Unwanted Sidebar On Desktop With "Dating, Gambling, Pharmacy, XXX, Spyware, Insurance" Buttons
12 replies to this topic

#1 Kzork (Members, 2 posts)

Posted 25 November 2005 - 11:49 PM

Also IE doesn't really want to work either, though Firefox seems fine. I'm on another user account right now, but I can try to get back on it and get a HJT log if it's needed. But I was hoping someone knew what this was.

Also it won't let me delete the account even in safe mode. I've used AdAware, Spybot S&D, Ewido, but nothing seems to beat it. In my system32 folder I have image files named after the buttons I listed ("pharmacy dating xxx insurance spyware etc") and also an idesk.conf file. I delete these in safe mode but they will come back when I restart and my cable modem is hooked up. Thank you in advance.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,141 posts, Virginia, USA)

Posted 26 November 2005 - 08:19 AM

> but I can try to get back on it and get a HJT log if it's needed.

That's probably your best course of action. I suggest you read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log.

When you have done that, post a log in the HijackThis Forum for assistance by the experts.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Hellion-MCP (Members, 2 posts)

Posted 29 November 2005 - 08:16 PM

Check your system processes (control + alt + delete, task manager, processes) for the process "idemlog.exe".

If you find that process listed, highlight it and click the "end process" button. The side bar should immediately disappear. You can now exit the task manager and return to your desktop.

Next, right click your start button, select "search" from the pop up menu, enter " idemlog " (without the quotes) in the box labeled " All or part of the file name", in the "Look in" drop down menu select "My Computer", and click the "search " button.

Delete every entry that matches "idemlog". Most likely, you will find two entries. One entry will be in the system32 folder, the other entry will be in the prefetch.

Next, hit the start button, select "run", and type "regedit" in the text box, then click "ok".


Next, in the left pane, highlight "My Computer". Now click the "edit" button, then select "Find". In the text box type in " idemlog " (without the quotes). Now hit the "find next" button. The computer will begin searching your registry for any entry matching "idemlog". Delete the entries as you find them. To continue the search after each deletion, press the F3 key. Continue deleting these entries until you get the "Finished searching through the registry" box.

Reboot the computer. You should find that the side bar is now gone.

***NOTE*** Editing your registry can be dangerous. It is always a good idea to back up the registry before you add, delete, or modify registry keys.

Hope that helps :thumbsup:

#4 Kzork (Topic Starter, Members, 2 posts)

Posted 30 November 2005 - 10:34 AM

I thank you guys for your replies but I seemed to have fixed it another way. First I want to clarify that when I said IE didn't work right, when you tried to type an address in like google.com, the text would be delayed from your keystrokes, and the webpage wouldn't load anyway.

What I did was download AVG Free, one of the few programs I hadn't used yet. It found several Trojan files, like Trojandownloader and other stuff like that, in a folder deep in the Java folder. So I made a note of the folder, went into safe mode and deleted it. Then I went into Windows/system32, and I deleted all the XXX, gambling, dating, spyware, insurance, pharmacy image files, the idesk.conf file, and anything that had the same date as those files. I hope this works for you guys too.

#5 usasma (BSOD Kernel Dump Expert, 25,090 posts, Southeastern CT, USA)

Posted 30 November 2005 - 10:36 AM

Thanks for letting us know! Keep a close eye for recurrences of this - some of these buggers have a way of respawning themselves!
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye.

If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,141 posts, Virginia, USA)

Posted 30 November 2005 - 12:18 PM

You may want to purge your old System Restore points and start with a fresh restore point. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside.

Read up on how to do this here:
http://www.bleepingcomputer.com/forums/ind...showtutorial=56
http://www.pchell.com/virus/systemrestore.shtml

#7 mplleafan (Members, 1 post)

Posted 30 November 2005 - 04:03 PM

> [Hellion-MCP's removal instructions from post #3, quoted in full]


I did exactly this and it still shows up. AVG ran and found no viruses. I ran AdAware and it cleaned what it found. Restore is off. XP Home. I deleted any occurrence of idemlog and search assistant (srchasst) where I could find it. All Run keys in the registry are free of anything. Active Desktop is off. Where is the crap coming from!

#8 quietman7 (Bleepin' Janitor, Global Moderator, 51,141 posts, Virginia, USA)

Posted 30 November 2005 - 05:10 PM

If the malware keeps returning despite your efforts, then again I suggest you post a Hijackthis log and seek expert help from the staff in that forum. In addition to analyzing your log, they use specialized fix tools to search for and remove hidden malware that does not always show in a HJT log.

#9 Hellion-MCP (Members, 2 posts)

Posted 30 November 2005 - 07:24 PM

When you searched the registry, did you search the entire registry or the Run keys only?

Typically when I see this kind of recurrence, the spyware has nested deeper in the registry.

#10 Audrey on Bleeping's Forums (Members, 1 post)

Posted 02 December 2005 - 10:37 PM

Hi Kzork, mplleafan, Hellion-MCP, usasma, quietman7.

I HAD the exact same problem. This is an extremely difficult pest to permanently remove. Read my initial post here (at SWI): http://forums.spywareinfo.com/index.php?showtopic=62461

My above post contains an intricately detailed description of everything I tried, and what happened when I tried it. This is a very new type of malware that has just started popping up. When I finally got rid of the vertical bitmap on my desktop, and my Avast 4.6 Home Edition said I was clean, I began to think it was true. But then I installed BitDefender's antivirus app from their website as a second test. BitDef. kept popping up messages saying explorer was trying to register something. I kept clicking NO to BD's prompt asking if I wanted to allow c:\winnt\Explorer.exe to do this. But each time I clicked NO, it popped back up right away (then I saw the checkbox saying to answer NO for all occurrences of this particular popup)! But, I could not expand the popup message's window to see what it was that c:\winnt\Explorer.exe was trying to do! BitDefender should have written their popup to display the exact string that the bad app would be attempting to put into my registry. Otherwise, how would I be able to make an informed decision as to whether Explorer.exe was being bad or being normal? I uninstalled BD shortly after I got rid of this malware. And other symptoms were that IE was hesitating when I'd type in a URL. It often said "page not found" but then I'd hit F5, and there the page would be, without any problems. So I knew, at that point, that my problem was still lurking somewhere in the deep bowels of Windows. I also could not run Spybot S&D to its conclusion even with Avast saying my PC was clean. SS&D still ran at about 3 checks every 30 seconds. Rerunning CWS 2.19 found nothing, though. So I decided to check for rootkits. Sure enough, F-Secure's BlackLight found those hiding files.

So, read this thread to find out how to get rid of this new pest:
http://forums.subratam.org/index.php?showtopic=6121

Follow AutoDad's instructions exactly! I had already gotten to the point where I downloaded and ran F-Secure's BlackLight. So I had seen the filenames that were hidden. That is how I came across AutoDad's instructions. Though I searched for 4 of the filenames listed in F-Secure, Google only located results containing the filenames of 2 out of those 4 hidden files which I had searched for. Just 2 results appeared in my Google search. AutoDad's reply was both of those results!

Question for anyone: What does it mean when someone writes the word/phrase "Bump" in a post? It seems to only get done by an admin or moderator of some sort. I don't understand what this means.

I would appreciate it if someone here would make a post back to let me know how things went with you after following the above directions at Subratam.

Good luck.

#11 tg1911 (Lord Spam Magnet, Members, 19,274 posts, SW Louisiana)

Posted 02 December 2005 - 11:07 PM

Audrey on Bleeping's Forums,
"Bump" is just a phrase used, if you don't have anything to add to a thread, to bump the thread back up to the top of the list.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#12 otspc3 (Members, 1 post)

Posted 10 December 2005 - 09:10 AM

Here are my experiences with what I call the iDesk trojan.

It was first noticed when a vertical banner ad appeared on the desktop which had the following categories:

Gambling (shows red dice) [gambling.bmp]
Dating (shows a woman) [dating.bmp]
Pharmacy (shows a large red and white capsule) [pharmacy.bmp]
XXX (a sultry-looking woman) [xxx.bmp]
Spyware (man in black trench coat with magnifying glass in front of his eye) [spyware.bmp]
Insurance (a sleeping man in his bed) [insurance.bmp]
close button [close.bmp]

Running SpybotS&D took a long time to complete and it failed to remove the desktop banner.

The system had a task called "idemlog.exe" running in the background. This wasn't reported by Windows Task Manager.

Using a kill process utility was the only way to end the task. The banner is no longer visible on the desktop.

After stopping the task, I removed the following files I found in %systemroot%\system32:

idesk.conf
howiper.exe
sphlp32.exe
close.bmp
favset.exe
spyware.bmp
insurance.bmp
xxx.bmp
dating.bmp
pharmacy.bmp
gambling.bmp
hgqhp.exe
pppcgm.exe
idemlog.exe
fran-hot.exe
qurrv.dll
filesafer23.exe

I then ran SpybotS&D again and it reported that nothing further was found.

The desktop banner no longer appears after rebooting the system.

There isn't any information about this on the Trend Micro, Symantec, CA, McAfee, or F-Secure websites. The conclusion is that the vendors are still playing catch-up for a problem that has existed since Nov 27; it's now Dec 10.

I hope that helps the well intended.
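Added example (not a tool from BleepingComputer or any poster in this thread): a Python triage script that automates the checks from Hellion-MCP's post #3 (search System32 and the registry for idemlog) using the full file list otspc3 gives above. It assumes Python 3 and, for the live scan, Windows with the standard-library winreg module; the matching functions themselves run anywhere on the constructed sample data, and nothing is deleted.

```python
"""Triage helper for the 'iDesk' desktop-banner adware in this thread; reports only, never deletes."""
import os

# Filenames otspc3 reported removing from %systemroot%\system32 (post #12).
IDESK_FILES = frozenset([
    "idesk.conf", "howiper.exe", "sphlp32.exe", "close.bmp", "favset.exe",
    "spyware.bmp", "insurance.bmp", "xxx.bmp", "dating.bmp", "pharmacy.bmp",
    "gambling.bmp", "hgqhp.exe", "pppcgm.exe", "idemlog.exe", "fran-hot.exe",
    "qurrv.dll", "filesafer23.exe"])

SAMPLE_VALUES = [  # constructed (key, value name, data) triples, not a real dump
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\WINDOWS\system32\IDEMLOG.EXE"),
    (r"SOFTWARE\Classes\CLSID\{constructed}\InprocServer32", "", r"C:\WINDOWS\system32\qurrv.dll"),
]

def flag_files(names, indicators=IDESK_FILES):
    """Return the entries of a directory listing that are known indicator names."""
    return sorted(n for n in names if n.lower() in indicators)

def flag_registry_values(values, indicators=IDESK_FILES):
    """Return the triples whose data mentions any indicator: regedit's Find from
    post #3, run for every name at once and below the Run keys (see post #9)."""
    return [(k, n, d) for k, n, d in values
            if any(ind in str(d).lower() for ind in indicators)]

def walk_registry(root, path):
    """Windows only (assumes the stdlib winreg module): yield every value under a key."""
    import winreg
    try:
        key = winreg.OpenKey(root, path)
    except OSError:  # key missing or access denied: skip it
        return
    with key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            yield path, name, data
        for j in range(winreg.QueryInfoKey(key)[0]):
            yield from walk_registry(root, path + "\\" + winreg.EnumKey(key, j))

if __name__ == "__main__":
    print("sample hits:", flag_registry_values(SAMPLE_VALUES))
    if os.name == "nt":  # live scan of System32 and both SOFTWARE hives
        import winreg
        sys32 = os.path.join(os.environ["SYSTEMROOT"], "System32")
        print("indicator files:", flag_files(os.listdir(sys32)))
        for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
            for hit in flag_registry_values(walk_registry(root, "SOFTWARE")):
                print("registry hit:", hit)
```

Run it from an administrator prompt so the HKLM walk can read keys that a limited account cannot; a hit under a CLSID or Run key is a loader to investigate, not proof on its own.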

#13 ogubogu (Members, 1 post)

Posted 11 December 2005 - 12:18 AM

Hi,
what do you mean by killer process utility?
