Jump to content

Removal instructions for Desktop-play


Recommended Posts

  • Staff

What is Desktop-play?

The Malwarebytes research team has determined that Desktop-play is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Desktop-play?

You may see this entry in your list of installed programs:

warning4.png

and this warning during install:

main.png

You can find this entry in your Startmenu:

icons.png

and expect this type of advertisments :

warning1.png

While this is the main window of the application itself:

warning2.png

How did Desktop-play get on my computer?

Adware applications use different methods for distributing themselves. This particular one was offered as a game portal.

More information can be found on our blog.

How do I remove Desktop-play?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.
Is there anything else I need to do to get rid of Desktop-play?
  • No, Malwarebytes' Anti-Malware removes Desktop-play completely.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this adware application.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Desktop-play adware. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

protection1.png

Technical details for experts

You will see these signs in a HijackThis log:

O4 - HKLM\..\Run: [dply_en_006010076] "C:\Program Files (x86)\dply_en_006010076\dply_en_006010076.exe"O4 - HKLM\..\RunOnce: [updply_en_006010076.exe] C:\Users\{username}\AppData\Local\dply_en_006010076\updply_en_006010076.exe -runonce
You may see these signs in FRST logs:

 () C:\Users\{username}\AppData\Local\dply_en_006010076\updply_en_006010076.exe () C:\Program Files (x86)\dply_en_006010076\dply_en_006010076.exe () C:\Program Files (x86)\dply_en_006010076\desktopplay_widget.exe HKLM-x32\...\Run: [dply_en_006010076] => C:\Program Files (x86)\dply_en_006010076\dply_en_006010076.exe [3978384 2015-08-31] () HKLM-x32\...\RunOnce: [updply_en_006010076.exe] => C:\Users\{username}\AppData\Local\dply_en_006010076\updply_en_006010076.exe [3310736 2015-08-31] () C:\Users\{username}\AppData\Local\dply_en_006010076 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DESKTOPPLAY C:\Program Files (x86)\dply_en_006010076Desktop-play 000.006010076 (HKLM-x32\...\dply_en_006010076_is1) (Version:  - DESKTOPPLAY)Setup (HKLM-x32\...\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}) (Version:  - )
Alterations made by the installer:

