This virus infected my cybercafe server on 25/05/2009. I'm not sure where it came from; it looks like it came from a user's flash disk in my cybercafe. After studying it, I'm sure this virus can be removed with a manual technique.
This virus's script is almost the same as bulubebek's, so I think the creator is the same person. Some people in forums said this virus is a reincarnation of bulubebek. Unfortunately, most antivirus companies didn't detect this virus; the only one that can detect it is SMADAV, but Norman also detects it as W32/VBTroj.AOQB.
Nadia Saphira virus characteristics:
- File size 17 KB and 69 KB
- File type “Application”
- File extension .exe and .ini
- Uses a folder icon
- Creates a duplicate folder based on the folder name and hides the real folder
- Removes Folder Options
- CD-ROM can't be used
- Command Prompt can't be accessed
- Registry Editor can't be opened
Like the bulubebek virus, the Nadia Saphira virus was created using Visual Basic. If the virus succeeds in infecting your system, it will create the following files:
- autorun.inf (on all root drive)
- NadiaSaphira.ini (on all root drive)
- Documents and Settings\All Users\Start Menu\Programs\Startup\lan.exe
- Documents and Settings\%User%\NadiaSaphira.ini
- WINDOWS\taskmgr.exe
- WINDOWS\system32\.exe
- WINDOWS\system32\allsys.exe
- WINDOWS\system32\misconfig.exe
- WINDOWS\system32\MS586.sys
- WINDOWS\system32\System
- WINDOWS\system32\wtoolsb.exe
- WINDOWS\system32\dllcache\.exe
- WINDOWS\system32\dllcache\System
Like the bulubebek virus, the Nadia Saphira virus hides all your folders and replaces them with “fake” folders to trick newbies into activating the virus. It also blocks some Windows functions such as Folder Options, Registry Editor, Search/Find, and Command Prompt.
To make the virus harder to remove, its creator changes your registry and creates autorun files that run when your computer starts up. The first file is lan.exe, which then calls the other files as backup. Take a look at the picture…
Infection Method:
As I said at the top of the article, this virus uses your flash disk and hijacks the Windows AutoPlay function as its infection method. The virus creates autorun.inf files to spread itself through your system.
Alright enough let’s remove this sh*t *lol*
How to Remove Nadia Saphira Virus W32/VBTroj.AOQB
1. Disconnect your computer from the network.
2. Turn off System Restore during the cleaning process (don't forget to turn it on again once you have removed the virus).
3. Because this virus blocks your Task Manager, you can use the third-party tool CurrProcess. Kill these processes to stop the active virus in your system:
- Lan.exe
- misconfig.exe
- taskmgr.exe
4. Repair your registry using the code below, saved as repair.inf, or download repair.inf; right-click it, then choose “Install” (to make sure the new registry settings have been applied you can kill explorer.exe then run it again, but don't restart your computer).
[Version]
Signature="$Chicago$"
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
; Restore the default "open" commands for executable file types
[UnhookRegKey]
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
; Restore how .exe files are shown in Explorer
HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,""%1""
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKLM, SOFTWARE\Classes\exefile,infotip,0, "prop:FileDescription;Company;FileVersion;Create;Size"
HKLM, SOFTWARE\Classes\exefile,TileInfo,0, "prop:FileDescription;Company;FileVersion"
; Clear any command that runs automatically when cmd.exe starts
HKCU, Software\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
; Make the "show hidden files" option work again
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
; Delete the policy values and debugger hooks that block Windows tools
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.exe
5. Remove the virus's children (joke, hehe). Using your advanced search tool, look for the virus with these criteria:
- Icon: application/folder
- File type: application
- File extension: .exe
- File size: 69 KB and 17 KB
- NadiaSaphira.ini (all drives)
- Autorun.inf (all drives)
WARNING!!! WARNING!!! WARNING!!! I believe most people find this step hard and get it wrong. Before you delete the wrong files and blame me… make sure you know the virus characteristics and show all hidden files first! Take a look at the picture first for a virus sample!
If you’re not sure, get ansav antivirus and use its “hidden revealer” plugin to show all hidden files again, then search for and terminate the virus children.
Another option: see the file list at the top of the article that the virus creates if it succeeds; those files should be removed before you restart your computer.
6. Get your hidden files and folders back: Start -> Run -> type cmd -> in the Command Prompt window type “ATTRIB -s -h -r /s /d”, or you can simply use the “hidden revealer” from the ansav plugins.
7. Lastly, check with an antivirus that can detect this virus; I recommend Norman (no promotion). Then restart your computer and re-scan to make sure no virus is left in your system.
Done, have a good day
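A read-only triage scan for the indicators listed in step 5, added here as an example and not part of the original post: it flags NadiaSaphira.ini, a root autorun.inf and the programs it launches, and any .exe named after a folder sitting beside it. The function names, the reading of "17kb"/"69kb" as Explorer-style rounded-up sizes, and the autorun.inf keys checked (open, shellexecute) are assumptions.

```python
import math
import os
import sys

SUSPECT_KB = {17, 69}   # file sizes given in the article
HIDDEN = 0x2            # FILE_ATTRIBUTE_HIDDEN (Windows only)

def size_kb(path):
    # Assumption: "17kb"/"69kb" are Explorer-style sizes, i.e. rounded up.
    return math.ceil(os.path.getsize(path) / 1024)

def is_hidden(path):
    # st_file_attributes exists only on Windows; elsewhere this returns False.
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & HIDDEN)

def autorun_targets(path):
    """Return the programs an autorun.inf asks Windows to launch."""
    targets = []
    with open(path, errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets

def scan(root):
    """Walk root and return (reason, item) findings. Nothing is modified."""
    findings = []
    for folder, dirs, files in os.walk(root):
        real_dirs = {d.lower(): d for d in dirs}
        for name in files:
            path = os.path.join(folder, name)
            base, ext = os.path.splitext(name.lower())
            if name.lower() == "nadiasaphira.ini":
                findings.append(("marker", path))
            elif name.lower() == "autorun.inf" and folder == root:
                findings.append(("autorun", path))
                findings += [("autorun-target", t) for t in autorun_targets(path)]
            elif ext == ".exe" and base in real_dirs:
                # Decoy: an .exe named after the folder sitting next to it.
                reason = "folder-decoy"
                if size_kb(path) in SUSPECT_KB:
                    reason += "+size"
                if is_hidden(os.path.join(folder, real_dirs[base])):
                    reason += "+hidden-original"
                findings.append((reason, path))
    return findings

if __name__ == "__main__":
    for reason, item in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:32} {item}")
```

Pass a drive root as the first argument; every finding still needs a manual look before anything is deleted, as the warning in step 5 says.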
November 27th, 2009 at 3:59 AM
My computer got hit by virus 32, please tell me how to get rid of it, thanks
January 13th, 2010 at 2:49 AM
remover shemale by cry