Look… Another lame virus maker… this virus not dangerous at all but it surelly can make you a little anger when your computers slow down and some configuration changed. Mahadewa virus has been created using visual basic scripting (not visual basic) it can simple deactivated by easily rename/deleted wscript.exe in your system32 folders.

This lame virus maker really noob hehehe.. he’s created a BIG size virus, LOL! usually virus has small size to help them spreaded fast but this one really crazy he have a BIG size that make me laugh really hard today.


Wait! I think I know this virus creator here’s him!


Hahaha… I just joking don’t take it seriously people…

How to know your computer infected by mahadewa virus:

1. Your internet explorer header changed.


2. Your internet explorer start page changed to “http://webkom”

3. Your computer name and organization changed.


Mahadewa Virus Master:

Because this virus using visual basic scripting surelly he will need supported files wscript.exe, when virus active he will try to created files %systemroot%\system32\WinXp.vbs and \MaHaDeWa.dll.vbs (in all root drive)

Virus will changed your registry and make them start each time your computer active, beside that virus will created and using autorun.inf files to help him spreading.


This virus will make your system restore suspended


How to Remove MaHaDeWa VBS.Autorun.AM using manual technique:

1. Kill wscript.exe from your computer process. you can use any 3rd party tools to doing this if your task manager disabled by virus. Here is one free currprocess.


2. Repair your registry using this code bellow or download repair.inf



HKLM, Software\CLASSES\batfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”””%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, “About:blank”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, “Organization”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, “Owner”
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255

HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeCaption
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeText
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, NoChangingWallpaper
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoControlPanel
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoLogOff

3. Deleted virus master, before doing this make sure you showing all hidden files back, then use search function to help you find them faster. Then deleted this files:

  • \MaHaDeWa.dll.vbs (all drive)
  • \autorun.inf (all drive)
  • \Windows\system32\WinXP.dll.vbs

4. Scan with your best antivirus, I recommended to use norman because norman can detected this virus.


5. Done… 😀

Similar Posts:

Related Search Terms:

    Digg Del.icio.us StumbleUpon Reddit Twitter RSS

If you're new here, you may want to subscribe to my RSS feed. You may copy or publish this article to your blog or other site as long you give credit link back to this site article. Thanks for visiting my blog!