Nadia Saphira virus characteristics:
- File size: 17 KB and 69 KB
- File type: “Application”
- File extensions: .exe and .ini
- Uses the folder icon
- Creates a duplicate of each folder, named after the folder, and hides the real folder
- Removes Folder Options
- The CD-ROM can’t be used
- The command prompt can’t be accessed
- The registry editor can’t be opened
Like the bulubebek virus, the Nadia Saphira virus was created using Visual Basic. If the virus succeeds in infecting your system, it creates the following files:
- autorun.inf (on all root drive)
- NadiaSaphira.ini (on all root drive)
- Documents and Settings\All User\Start Menu\Programs\Startup\lan.exe
- Documents and Settings\%User%\NadiaSaphira.ini
- WINDOWS\taskmgr.exe
- WINDOWS\system32\.exe
- WINDOWS\system32\allsys.exe
- WINDOWS\system32\misconfig.exe
- WINDOWS\system32\MS586.sys
- WINDOWS\system32\System
- WINDOWS\system32\wtoolsb.exe
- WINDOWS\system32\dllcache\.exe
- WINDOWS\system32\dllcache\System
Like the bulubebek virus, the Nadia Saphira virus hides all your folders and replaces them with “fake” folders to trick newcomers into activating the virus. It also blocks some Windows functions, such as Folder Options, Registry Editor, Search/Find, and Command Prompt.
To make the virus harder to remove, its creator has it change your registry and create autorun files that run when your computer starts up. The first file is lan.exe, which then calls the other files as backups. Take a look at the picture…

Infection Method:
As I said at the top of the article, this virus uses your flash disk and hijacks the Windows AutoPlay function as its infection method. The virus creates autorun.inf files to spread through your system.

Alright, enough, let’s remove this sh*t *lol*
How to Remove Nadia Saphira Virus W32/VBTroj.AOQB
1. Disconnect your computer from the network
2. Turn off System Restore during the cleaning process (don’t forget to turn it on again once you have removed the virus)
3. Because this virus blocks your Task Manager, you can use the third-party tool CurrProcess. Kill these processes to stop the active virus on your system:
- Lan.exe
- misconfig.exe
- taskmgr.exe

4. Repair your registry using the code below, saved as repair.inf (or download repair.inf), then right-click it and choose “Install”. To make sure the new registry settings have taken effect, you can kill explorer.exe and run it again, but don’t restart your computer.
[Version]
Signature="$Chicago$"
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,""%1""
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKLM, SOFTWARE\Classes\exefile,infotip,0, "prop:FileDescription;Company;FileVersion;Create;Size"
HKLM, SOFTWARE\Classes\exefile,TileInfo,0, "prop:FileDescription;Company;FileVersion"
HKCU, Software\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.exe
5. Remove the virus’s children (joke, hehe). Using your advanced search tool, look for virus files matching these criteria:
- Icon: application/folder
- File type: application
- File extension: .exe
- File size: 69 KB and 17 KB
- NadiaSaphira.ini (all drives)
- Autorun.inf (all drives)

WARNING!!! WARNING!!! WARNING!!! I believe most people find this step hard and get it wrong. Before you delete the wrong files and blame me… make sure you know the virus characteristics and show all hidden files first! Take a look at the picture first for a virus sample!
If you’re not sure, get ansav antivirus and use its “hidden revealer” plugin to show all hidden files again, then search for and terminate the virus children.
Another option: as noted at the top of the article, if the virus succeeds it creates a list of files (bla bla), which should be removed before you restart your computer.
6. Get your hidden files and folders back: Start -> Run -> type cmd -> in the command prompt window type “ATTRIB -s -h -r /s /d”, or use the simple “hidden revealer” from the ansav plugins.
7. Lastly, scan with an antivirus that can detect this virus; I recommend norman (no promotion). Then restart your computer and scan again to make sure no virus is left on your system.
PLEASE DOWNLOAD THE INDONESIAN ANTIVIRUS
SMADAV HERE
OR USE NORMAN CLEANER AT Norman Malware Cleaner
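The search criteria in step 5 can be applied by a read-only script instead of by eye, which avoids the wrong-file deletions the warning describes. This is an added example, not code from the original article; the 1 KB size tolerance, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Sizes the article gives for the virus files: 17 KB and 69 KB.
SUSPECT_KB = (17, 69)
# Marker files the article lists on every drive (compared case-insensitively).
MARKERS = {"autorun.inf", "nadiasaphira.ini"}


def size_matches(nbytes, tolerance_kb=1):
    """True if the size is within the (assumed) tolerance of 17 KB or 69 KB."""
    return any(abs(nbytes - kb * 1024) <= tolerance_kb * 1024 for kb in SUSPECT_KB)


def scan(root):
    """Return sorted (reason, path) findings under root; nothing is deleted."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() in MARKERS:
                findings.append(("marker-file", path))
            elif ext == ".exe" and stem in folders and size_matches(os.path.getsize(path)):
                # An .exe named after a sibling folder: the "fake folder" decoy.
                findings.append(("folder-decoy", path))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree: one decoy, one marker, two benign programs."""
    os.makedirs(os.path.join(root, "Photos"))
    os.makedirs(os.path.join(root, "Tools"))
    files = {
        "Photos.exe": 69 * 1024,                        # folder name + 69 KB: decoy
        "autorun.inf": 40,                              # marker file
        "Tools.exe": 300 * 1024,                        # folder name, wrong size
        os.path.join("Tools", "setup.exe"): 17 * 1024,  # right size, no twin folder
    }
    for rel, size in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, path in scan(tmp):
            print(reason, os.path.relpath(path, tmp))
```

Review every finding by hand before deleting anything: a legitimate autorun.inf on installation media, or a real program that happens to share a folder's name and size, will also be listed.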