How To Remove infostealer pws-yahmali Virus

How It Infects The System

The Trojan may be downloaded or may arrive in spammed email as one of the following files:

  • %Temp%\services.exe
  • %Temp%\LSASS.EXE
  • %Temp%\SMSS.EXE
  • %Temp%\CSRSS.EXE
  • %Temp%\WINLOGON.EXE

Once executed, the Trojan creates the following file:
%CurrentFolder%\[RANDOM FILENAME]

It also creates and modifies some registry keys.

The Trojan specifically checks for Yahoo! Messenger with the following text in the window title:
Yahoo! Messenger with Voice (BETA)

How to remove pws-yahmali

First of all, I would strongly suggest that all users have a good antivirus installed on their systems so that the chance of a malware infection is as small as possible.

After scanning with an antivirus, follow the instructions below to remove pws-yahmali completely:

  1. Disable System Restore (How to disable system restore)
  2. Clean all the temporary files on the system. Use CCleaner to clean your system.
  3. Delete the following registry keys: (Go to Start –> Run –> regedit and find the following key and delete it)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"shell" = "explorer.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\[ORIGINAL TROJAN FILENAME].exe [RANDOM CHARACTERS]""
  4. Run the following commands: (Go to Start –> Run and copy and paste the following commands one by one):

REG add HKCU\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f

REG add HKCU\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
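As an added example that is not part of the original post, the following Python check encodes the two indicators described above so they can be verified against exported data: a Winlogon Shell value that launches anything beyond explorer.exe, and core-process file names (services.exe, LSASS.EXE, SMSS.EXE, CSRSS.EXE, WINLOGON.EXE) sitting in a Temp folder rather than in System32. The paths and file names in the sample data are constructed, not taken from a real system.

```python
import ntpath
import re
from typing import List

# File names the write-up lists for the dropped copies in %Temp%; they imitate
# core Windows processes, which normally live in %SystemRoot%\System32.
MASQUERADE_NAMES = {"services.exe", "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe"}

# A quoted path (possibly with spaces) or a bare token; commas separate entries.
_TOKEN = re.compile(r'"[^"]*"|[^\s,]+')


def winlogon_shell_findings(shell_value: str) -> List[str]:
    """Return every program the Winlogon Shell value launches besides explorer.exe.

    A clean value is exactly "explorer.exe"; the Trojan appends its own
    %Temp% path (plus random arguments) so it is started at every logon.
    """
    findings = []
    for token in _TOKEN.findall(shell_value):
        token = token.strip('"').strip()
        if token and token.lower() != "explorer.exe":
            findings.append(token)
    return findings


def masquerading_temp_files(paths: List[str]) -> List[str]:
    """Flag files in a Temp directory that carry a core-process name."""
    flagged = []
    for path in paths:
        folder, name = ntpath.split(path)
        if name.lower() in MASQUERADE_NAMES and "\\temp" in folder.lower():
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    # Constructed sample data (hypothetical names, not real indicators).
    shell = r'explorer.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\abcd1234.exe qwe9"'
    listing = [
        r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SMSS.EXE",
        r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF1234.tmp",
        r"C:\WINDOWS\system32\smss.exe",  # legitimate location, not flagged
    ]
    print("Shell extras:", winlogon_shell_findings(shell))
    print("Masquerading files:", masquerading_temp_files(listing))
```

Feed the Shell value from a `reg query` or `.reg` export and a directory listing of the user's Temp folder; an empty result from both functions means neither indicator from this write-up is present.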

This is all you have to do. If you are still having problems, please let me know. Also, share your experiences in the comments.

References:

Symantec
McAfee
