How to remove PWSteal.Formglieder


What this program does:

A Trojan that attempts to steal passwords for certain bank web sites and applications. It also has keylogging and backdoor functionality.

Symptoms in a HijackThis Log (may be different entries but will contain the same domains and hostnames):


O4 - HKLM\..\Run: [winhlp.exe] C:\Windows\winhlp.exe



Removal Instructions:
  1. Download HijackThis from the above link and extract it to c:\hijackthis.

  2. Print out these instructions.

  3. Navigate to the c:\hijackthis directory and double-click on HijackThis.

  4. When the program starts, double-click on the HijackThis icon and then click on the Scan button.

  5. Put a checkmark next to the following entries if they exist:


    O4 - HKLM\..\Run: [winhlp.exe] C:\Windows\winhlp.exe

  6. Then click the Fix button.

  7. Exit HijackThis.

  8. Reboot your computer.

  9. Search for the following files in your Windows directory (c:\windows, c:\winnt) and delete them:

    winhlp.exe

  10. Change your banking passwords and PINs if applicable.
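
The check from steps 5 and 9 can also be run over a saved HijackThis log. The Python below is an added example, not part of the original guide or of HijackThis; the function names and the sample log lines are constructed for illustration, and it matches only the winhlp.exe startup entry named above, by exact file name in the Windows directory rather than by substring.

```python
import ntpath
import re

# Constructed sample log lines (not taken from a real machine).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
O4 - HKLM\..\Run: [winhlp.exe] C:\Windows\winhlp.exe
O4 - HKLM\..\Run: [SomeAV] "C:\Program Files\SomeAV\tray.exe" /min
O4 - HKCU\..\Run: [helper] C:\WINNT\WINHLP.EXE -s
O4 - HKLM\..\Run: [Help] C:\Windows\winhlp32.exe
"""

# O4 startup lines: O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")

# File name and directories given in the removal steps above.
BAD_NAME = "winhlp.exe"
WINDOWS_DIRS = {r"c:\windows", r"c:\winnt"}


def exe_path(command):
    """Return the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, arguments follow
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)  # unquoted, may hold spaces
    return m.group(1) if m else command.split()[0]


def find_formglieder_entries(log_text):
    """Return (hive, key, value_name, path) for each matching O4 entry."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        path = exe_path(command)
        folder, filename = ntpath.split(ntpath.normcase(path))
        # Exact name and folder match, so winhlp32.exe is not flagged.
        if filename == BAD_NAME and folder in WINDOWS_DIRS:
            hits.append((hive, key, name, path))
    return hits


if __name__ == "__main__":
    for hit in find_formglieder_entries(SAMPLE_LOG):
        print("Check this entry in HijackThis:", hit)
```
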

This infection monitors the following banks:
Now your computer should no longer be infected with the PWSteal.Formglieder infection. It may be possible that you still have some spyware or malware installed on your computer. If you feel this is the case, follow the instructions below to post a HijackThis log and someone will help you to remove the rest.



This is a self-help guide. Use at your own risk.



BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.