How do I remove malware called Facesmooch / layoutsexpress javascripts

I'm not sure how, but my computer has been infected with malware that I can't seem to get rid of.

It is a Facebook "plugin" or "addon" that adds smileys to the Facebook site, but then also runs malicious javascript files.

I've tried to remove it, by running Malwarebytes anti-virus, but it says that there is nothing to detect.

Attached are:

- Facebook screenshot
- NOD32 alert that appears whenever I open Firefox
- HijackThis results

I've removed all possible add-ons from Firefox to no effect. I've reviewed the Windows registry for possible errors and removed recommended malicious items, but no matter what I do, I can't seem to get rid of this malware.

I'm really trying to avoid re-installing Windows 7.

Do you have any suggestions?

The basics for dealing with most malware variants are in my new Article here:

According to Facebook, it is a simple removal using Control Panel/Add Remove Programs:
xcel01 (Author) Commented:
Unfortunately there is no software installed on my computer to be able to "uninstall". There is no program or software that was ever installed from Facesmooch.

It would appear to be malware simply because of the info I've been able to gather on it, via the NOD32 alert.

However, the registry items listed in these links don't seem to exist in my registry (although I was able to remove the Toolbar4 items while in Safe mode).

Look inside your "HOSTS" file for any modifications that you haven't made.


Also note that you often have to stop the various "Rogue Processes" before your scanners can do the job.
Have you done a Windows Explorer "Search" (including Hidden and System files) for *smooch* on your entire OS partition?

You can also search your Registry (just use smooch) to see if there are any entries.
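
The HOSTS review suggested above can be done systematically. This is an added example, not part of the original thread: it lists every active HOSTS entry other than the stock `localhost` lines so each one can be checked against changes you made yourself. The sample file content is constructed, and `audit_hosts` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file (not taken from the poster's machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.facebook.com facebook.com   # redirect
0.0.0.0         update.example-av.test
not-an-ip       broken.example.test
"""

def audit_hosts(text):
    """Return (line_no, address, hostnames, reason) for entries worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "unparseable address"))
            continue
        if ip.is_loopback and all(n.lower() == "localhost" for n in names):
            continue                              # stock localhost entry
        if ip.is_loopback or ip.is_unspecified:
            reason = "name sinkholed to local machine"
        else:
            reason = "name redirected to another address"
        findings.append((line_no, address, names, reason))
    return findings

if __name__ == "__main__":
    import os
    # Default HOSTS location on Windows.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for finding in audit_hosts(fh.read()):
            print(finding)
```

Entries sinkholed to the local machine are often added deliberately by ad-blocking or security tools, so a finding is a prompt to review, not proof of tampering.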
xcel01 (Author) Commented:
Searched Windows Explorer for *smooch* as well as other relevant search terms, but to no avail.

Also searched the registry, but couldn't find anything.

I ran the RogueKiller but it also didn't find anything.
Really strange - your link here ( definitely shows it in the Program Files directory.

What are your current symptoms (after all the scans)?
xcel01 (Author) Commented:
Well, that's the worst part...there aren't really any "symptoms" as such.

Aside from the NOD32 warning every time I start Firefox and the smiley faces appearing within Facebook, nothing else much seems to happen.

However, I'm obviously concerned about malicious scripts running on my machine and potentially logging keystrokes, getting passwords etc etc.
xcel01 (Author) Commented:
Thank you very much for your help! It is greatly appreciated!
As just a kind of 'generic' piece of advice, go ahead and download
The basic function will clean all the temp/junk files from any browser and the "Registry" function will clean out any left over residue.

(Make sure to click 'Yes' when it asks you if you want to backup your registry.)
Davis McCarn (Owner) Commented:
If the Russians have started using FaceSmooch (which is a legitimate Facebook AddOn), we may be facing a whole new world of hurt!
You need three things:
Sysinternals Autoruns:
CCleaner Slim:
and a printout of that threatexpert report:

Use Autoruns to remove (right-click) all the references to Toolbar4, Facesmooch Toolbar, and the file you submitted to ThreatExpert.  Make the Image Path column wide enough for you to see the entries.
If any of them appear in the Task Manager's processes list, highlight and kill those processes.
Run CCleaner and use it to delete all of the temporary files (the standard checks should work)
I would then go check for the %appdata%\Toolbar4, %Temp%(files listed in report), and the %ProgramFiles%\FaceSmooch Toolbar folders to see if they were gone.  If not, try to delete them manually.

Reboot and check again.

Unfortunately; without the uninstaller behaving properly, you still have the task of deleting those registry keys.  You can try CCleaner's registry cleaner (BTW, there are none better); but, some of those inprocessservers will probably be missed.

If you get it cleaned; please, update your Java, Flash, and Adobe Reader to the latest versions.
Check this link for Firefox uninstalling add-ons if it helps.

If the problem persists then either use ComboFix or OTL and we'll remove that Facesmooch manually.


OTL will not delete any files on its first run, it will only remove files with a script which we will give you once we can look at the log. Just like ComboFix, the OTL log lists all files created/modified in the last 30 days.

1. Download OTL, save to Desktop or other convenient location.
2. OTL does not need to be installed, simply click the OTL icon to run
3. Click the Quick Scan Button.
4. A log will open in notepad, and OTL.txt will be saved to the same location as OTL.exe (i.e.: desktop)
5. Post/attach the log here.
Does this only happen when you open FF?  It installs a hidden toolbar and you can't just manually uninstall it.  Do you have "show hidden files and folders" enabled?
Have you checked your "AppData" path (C:\Documents and Settings\[UserName]\Application Data)?  I looked at the HijackThis log and I see that you have a tbcore3.dll file, it's a legit file for some toolbars, but the facesmooch app also uses that same file and could have overwritten it.  I would do an MD5 hash on it and run it against the database at VirusTotal or ThreatExpert to check.

As a side note, you can use NoScript, a FF add-on to block suspicious/malicious scripts from running in FF.  Be aware, it can block globally and it does give false positives, but there have been times where it has detected rogue scripts running on reputable sites.  I think it's a valuable add-on to have installed.
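
The hash check suggested above, as an added example that is not part of the original thread: it finds every copy of a file name such as tbcore3.dll under the given folders, hashes each one, and groups the paths by digest so a copy that differs from the others stands out and its hash can be searched in an online database. The helper names and the choice of folders are assumptions.

```python
import hashlib
import os
from collections import defaultdict

def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def find_copies(roots, filename):
    """Group every file named `filename` (case-insensitive) under `roots` by digest."""
    groups = defaultdict(list)
    wanted = filename.lower()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != wanted:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    groups[file_digests(full)].append(full)
                except OSError:
                    # Locked or unreadable copies are still reported.
                    groups[("unreadable", "unreadable")].append(full)
    return dict(groups)

if __name__ == "__main__":
    # Assumed search roots: the per-user AppData folder and Program Files.
    env_roots = [os.environ.get(v) for v in ("APPDATA", "ProgramFiles", "ProgramFiles(x86)")]
    copies = find_copies([r for r in env_roots if r], "tbcore3.dll")
    for (md5, sha256), paths in copies.items():
        print("MD5", md5, "SHA-256", sha256)
        for path in paths:
            print("   ", path)
```

More than one digest group for the same file name means the copies are not identical; that alone does not say which one is malicious, only which hashes to look up.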

Please note the recommendations for CCleaner were already made here:
xcel01 (Author) Commented:
A combination of all of these things helped to eventually get rid of the virus and relevant files. It was ultimately deleting the toolbar that had installed the tbcore3.dll file that managed to get rid of everything. Thank you for your help!