How to remove Raila Odinga virus

[Odinga Raila pop up and Kibaki Tosha Tena Virus]

How to solve Odinga Raila.gif and Kibaki Tosha Tena Virus?

You can't access your system folders and any kinds of sites with words such as “virus” or “security”? You can not install any antivirus? That may be Kibaki virus, also known as Kalonzo.

If your PC creates duplicates of folders and a popup picture “Odinga Raila” appears every hour and freezes your PC then you're in the right place. We have solution.

Problem description:

What is Raila Odinga virus?

It makes your pc running very slow, it uses 100% CPU time, Raila Odinga doesn't allow you to access system folders, control panel, hidden files or internet to find an antivirus. You aren't allowed to install any kinds of software and have problems with all removable drives inserted and it doesn't matter if you're in a safe mode or not!

How to fix O Reila (Nemesis) manually? For advanced users only

This problem can be solved manually by deleting all registry keys and files connected with this software, removing it from starup list and unregistering all corresponding DLLs. Additionally missing DLL's should be restored from distribution in case they are corrupted by Raila.gif. To fix this threat, you should:

1. Kill the following processes and delete the appropriate files:
• nemesis.exe
• nemesis.inf
• server.inf

Warning: you should delete only those files which checksums are listed as malicious. There may be valid files with the same names in your system. We recommend you to use True Sword for safe problem solution. If you can't find these files in your system, they are actively masking themselves! In suhc case you need special software to unver and kill them.

2. Delete the following malicious registry entries and\or values:

• Key: software\microsoft\windows\currentversion\run\coup onsandoffers

Value: @

• Key: software\microsoft\windows\currentversion\run\htaz pohvqs

Value: @

Warning: If value is listed for some registry entries, you should only clear these values and leave keys with such values untouched. We recommend you to use True Sword for safe problem solution.

[Shy]

Habari Kwanza Sio Kweli Kwamba Komputer Yako Inapokuwa Na Odinga Unashidwa Kuandika Tovuti Kama Ni Hivyo Pc Yako Itakuwa Ina Madhara Mengine Tofauti

Hiyo Software Iliyoandikwa Hapo Ina Utata Mkubwa Mimi Siamini Hata Kidogo

Njia Rahisi Ya Kuondoa Ondika Ni Kutumia Programu Ya Dup Killer Hiyo Ita Tafuta File Zote Za Odinga Za Kuzifuta Manually

Au Unaweza Kutumia Windows Search Ukifanya Search Ukipata Odinga Delele Kisha Bonyeza Control Alt Delete , Utaona Odinga Katika Process , Pale Click End Task Inabidi Uende Haraka Sana

[Invisible]

Well Shy,

I might be mistaken but I do believe if someone follows my instructions can get rid of it.

Technical details

This Trojan has a malicious payload. It is a Windows PE EXE file. The Trojan components may vary in size from 17KB to 286KB.

Installation

Once launched, the Trojan extracts a file with the following name from its body to the current user's desktop:

Raila Odinga.gif

and launches it. The user will see the following image:



The Trojan also copies its executable file to the following directory:
%System%\drivers\RailaOdinga.exe

It also extracts the following file from its body:
%Temp%\nswC.tmp\System.dll

In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds a link to its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] @ = "%System%\drivers\RailaOdinga"

The Trojan also creates the following shortcut:
%Documents and Settings%\Start Menu \Programs\Autorun\RailaOdinga.lnk

When this shortcut is run, the Trojan executable file will be launched.


Payload

The Trojan copies its executable file to all removable media under the following name:

:\smss.exe

It also copies the extracted image:

:\Raila Odinga.gif

stands for the letter of the removable disk.

The Trojan creates an autorun.inf file in the root of the removable disk. This file will automatically launch the Trojan executable file when the user attempts to open the infected disk using Explorer.

The Trojan also recursively copies its executable file to all folders on the removable disk. These copies use the names of files which are located in these folders together with an .exe extension.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

* Use Task Manager to terminate the Trojan process.
* Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
* Delete the following system registry key parameter:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] @ = "%System%\drivers\RailaOdinga"

* Delete the following files:

%Temp%\nswC.tmp\System.dll %System%\drivers\RailaOdinga.exe %Documents and Settings%\ Start Menu \Programs\Autorun\RailaOdinga.lnk

* Delete the following file from the desktop:

Raila Odinga.gif

* Delete all copies of the Trojan from removable disks.
* Delete the autorun.inf file from the root directory of all removable disks.

[Invisible]

And as per McAfee:

	Quote:
	Virus Characteristics Detection was added to cover for a malicious 32 bit PE file originally called "Raila Odinga.exe" , having a filesize of 97.579 bytes. The file is a nullsoft installer file. Upon running, it drops and displays a picture file of "Raila Odinga", this is just an attention drawer. Apart from copying itself to the system Raila Odinga.gif is also placed on the desktop and repeatedly opened. In the meantime, the Raila Odinga.exe binary file is being copied silently copied to the windows directory and creates a registry entry to it: c:\WINDOWS\system32\drivers\Raila Odinga.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run "(Default)" Data: C:\WINDOWS\system32\drivers\Raila Odinga It drops an innocent file called "system.dll" having a filesize of 10240 bytes. c:\Documents and Settings\userxyz\Local Settings\Temp\nsf5.tmp\System.dll c:\Documents and Settings\userxyz\Local Settings\Temp\nsv3.tmp\System.dll A link file is added as: c:\Documents and Settings\userxyz\Start Menu\Programs\Startup\Raila Odinga.lnk Indications of Infection Presence of a malicious 32 bit PE file originally called "Raila Odinga.exe" , having a filesize of 97.579 bytes Picture file "Raila Odinga.gif" being placed on the desktop and repeatedly opened automatically in photo editor. Method of Infection Manual infection - there's no exploit associated to it Removal Instructions All Users: Use current engine and DAT files for detection and removal. Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher). Additional Windows ME/XP removal considerations Aliases DR/NSIS.Voter.A (H+Bedv), TROJ_VOTERAI.A (Trend), Trojan.NSIS.Voter.a (Kaspersky), W32/Voterai.worm.b, Worm/Generic.BQP (Grisoft)

[Kinyau]

invisible I followed the steps from your first post while attending a neighbours computer, it worked perfectly. Thanks.

[Invisible]

	Quote:	kinyau
	invisible I followed the steps from your first post while attending a neighbours computer, it worked perfectly. Thanks.

Thanks for your input on this.

Once two other comments will come with same outcome we'll close the topic and keep it as RESOLVED.

[Idimi]

I had that kind of virus (Raila Odinga) in my PC.
I cleaned it using Avira Antivirus and I no longer have such a nuisance.
May be other antivirus remove, but I have not tried them.


Regards

Idimi

[Richard]

Mkuu Invisible,

Umenielimisha kitu kimoja muhimu sana.

Nafikiri kumekuja mtindo wa hackers kujaribu kutumia websites ambazo zimezubaa katika masuala yote muhimu ya security.

Ni vulnerability hii ndio inasababisha websites hizi zitumiwe kuweka Trojans na harmful executable worms na kuharibu computer za watu.

Sasa naona ni vizuri kwamba tunaelimishana.

Weekend njema.

[Invisible]

	Quote:	Richard
	Weekend njema.

Thanks m8!

[Idimi]

I see no more questions pertaining to Raila Odinga virus, hope the remedies that we suggested here have solved the problem.

Long live JF