My PC was visited by Infostealer.Gampass and Infostealer.Perfwo, and it was my most painful experience in removing them. I lost 97 exe files which were infected. I would like to share here and hope to help those panicked victims.
Folder created by them:
%Program Files%\Common Files\Microsoft Shared\Web Folders\
Files created:
%windir%\svchost.exe
%program files%\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE
%program files%\Common Files\Microsoft Shared\Web Folders\MSOSVEXT.EXE
Files created after the virus activated:
%program files%\Common Files\Microsoft Shared\Web Folders\TempA.exe
...
%program files%\Common Files\Microsoft Shared\Web Folders\TempM.exe
%windir%\Sysfy3\svchost.exe
%windir%\Sysfy3\Ghook.dll
These 2 trojan horses visited me with 4 more viruses, which are
- shualai.exe
- nwizhx2.exe
- nwizAsktao.exe
- cmdbcs.exe
The AV (antivirus) is able to delete the created Temp*.exe, svchost.exe and Ghook.dll. However, the other files are able to run in the background.
Removal steps:
1. Stop the task of shualai.exe
2. Delete the following files:
- shualai.exe and shualai.dll
- nwizhx2.exe and nwizhx2.dll
- nwizAsktao.exe and nwizAsktao.dll
- cmdbcs.exe and cmdbcs.dll
(note that the dll files are located in %windir%\windows\system32 while the exe files are located in %windir%\windows\)
3. Run regedit, search for the following registry entries and remove them.
- shualai (2 entries)
- nwizhx2 (1 entry)
- nwizAsktao (1 entry)
- cmdbcs (2 entries)
4. Remove:
%windir%\svchost.exe
%program files%\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE
%program files%\Common Files\Microsoft Shared\Web Folders\MSOSVEXT.EXE
%program files%\Common Files\Microsoft Shared\Web Folders\Temp(x).exe
5. Reboot
If the steps do not solve the problem, format ALL the hard disk logical partitions at once.
Hope this helps.
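The manual steps above (stop the processes, delete the exe/dll pairs and dropped files, strip the registry entries, reboot) can be scripted so the same sweep is repeatable and auditable. The following PowerShell is an added example written for this thread; it is not the poster's procedure and not vendor removal code. It assumes the registry entries the post says to delete are autostart values under the usual Run/RunOnce keys (the post does not say where they were found), that the companion exe/dll pairs sit where the post says (exe in the Windows directory, dll in system32), and that the only legitimate svchost.exe lives under system32 (or SysWOW64 on 64-bit Windows), so any other copy is treated as the dropped one. Run it elevated, and with -WhatIf first.

```powershell
# Added example, not from the original post: sweep for the artefacts it lists.
# Assumptions (see lead-in): Run/RunOnce keys hold the registry entries; the
# exe/dll locations are as the post states. Usage: .\sweep.ps1 -WhatIf, then .\sweep.ps1
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$names      = @('shualai', 'nwizhx2', 'nwizAsktao', 'cmdbcs')
$webFolders = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\Web Folders'
$sys32      = Join-Path $env:windir 'system32'
$wow64      = Join-Path $env:windir 'SysWOW64'

# Files the post names. %windir%\svchost.exe is NOT the real service host.
$paths = @(
    (Join-Path $env:windir 'svchost.exe'),
    (Join-Path $env:windir 'Sysfy3\svchost.exe'),
    (Join-Path $env:windir 'Sysfy3\Ghook.dll'),
    (Join-Path $webFolders 'MSOSV.EXE'),
    (Join-Path $webFolders 'MSOSVEXT.EXE')
)
# TempA.exe .. TempM.exe: match any single-character suffix rather than hard-coding the letters.
$paths += Get-ChildItem -Path $webFolders -Filter 'Temp?.exe' -ErrorAction SilentlyContinue |
          ForEach-Object FullName
foreach ($n in $names) {
    $paths += Join-Path $env:windir "$n.exe"        # exe in the Windows directory (post's claim)
    $paths += Join-Path $sys32     "$n.dll"         # dll in system32 (post's claim)
}

# Step 1: stop the running copies first, otherwise the files stay locked.
foreach ($n in $names) {
    Get-Process -Name $n -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Path) (pid $($_.Id))", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }
}
# Only an svchost.exe running from outside system32/SysWOW64 is the dropped one; never
# kill the real service hosts. Path can be null for protected processes; skip those.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and
                   $_.Path -notlike (Join-Path $sys32 '*') -and
                   $_.Path -notlike (Join-Path $wow64 '*') } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Path) (pid $($_.Id))", 'Stop-Process')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# Steps 2 and 4: delete the files. Hash each one first so the sample can still be
# identified or submitted after it is gone.
foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Write-Host "found $p  sha256=$hash"
        if ($PSCmdlet.ShouldProcess($p, 'Remove-Item')) {
            Remove-Item -LiteralPath $p -Force
        }
    }
}

# Step 3: remove autostart values whose name or command line mentions one of the names.
# (Assumed location; the post only says "search the registry".)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # PSPath/PSParentPath etc. are provider metadata
        $hit = $names | Where-Object { $prop.Name -like "*$_*" -or "$($prop.Value)" -like "*$_*" }
        if ($hit) {
            Write-Host "autostart $key\$($prop.Name) = $($prop.Value)"
            if ($PSCmdlet.ShouldProcess("$key\$($prop.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $prop.Name
            }
        }
    }
}

Write-Host 'Step 5: reboot, then run this script again with -WhatIf to confirm nothing came back.'
```

The -WhatIf pass prints every process, file and registry value the script would touch without changing anything, which is the check you want before deleting from the Windows directory. If anything reappears after the reboot there is a persistence mechanism the post's list does not cover, and at that point the post's own advice (wipe and reinstall) is the safe answer rather than chasing more file names.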