File system details [View: All details] (Selection)---------------------------------------------------    Adds the folder C:\Program Files (x86)\dply_en_006010076       Adds the file desktopplay_widget.exe"="24/08/2015 23:57, 10247312 bytes, A       Adds the file dply_en_006010076.exe"="31/08/2015 17:07, 3978384 bytes, A       Adds the file predm.exe"="31/08/2015 10:24, 397304 bytes, A       Adds the file unins000.dat"="02/09/2015 09:02, 114700 bytes, A       Adds the file unins000.exe"="02/09/2015 09:02, 711152 bytes, A       Adds the file unins000.msg"="02/09/2015 09:02, 11408 bytes, A    Adds the folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DESKTOPPLAY       Adds the file Desktopplay.lnk"="02/09/2015 09:02, 1138 bytes, A    Adds the folder C:\Users\{username}\AppData\Local\dply_en_006010076       Adds the file updply_en_006010076.cyl"="02/09/2015 09:05, 600 bytes, A       Adds the file updply_en_006010076.exe"="31/08/2015 17:08, 3310736 bytes, A       Adds the file user_profil.cyp"="02/09/2015 09:05, 1676 bytes, A    Adds the folder C:\Users\{username}\AppData\Local\dply_en_006010076\dply_en_006010076\1.10       Adds the file cnf.cyl"="02/09/2015 09:02, 131 bytes, A       Adds the file eorezo.cyl"="02/09/2015 09:12, 69 bytes, ARegistry details [View: All details] (Selection)------------------------------------------------    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DESKTOPPLAY\dply_en_006010076]       "PathInstall"="REG_SZ", "C:\Program Files (x86)\dply_en_006010076"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]       "dply_en_006010076"="REG_SZ", ""C:\Program Files (x86)\dply_en_006010076\dply_en_006010076.exe""    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]       "updply_en_006010076.exe"="REG_SZ", "C:\Users\{username}\AppData\Local\dply_en_006010076\updply_en_006010076.exe -runonce"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}]       "DisplayName"="REG_SZ", "Setup"    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\dply_en_006010076_is1]       "DisplayName"="REG_SZ", "Desktop-play 000.006010076"       "EstimatedSize"="REG_DWORD", 6258       "Inno Setup: App Path"="REG_SZ", "C:\Program Files (x86)\dply_en_006010076"       "Inno Setup: Icon Group"="REG_SZ", "DESKTOPPLAY"       "Inno Setup: Language"="REG_SZ", "en"       "Inno Setup: Setup Version"="REG_SZ", "5.5.5 (a)"       "Inno Setup: User"="REG_SZ", "{username}"       "InstallDate"="REG_SZ", "20150902"       "InstallLocation"="REG_SZ", "C:\Program Files (x86)\dply_en_006010076\"       "NoModify"="REG_DWORD", 1       "NoRepair"="REG_DWORD", 1       "Publisher"="REG_SZ", "DESKTOPPLAY"       "QuietUninstallString"="REG_SZ", ""C:\Program Files (x86)\dply_en_006010076\unins000.exe" /SILENT"       "UninstallString"="REG_SZ", ""C:\Program Files (x86)\dply_en_006010076\unins000.exe""    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tutorials]       "HostGUID"="REG_SZ", "B4589A39-5B42-4CBA-9A25-C11DAE8BDDD3"    [HKEY_CURRENT_USER\Software\Microsoft\Tinstalls]       "20150902"="REG_SZ", "1"    [HKEY_CURRENT_USER\Software\Tutorials\updatetutorialeshp]       "(Default)"="REG_SZ", "dply_en_006010076"       "MainDir"="REG_SZ", "C:\Users\{username}\AppData\Local\dply_en_006010076"       "version"="REG_SZ", "dply_en_006010076"    [HKEY_CURRENT_USER\Software\Tutorials\updatetutorialshp]       "MainDir"="REG_SZ", ""    [HKEY_CURRENT_USER\Software\Tutorials\updv]       "version"="REG_SZ", "15.08.31"    [HKEY_CURRENT_USER\Software\TutoTag]       "AgenceInstalledYet"="REG_SZ", "true"       "OnceInstalled"="REG_SZ", "en"       "OnceInstalled2"="REG_SZ", "en"
Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 02/09/2015Scan Time: 09:23Logfile: mbamDeskTopPlay.txtAdministrator: YesVersion: 2.1.8.1057Malware Database: v2015.09.02.01Rootkit Database: v2015.08.16.01License: PremiumMalware Protection: DisabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser: {username}Scan Type: Threat ScanResult: CompletedObjects Scanned: 331130Time Elapsed: 4 min, 12 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 3PUP.Optional.EoRezo, C:\Users\{username}\AppData\Local\dply_en_006010076\updply_en_006010076.exe, 884, Delete-on-Reboot, [8f8a7dae2f5c74c2fbdbfa9929dcae52]PUP.Optional.EoRezo, C:\Program Files (x86)\dply_en_006010076\dply_en_006010076.exe, 