This virus infected my cybercafe server on 25/05/2009. I'm not sure where this virus came from; it looks like it came from one of my users' flash disks in my cybercafe. After studying it, I'm sure this virus can be removed using a manual technique.

This virus's script is almost the same as bulubebek; I think the creator is the same person. Some people on forums said this virus is a reincarnation of bulubebek. Sadly, most antivirus companies didn't detect this virus: the only one that could detect it was SMADAV, though Norman also detects it as W32/VBTroj.AOQB.

Nadia Saphira virus characteristics:

  • File size 17kb and 69kb
  • File type "Application"
  • File extensions .exe and .ini
  • Uses a folder icon
  • Creates a duplicate (fake) folder based on the folder name and hides the real folder
  • Removes Folder Options
  • CD-ROM can't be used
  • Command Prompt can't be accessed
  • Registry Editor can't be opened

Like the bulubebek virus, Nadia Saphira was created using Visual Basic. If the virus succeeds in infecting your system it creates the following files:

  • autorun.inf (on the root of all drives)
  • NadiaSaphira.ini (on the root of all drives)
  • Documents and Settings\All Users\Start Menu\Programs\Startup\lan.exe
  • Documents and Settings\%User%\NadiaSaphira.ini
  • WINDOWS\taskmgr.exe
  • WINDOWS\system32\.exe
  • WINDOWS\system32\allsys.exe
  • WINDOWS\system32\misconfig.exe
  • WINDOWS\system32\MS586.sys
  • WINDOWS\system32\System
  • WINDOWS\system32\wtoolsb.exe
  • WINDOWS\system32\dllcache\.exe
  • WINDOWS\system32\dllcache\System

Like the bulubebek virus, Nadia Saphira hides all your folders and replaces each one with a "fake" folder (an executable with a folder icon) to trick newbies into activating the virus. It also blocks some Windows functions such as Folder Options, Registry Editor, Search/Find, and Command Prompt.

To make the virus harder to remove, its creator changes your registry and creates autorun entries that run when your computer starts up: the first file is lan.exe, which then calls the other files as backups. Take a look at the picture:

[picture: nadia-saphira-virus]

Infection Method:

As I said at the top of the article, this virus uses your flash disk and hijacks the Windows AutoPlay function as its infection method. The virus creates autorun.inf files to spread itself onto your system.

[picture: nadia-saphira-virus-1]

Alright, enough. Let's remove this sh*t *lol*

How to Remove Nadia Saphira Virus W32/VBTroj.AOQB

1. Disconnect your computer from the network.

2. Turn off System Restore during the cleaning process (don't forget to turn it on again once you have removed the virus).

3. Because this virus blocks Task Manager, use the third-party tool CurrProcess. Kill these processes to stop the active virus in your system:

  • Lan.exe
  • misconfig.exe
  • taskmgr.exe

[picture: nadia-saphira-virus-2]

4. Repair your registry using the code below: save it as repair.inf (or download repair.inf), right-click on it and choose "Install". To make sure the new registry settings take effect you can kill explorer.exe and then run it again, but don't restart your computer.

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands and icon for executables and shortcuts,
; clear the Command Processor AutoRun hooks and re-enable "show hidden files".
[UnhookRegKey]
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,"%1"
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKLM, SOFTWARE\Classes\exefile,infotip,0, "prop:FileDescription;Company;FileVersion;Create;Size"
HKLM, SOFTWARE\Classes\exefile,TileInfo,0, "prop:FileDescription;Company;FileVersion"
HKCU, Software\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2

; Delete the policy values that disable Registry Editor, Folder Options and Search,
; and the Image File Execution Options entries the virus uses to hijack these tools.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.exe

5. Remove the virus's children (joke, hehe). Using your advanced search tools, look for the virus with these criteria:

  • Icon: application/folder
  • File type: application
  • File extension: .exe
  • File size: 69 kb & 17 kb
  • NadiaSaphira.ini (all drives)
  • autorun.inf (all drives)

[picture: nadia-saphira-virus-3]

WARNING!!! WARNING!!! WARNING!!! I believe most people find this step hard and get it wrong. Before you delete the wrong files and blame me.... make sure you know the virus characteristics and show all hidden files first! Take a look at the picture first for a virus sample!

If you're not sure, go get the ANSAV antivirus and use its "hidden revealer" plugin to show all hidden files, then search for and terminate the virus children.

Another option: read the file list at the top of the article (the files the virus creates if it succeeds); those should be removed before you restart your computer.

6. Get your hidden files and folders back: Start -> Run -> type cmd -> in the command prompt type "attrib -s -h -r /s /d", or use the simple "hidden revealer" from the ANSAV plugins.

7. Lastly, check with an antivirus that can detect this virus (I recommend Norman, no promotion), then restart your computer and re-scan to make sure no virus is left in your system.
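As an added example that is not part of the original post, here is a report-only Python triage script built from the indicators listed above (the dropped file names, the 17 kb / 69 kb sizes and the fake-folder trick) to help with steps 5 and 7. It scans a constructed sample tree in demo(), so the file names there are made up for illustration; hidden-attribute detection only works on Windows, and nothing is ever deleted.

```python
"""Report-only triage for the Nadia Saphira indicators listed above; nothing is deleted."""
import os
import tempfile

# Sizes quoted in the post (17 kb and 69 kb), with a little slack around each.
SUSPECT_SIZES_KB = (17, 69)
SIZE_SLACK = 1024
# File names the post lists as dropped by the virus (matched case-insensitively).
DROPPED_NAMES = {"nadiasaphira.ini", "autorun.inf", "lan.exe", "misconfig.exe",
                 "allsys.exe", "wtoolsb.exe", "ms586.sys"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows st_file_attributes bit; always unset elsewhere

def is_hidden(path):
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def size_matches(nbytes):
    return any(abs(nbytes - kb * 1024) <= SIZE_SLACK for kb in SUSPECT_SIZES_KB)

def scan(root):
    """Walk root and return sorted (relative_path, reason) pairs for suspect files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_by_lower = {d.lower(): d for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in DROPPED_NAMES:
                hits.append((rel, "name listed as dropped by the virus"))
            elif ext == ".exe" and stem in dirs_by_lower:
                # The fake-folder trick: Photos.exe dropped next to the real Photos folder.
                real = dirs_by_lower[stem]
                tag = "hidden " if is_hidden(os.path.join(dirpath, real)) else ""
                hits.append((rel, f"exe shadows {tag}folder '{real}'"))
            elif ext == ".exe" and size_matches(os.path.getsize(path)):
                hits.append((rel, "exe of suspect size"))
    return sorted(hits)

def demo():
    """Scan a constructed sample tree (made-up names, not a real infection)."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "Photos"))  # the real folder the fake exe mimics
        for name, size in (("Photos.exe", 69 * 1024), ("tool.exe", 17 * 1024 + 200),
                           ("NadiaSaphira.ini", 300), ("setup.exe", 2_000_000), ("notes.txt", 40)):
            with open(os.path.join(base, name), "wb") as f:
                f.write(b"\0" * size)
        return scan(base)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel:20} {reason}")
```

Point scan() at a drive root (for example scan("D:\\")) and review the list against the "show hidden files first" warning above before removing anything.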

Done, have a good day 😀
