December 28, 2008 / technocrawl

How to Remove ‘Yannh.cmd Trojan’


“yannh.cmd” is a Trojan that often spreads widely from external storage media such as USB drives, CDs and DVDs by injecting entries into the autorun.inf file.

When I explored my autorun.inf, I found a few autorun entries made by “Yannh.cmd”, like this:

open=yannh.cmd
shell\open\Command=yannh.cmd
shell\explore\Command=yannh.cmd

You can’t directly edit the autorun.inf file while it is currently running. Also note that the file’s attribute is set to read-only, so you have to revoke that first before proceeding.

How can I identify whether my computer is infected?

Open up your command prompt and type:

cd\
dir /a


dir /a lists all files in the drive’s root directory, including the hidden ones.

“Yannh.cmd” makes some registry entries at the following path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kamsoft
and has its source file in the system32 directory with the name Kamsoft.
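
The checks above can be run in one pass. This is an added example, not part of the original post: a read-only PowerShell triage that lists launch entries in every drive's autorun.inf, hidden files in each drive root, and the Run value. The function name Get-AutorunTarget is hypothetical, and the script assumes "kamsoft" is a value name under the Run key.

```powershell
# Added example (not from the original post). Read-only: it reports, deletes nothing.
# Autorun keys that launch a program: open=, shellexecute=, shell\<verb>\command=
$entryPattern = '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$'

function Get-AutorunTarget {   # hypothetical helper name
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # -match is case-insensitive, so "Command=" and "command=" both hit
        if ($line -match $entryPattern) {
            [pscustomobject]@{ Key = $Matches[1]; Target = $Matches[2] }
        }
    }
}

# Constructed sample: the three entries quoted in the post plus a harmless icon line
$sample = '[autorun]', 'open=yannh.cmd', 'shell\open\Command=yannh.cmd',
          'shell\explore\Command=yannh.cmd', 'icon=drive.ico'
Get-AutorunTarget -Lines $sample |
    ForEach-Object { "sample: $($_.Key) -> $($_.Target)" }

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    # 1. Launch entries in autorun.inf at the root of the drive
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Get-AutorunTarget -Lines (Get-Content -LiteralPath $inf) |
            ForEach-Object { "autorun: $inf : $($_.Key) -> $($_.Target)" }
    }
    # 2. Hidden files in the drive root (what "dir /a" reveals)
    Get-ChildItem -LiteralPath $drive.Root -File -Hidden -ErrorAction SilentlyContinue |
        ForEach-Object { "hidden: $($_.FullName) [$($_.Attributes)]" }
}

# 3. The Run value named in the post (assumed to be a value under the Run key)
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['kamsoft']) {
    "run: kamsoft -> $($run.kamsoft)"
}
```

Any "autorun:" line whose target you do not recognise, or a "run:" line, is a reason to go through the removal steps.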

Here is how to get rid of this Trojan.

Step 1:

It is always recommended to back up your registry before touching it. After a successful backup,
go to the path below

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kamsoft
and delete Kamsoft.

Step 2:

Open up the command prompt and type the following:

cd\
attrib -r -s -h yannh.cmd
del yannh.cmd

This will delete the yannh.cmd file.

Step 3:

Now you have to delete kamsoft.exe from your system32 directory. Just type the commands below in the command prompt.

cd\
cd C:\WINDOWS\system32
attrib -r -s -h kamsoft.exe
del kamsoft.exe

Step 4:

Now you can edit the autorun.inf file to remove the entries added by yannh.cmd:

cd\
attrib -r -h -s autorun.inf
edit autorun.inf

Delete every line that mentions yannh.cmd and save the changes.
Now you are done with it.

There are similar files that you must be aware of.

