Infected with IEmonster.b & Inforstealer.Banker.s

By tcbrb46 ยท 17 replies
Nov 30, 2008
  1. this past week my laptop became infected it appears with spyware and trojan. stuff keeps loading on my browser. How can I get rid if this? Is there a free download? I have Internet explorer 7 with xp. I use avg. did a scan and it told be about monster and banker. I know enough to be able to remove some of these things manually if I can get some directions. Any help will be appreciated
  2. rf6647

    rf6647 TS Maniac Posts: 829

  3. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    Got your message thanks.


    Ran scans superantivirus is clear.
  4. mflynn

    mflynn TS Rookie Posts: 2,655


    Rich will be checking back soon, but you need to run MBAM again as all the Malware in the log says "No action taken" meaning you did not click the next button and select to remove all.

    Then if they are removed then you should run MBAM again to confirm it does not find more that the first ones had hidden. Other words the first scan may have exposed others to be cleaned.

    I am surprised SAS came up clean.

    So get those logs and a new HJT log last posted back.

  5. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    I will run mbam again



    I ran the mbm and hijack program again and everything was clear. I am going to reformat my hard drive as it is very slow for what ever reason. I seem to have a lot of processes running and I am not sure which ones to close. I think its time to clean up by reformating.


  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Hold on Tom. If we can fix the Malware then we can fix the performance also.

    Formatting is a drastic step fo a slowdown..

    We were waiting for the logs to assure you were clean.

    What about your data photos documents email bookmarks etc?

    Do you want to tackle it?

  7. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    Infected with IEmonster.b & ifostealer.banker.s

    ok. I will get back and redue the logs.


  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Well Tom just check to be sure we are clean!

    If we are we will begin to tune/tweak your system for performance.

    To begin do the below so that I can see what is running.
    Download RSIT

    Run it, when finished it will open a log Maximized on the screen, copy/paste the contents of this log back here then close that log.

    Then the 2nd log is Minimized so Max it and attach it also.
    The logs will contain a HighJackThis log also.


    Lets look at your startups
    when run give it a couple minutes it will produce a text file attach the contents back here.

  9. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    I have malware running at home presently. Had to sub at the high school and have to play hockey tonight. will get this done in between. Should be able to send stuff back soon. no later than wednesday. Was not aware of other things I could do to speed up computer. Windows startup sucks. Computer startup could be a little faster. Thanks for your time. I have three laptops and a desktop to keep running. There is always new things to learn.

  10. mflynn

    mflynn TS Rookie Posts: 2,655

    10-4 to that.

    I've been doing this for 30 years professionally and I still learn.

    At the age of 64 I have the CRS syndrome so sometimes I even learn from myself.

    I will tackle an issue here or in my work thinking I have never seen this issue before but as I delve in I remember that I had just forgotten.:haha:

    Besides enjoying helping people that is the reason I Volunteer here. It helps keep me sharp.

    Besides I have a lot of help here, even to the point I have a helper following me around to make sure I remember. Now is that nice or what!:D

  11. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    Infected with IEmonster.b &Infostealer.Banker.s

    Too long I will reply twice too long. Had to copy and paste superanti spy and malware. could not find the logs i saved today.


    Copy the following text and paste it to your report AS IS!!!

    Moderator Edit:
    Do Not Paste Logs Into Replies. Always Attach Them
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Tom

    Sorry about the copy/paste thing came from another board where they actually disdained attachments for pasting directly to the post.

    But we have an Opps!

    Run MBAM click More Tools-Run Tool and paste the following one at a time into File name: and click ok

    Additionally Run HJT Scan only select and delete the below.
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    Reboot then we need another HJT log.

  13. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    Infected with IEmonster.b &Infostealer.Banker.s


    I ran mbam could not find files. However, I recognized the files. Could not find husowipe.dll. I did find lofiketo.dll in AVG antivirus that was in the virus vault. I remembered this file when I looked at the processes running.

    I ran hjt and deleted the file and ran it again it was gone.

    Attached is the hjt log after reboot.


  14. mflynn

    mflynn TS Rookie Posts: 2,655

    All Right good job!

    OK so we will move on to Tune/tweak for speed.

    Did you forget Ardiag at the bottom of post #8? Get this log to me.

    Has your computer ever had Norton, Mcafee or Zone Alarm installed?

    Below we begin to address your slow system
    Clean and tweak services

    In services stop and disable all of the below just to get them out of the way for now for trouble shooting purposes.

    Nothing is un-installed or deleted only disabled from running!

