Mahsa virus
Detailed solution coming soon… be in touch…
<this is 20-11-2007>
Sorry for the late posting…. (I was busy with my studies.. :)) Here it is…
Mahsa / ‘New Folder.exe’ / ‘Top Pictures.exe’ / ‘Windows Explorer.exe’ virus
DOWNLOAD
Virus File
File Name: New Folder.exe (inside all folders)
File Name: Top Pictures.exe (shared documents)
File Name: Windows Explorer.exe (c:\windows)
Icon: Looks like a Folder
Type: Application
Size: 104KB/112KB
FileVersion: 1.0.0.0
Internal Name: Mahsa
OriginalFileName: Mahsa.exe
Product Version: 1.00
Recognized by antivirus
Trojan.Win32.VB.aol
Worm.P2P.Generic
Symptoms
You will find New Folder.exe inside every folder.
You cannot open system utilities like Task Manager, Regedit, Msconfig; each opens and suddenly closes.
You cannot open folders with names like antivirus, .exe, etc.; they open and suddenly close.
Behind the Screen
Creates a file: C:\windows\Windows Explorer.exe
Creates a file: C:\Documents and Settings\All Users\Documents\Top Pictures.exe
Creates New Folder.exe in every folder you open
ModifyRegValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
ModifyRegValue: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPath
ModifyRegValue: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
Adds to the startup item
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
Value: C:\WINDOWS\Windows Explorer.exe
Solution
Thank god it doesn't disable the command prompt 😉
END TASK::
1. Start>Run
taskkill /f /t /im "New Folder.exe"
2. Start>Run
taskkill /f /t /im "Windows Explorer.exe"
3. Start>Run
taskkill /f /t /im "Top Pictures.exe"
(if you get some error like "windows cannot find taskkill", copy the file taskkill to your X:\windows\system32 directory)
REGISTRIES::
1. Start>Run
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Explorer
2. Start>Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0
DELETE FILES::
1. Start>Run>cmd
del /a /f "C:\windows\Windows Explorer.exe"
2. Start>Run>cmd
del /a /f "C:\Documents and Settings\All Users\Documents\Top Pictures.exe"
DELETE New Folder.exe : (updated on 28Jan,2008)
del "C:\New Folder.exe" /a /s /f /p
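A detection sketch for the indicators listed in this write-up, added here as an example (it is not the author's heal tool): it walks a directory tree and flags files that carry one of the three dropped names and begin with the "MZ" executable header, grading each hit by whether its size matches the 104KB/112KB reported above. The function names, the round-up-to-KB rule and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# File names and Explorer-reported sizes (KB) taken from the write-up above.
DROPPED_NAMES = {"new folder.exe", "top pictures.exe", "windows explorer.exe"}
REPORTED_KB = {104, 112}

def size_in_kb(num_bytes):
    # Assumption: Explorer's size column rounds up to the next whole KB.
    return -(-num_bytes // 1024)

def scan(root):
    """Return sorted (relative path, verdict) pairs for files matching the listed names."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in DROPPED_NAMES:
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(2) != b"MZ":  # right name, not an executable image
                        continue
                kb = size_in_kb(os.path.getsize(path))
            except OSError:
                continue  # unreadable, or removed while scanning
            verdict = "name+size" if kb in REPORTED_KB else "name-only"
            hits.append((os.path.relpath(path, root), verdict))
    return sorted(hits)

def build_sample_tree(root):
    # Constructed sample data: zero-filled dummy files, no real malware content.
    os.makedirs(os.path.join(root, "docs", "New Folder"))  # a genuine folder
    samples = {
        "New Folder.exe": b"MZ" + b"\0" * (104 * 1024 - 2),
        os.path.join("docs", "New Folder.exe"): b"MZ" + b"\0" * (112 * 1024 - 2),
        os.path.join("docs", "Top Pictures.exe"): b"MZ" + b"\0" * 10,
        os.path.join("docs", "Windows Explorer.exe"): b"plain text",
        os.path.join("docs", "setup.exe"): b"MZ" + b"\0" * (104 * 1024 - 2),
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

A "name-only" hit has the right name and header but a different size, so check its version properties (Internal Name: Mahsa) before treating it as this virus.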
DOWNLOAD
Heal for mahsa newfolder
Download Page for other heals
18 March, 2008 at 3:02 pm |
Install “Trojan Remover”, update it, start Windows in “Safe Mode” and run “Trojan Remover”. It will do the rest for you.
Then search each drive for exe files which have 603 kB file size. Delete them.
22 March, 2008 at 10:59 am |
SIVA
Check the properties of the folder virus; if it is any one whose solution is given on some of the pages, then go for the solution.
Or else mail me the virus file.
24 March, 2008 at 3:54 pm |
Hello…. thanks for your solutions….
but I'm struggling with another “New folder” virus
and its name is “Nhatghulan” and it's also in my flash drive
and in phone memory card….
What should I do….?
Please give me a solution as soon as possible….
1 April, 2008 at 2:00 pm |
NIZZA
check out my heal for pen drive,
a GUI version will be uploaded by today evening…
1 April, 2008 at 3:46 pm |
What GUI version…..???
2 April, 2008 at 3:58 pm |
I have removed the link to that .bat file. Now you can use the new version.. : )
Its available now. Download it.
6 April, 2008 at 12:01 am |
Thanks a lot Piyushlabs …. it was of immense help you have provided us to counter the virus … I thank you a lot … superb, great job ….
7 April, 2008 at 7:28 am |
One more thing, I can't open my task manager and I can't see my hidden files and folder by this newfolder.exe virus
7 April, 2008 at 5:00 pm |
PATEL
Which new folder virus is that? Check its properties and reply back.
Use heal for ssvichosst for enabling task manager and heal pen drive (1st part only, i.e. fix registries) for making hidden folders visible.
13 April, 2008 at 3:29 pm |
thanks but my problem is not solved
14 April, 2008 at 8:46 pm |
BADRI
which problem is still persisting…?
16 April, 2008 at 6:22 am |
Hi Piyush,
Thanks for such informative posts, I am struggling with a virus which when double clicked,
1. If run from other systems such as laptops selective .exe files get deleted.
2. A folder called “new folder” (though showing executable properties) is getting copied to the individual partitions of the system.
3. Folder size is fixed 283 kb.
4. It disables the “run” from windows menu.
5. It disables the taskmgr too.
6. It creates a file called lssas.exe under c:\windows\system.
Please help
19 April, 2008 at 6:53 pm |
SOUVIK
Tell me the complete details (properties) of those files New Folder.exe and lsass.exe
3 May, 2008 at 4:47 pm |
Please give me solutions for New floder.exe
5 May, 2008 at 5:55 pm |
Mr. Piyush, your site is too good but I needed the boot.vbs removal
tool, so can you provide the tools
11 May, 2008 at 9:14 pm |
Hi
I am facing a very critical problem, my PC contains a lot of important documents. Recently I got one virus which creates MY PICTURE.EXE in a folder and is changing Word document file type; it is not showing the Task Manager, Control Panel, RUN and I am unable to restart my PC in safe mode also.
I have tried all available antiviruses but none of them detected it.
Please could you help me by providing a solution
12 May, 2008 at 1:21 pm |
ANIL
right click edit on the file boot.vbs and mail me the contents to piyushlabs@gmail.com
AVIS
send me the virus file
use processxp from sysinternals.com to end task the virus
run my heal_antivirus to repair registries after removing the virus
23 May, 2008 at 2:00 am |
thanx a lot dude ….. u rock !
17 June, 2008 at 3:01 am |
I have a problem.. in my Novell NetWare 5 server, if I have a folder named kk, automatically a new file kk.exe is created
18 June, 2008 at 2:14 pm |
KOLLI
Many viruses create such files..
like brontok, regsvr.exe, mahsa virus, etc..
Try self troubleshooting,
probably you will fix it yourself,
if not then contact me again