Today I got a mail from John stating that he wanted to remove pws-yahmali virus. So I have researched on the removal of this virus. McAfee detection center calls it pws-yahmali trojen and Symantec calls it infostealer.yahmali. It’s risk level is very low. And it’s only a password stealer. It attempts to steal the password of the yahoo messenger (whichever user logs in) and sends to hxxp://www.ilam-mind-makers.com.
How It Infects The System
The Trojan may be downloaded or may arrive in spammed email as one of the following files:
- %Temp%services.exe
- %Temp%LSASS.EXE
- %Temp%SMSS.EXE
- %Temp%CSRSS.EXE
- %Temp%WINLOGON.EXE
Once executed, the Trojan creates one of the following file:
%CurrentFolder%[RANDOM FILENAME]
It also creates and modifies some registry keys.
The Trojan specifically checks for Yahoo! Messenger with the following text in the window title:
Yahoo! Messenger with Voice (BETA)
How to remove pws-yahmali
First of all I would strongly suggest that all the users should have a good antivirus installed in their systems so that chance of malware is as less as possible. Here is my article of how to get a 6 months trial of Kaspersky Internet Security.
After scanning with an antivirus, follow the instructions below to remove pws-yahmali completely:
- Disable System Restore (How to disable system restore)
- Clean all the temporary files on the system. Use CCleaner to clean your system. You can use the third method of cleaning which is described in the following article (How To Edit Run Command History)
- Delete the following registry keys: (Go to Start –> Run –> regedit and find the following key and delete it)
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon”shell” = “explorer.exe “C:DOCUME~1ADMINI~1LOCALS~1Temp[ORIGINAL TROJAN FILENAME].exe [RANDOM CHARACTERS]“ - Run the following commands: (Go to Start –> Run and copy and paste the following commands one by one):
REG add HKCUsoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced /v HideFileExt /t REG_DWORD /d 1 /f
REG add HKCUsoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
This is all you have to do. If you are still having problems, please let me know. Also share your experiences in comments
References:
Got computer/technical problems? Get FREE help from Technize Forums
hi
i just want to know which anitvirus is best nod 32 or any other
i use ur smart antivirus but some time use it can detect virus but it cant remove why this problem
adnan, it’s up to your satisfaction whichever antivirus you like. Anyways, you can see my article about how to get 6 months trial of kaspersky internet security.
http://www.technize.com/2008/0.....hs-trials/
And please note that smart antivirus can only detect and remove a few well known viruses. It should not be used as a regular antivirus.
Hmm, thats all a bit confusing. I got to the part of finding shell or whatever but confused from there. Any help appreciated. Thanks