Yahoo Password Stealer Infection – Remove infostealer pws-yahmali Virus

Posted on December 8th, 2009

McAfee's detection center calls it the pws-yahmali Trojan and Symantec calls it infostealer.yahmali. Its risk level is very low, and it is only a password stealer. It attempts to steal the Yahoo! Messenger password (whenever the user logs in) and may send it to ilam-mind-makers [dot] com.

System Infection

The Trojan may be downloaded or may arrive in spammed email as one of the following files:


Once executed, the Trojan creates the following file:
%CurrentFolder%\[RANDOM FILENAME]

It also creates and modifies some registry keys.

The Trojan specifically checks for Yahoo! Messenger with the following text in the window title:

Yahoo! Messenger with Voice

Remove pws-yahmali – Solution

Run a thorough system scan with any antivirus software. After scanning with an antivirus, follow the instructions below to remove pws-yahmali completely:
1. Disable System Restore.
2. Clean all the temporary files on the system. Use CCleaner to clean your system.
3. Delete the following registry keys:
   Go to Start -> Run -> regedit, then find the following keys and delete them.
4. Run the following commands:
   Go to Start -> Run and copy and paste the following commands one by one:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
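
To confirm the two Explorer values before and after running the commands above, the following PowerShell script (an added example, not part of the original post) reads them for the current user and reports any that differ from the values those commands write. The function name Test-ExplorerValue and the -Fix switch are hypothetical names chosen for this example.

```powershell
# Added example: audit (and optionally reset) the two Explorer values that the
# REG commands in this article write. Expected values come from those commands.
param([switch]$Fix)   # hypothetical switch: also write back the expected values

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$expected = [ordered]@{
    HideFileExt     = 1   # "/d 1" in the first REG command
    ShowSuperHidden = 0   # "/d 0" in the second REG command
}

function Test-ExplorerValue {
    param([string]$Path, [string]$Name, [int]$Want)
    # A missing key or value yields no object instead of a terminating error
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $have = $null
    if ($null -ne $item) { $have = $item.$Name }
    $shown = '<not set>'
    if ($null -ne $have) { $shown = $have }
    [pscustomobject]@{
        Name     = $Name
        Expected = $Want
        Actual   = $shown
        Match    = ($null -ne $have) -and ([int]$have -eq $Want)
    }
}

$report = foreach ($name in $expected.Keys) {
    Test-ExplorerValue -Path $key -Name $name -Want $expected[$name]
}
$report | Format-Table -AutoSize | Out-String | Write-Output

if ($Fix) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($row in $report | Where-Object { -not $_.Match }) {
        # Same effect as: REG add ... /v <name> /t REG_DWORD /d <value> /f
        New-ItemProperty -Path $key -Name $row.Name -Value $row.Expected `
            -PropertyType DWord -Force | Out-Null
        Write-Output "Reset $($row.Name) to $($row.Expected)"
    }
}
```

Run it without arguments to get a read-only report; a row with Match = False after cleanup means the value was changed again and the system should be rescanned.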

That’s it.
Stay Clean.
