Mahsa virus

Detailed solution coming soon… be in touch… 

<this is 20-11-2007>

sorry for late posting…. (i was busy with my studies.. :))  here it is…

Mahsa / ‘New Folder.exe’ / ‘Top Pictures.exe’ / ‘Windows Explorer.exe’ virus

DOWNLOAD

Heal for mahsa newfolder 

 

Virus File
File Name: New Folder.exe  (inside all folders)
File Name: Top Pictures.exe  (shared documents)
File Name: Windows Explorer.exe (C:\windows)

Icon:  Looks like a Folder
Type:  Application
Size:  104KB/112KB
FileVersion: 1.0.0.0
Internal Name: Mahsa
OriginalFileName: Mahsa.exe
Product Version: 1.00

Recognized by antivirus
Trojan.Win32.VB.aol 
Worm.P2P.Generic

Symptoms
You will find New Folder.exe inside every folder.
You cannot open system utilities like Task Manager, Regedit, Msconfig; each one opens and suddenly closes.
You cannot open folders with names like antivirus, .exe, etc.; they open and suddenly close.

Behind the Screen
Creates a file: C:\windows\Windows Explorer.exe
Creates a file: C:\Documents and Settings\All Users\Documents\Top Pictures.exe
Creates New Folder.exe in every folder you open

ModifyRegValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
ModifyRegValue: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPath
ModifyRegValue: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

Adds to the startup item
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
Value: C:\WINDOWS\Windows Explorer.exe

Solution
Thank god it doesn't disable the command prompt 😉

END TASK::
1. Start>Run
taskkill /f /t /im "New Folder.exe"
2. Start>Run
taskkill /f /t /im "Windows Explorer.exe"
3. Start>Run
taskkill /f /t /im "Top Pictures.exe"
(if you get an error like "windows cannot find taskkill", copy the file taskkill to your X:\windows\system32 directory)

REGISTRIES::
1. Start>Run
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Explorer
2. Start>Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0

DELETE FILES::
1. Start>Run>cmd
del /a /f "C:\windows\Windows Explorer.exe"
2. Start>Run>cmd
del /a /f "C:\Documents and Settings\All Users\Documents\Top Pictures.exe"

DELETE New Folder.exe : (updated on 28 Jan, 2008)
del "C:\New Folder.exe" /a /s /f /p
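
Before running the recursive delete, it helps to list what actually matches. The Python sketch below is an added example, not part of the original post or of the heal tool: it sweeps a folder tree for the three file names listed above and, to catch renamed copies, for executables carrying the "Mahsa" version string. The function names and the constructed sample tree (harmless stand-in bytes) are assumptions for illustration.

```python
import os
import tempfile

# Indicators from the write-up: the dropped file names, plus the version
# strings (InternalName "Mahsa", OriginalFileName "Mahsa.exe"), which PE
# version resources store as UTF-16LE.
DROPPED_NAMES = {"new folder.exe", "top pictures.exe", "windows explorer.exe"}
VERSION_MARKER = "Mahsa".encode("utf-16-le")

def classify(path):
    """Return the indicators ("name", "version-info") that a file matches."""
    hits = []
    if os.path.basename(path).lower() in DROPPED_NAMES:
        hits.append("name")
    try:
        with open(path, "rb") as fh:
            data = fh.read(1024 * 1024)  # samples are ~104-112 KB
    except OSError:
        return hits  # locked or unreadable: report the name match only
    if data.startswith(b"MZ") and VERSION_MARKER in data:
        hits.append("version-info")
    return hits

def scan(root):
    """Walk root and return {relative path: indicators} for matching files."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            hits = classify(full)
            if hits:
                found[os.path.relpath(full, root)] = hits
    return found

def demo():
    """Scan a constructed tree; the 'samples' are harmless stand-in bytes."""
    fake_pe = b"MZ" + b"\x00" * 64 + "Mahsa.exe".encode("utf-16-le")
    tree = {"New Folder.exe": fake_pe, "docs/holiday.exe": fake_pe,
            "docs/Top Pictures.exe": b"plain text", "notes.txt": b"Mahsa"}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        for rel, body in tree.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Call scan() on a drive root or a flash drive to get the list. A "version-info" hit on a file with an unrelated name is the case the name-based del command would miss.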


48 Responses to “Mahsa virus”

  1. pradeep Says:

    Thank you so much………. Your Antivirus softwares, i called them warriors…….are really great!

  2. Mirza Says:

    THANK YOU SO MUCH!!

    The new folder thing was bugging me so much….Really though, i wanna thank whoever made this….Lifesavers!

  3. aenna Says:

    hello sir.. i really appreciate your help for all of us…..
    i had this virus new folder.exe and regsvr.exe ….. in my pc through my
    flash drive….. first i opened task manager.. and ended these(folder.exe and regsvr.exe).. from there… then happen to find ur heal s/w.. nd used them….
    will they b removed completely????

  4. aenna Says:

    and sir… i also formatted my flash drive…… before using your heal s/w….nd after ending the “folder.exe and regsvr.exe” from the task manager…..
    nd now my flash drive is completely empty but… it shows 4kb of used space.. which was not so earlier… what is this sir??? can u plz help me out..at viola_orra@yahoo.com???

  5. ajay Says:

    hello i followed the steps but when i try to delete with command del /a /f “C:\windows\Windows Explorer.exe”
    i get Access Denied msg

    help me ! plz

  6. pratipal Says:

    u r genius…man …thanks…i was wondering that there is win32.sality but after removing new folder.exe i can install antivirus and can open antivirus web sites

  7. basilis Says:

    doesn't work for me
