Remove MaHaDeWa VBS.Autorun.AM

Look… Another lame virus maker… this virus not dangerous at all but it surelly can make you a little anger when your computers slow down and some configuration changed. Mahadewa virus has been created using visual basic scripting (not visual basic) it can simple deactivated by easily rename/deleted wscript.exe in your system32 folders.

This lame virus maker really noob hehehe.. he’s created a BIG size virus, LOL! usually virus has small size to help them spreaded fast but this one really crazy he have a BIG size that make me laugh really hard today.


Wait! I think I know this virus creator here’s him!


Hahaha… I just joking don’t take it seriously people…

How to know your computer infected by mahadewa virus:

1. Your internet explorer header changed.


2. Your internet explorer start page changed to “https://webkom”

3. Your computer name and organization changed.


Mahadewa Virus Master:

Because this virus using visual basic scripting surelly he will need supported files wscript.exe, when virus active he will try to created files %systemroot%\system32\WinXp.vbs and \MaHaDeWa.dll.vbs (in all root drive)

Virus will changed your registry and make them start each time your computer active, beside that virus will created and using autorun.inf files to help him spreading.


This virus will make your system restore suspended


How to Remove MaHaDeWa VBS.Autorun.AM using manual technique:

1. Kill wscript.exe from your computer process. you can use any 3rd party tools to doing this if your task manager disabled by virus. Here is one free currprocess.


2. Repair your registry using this code bellow or download repair.inf



HKLM, Software\CLASSES\batfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”””%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, “About:blank”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, “Organization”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, “Owner”
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255

HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeCaption
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeText
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, NoChangingWallpaper
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoControlPanel
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoLogOff

3. Deleted virus master, before doing this make sure you showing all hidden files back, then use search function to help you find them faster. Then deleted this files:

  • \MaHaDeWa.dll.vbs (all drive)
  • \autorun.inf (all drive)
  • \Windows\system32\WinXP.dll.vbs

4. Scan with your best antivirus, I recommended to use norman because norman can detected this virus.


5. Done… 😀

Similar Posts:


1 thought on “Remove MaHaDeWa VBS.Autorun.AM”

  1. komis komputerowy

    Excellent publish. I’d been checking out continually this web site exactly what amazed! Invaluable info especially the left over component 🙂 I actually contend with similarly info very much. I’m trying to get the following specific data for your long time. Appreciate it and finest connected with good fortune.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.