W32.Queshare
W32.Queshare is a computer worm that propagates via USB and other removable devices. It also inflicts damage through the shared folders of instant messaging applications. W32.Queshare also downloads more harmful files onto the infected system and steals confidential data.
Damage Level: Medium
Threat Assessment By: Symantec
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
First Aid to Stop W32.Queshare:
When the W32.Queshare virus infects a computer, it modifies system settings and injects itself into legitimate Windows files. System Restore is the go-to tool for bringing back clean files and restoring an earlier configuration. If you have saved a previous restore point, please restore Windows to an earlier date.
Manual Removal of W32.Queshare:
1. If an anti-virus program is present, update the definition file.
2. Reboot Windows in Safe Mode
- After turning on the power, press F8 on the keyboard.
- From the menu, select Safe Mode.
3. Run a full system scan and clean/delete all infected file(s).
4. Delete/Modify any values added to the registry if present.
- To edit the registry, click on Start. Search or Run regedit.exe.
Note: For a complete guide on Safe Mode and Registry Editor, please see tutorial links on the sidebar.
5. Exit registry editor and restart Windows.
Additional Tools and Programs:
Scan with Norton Power Eraser:
Norton Power Eraser is a useful tool provided by Symantec. This program can help remove any presence of W32.Queshare. To start scanning the computer with this free tool, begin the download from this link.
Technical Details and Additional Information:
Other functionalities of this Worm:
- W32.Queshare will create its own registry entries that allow automatic start-up.
- This worm can steal World of Warcraft account information such as the username and password.
- It will also steal email account data stored on your Internet browser.
Malicious Files Added by W32.Queshare:
%ProgramFiles%\NVIDIA Corporation\PhysX\Common\nwizs.exe
%ProgramFiles%\NVIDIA Corporation\PhysX\Common\nvwdmcpl.dll
%SystemDrive%\recycle.[UID]\recycle.exe
%SystemDrive%\autorun.inf
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"nwizs" = "%ProgramFiles%\NVIDIA Corporation\PhysX\Common\nwizs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"nwizs" = "%ProgramFiles%\NVIDIA Corporation\PhysX\Common\nwizs.exe"
HKEY_LOCAL_MACHINE\SAM\"SAMP" = "%ProgramFiles%\NVIDIA Corporation\PhysX\Common\nwizs.exe"
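To see which of the files and registry values listed above are actually present before deleting anything, the following added example (not part of the original guide or of any Symantec tool) reports them without changing the system. It assumes PowerShell is available and is run from an administrator prompt; the variable names are illustrative.

```powershell
# Added example: read-only check for the W32.Queshare indicators listed on this page.
# It only reports what it finds; nothing is deleted or changed.

$findings = @()

# --- Files ---
$physx = Join-Path $env:ProgramFiles 'NVIDIA Corporation\PhysX\Common'
$candidates = @(
    (Join-Path $physx 'nwizs.exe'),
    (Join-Path $physx 'nvwdmcpl.dll'),
    (Join-Path "$env:SystemDrive\" 'autorun.inf')
)

# %SystemDrive%\recycle.[UID]\recycle.exe: the [UID] part varies, so look at every
# root folder named recycle.* (-Force includes hidden and system folders).
$candidates += @(
    Get-ChildItem -LiteralPath "$env:SystemDrive\" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'recycle.*' } |
        ForEach-Object { Join-Path $_.FullName 'recycle.exe' }
)

foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $findings += "FILE  $path"
    }
}

# --- Registry values (key path and value name as given on this page) ---
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'nwizs' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'nwizs' },
    @{ Key = 'HKLM:\SAM'; Name = 'SAMP' }
)

foreach ($check in $regChecks) {
    # A missing key or value is not an error here, it just means "not found".
    $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "REG   $($check.Key)\$($check.Name) = $($item.($check.Name))"
    }
}

if ($findings.Count -eq 0) {
    'No W32.Queshare indicators from this page were found.'
} else {
    $findings
}
```

Each FILE or REG line in the output corresponds to one entry from the lists above and marks an item to clean in steps 3 and 4 of the manual removal.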
Alternative Removal Method for W32.Queshare
Option 1: Use Windows System Restore to return Windows to a previous state
If W32.Queshare enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before W32.Queshare infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore; click here to see the full procedure.