2928, Delete-on-Reboot, [3adf6fbc1e6dd462b026781b8283c838]PUP.Optional.EoRezo, C:\Program Files (x86)\dply_en_006010076\desktopplay_widget.exe, 3168, Delete-on-Reboot, [cd4ced3e018a04325185c5ce887d6997]Modules: 0(No malicious items detected)Registry Keys: 7PUP.Optional.Tuto4PC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\dply_en_006010076_is1, Quarantined, [ce4bb378ed9e2e08601b583b60a57987], PUP.Optional.DeskTopPlay, HKLM\SOFTWARE\WOW6432NODE\DESKTOPPLAY\dply_en_006010076, Quarantined, [948574b7d7b41c1a46bfccf427ddce32], PUP.Optional.Tuto4PC, HKLM\SOFTWARE\WOW6432NODE\TUTORIALS, Quarantined, [0712101be9a2a195461f496e47bdb848], PUP.Optional.Tuto4PC, HKCU\SOFTWARE\TutoTag, Quarantined, [e83180ab0e7d4aec9ec33384c34151af], PUP.Optional.Tuto4PC, HKCU\SOFTWARE\TUTORIALS\updatetutorialeshp, Quarantined, [b366df4ce6a576c049153a7d20e4d030], PUP.Optional.Tuto4PC, HKCU\SOFTWARE\TUTORIALS\updatetutorialshp, Quarantined, [6faa4cdfa8e32e083c23585ff4108878], PUP.Optional.Tuto4PC, HKCU\SOFTWARE\TUTORIALS\updv, Quarantined, [ee2bc7641d6e3600f8689b1cd1339d63], Registry Values: 3PUP.Optional.EoRezo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|updply_en_006010076.exe, C:\Users\{username}\AppData\Local\dply_en_006010076\updply_en_006010076.exe -runonce, Quarantined, [8f8a7dae2f5c74c2fbdbfa9929dcae52]PUP.Optional.EoRezo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|dply_en_006010076, "C:\Program Files (x86)\dply_en_006010076\dply_en_006010076.exe", Quarantined, [3adf6fbc1e6dd462b026781b8283c838]PUP.Optional.Tuto4PC, HKLM\SOFTWARE\WOW6432NODE\TUTORIALS|HostGUID, B4589A39-5B42-4CBA-9A25-C11DAE8BDDD3, Quarantined, [0712101be9a2a195461f496e47bdb848]Registry Data: 0(No malicious items detected)Folders: 5PUP.Optional.DeskTopPlay, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DESKTOPPLAY, Quarantined, [fc1d85a66922191dc044873926deaf51], PUP.Optional.DeskTopPlay, C:\Users\{username}\AppData\Local\dply_en_006010076, Delete-on-Reboot, [85941f0ccac139fd626d5ac6c1422bd5], PUP.Optional.DeskTopPlay, C:\Users\{username}\AppData\Local\dply_en_006010076\dply_en_006010076, Quarantined, [85941f0ccac139fd626d5ac6c1422bd5], PUP.Optional.DeskTopPlay, C:\Users\{username}\AppData\Local\dply_en_006010076\dply_en_006010076\1.10, Quarantined, [85941f0ccac139fd626d5ac6c1422bd5], PUP.Optional.DeskTopPlay, C:\Program Files (x86)\dply_en_006010076, Delete-on-Reboot, [1cfd6cbfc5c68ea8e9e78f91bf44de22], Files: 13PUP.Optional.EoRezo, C:\Users\{username}\AppData\Local\dply_en_006010076\updply_en_006010076.exe, Delete-on-Reboot, [8f8a7dae2f5c74c2fbdbfa9929dcae52], PUP.Optional.EoRezo, C:\Program Files (x86)\dply_en_006010076\dply_en_006010076.exe, Delete-on-Reboot, [3adf6fbc1e6dd462b026781b8283c838], PUP.Optional.EoRezo, C:\Program Files (x86)\dply_en_006010076\desktopplay_widget.exe, Delete-on-Reboot, [cd4ced3e018a04325185c5ce887d6997], PUP.Optional.Tuto4PC, C:\Users\{username}\Desktop\DeskTopPlay.exe, Quarantined, [8891c8634c3f3ef8c0bb7d169d68718f], PUP.Optional.Tuto4PC, C:\Program Files (x86)\dply_en_006010076\predm.exe, Quarantined, [cb4e77b445466ccaadce850e9f6622de], PUP.Optional.Tuto4PC, C:\Program Files (x86)\dply_en_006010076\unins000.exe, Quarantined, [ce4bb378ed9e2e08601b583b60a57987], PUP.Optional.DeskTopPlay, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DESKTOPPLAY\Desktopplay.lnk, Quarantined, [fc1d85a66922191dc044873926deaf51], PUP.Optional.DeskTopPlay, C:\Users\{username}\AppData\Local\dply_en_006010076\updply_en_006010076.cyl, Quarantined, [85941f0ccac139fd626d5ac6c1422bd5], PUP.Optional.DeskTopPlay, C:\Users\{username}\AppData\Local\dply_en_006010076\user_profil.cyp, Quarantined, [85941f0ccac139fd626d5ac6c1422bd5], PUP.Optional.DeskTopPlay, C:\Users\{username}\AppData\Local\dply_en_006010076\dply_en_006010076\1.10\cnf.cyl, Quarantined, [85941f0ccac139fd626d5ac6c1422bd5], PUP.Optional.DeskTopPlay, C:\Users\{username}\AppData\Local\dply_en_006010076\dply_en_006010076\1.10\eorezo.cyl, Quarantined, [85941f0ccac139fd626d5ac6c1422bd5], PUP.Optional.DeskTopPlay, C:\Program Files (x86)\dply_en_006010076\unins000.dat, Quarantined, [1cfd6cbfc5c68ea8e9e78f91bf44de22], PUP.Optional.DeskTopPlay, C:\Program Files (x86)\dply_en_006010076\unins000.msg, Quarantined, [1cfd6cbfc5c68ea8e9e78f91bf44de22], Physical Sectors: 0(No malicious items detected)(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.