Manual Removal Guide for Elex.Desk365



Friday
2013-03-20, 13:19
The following instructions have been created to help you to get rid of "Elex.Desk365" manually.
Use this guide at your own risk; software is usually better suited to removing malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
Elex.Desk365 is malware that gets installed alongside other software while pretending to offer the freedom of choice to decline its installation. However, the carrier software cannot be installed without Elex.Desk365.

Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "CheckRun22find_uninstaller" and pointing to "*<$APPDATA>\CheckRun22find.exe*".
Entries named "Desk 365" and pointing to "<$PROGRAMFILES>\Desk 365\desk365.exe /autorun".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "CheckRun22find_uninstaller".
Products that have a key or property named "Desk 365".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$APPDATA>\CheckRun22find.exe".
The file at "<$APPDATA>\Desk 365\accelerate".
The file at "<$APPDATA>\Desk 365\desk_bkg_list.xml".
The file at "<$APPDATA>\Desk 365\desk_list.xml".
The file at "<$APPDATA>\Desk 365\desk_settings.ini".
The file at "<$APPDATA>\Desk 365\firstrun".
The file at "<$APPDATA>\Desk 365\process_mgr.xml".
The file at "<$APPDATA>\Desk 365\promote.xml".
The file at "<$APPDATA>\eDownload\22findhpnt_v2.exe".
The file at "<$APPDATA>\Microsoft\Internet Explorer\Quick Launch\22find.lnk".
The file at "<$COMMONPROGRAMS>\Desk 365\Desk 365.lnk".
The file at "<$COMMONPROGRAMS>\Desk 365\eUninstall.lnk".
The file at "<$DESKTOP>\22find.lnk".
The file at "<$LOCALAPPDATA>\Google\Chrome\User Data\Default\Extensions\newtab.crx".
The file at "<$LOCALSETTINGS>\Temp\V9Zip_003\Desk365.exe".
The file at "<$PROGRAMFILES>\Desk 365\desk_bkg_list.xml".
The file at "<$PROGRAMFILES>\Desk 365\desk_list.xml".
The file at "<$PROGRAMFILES>\Desk 365\desk_settings.ini".
The file at "<$PROGRAMFILES>\Desk 365\desk365.exe".
The file at "<$PROGRAMFILES>\Desk 365\deskSvc.exe".
The file at "<$PROGRAMFILES>\Desk 365\ebase.dll".
The file at "<$PROGRAMFILES>\Desk 365\edeskcmn.dll".
The file at "<$PROGRAMFILES>\Desk 365\eDhelper.exe".
The file at "<$PROGRAMFILES>\Desk 365\eDhelper64.exe".
The file at "<$PROGRAMFILES>\Desk 365\edis.dll".
The file at "<$PROGRAMFILES>\Desk 365\edis64.dll".
The file at "<$PROGRAMFILES>\Desk 365\ElexDbg.dll".
The file at "<$PROGRAMFILES>\Desk 365\eUninstall.exe".
The file at "<$PROGRAMFILES>\Desk 365\libpng.dll".
The file at "<$PROGRAMFILES>\Desk 365\main".
The file at "<$PROGRAMFILES>\Desk 365\ouilibnl.dll".
The file at "<$PROGRAMFILES>\Desk 365\process_mgr.xml".
The file at "<$PROGRAMFILES>\Desk 365\promote.xml".
The file at "<$PROGRAMFILES>\Desk 365\recent.xml".
The file at "<$PROGRAMFILES>\Desk 365\sqlite3.dll".
The file at "<$PROGRAMFILES>\Desk 365\svc.conf".
The file at "<$PROGRAMFILES>\Desk 365\TrayDownloader.exe".
The file at "<$PROGRAMFILES>\Desk 365\zlib1.dll".
The file at "<$PROGRAMFILES>\Mozilla Firefox\searchplugins\22find.xml".
The file at "<$SENDTO>\Desk 365.lnk".
Make sure you set your file manager to display hidden and system files. If Elex.Desk365 uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$APPDATA>\Desk 365".
The directory at "<$APPDATA>\eDownload".
The directory at "<$COMMONPROGRAMFILES>\337".
The directory at "<$COMMONPROGRAMS>\Desk 365".
The directory at "<$LOCALSETTINGS>\Temp\Desk365".
The directory at "<$LOCALSETTINGS>\Temp\V9Zip_003".
The directory at "<$PROGRAMFILES>\Desk 365".
Make sure you set your file manager to display hidden and system files. If Elex.Desk365 uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{33BB0A4E-99AF-4226-BDF6-49120163DE86}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\".
Delete the registry key "deskSvc" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "desksvc" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
Delete the registry key "desksvc" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\".
Delete the registry key "desksvc" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\".
Delete the registry key "desksvc" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\".
Delete the registry key "findSoftware" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "ijblflkdjdopkpdgllkmlbgcffjbnfda" at "HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\".
Delete the registry key "lnkguard" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "V9" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
If Elex.Desk365 uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer).

Please check your bookmarks for links to "http://www.22find.com".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.
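
Added example (not part of the original post and not Spybot code): a read-only PowerShell check that reports which of the folders, registry keys and autorun entries listed in the guide are still present, for use before and after cleanup. The mapping of the `<$...>` placeholders to Windows special folders, the choice of the standard Run keys for the autorun entries, and the extra WOW6432Node checks are assumptions that go beyond the guide.

```powershell
# Read-only audit of artefacts named in the guide. It reports; it deletes nothing.
# Assumption: Spybot's <$NAME> placeholders correspond to these Windows special folders.
$folder = @{
    APPDATA            = [Environment]::GetFolderPath('ApplicationData')
    PROGRAMFILES       = [Environment]::GetFolderPath('ProgramFiles')
    COMMONPROGRAMFILES = [Environment]::GetFolderPath('CommonProgramFiles')
    COMMONPROGRAMS     = [Environment]::GetFolderPath('CommonPrograms')
    LOCALSETTINGS      = [Environment]::GetFolderPath('LocalApplicationData')  # Vista+ stand-in
}
function Expand-GuidePath([string]$Path) {
    # Replace each <$NAME> token with the folder it is assumed to stand for.
    [regex]::Replace($Path, '<\$(\w+)>', { param($m) $folder[$m.Groups[1].Value] })
}

# Folder and registry locations copied from the guide.
$dirs = '<$APPDATA>\Desk 365', '<$APPDATA>\eDownload', '<$COMMONPROGRAMFILES>\337',
        '<$COMMONPROGRAMS>\Desk 365', '<$LOCALSETTINGS>\Temp\Desk365',
        '<$LOCALSETTINGS>\Temp\V9Zip_003', '<$PROGRAMFILES>\Desk 365'
$keys = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}',
        'HKCU:\Software\lnkguard',
        'HKLM:\SOFTWARE\deskSvc', 'HKLM:\SOFTWARE\findSoftware', 'HKLM:\SOFTWARE\V9',
        'HKLM:\SOFTWARE\Google\Chrome\Extensions\ijblflkdjdopkpdgllkmlbgcffjbnfda',
        'HKLM:\SYSTEM\ControlSet001\Services\desksvc',
        'HKLM:\SYSTEM\ControlSet001\Services\Eventlog\Application\desksvc',
        'HKLM:\SYSTEM\CurrentControlSet\Services\desksvc',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\desksvc'
# Added beyond the guide: on 64-bit Windows, 32-bit software writes under WOW6432Node.
$keys += ($keys -like 'HKLM:\SOFTWARE\*') -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\'

# Assumption: the autorun entries live in the standard Run keys.
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$runNames = 'CheckRun22find_uninstaller', 'Desk 365'

$report = @(
    foreach ($d in $dirs) {
        $p = Expand-GuidePath $d
        [pscustomobject]@{ Type = 'Folder'; Item = $p; Present = Test-Path -LiteralPath $p }
    }
    foreach ($k in $keys) {
        [pscustomobject]@{ Type = 'RegKey'; Item = $k; Present = Test-Path -LiteralPath $k }
    }
    foreach ($k in $runKeys) { foreach ($n in $runNames) {
        $v = (Get-ItemProperty -LiteralPath $k -Name $n -ErrorAction SilentlyContinue).$n
        [pscustomobject]@{ Type = 'Autorun'; Item = "$k -> $n"; Present = ($null -ne $v) }
    } }
)
$report | Sort-Object Present -Descending | Format-Table -AutoSize -Wrap
```

A match on name alone is not proof of infection, as the guide itself cautions; inspect each item reported as present before removing it.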