Solved

Virus / Worm poping up "VOTE RAILA ODINGA"

Posted on 2007-10-12
11,416 Views
Last Modified: 2013-12-04
I have machines running on Windows XP and recently I was attacked by this virus/worm. The worm pops up a message saying "Vote Raila Odinga, The Hummer (Nyundo) for president 2007". Now all my machines have the following programs disabled or not functional: Control Panel, Task Manager, Run command, Command Prompt. I can't run any executable files. Even if I try and restart in Safe Mode, the problem is just the same. I had Symantec installed and it was up to date but to my surprise, it is now disabled.

Please help me with a removal tool that can remove this virus or worm.

Thanks, your help is much appreciated.
Question by:nyathim
42 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 20063584
My PC infected by virus Raila Odinga how can I remove it?
http://au.answers.yahoo.com/question/index.php?qid=20071003112600AAVjbFE
 
LVL 57

Expert Comment

by:Pete Long
ID: 20063593
As per http://www.windowsbbs.com/showthread.php?t=67902 any up-to-date AV scan will detect and remove :)
 

Author Comment

by:nyathim
ID: 20064028
PeteLong

I have tried all these tools but to no avail. Also tried to install Kaspersky, but what it does is kill the virus but not restore the registry so that system tools are usable. I need a removal tool that would remove this virus and also clean and restore the registry. I have more than 100 machines affected.

Thanks
 

Author Comment

by:nyathim
ID: 20064080
Also, if you try and launch any program on the machine, it just disappears within seconds. All icons that are supposed to be displayed on the far right of the Taskbar are not displayed, e.g. time and date.
 
LVL 23

Expert Comment

by:phototropic
ID: 20064153
According to McAfee, it can be removed and the registry restored:

http://vil.nai.com/vil/content/v_142420.htm

Much more information here:

http://www.computing.net/security/wwwboard/forum/21612.html

Could you post a HijackThis scan log, please?
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 20064268
Boot your system under safemode with networking and run this online Trend Micro Online Scanner
http://housecall.trendmicro.com/
 

Author Comment

by:nyathim
ID: 20064562
Phototropic
Here is a log from Hijack this


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:02 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator.238-212-PC-2\Start Menu\Programs\Startup\Startup .exe
C:\MSWord.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 168.167.8.13:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *ub.bw;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\Fonts\smss.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kb] C:\WINDOWS\system32\drivers\AUTO.TXT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Startup .exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://nossop.ub.bw/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = education.sedudu.ub.bw
O17 - HKLM\Software\..\Telephony: DomainName = education.sedudu.ub.bw
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = education.sedudu.ub.bw
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = education.sedudu.ub.bw
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6563 bytes
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20065667
this location looks suspicious to me.
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\Fonts\smss.exe"

see if u can reboot the machine in safe mode and delete the above file.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20065766
download process explorer from www.sysinternals.com 
smss is a critical system process and the genuine one resides in c:\windows\system32, but the one above is in the fonts folder, which is why i HIGHLY suspect it. using process explorer, kill the suspicious one.
 

Author Comment

by:nyathim
ID: 20065829
dreamyguy

Have tried that but couldn't delete it because the file is hidden. The virus has disabled the Folder Options where I can have hidden files unhidden.

Even the command prompt is disabled.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20065870
and so is this..
C:\Documents and Settings\Administrator.238-212-PC-2\Start Menu\Programs\Startup\Startup .exe

delete this one as well.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20065919
how about safe mode with command prompt?
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 20065925
if you cannot do anything on the system, try taking out the hard drive, hook it as a slave drive in another working system and run a scanner from there.

otherwise, try booting with UBCD to clean it
http://ubcd.sourceforge.net/
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20066352
sheharyaar: do u suspect anything in the hijacklogs apart from what i found?
 

Author Comment

by:nyathim
ID: 20066706
I have managed to delete "C:\WINDOWS\Fonts\smss.exe" and C:\Documents and Settings\Administrator.238-212-PC-2\Start Menu\Programs\Startup\Startup .exe.
Then booted the PC to normal mode but still there are no changes, nothing is running.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20066863
what happens if you doubleclick on command.com under c:\windows\system32, or does that not work either?
 

Author Comment

by:nyathim
ID: 20066963
dreamyguy,

When I try to open the command.com file, it asks me to choose the program that I want to open it with.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20066984
mmm, I'm looking for a reg file that can fix all the file extensions and restore them to their defaults. What happens when you double click a .reg file?
 

Author Comment

by:nyathim
ID: 20067088
I tried to run a .reg file and it asks if I am sure I want to edit the registry. But I didn't proceed because I was just testing. So please find me the .reg file, maybe it will help me.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20067153
do you get the run command when u bring up task manager and go to file-->run?
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20067229
paste the below in notepad, save as a .reg file and import it into the registry. this should take care of the exe files.

-----------
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

 

Author Comment

by:nyathim
ID: 20067239
When I try to launch Task Manager, it just disappears within seconds.
 

Author Comment

by:nyathim
ID: 20067376
When I try and do anything concerning the registry, the machine just reboots.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20067398
try doing it in safe mode and see if it helps.
 

Author Comment

by:nyathim
ID: 20067677
Managed to import it into the registry from Safe Mode but still getting the same behaviour.
 
LVL 23

Expert Comment

by:phototropic
ID: 20068647
I would delete the following:

O4 - HKLM\..\Run: [kb] C:\WINDOWS\system32\drivers\AUTO.TXT
O4 - Startup: Startup .exe
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://nossop.ub.bw/jinitiator/jinit.exe

If you are able to, try downloading Combofix:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Double click combofix.exe and follow the prompts. Post the scan log here please...

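The entries dreamyguy and phototropic picked out of the HijackThis log above (a second smss.exe under C:\WINDOWS\Fonts chained onto the Winlogon Shell value, a "Startup .exe" file whose name is padded so it passes for the Startup folder, and a Run entry that points at a .TXT file) are the kind of thing a reader can check mechanically. The following Python script is an added example, not code from this thread or from HijackThis; it encodes those three observations as heuristics and runs them over a constructed excerpt of the posted log. The rules are only heuristics, not a signature for this worm.

```python
import ntpath
import re

# Constructed sample input: a subset of the HijackThis v2 log posted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator.238-212-PC-2\Start Menu\Programs\Startup\Startup .exe
C:\MSWord.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\Fonts\smss.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kb] C:\WINDOWS\system32\drivers\AUTO.TXT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Startup .exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Core Windows processes whose genuine image lives only under %SystemRoot%\System32.
CORE_SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Extensions a Run/Startup entry is expected to point at.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".lnk"}
TOKEN = re.compile(r'"[^"]+"|\S+')  # first token of a command line, quoted or bare


def _path_findings(path, where):
    """Heuristic checks on one image path from a process list or autostart entry."""
    findings = []
    path = path.strip().strip('"')
    directory, name = ntpath.split(path)       # ntpath: the log uses Windows paths
    stem, ext = ntpath.splitext(name)
    if name.lower() in CORE_SYSTEM_PROCESSES and directory.lower() != r"c:\windows\system32":
        findings.append(f"{where}: core process name {name!r} outside System32 -> {path}")
    if stem != stem.rstrip():
        findings.append(f"{where}: file name padded with spaces before its extension -> {path}")
    if ext.lower() not in EXECUTABLE_EXTENSIONS:
        findings.append(f"{where}: non-executable extension {ext!r} used as a program -> {path}")
    return findings


def triage_hijackthis(log_text):
    """Return a list of suspicious findings from HijackThis log text (heuristics, not signatures)."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            findings += _path_findings(line, "process")
            continue
        m = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line)
        if m:
            # Winlogon's Shell value should name Explorer.exe alone; anything extra starts with it.
            for prog in (t.strip('"') for t in TOKEN.findall(m.group(1))):
                if ntpath.basename(prog).lower() != "explorer.exe":
                    findings.append(f"shell: Shell= launches an extra program -> {prog}")
                    findings += _path_findings(prog, "shell")
            continue
        m = re.match(r"O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)", line)
        if m:
            findings += _path_findings(TOKEN.findall(m.group(1))[0], "run")
            continue
        m = re.match(r"O4 - (?:Global )?Startup: (.*)", line)
        if m:
            # "name.lnk = target" for shortcuts, a bare file name for files dropped in the folder
            findings += _path_findings(m.group(1).split(" = ")[-1], "startup")
    return findings


if __name__ == "__main__":
    for finding in triage_hijackthis(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports five findings: the padded "Startup .exe" twice (once as a running process, once as a Startup-folder item), the extra program on the Shell value plus that same file's smss.exe name outside System32, and the Run entry whose target is a .TXT file. Clean entries such as the real smss.exe under System32 or the WinZip shortcut produce nothing.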
 
LVL 23

Expert Comment

by:phototropic
ID: 20068666
I would also delete all .tmp files with Cleanup:

http://www.stevengould.org/index.php?option=com_content&task=view&id=29&Itemid=70

and disable/re-enable system restore.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20068728
phototropic...ummm...the author is unable to run any exe's or com files. the system's file associations are messed up. @_@
 
LVL 23

Expert Comment

by:phototropic
ID: 20068800
Well, earlier today nyathim managed to run HijackThis, so I was hoping that this might still be the case...
 

Author Comment

by:nyathim
ID: 20070359
phototropic

I am failing to run combofix.exe. When I launch it, within a minute it will have disappeared. Tried also in Safe Mode but still it disappears.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20070388
Ok try this....
do you have a similar machine that is working fine?
if so, then open the registry on that machine, and try to open the registry of the infected machine by going to file-->connect network registry.

Take a backup of the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key on the infected machine and import the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key from the good machine into the bad machine and then restart it.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20070411
try to run another online virus scan in safe mode with networking from http://onecare.live.com/site/en-us/default.htm
 

Author Comment

by:nyathim
ID: 20070503
I have been reading this article on http://ictnguru.blogspot.com/ about the W32rontokbro@mm worm. The way the virus manipulates the registry seems to be what is happening on my machine. If you check, all the registry entries that the virus disables are exactly the scenario that I have. Unfortunately there is no solution provided on this site.

 
LVL 10

Expert Comment

by:yasserd
ID: 20070686
Hi,

Create a new account that has administrative privileges and install SUPERAntiSpyware and an antivirus (i.e. Kaspersky), update them and do a full scan. I believe this will solve your problem.

Regards,
 
LVL 24

Accepted Solution

by:Mohammed Hamada
Mohammed Hamada earned 900 total points
ID: 20072809
Have you tried any of these temporary operating systems such as Knoppix or Winternal...
Winternal is a temp XP on a CD that would let you reach your files and clean them too, if you were able to copy all these cleaning tools on a USB stick and run them from Winternal.
I'm not sure if Winternal is copyrighted software; I'll ask if it is, and if not I'll post a link here for you to download. It will be the best and fastest way to clean all these infected clients.

Download and try using this tool; it enables Task Manager, msconfig, and regedit.
http://upload-il.com/file/61637/MsnCleaner-eng.zip.html
The extension is exe but give it a shot, it may work.
 

Author Comment

by:nyathim
ID: 20077841
I have scanned the machine with "CleanBoot" from McAfee. It scanned and deleted all the virus-infected files and the machine seems to be back to life. Now the problem is that the registry is still set to hide all my system functionalities. How do I fix the registry problem? The following are still hidden: Control Panel, system date, command line, System Restore, System Properties and many more that I may have not noticed by now.
 

Author Comment

by:nyathim
ID: 20077998
Can I send the registry export?
 
LVL 9

Assisted Solution

by:dreamyguy
dreamyguy earned 600 total points
ID: 20078107
nyathim: did you try the msncleaner utility mentioned by moh10ly? it has a checkbox to enable control panel, task manager, etc.
in case the above link doesn't work, try http://www.forospyware.com/Msncleaner/MsnCleaner.zip
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 20078411
Or try some manual registry fixes by yourself following the instructions in the link below.
Control Panel Icons are Missing:
http://www.kellys-korner-xp.com/xp_c.htm#cpiconsmissing

For more Info check this..
http://www.kellys-korner-xp.com/xp_tweaks.htm

Or try downloading Tweak UI from Microsoft; it has a lot of options for enabling system applications.
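What nyathim describes after the McAfee clean (Control Panel, Task Manager, Run, Command Prompt, Folder Options and the clock still hidden although the files are gone) is the effect of the Windows policy values under the Policies\System, Policies\Explorer and Software\Policies keys, which are also what the "manual registry fixes" and the MsnCleaner checkboxes mentioned above touch. The script below is an added example, not code from this thread or from any tool named in it: it lists the real policy value names involved, reports which ones are set, and writes a Registry Editor 5.00 file that deletes them, the same .reg-import route used earlier in the thread. Whether this particular worm sets exactly this list is not stated on the page; SAMPLE_POLICIES is a constructed stand-in for a locked-down profile, and the live read only works when run on Windows.

```python
import sys

HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")

# REG_DWORD policy values that hide or disable the tools reported missing in this thread.
# Key paths are relative to each hive; either hive is enough to enforce the restriction.
LOCKDOWN_POLICIES = {
    r"Software\Microsoft\Windows\CurrentVersion\Policies\System": (
        "DisableTaskMgr",          # Task Manager
        "DisableRegistryTools",    # regedit and .reg import
    ),
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": (
        "NoControlPanel",          # Control Panel
        "NoRun",                   # Start > Run
        "NoFolderOptions",         # Folder Options (show hidden files)
        "HideClock",               # clock in the notification area
        "NoTrayItemsDisplay",      # whole notification area
    ),
    r"Software\Policies\Microsoft\Windows\System": ("DisableCMD",),           # Command Prompt
    r"Software\Policies\Microsoft\Windows NT\SystemRestore": ("DisableSR",),  # System Restore
}


def find_lockdowns(policy_values):
    """policy_values maps (hive, key, name) -> DWORD; return the entries that are set (non-zero)."""
    found = []
    for hive in HIVES:
        for key, names in LOCKDOWN_POLICIES.items():
            for name in names:
                if policy_values.get((hive, key, name), 0) != 0:
                    found.append((hive, key, name))
    return found


def reset_reg_script(lockdowns):
    """Build Registry Editor 5.00 text that deletes each listed value ('=-' removes a value)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for hive, key, name in lockdowns:
        by_key.setdefault((hive, key), []).append(name)
    for (hive, key), names in by_key.items():
        lines.append(f"[{hive}\\{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


def read_live_policies():
    """Read the policy values from the local registry; returns {} when not on Windows."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    roots = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for hive, root in roots.items():
        for key, names in LOCKDOWN_POLICIES.items():
            try:
                with winreg.OpenKey(root, key) as handle:
                    for name in names:
                        try:
                            data, kind = winreg.QueryValueEx(handle, name)
                        except FileNotFoundError:
                            continue          # value absent: policy not set
                        if kind == winreg.REG_DWORD:
                            values[(hive, key, name)] = data
            except FileNotFoundError:
                continue                      # key absent: none of its policies are set
    return values


# Constructed sample: values a locked-down XP profile like the one in this thread might carry.
SAMPLE_POLICIES = {
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel"): 1,
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"): 0,
    ("HKEY_LOCAL_MACHINE", r"Software\Policies\Microsoft\Windows\System", "DisableCMD"): 2,
}

if __name__ == "__main__":
    live = read_live_policies() or SAMPLE_POLICIES
    print(reset_reg_script(find_lockdowns(live)))
```

One caveat that matches the thread's experience: while DisableRegistryTools is set, regedit refuses to import the generated file, so it has to be applied from another administrative account, from Safe Mode (where nyathim's earlier .reg import did go through), or from an offline environment such as the boot CDs suggested above. Deleting the values rather than setting them to 0 leaves the keys in the same state as a profile that was never restricted.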
 

Author Comment

by:nyathim
ID: 20084276
Thanks a lot guys, I managed to fix the problem with CleanBoot from McAfee and MsnCleaner.

Thanks once again for your support.
 
LVL 9

Expert Comment

by:dreamyguy
ID: 20084341
that's great news!
 

Expert Comment

by:zaheerabbas_8
ID: 20326172
Remove Raila Odinga with McAfee antivirus ver 8.0, updated to date.

I removed it that way. 100%.