    They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

    Disabled uses no memory (RAM) and no CPU cycles.
    Manual uses the RAM but a small amount of CPU.
    Auto and not started they use even more RAM and CPU.
    Auto and started even more RAM and CPU ..

    Now in this case we disabling for trouble shooting purposes. But when we finish if you leave them all off until it is noticed that you need one (not likely for 99%) then it can be enabled.

    Leaving these all off, then becomes a performance tweak/boost as they free some RAM and CPU cycles! Special note. If you are going to pick and choose then be aware that the small amount of RAM and CPU cycles of each one individually is not significant but as a group it is! So if you need most of them (or just think you do because you don't) then just as well enable them all)!

    Distributed Link Tracking Client
    Distributed Transaction Coordinator
    DNS Client
    Fast User switching
    Health Key and Certificate Management Service
    Indexing service
    Net logon
    Net.TCP Port Sharing
    NetMeeting Remote Desktop Sharing
    IPsec services
    QoS RSVP
    Remote Registry
    Uninterruptable power supply
    Universal Plug and play
    Web Client
    Windows media player Network Sharing

    IF you are using a wired network card and "NOT" using wireless on this computer then you can
    also disable

    Wireless Zero configuration

    Wireless Zero configuration is only used on computers with a wireless NIC like a Laptop. Do not disable Wireless Zero configuration on a Laptop. Has nothing to do with other wireless hardware like wireless routers etc.

    In short if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero configuration.

    This is not to be confused with Wired Auto Config do not disable that!

    Download Dial-A-Fix (DAF)

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Flush DNS
    Flush Icons
    Process Idle Tasks
    Reset WMI/WBEM (not reinstall)

    Watch for any File not found or other errors and make note as this may point to a problem!

    Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.
    The Malware issues we fixed could be found is in System Restore so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy service running which is the default.
    Copy for pasting > chkdsk c: /f
    paste the above.

    It will want to do it on next reboot so reboot and let it do it.

    When back to Desktop do a Defrag and report back on system status and speed.

  15. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    Infected with IEmonster.b &Infostealer.Banker.s


    Must of missed ardiag when I messed up the other day. I don't think I ever activated Norton on this wireless laptop. I don't recall Mcfee. I have had zonealarm in the past but not sure if it was before or after I replaced the hard drive. Zonealarm would not let me print wirelessly as did spybot. I have not been able to use my printer from my three wireless laptops for the past seven months. The other day I updated ccleaner and advance system care and low and behold I was able to print from my wireless laptops. My desktop runs wirelessly too. My router is in bedroom next to the cable router. Anyway I will tackle your instructions Thursday as it is a little late and the redwings are on. I don't want to start something I might not be able to finish.

    Thanks so much for your time, take a brake and have beer or something your working too hard.

  16. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    Infected with IEmonster.b &Infostealer.Banker.s


    I disabled your list except I did not find Messenger, Ne.TCP Port Sharing, Net Meeting Remote Desktop Sharing, or Remote Registry in the Services Tab. I had to enable Net Logon as I lost my wireless connection.

    Downloaded DAF everything went fine except when I Reset WMI/WBEM error message stated "access violation at address 77c0154D in module version.dll."
    I had to stop program by cntr,alt,delete and end process. Stuck on first item cimwin32.dll read of address 00000004.

    Did ATF cleaner. Did system Restore.

    Did chkdsk c: /f rebooted don't know where the info or file went. It did a check and disappeared.

    Ran defrag.

    System improved somewhat. I clean up files regularly with defrag and ccleaner and tools in windows.

  17. mflynn

    mflynn TS Rookie Posts: 2,655

    No problem on items in Services as not everyone has all of them.

    The Net Logon has nothing to do with wireless it only has to do with logging into a Corporate Domain controller Server.

    You might try disabling it again. And if it does effect your wireless connection let me know as you have something unusual going on.

    I will look into the DAF version.dll and get back to you perhaps tomorrow.

    The Chkdsk gives no log. Normal.

  18. tcbrb46

    tcbrb46 TS Enthusiast Topic Starter Posts: 74

    Infected with IEmonster.b &Infostealer.Banker.s

    Ok thanks.

    The logon did it again, however, I noticed windows was on selected startup so I changed it to normal startup and no problem now.

    Did get a stack overflow before I made change but did not do it this time
    Said stack overflow at line 1509. It did that once before I think last night. Might have been about the time I disabled logon. It came up when I accessed IE explorer.

    Things are going pretty good now.

Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...