
Trojan-Spy and Trojan.Downloader problems


Post by Andrew » June 25th, 2007, 6:17 am

My virus protection program (and some other software that I have downloaded) has over the past week informed me that my computer has had the following malware (though not all at once):

Trojan.Downloader.CashDeluxe (C:\Windows\system32\msorcl32.exe and C:\Windows\system32\wmvds32.dll)

At one point the computer clock was set back 4 years.... I also noticed that, when I went to the Hotmail sign-in page, Internet Explorer connected briefly with some "secure.footprint.net/…./…." site (without showing the actual page). Is my computer talking to someone behind my back? I changed my password and stopped accessing Hotmail from my own computer.

I have tried different software to deal with this. My Internet provider’s virus programme (Securitoo) deleted most viruses/Trojans, but some reappeared once or twice after that. SpyBot only detected 5 DSO exploits (which I asked to have fixed, but for every new scan they were there again…). Trojan Hunter didn't find anything. Neither did Windows Defender.

Lately the computer seems quite OK (because I don't connect with Hotmail – and the secure.footprint site – anymore?...), but the Trojan.Downloader.CashDeluxe, which was detected by PCTools' Spyware Doctor, is still there (at least Spyware Doctor says it is…). (I used the trial version. It would require the paid version to remove it and I don’t want to send credit card details over a connection I don't trust….)

Could you please help me to check if my computer is clean, and, if not, tell me how to deal with it? I am not very keen on reinstalling Windows XP.

Here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:38, on 25/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\FSGK32.EXE
C:\Program Files\Securitoo\av_fw\backweb\1044199\program\fsbwsys.exe
C:\Program Files\Securitoo\av_fw\fswsclds.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Securitoo\av_fw\Anti-Virus\fssm32.exe
C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
C:\Program Files\Securitoo\av_fw\Common\FSMB32.EXE
C:\Program Files\Securitoo\av_fw\Common\FCH32.EXE
C:\Program Files\Securitoo\av_fw\Common\FAMEH32.EXE
C:\Program Files\Securitoo\av_fw\DFW\Program\fsdfwd.exe
C:\Program Files\Securitoo\av_fw\Anti-Virus\fsav32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE
C:\Program Files\Securitoo\av_fw\backweb\1044199\Program\BackWeb-1044199.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Booster Wanadoo\wanadoo_booster.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Securitoo\av_fw\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Securitoo\av_fw\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Booster Wanadoo.lnk = C:\Program Files\Booster Wanadoo\wanadoo_booster.exe
O8 - Extra context menu item: Afficher l'image non compressée - res://C:\Program Files\Booster Wanadoo\wanadoo_booster.exe/227
O8 - Extra context menu item: Afficher toutes les images non compressées - res://C:\Program Files\Booster Wanadoo\wanadoo_booster.exe/250
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 9136993912
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Securitoo AntiVirus Firewall (BackWeb Client - 1044199) - Unknown owner - C:\PROGRA~1\SECURI~2\av_fw\backweb\1044199\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Authentication Agent (FSAA) - Unknown owner - C:\Program Files\Securitoo\av_fw\Common\FSAA.EXE (file missing)
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\backweb\1044199\program\fsbwsys.exe
O23 - Service: F-Secure Distributed Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\DFW\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\Common\FSMA32.EXE
O23 - Service: F-Secure Windows Security Center Legacy Detection Service (Fswsclds) - F-Secure Corporation - C:\Program Files\Securitoo\av_fw\fswsclds.exe
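A HijackThis log like the one in the post above can be triaged mechanically before anyone reads it line by line. The following is an added example, not part of the original thread or of HijackThis itself: it parses an excerpt of the posted log, checks whether the file names the antivirus reported show up among running processes or autostart entries, and lists services worth a second look. The function names `parse_hjt` and `triage` are hypothetical.

```python
import re

# Excerpt of the HijackThis log posted above (a few lines, embedded for offline use).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: F-Secure Authentication Agent (FSAA) - Unknown owner - C:\Program Files\Securitoo\av_fw\Common\FSAA.EXE (file missing)
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Securitoo\av_fw\backweb\1044199\program\fsbwsys.exe
"""

# File names the antivirus reported in the first post.
REPORTED = ["msorcl32.exe", "wmvds32.dll"]

# Coded entries look like "O4 - ..." or "O23 - ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Split a HijackThis log into running processes and coded entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def triage(text, reported=REPORTED):
    """Report which named files appear in the log and which services need review."""
    processes, entries = parse_hjt(text)
    haystack = [p.lower() for p in processes] + [d.lower() for _, d in entries]
    seen = {name: any(name.lower() in h for h in haystack) for name in reported}
    # O23 = services; an unknown owner or a missing file deserves a manual check.
    review = [d for code, d in entries
              if code == "O23" and ("Unknown owner" in d or "(file missing)" in d)]
    autoruns = [d for code, d in entries if code == "O4"]  # O4 = startup entries
    return {"reported_seen": seen, "review_services": review, "autoruns": autoruns}
```

A reported file that is absent from the log only means it was not a running process or a listed autostart entry at scan time; it says nothing about whether the file is still on disk.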

Post by askey127 » June 26th, 2007, 6:39 am

I am sorry to be the bearer of bad news but unfortunately, as you suspected, you have a very dangerous infection, with "backdoor" capabilities.
This gives remote intruders complete control of your computer, which can include logging key strokes, stealing information, etc.

You are strongly advised to do the following immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Because of the infection's backdoor functionality, the basic security of your PC is very likely compromised, and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Windows Operating System.
The reason for this is that the infection can make undetectable changes to your security settings in order to re-install itself after the machine is "cleaned" and reconnected to the internet.
If you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so. This is your choice to make.

To help you make a more informed decision, you may wish to read the following articles:
Should you have any questions, please feel free to ask.
Please let me know if you choose to Reformat.

If you want to attempt to clean your computer instead of Reformatting and Re-Installing XP, please begin here:
Set Your Computer to Show All Files
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading, select Show hidden files and folders.
  6. Uncheck Hide protected operating system files (recommended).
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
Using My Computer, navigate to your HiJackThis folder here.
C:\Program Files\HijackThis\
Double click to show the files. Select View, Details
Right-click HijackThis.exe, choose Rename, and rename it myscanner.exe
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new Log from myscanner.exe

Note: It is possible that VundoFix will encounter a file it cannot remove.
In that case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Post by Andrew » June 27th, 2007, 4:19 am

It seems bad, alright... :cry:

I will follow your advice and reformat/reinstall.

Many thanks for your help.

Post by Andrew » June 27th, 2007, 4:44 am


Just one question before I reinstall:

Do I dare to backup my recent Word, Excel, music- and video-editing files before I reformat and use them afterwards, or is there a risk that they too are badly infected?

Post by askey127 » June 27th, 2007, 6:33 am

It is OK to back up all your DATA files like .doc, .xls, .txt, etc. files before you reformat. Just be sure to scan all those backups with your antivirus before copying them back into their respective folders.
Otherwise, just be sure you have your antivirus installer file saved so you can install it offline BEFORE you plug in the Internet cable. Then, when you do plug in the Internet, immediately go to the Microsoft site and get ALL the critical updates, followed by a visit to your Antivirus home site to update your AV.

If you don't have an antivirus installer file or CD, you can download one of these free ones to save before you reformat. This is best to do from a clean computer.

Post by askey127 » July 6th, 2007, 5:49 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.