
Sunday, July 13, 2008

How To Remove infostealer pws-yahmali Virus

Today I got a mail from John stating that he wanted to remove the pws-yahmali virus, so I have researched the removal of this virus. McAfee's detection center calls it PWS-Yahmali trojan and Symantec calls it Infostealer.Yahmali. Its risk level is very low, and it is only a password stealer: it attempts to steal the password of Yahoo! Messenger (for whichever user logs in) and sends it to hxxp://www.ilam-mind-makers.com.

How It Infects The System

The Trojan may be downloaded or may arrive in spammed email as one of the following files:

  • %Temp%\services.exe
  • %Temp%\LSASS.EXE
  • %Temp%\SMSS.EXE
  • %Temp%\CSRSS.EXE
  • %Temp%\WINLOGON.EXE

Once executed, the Trojan creates one of the following files:
%CurrentFolder%\[RANDOM FILENAME]

It also creates and modifies some registry keys.

The Trojan specifically checks for Yahoo! Messenger with the following text in the window title:
Yahoo! Messenger with Voice (BETA)

How to remove pws-yahmali

First of all, I would strongly suggest that all users have a good antivirus installed on their systems so that the chance of a malware infection is as low as possible. Here is my article on how to get a 6-month trial of Kaspersky Internet Security.

After scanning with an antivirus, follow the instructions below to remove pws-yahmali completely:

  1. Disable System Restore (How to disable system restore)
  2. Clean all the temporary files on the system. Use CCleaner to clean your system. You can use the third cleaning method, which is described in the following article (How To Edit Run Command History).
  3. Delete the following registry keys: (Go to Start –> Run –> regedit and find the following key and delete it)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"shell" = "explorer.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[ORIGINAL TROJAN FILENAME].exe [RANDOM CHARACTERS]""
  4. Run the following commands: (Go to Start –> Run and copy and paste the following commands one by one):

REG add HKCU\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f

REG add HKCU\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
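Two of the indicators above lend themselves to a quick offline check: the dropped file borrows the name of a core Windows process (services.exe, lsass.exe, smss.exe, csrss.exe, winlogon.exe) but runs from %Temp% instead of System32, and the Winlogon "shell" value gains an extra program after the default "explorer.exe". The script below is an added example written for this post, not code from the original article or from any vendor; it takes a list of process image paths and a Shell value as plain strings (for instance exported from the machine being cleaned) and reports what a responder would want to look at. The process names come from the list above, the System32 location and the "explorer.exe" default are standard Windows facts, and the sample data at the bottom is constructed for the demonstration.

```python
import ntpath

# Names the post lists for the dropped file. The genuine processes with these
# names live only in %SystemRoot%\System32, so a copy anywhere else (for
# example %Temp%) is a masquerade worth flagging.
SYSTEM_PROCESS_NAMES = {"services.exe", "lsass.exe", "smss.exe",
                        "csrss.exe", "winlogon.exe"}


def is_masquerading_process(image_path, system_root=r"C:\Windows"):
    """True if image_path borrows a core Windows process name but does not
    live in System32. Comparison is case-insensitive and slash-agnostic."""
    norm = ntpath.normcase(image_path)          # lower-case, backslashes only
    name = ntpath.basename(norm)
    if name not in SYSTEM_PROCESS_NAMES:
        return False
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    return ntpath.dirname(norm) != expected_dir


def find_masquerading(image_paths, system_root=r"C:\Windows"):
    """Return the subset of image_paths that is_masquerading_process flags."""
    return [p for p in image_paths if is_masquerading_process(p, system_root)]


def _split_cmdline(value):
    """Split a Windows-style command line on whitespace, honouring double
    quotes (which are stripped); backslashes are not escape characters."""
    tokens, cur, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def audit_winlogon_shell(value):
    """Return every token of the Winlogon 'Shell' value that is not the single
    default entry 'explorer.exe'. An empty list means the value is clean."""
    tokens = _split_cmdline(value)
    return [t for i, t in enumerate(tokens)
            if not (i == 0 and t.lower() == "explorer.exe")]


# Constructed sample data (not taken from a real machine): a process list as
# one might export it, and a Shell value shaped like the one quoted above.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CSRSS.EXE",
    r"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe",
]
SAMPLE_SHELL_VALUE = r'explorer.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe" xk3q'

if __name__ == "__main__":
    for path in find_masquerading(SAMPLE_PROCESSES):
        print("suspicious process image:", path)
    for extra in audit_winlogon_shell(SAMPLE_SHELL_VALUE):
        print("unexpected Winlogon Shell entry:", extra)
```

The Shell check deliberately reports the extra tokens rather than judging them, because the only entry that belongs there on a stock installation is explorer.exe; whatever follows it is what the cleanup step above is meant to get rid of.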

This is all you have to do. If you are still having problems, please let me know. Also share your experiences in the comments.
