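
The HijackThis and FRST signs listed under "Technical details for experts" can be checked for automatically when triaging a submitted log. The following is an added example, not part of the original post or of any Malwarebytes tool: it flags Run-key, service and scheduled-task entries whose executable sits in the two install folders named in those logs. The `triage` function, the regexes and the `Example` entries in the sample are assumptions made for this illustration.

```python
import re

# Install folders named in this guide's HijackThis/FRST excerpts (lower-cased).
PUP_DIRS = ("c:\\programdata\\desktopsearch\\", "c:\\programdata\\netengine\\")

# Line shapes of the three persistence mechanisms, in both log formats.
KINDS = [
    ("run_key", re.compile(r"^(?:O4 - )?HK(?:CU|LM)\\\.+\\Run: \[(?P<name>[^\]]+)\]")),
    ("service", re.compile(r"^O23 - Service: (?P<name>.+?) - ")),   # HijackThis
    ("service", re.compile(r"^[RSU][0-5] (?P<name>[^;]+); ")),      # FRST
    ("task", re.compile(
        r"^Task: \{[0-9A-Fa-f-]{36}\} - System32\\Tasks\\(?P<name>.+?) => ")),
]
EXE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.exe', re.IGNORECASE)


def triage(log_text):
    """Return (kind, name, exe_path) for persistence entries inside PUP_DIRS."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, pattern in KINDS:
            m = pattern.match(line)
            if not m:
                continue
            # The executable path follows the entry name; trailing size/date
            # fields and command-line switches are ignored.
            exe = EXE.search(line, m.end())
            if exe and exe.group(0).lower().startswith(PUP_DIRS):
                hits.append((kind, m.group("name"), exe.group(0)))
            break
    return hits


# Constructed sample: the persistence lines quoted in this guide plus two
# made-up benign "Example" entries that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [DesktopSearch] C:\ProgramData\DesktopSearch\DesktopSearch.exe -ros
O4 - HKCU\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O23 - Service: DesktopSearch - Unique Solutions - C:\ProgramData\DesktopSearch\DesktopSearchService.exe
HKCU\...\Run: [DesktopSearch] => C:\ProgramData\DesktopSearch\DesktopSearch.exe [153568 2015-05-13] ()
R2 DesktopSearch; C:\ProgramData\DesktopSearch\DesktopSearchService.exe [2730976 2015-05-13] (Unique Solutions)
R2 ExampleSvc; C:\Program Files\Example\svc.exe [1024 2015-01-01] (Example Corp)
Task: {0DD188F0-38FE-4A95-A01E-224E9639359D} - System32\Tasks\NetEngine => C:\ProgramData\NetEngine\bin\D10\netengine.exe [2015-05-13] ()
"""

if __name__ == "__main__":
    for kind, name, exe in triage(SAMPLE_LOG):
        print(f"{kind:8} {name:14} {exe}")
```

Matching on the install folder rather than the entry name means the NetEngine task is caught even though it does not carry the DesktopSearch name.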