TechSpot

Experience of Infostealer.Gampass and Infostealer.Perfwo

By samlow
May 6, 2007
  1. My PC was visited by Infostealer.Gampass and Infostealer.Perfwo and it was my most painful experience in removing it. I lost 97 exe files which were infected. I would like to share here and hope to help those panicked victims.

    Folder created by them:
    %program Files%Common Files\Microsoft Shared\Web Folders\

    Files created:
    %windir%\svchost.exe
    %program files%\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE
    %program files%\Common Files\Microsoft Shared\Web Folders\MSOSVEXT.EXE

    Files created after virus activated:
    %program files%\Common Files\Microsoft Shared\Web Folders\TempA.exe
    ...
    %program files%\Common Files\Microsoft Shared\Web Folders\TempM.exe
    %windir%\Sysfy3\svchost.exe
    %windir%\Sysfy3\Ghook.dll

    These 2 trojan horses visited me with 4 more viruses, which are
    - shualai.exe
    - nwizhx2.exe
    - nwizAsktao.exe
    - cmdbcs.exe

    The AV (antivirus) is able to delete the creation of Temp*.exe, svchost.exe and Ghook.dll. However, the other files are able to run in the background.

    Removal steps:
    1. Stop the task of shualai.exe

    2. Delete the following files:
    - shualai.exe and shualai.dll
    - nwizhx2.exe and nwizhx2.dll
    - nwizAsktao.exe and nwizAsktao.dll
    - cmdbcs.exe and cmdbcs.dll
    (note that the dll files are located in %windir%\windows\system32 while the exe files are located in %windir%\windows\)

    3. Run regedit, search the following registry and remove them.
    - shualai (2 entries)
    - nwizhx2 (1 entry)
    - nwizAsktao (1 entry)
    - cmdbcs (2 entries)

    4. Remove
    %windir%\svchost.exe
    %program files%\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE
    %program files%\Common Files\Microsoft Shared\Web Folders\MSOSVEXT.EXE
    %program files%\Common Files\Microsoft Shared\Web Folders\Temp(x).exe

    5. Reboot

    If the steps do not solve the problem, format ALL the hard disk logical partitions at once.

    Hope this helps.
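The following is an added triage script, not part of samlow's post, that checks a Windows machine for the indicators the post lists (file paths, the four named processes and their Run-key entries, and svchost.exe running from anywhere other than System32) and reports what it finds without deleting anything. It assumes %windir% already resolves to the Windows directory (so the exe files sit directly under it and the dll files under its System32) and that the registry entries the post refers to live in the standard HKLM/HKCU CurrentVersion\Run keys, which the post does not name.

```powershell
# Added report-only triage for the indicators named in the post above (assumed locations noted).
$win = $env:windir
$web = Join-Path ${env:ProgramFiles} 'Common Files\Microsoft Shared\Web Folders'

# Files the post says the trojans create (Temp?.exe covers TempA.exe .. TempM.exe)
$paths = @(
    "$win\svchost.exe",            # a real svchost.exe lives in System32, never here
    "$web\MSOSV.EXE",
    "$web\MSOSVEXT.EXE",
    "$win\Sysfy3\svchost.exe",
    "$win\Sysfy3\Ghook.dll"
)
$paths += Get-ChildItem -Path $web -Filter 'Temp?.exe' -ErrorAction SilentlyContinue |
          ForEach-Object { $_.FullName }

# The four companion exe/dll pairs; assumed to resolve to %windir% and %windir%\System32
$names = 'shualai', 'nwizhx2', 'nwizAsktao', 'cmdbcs'
foreach ($n in $names) {
    $paths += "$win\$n.exe"
    $paths += "$win\System32\$n.dll"
}

# Running processes under the listed names, and svchost.exe instances outside System32
$procHits = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.ProcessName } |
    Select-Object ProcessName, Id, Path
$badSvc = Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$win\System32\*" } |
    Select-Object Id, Path

# Run-key values whose name or command line mentions one of the names (assumed locations)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$regHits = foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        foreach ($n in $names) {
            if ($p.Name -like "*$n*" -or "$($p.Value)" -like "*$n*") {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

Write-Host 'Indicator files present:'
$paths | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "  $_" }
Write-Host 'Processes running under the listed names:';      $procHits | Format-Table -AutoSize
Write-Host 'svchost.exe instances outside System32:';        $badSvc   | Format-Table -AutoSize
Write-Host 'Run-key entries referencing the listed names:';  $regHits  | Format-Table -AutoSize
```

Run it from an elevated PowerShell so process paths are readable; an empty section means that indicator was not found, not that the machine is clean.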