This virus infected my cybercafe server on 25/05/2009. I'm not sure where it came from; it looks like it came from a user's flash disk in my cybercafe. After studying it, I'm sure this virus can be removed manually.
This virus's script is almost the same as bulubebek's, and I think the creator is the same person. Some people in forums said this virus is a reincarnation of bulubebek. Unfortunately, most antivirus companies didn't detect this virus; the only one that can detect it is SMADAV, but Norman also detects it, as W32/VBTroj.AOQB.
Nadia Saphira virus characteristics:
- File size 17kb and 69kb
- File type “Application”
- File extension .exe and .ini
- Using folder icon
- Creates duplicate folders based on the folder names and hides the real folders
- Removes Folder Options
- Can’t use the CD-ROM
- Can’t access command prompt
- Can’t open registry editor
Like the bulubebek virus, the Nadia Saphira virus was created using Visual Basic. If the virus succeeds in infecting your system, it creates the following files:
- autorun.inf (on all root drive)
- NadiaSaphira.ini (on all root drive)
- Documents and Settings\All User\Start Menu\Programs\Startup\lan.exe
- Documents and Settings\%User%\NadiaSaphira.ini
- WINDOWS\taskmgr.exe
- WINDOWS\system32\.exe
- WINDOWS\system32\allsys.exe
- WINDOWS\system32\misconfig.exe
- WINDOWS\system32\MS586.sys
- WINDOWS\system32\System
- WINDOWS\system32\wtoolsb.exe
- WINDOWS\system32\dllcache\.exe
- WINDOWS\system32\dllcache\System
Like the bulubebek virus, the Nadia Saphira virus hides all your folders and replaces them with “fake” folders to trick newbies into activating the virus. It also blocks some Windows functions such as Folder Options, Registry Editor, Search/Find, and Command Prompt.
To make the virus harder to remove, its creator changes your registry and creates autorun files that run when your computer starts up. The first file is lan.exe, which then calls the other files as backups. Take a look at the picture…
Infection Method:
As I said at the top of the article, this virus uses your flash disk and hijacks the Windows AutoPlay function as its infection method. The virus creates autorun.inf files to spread itself through your system.
Alright, enough, let’s remove this sh*t *lol*
How to Remove Nadia Saphira Virus W32/VBTroj.AOQB
1. Disconnect your computer from the network
2. Turn off System Restore during the cleaning process (don’t forget to turn it on again once you have removed the virus)
3. Because this virus blocks your Task Manager, you can use a third-party tool, CurrProcess. Kill these processes to stop the active virus in your system:
- Lan.exe
- misconfig.exe
- taskmgr.exe
4. Repair your registry using the code below, saved as repair.inf, or download repair.inf; right-click on it, then choose “Install” (to make sure the new registry settings have been applied, you can kill explorer.exe and then run it again, but don’t restart your computer)
[Version]
Signature="$Chicago$"
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
; Restore the open commands and display settings for executable file types
[UnhookRegKey]
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,""%1""
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKLM, SOFTWARE\Classes\exefile,infotip,0, "prop:FileDescription;Company;FileVersion;Create;Size"
HKLM, SOFTWARE\Classes\exefile,TileInfo,0, "prop:FileDescription;Company;FileVersion"
; Clear the Command Processor AutoRun values
HKCU, Software\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
; Restore the "show hidden files" option values
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
; Delete the policy values that block Registry Editor, Folder Options and Search,
; and the Image File Execution Options keys listed below
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.exe
5. Remove the virus children (joke hehe). Using your advanced search tool, look for the virus with these criteria:
- Icon application/folder
- File type application
- File extension .exe
- File size 69 kb & 17 kb
- NadiaSaphira.ini (all drive)
- Autorun.inf (all drive)
WARNING!!! WARNING!!! WARNING!!! I believe most people find this step hard and get it wrong. Before you delete the wrong files and blame me…. make sure you know the virus characteristics and show all hidden files first! Take a look at the picture first for a virus sample!
If you’re not sure, get ansav antivirus and use its “hidden revealer” plugin to show all hidden files again, then search for and terminate the virus children.
Another option: as listed at the top of the article, the files the virus creates on a successful infection should be removed before you restart your computer.
6. Get your hidden files and folders back: Start -> Run -> type cmd -> in the command prompt box type “ATTRIB -s -h -r /s /d”, or you can use the simple “hidden revealer” from the ansav plugins.
7. Lastly, check with an antivirus that can detect this virus; I recommend Norman (no promotion). Then restart your computer and re-scan to make sure no virus is left in your system.
Done, have a good day 😀
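For step 5, a report-only scan that applies the search criteria above, added here as an example and not part of the original post: it lists autorun.inf and NadiaSaphira.ini in the scanned root, and .exe files of 17 KB or 69 KB that share a name with a folder next to them. The names `scan`, `is_hidden` and `size_kb`, and the rounding of sizes up to whole KB, are assumptions; the icon is not checked, so review every hit before deleting anything.

```python
import os
import sys

SIZES_KB = {17, 69}                                 # file sizes given in the article
ROOT_ARTIFACTS = {"autorun.inf", "nadiasaphira.ini"}  # dropped on every root drive
HIDDEN, SYSTEM = 0x2, 0x4                           # Windows file attribute bits


def is_hidden(path):
    """True if the hidden or system attribute is set (always False off Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (HIDDEN | SYSTEM))


def size_kb(path):
    """File size rounded up to whole KB (assumed to match the sizes quoted above)."""
    return -(-os.path.getsize(path) // 1024)


def scan(root, hidden=is_hidden):
    """Return sorted (reason, path) findings under root. Nothing is deleted."""
    findings = []
    for name in os.listdir(root):
        if name.lower() in ROOT_ARTIFACTS:
            findings.append(("root artifact", os.path.join(root, name)))
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower(): d for d in dirnames}
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() != ".exe":
                continue
            full = os.path.join(dirpath, fname)
            twin = folders.get(stem.lower())      # folder with the same name
            if twin is None or size_kb(full) not in SIZES_KB:
                continue
            if hidden(os.path.join(dirpath, twin)):
                reason = "decoy exe, real folder hidden"
            else:
                reason = "exe named like sibling folder"
            findings.append((reason, full))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan.py E:\   (defaults to the current directory)
    for reason, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {path}")
```

A hit on autorun.inf alone is not proof of infection, since legitimate removable media also carry that file; the pairing of a hidden folder with a same-named .exe is the stronger sign.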
My computer got the virus 32, please tell me how to remove it, thanks
remover shemale by cry