nyathim asked:
Virus / Worm popping up "VOTE RAILA ODINGA"

I have machines running on Windows XP and recently I was attacked by this virus / worm. The worm pops up a message saying "Vote Raila Odinga, The Hummer (Nyundo) for president 2007". Now all my machines have the following programs disabled or not functional: Control Panel, Task Manager, Run command, Command Prompt. I can't run any executable files. Even if I try and restart in Safe Mode, the problem is just the same. I had Symantec installed and it was up to date but, to my surprise, it is now disabled.

Please help me with a removal tool that can remove this virus or worm.

Thanks, your help is much appreciated.
Pete Long

My PC infected by virus Raila Odinga how can I remove it?
http://au.answers.yahoo.com/question/index.php?qid=20071003112600AAVjbFE
As per http://www.windowsbbs.com/showthread.php?t=67902, any up-to-date AV scan will detect and remove it :)
nyathim (asker):
PeteLong

I have tried all these tools but to no avail. I also tried to install Kaspersky, but what it does is kill the virus without restoring the registry so that the system tools are usable. I need a removal tool that would remove this virus and also clean and restore the registry. I have more than 100 machines affected.

Thanks
nyathim (asker):
Also, if you try to launch any program on the machine, it just disappears within seconds. All icons that are supposed to be displayed on the far right of the Taskbar are not displayed, e.g. time and date.
According to McAfee, it can be removed and the registry restored:

http://vil.nai.com/vil/content/v_142420.htm

Much more information here:

http://www.computing.net/security/wwwboard/forum/21612.html

Could you post a HijackThis scan log, please?
Boot your system in Safe Mode with Networking and run the Trend Micro HouseCall online scanner:
http://housecall.trendmicro.com/
nyathim (asker):

Phototropic, here is a log from HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:02 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator.238-212-PC-2\Start Menu\Programs\Startup\Startup .exe
C:\MSWord.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.167.8.13:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ub.bw;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\Fonts\smss.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kb] C:\WINDOWS\system32\drivers\AUTO.TXT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Startup .exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://nossop.ub.bw/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = education.sedudu.ub.bw
O17 - HKLM\Software\..\Telephony: DomainName = education.sedudu.ub.bw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = education.sedudu.ub.bw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = education.sedudu.ub.bw
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6563 bytes
This location looks suspicious to me:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\Fonts\smss.exe"

See if you can reboot the machine in Safe Mode and delete the above file.
Download Process Explorer from www.sysinternals.com
smss.exe is a critical system process and the genuine one resides in C:\WINDOWS\system32, but the one above is in the Fonts folder, which is why I HIGHLY suspect it. Using Process Explorer, kill the suspicious one.
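The check dreamguy applies by eye (a core system process name such as smss.exe running from anywhere but its home directory) can be scripted, together with the other tell-tales visible in the log above: a second program chained onto the Shell=Explorer.exe line, a Run value that launches a file with a non-executable extension, and a startup item named with a space before its extension ("Startup .exe"). The following is an added example, not code from the thread or from HijackThis. The log excerpt it scans is constructed for the example and modelled on the posted log; the process/home-directory table and the extension list are assumptions for a default Windows XP layout.

```python
"""Added example: flag the persistence tricks discussed in this thread in a
HijackThis log. Heuristics only; every hit is something to inspect, not proof."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason, offending log line)

# Core Windows processes and the only directory each should start from (XP layout, assumed).
SYSTEM_PROCESSES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")
ODD_NAME = re.compile(r"\s\.[a-z0-9]{1,4}$")  # "startup .exe": whitespace before the extension

# Constructed sample modelled on the log posted above (not the asker's real log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Fonts\smss.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Startup .exe
C:\MSWord.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\Fonts\smss.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kb] C:\WINDOWS\system32\drivers\AUTO.TXT
O4 - Startup: Startup .exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""


def _first_path(cmd: str) -> str:
    """Program path at the start of a Run/Shell command: "quoted path" args, or path args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def _check_path(path: str, line: str, findings: List[Finding]) -> None:
    directory, _, name = path.rpartition("\\")
    directory, name = directory.lower(), name.lower()
    home = SYSTEM_PROCESSES.get(name)
    if home and directory != home:
        findings.append(("core system process name running outside its home directory", line))
    if re.fullmatch(r"[a-z]:", directory):
        findings.append(("program running from a drive root", line))
    if ODD_NAME.search(name):
        findings.append(("whitespace before the file extension", line))


def triage(log: str) -> List[Finding]:
    """Return (reason, line) pairs for every suspicious line in a HijackThis log."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if re.match(r"^[a-z]:\\", line, re.I):  # "Running processes" block: bare paths
            _check_path(line, line, findings)
            continue
        m = re.match(r"^F2 - REG:system\.ini: Shell=(.*)$", line, re.I)
        if m:  # anything after Explorer.exe is a second shell started at every logon
            rest = m.group(1).strip()
            if rest.lower().startswith("explorer.exe"):
                rest = rest[len("explorer.exe"):].strip()
            if rest:
                findings.append(("extra program chained onto the Explorer shell", line))
                _check_path(_first_path(rest), line, findings)
            continue
        m = re.match(r"^O4 - .*\\Run: \[[^\]]*\] (.*)$", line)
        if m:  # Run value: inspect the file it launches
            path = _first_path(m.group(1))
            if not path.lower().endswith(EXEC_EXT):
                findings.append(("Run value points at a non-executable file name", line))
            _check_path(path, line, findings)
            continue
        m = re.match(r"^O4 - (?:Global )?Startup: (.*)$", line)
        if m:  # Startup folder item: "name.lnk = target" or a bare file name
            _check_path(m.group(1).split(" = ", 1)[-1].strip(), line, findings)
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

On the constructed sample this reports the Fonts\smss.exe process, the chained Shell= entry (twice: once for the chaining and once for the out-of-place smss.exe), the two "Startup .exe" items, C:\MSWord.exe running from the drive root and the AUTO.TXT Run value, and stays silent on the Symantec and WinZip entries. The same rules applied to the full log above give the same short list, which is the set of items the thread goes on to delete.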
nyathim (asker):
dreamguy

Have tried that but couldn't delete it because the file is hidden. The virus has disabled the Folder Options where I can have hidden files unhidden.

Even the command prompt is disabled.
And so is this:
C:\Documents and Settings\Administrator.238-212-PC-2\Start Menu\Programs\Startup\Startup .exe

Delete this one as well.
How about Safe Mode with Command Prompt?
If you cannot do anything on the system, try taking out the hard drive, hooking it up as a slave drive in another working system and running a scanner from there.

Otherwise, try booting with UBCD to clean it:
http://ubcd.sourceforge.net/
sheharyaar: do you suspect anything in the HijackThis log apart from what I found?
nyathim (asker):
I have managed to delete "C:\WINDOWS\Fonts\smss.exe" and C:\Documents and Settings\Administrator.238-212-PC-2\Start Menu\Programs\Startup\Startup .exe.
Then booted the PC to normal mode but still there are no changes, nothing is running.
What happens if you double-click command.com under C:\WINDOWS\system32, or does that not work either?
nyathim (asker):

dreamguy,

When I try to open the command.com file, it asks me to choose the program that I want to open it with.
Hmm, I'm looking for a .reg file that can fix all the file extensions and restore them to their defaults. What happens when you double-click a .reg file?
nyathim (asker):

I tried to run a .reg file and it asks if I am sure I want to edit the registry. But I didn't proceed because I was just testing. So please find me the .reg file, maybe it will help me.
Do you get the Run command when you bring up Task Manager and go to File --> Run?
Paste the below into Notepad, save it as a .reg file and import it into the registry. This should take care of the .exe files.

-----------
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

nyathim (asker):
When I try to launch task manager, it just disappears within seconds
nyathim (asker):
When I try and do anything concerning the registry, the machine just reboots.
Try doing it in Safe Mode and see if it helps.
nyathim (asker):
Managed to import into registry from safe mode but still getting the same behaviour
I would delete the following:

O4 - HKLM\..\Run: [kb] C:\WINDOWS\system32\drivers\AUTO.TXT
O4 - Startup: Startup .exe
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://nossop.ub.bw/jinitiator/jinit.exe

If you are able to, try downloading Combofix:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Double click combofix.exe and follow the prompts. Post the scan log here please...

I would also delete all .tmp files with Cleanup:

http://www.stevengould.org/index.php?option=com_content&task=view&id=29&Itemid=70

and disable/re-enable system restore.
Phototropic... umm... the author is unable to run any .exe or .com files. The system's file associations are messed up. @_@
Well, earlier today nyathim managed to run HijackThis, so I was hoping that this might still be the case...
nyathim (asker):

Phototropic,

I am failing to run combofix.exe. When I launch it, within a minute it will have disappeared. I tried also in Safe Mode but it still disappears.
OK, try this:
Do you have a similar machine that is working fine?
If so, then open the registry on that machine and try to open the registry of the infected machine by going to File --> Connect Network Registry.

Take a backup of the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key on the infected machine, import the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key from the good machine into the bad machine and then restart it.
Try running another online virus scan in Safe Mode with Networking from http://onecare.live.com/site/en-us/default.htm
nyathim (asker):

I have been reading this article on http://ictnguru.blogspot.com/ about the W32rontokbro@mm worm. The way the virus manipulates the registry seems to be what is happening on my machine. If you check, all the registry entries that the virus disables are exactly the scenario that I have. Unfortunately there is no solution provided on this site.

Hi,

Create a new account that has administrative privileges, install SUPERAntiSpyware and an antivirus (e.g. Kaspersky), update them and do a full scan. I believe this will solve your problem.

Regards,
ASKER CERTIFIED SOLUTION
Mohammed Hamada
This solution is only available to members.
nyathim (asker):

I have scanned the machine with "CleanBoot" from McAfee. It scanned and deleted all the virus-infected files and the machine seems to be back to life. Now the problem is that the registry is still set to hide all my system functionality. How do I fix the registry problem? The following are still hidden: Control Panel, system date, command line, System Restore, System Properties and many more that I may not have noticed by now.
nyathim (asker):

Can I send the registry export?
SOLUTION
This solution is only available to members.
Or try some manual registry fixes yourself, following the instructions in the links below.
Control Panel icons are missing:
http://www.kellys-korner-xp.com/xp_c.htm#cpiconsmissing

For more info, check this:
http://www.kellys-korner-xp.com/xp_tweaks.htm

Or try downloading Tweak UI from Microsoft; it has a lot of options for enabling system applications.
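The asker's remaining problem (the worm is gone but Task Manager, Control Panel, Run, the command prompt, Folder Options, the clock and System Restore stay hidden) and the offer to send a registry export can be handled without a paywalled tool. The Windows policy values that switch those features off are well known: DisableTaskMgr and DisableRegistryTools under ...\Policies\System, NoControlPanel, NoRun, NoFolderOptions and HideClock under ...\Policies\Explorer (each under both HKCU and HKLM), DisableCMD under HKCU\Software\Policies\Microsoft\Windows\System, and DisableSR/DisableConfig under HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore. The following is an added example, not from the thread or from any of the posters: it reads a `reg export` of those keys, lists which restrictions are set, and writes a .reg file that deletes them (the `"Name"=-` syntax removes a value, so the policy reverts to "not configured" instead of being pinned to 0). The export it parses is constructed for the example and is not the asker's registry.

```python
"""Added example (not from the thread): report the lockdown policy values set
in a .reg export and build a .reg file that removes them."""
from typing import Dict, List, Tuple

Hit = Tuple[str, str, int]  # (key, value name, current DWORD)

# Policy values that, when non-zero, hide the tools the asker lists. Standard
# Windows policy names; the key list is the assumed scope of the worm's changes.
LOCKDOWN: Dict[str, List[str]] = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ["DisableTaskMgr", "DisableRegistryTools"],
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ["DisableTaskMgr", "DisableRegistryTools"],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ["NoControlPanel", "NoRun", "NoFolderOptions", "HideClock"],
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ["NoControlPanel", "NoRun", "NoFolderOptions", "HideClock"],
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System":
        ["DisableCMD"],
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore":
        ["DisableSR", "DisableConfig"],
}

# Constructed export, in the format `reg export` / regedit write. Not a real machine's data.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoRun"=dword:00000001
"NoFolderOptions"=dword:00000001
"HideClock"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000000
"""


def parse_reg(text: str) -> Dict[Tuple[str, str], int]:
    """DWORD values from a .reg export, keyed by (key, name); registry names are
    case-insensitive, so both are lower-cased for lookup."""
    values: Dict[Tuple[str, str], int] = {}
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"') and "=dword:" in line:
            name, _, data = line.partition("=dword:")
            values[(key, name.strip('"').lower())] = int(data, 16)
    return values


def active_restrictions(values: Dict[Tuple[str, str], int]) -> List[Hit]:
    """Lockdown values that are present and non-zero (a missing value is not a restriction)."""
    hits: List[Hit] = []
    for key, names in LOCKDOWN.items():
        for name in names:
            current = values.get((key.lower(), name.lower()), 0)
            if current:
                hits.append((key, name, current))
    return hits


def build_fix(hits: List[Hit]) -> str:
    """A .reg file that deletes each restricting value ('"Name"=-' removes a value on import)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key: Dict[str, List[str]] = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real machine: export the Policies keys with reg.exe or regedit (regedit
    # writes UTF-16, so open the file with encoding="utf-16"), run this, then
    # import the printed .reg with regedit in Safe Mode.
    found = active_restrictions(parse_reg(SAMPLE_EXPORT))
    for key, name, value in found:
        print(f"{name}={value:#x} under {key}")
    print(build_fix(found))
```

Two caveats that match what the asker saw in this thread. First, import the fix only after the worm is dead (the machine rebooted whenever the registry was touched while it was running, and a live worm simply re-applies the policies), which is why the CleanBoot pass had to come first. Second, the HKCU values belong to the account that was logged in when the infection ran, so export and import them as that user; values in HKLM apply to every account and need a separate check. The .exe association fix posted earlier in the thread and this policy fix are independent, and a machine that cannot launch .exe files needs both.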
nyathim (asker):

Thanks a lot guys, I managed to fix the problem with CleanBoot from McAfee and MsnClean.

Thanks once again for your support.
That's great news!
Remove Raila Odinga with McAfee Antivirus ver 8.0, updated to date.

I removed it that way. 100%.