How to remove Raila Odinga virus


Invisible

Invisible

Admin
Joined
Feb 11, 2006
Messages
9,104
Likes
603
Points
280
[Odinga Raila pop up and Kibaki Tosha Tena Virus]

How to solve Odinga Raila.gif and Kibaki Tosha Tena Virus?

You can't access your system folders or any kind of site with words such as "virus" or "security"? You cannot install any antivirus? That may be the Kibaki virus, also known as Kalonzo.

If your PC creates duplicates of folders and a popup picture "Odinga Raila" appears every hour and freezes your PC, then you're in the right place. We have a solution.

Problem description:

What is Raila Odinga virus?

It makes your PC run very slowly and uses 100% CPU time. Raila Odinga doesn't allow you to access system folders, the control panel, hidden files or the internet to find an antivirus. You aren't allowed to install any kind of software, you have problems with all removable drives inserted, and it doesn't matter whether you're in safe mode or not!

How to fix O Reila (Nemesis) manually? For advanced users only

This problem can be solved manually by deleting all registry keys and files connected with this software, removing it from the startup list and unregistering all corresponding DLLs. Additionally, missing DLLs should be restored from the distribution in case they are corrupted by Raila.gif. To fix this threat, you should:

1. Kill the following processes and delete the appropriate files:
• nemesis.exe
• nemesis.inf
• server.inf

Warning: you should delete only those files whose checksums are listed as malicious. There may be valid files with the same names on your system. We recommend you use True Sword for a safe solution to the problem. If you can't find these files on your system, they are actively masking themselves! In such a case you need special software to uncover and kill them.

2. Delete the following malicious registry entries and/or values:

• Key: software\microsoft\windows\currentversion\run\couponsandoffers

Value: @

• Key: software\microsoft\windows\currentversion\run\htazpohvqs

Value: @

Warning: If a value is listed for some registry entries, you should only clear these values and leave the keys with such values untouched. We recommend you use True Sword for a safe solution to the problem.
 
Yona F. Maro

Yona F. Maro

R I P
Joined
Nov 2, 2006
Messages
4,235
Likes
51
Points
0
Hello. First, it is not true that when your computer has Odinga you are unable to type in a website address; if that is the case, your PC must have some other, different problem.

The software mentioned there is highly questionable; I do not trust it at all.

The easy way to remove Odinga is to use the program Dup Killer; it will find all the Odinga files for you to delete manually.

Or you can use Windows Search: run a search, and when you find Odinga, delete it. Then press Control-Alt-Delete; you will see Odinga among the processes, and there click End Task. You have to move very quickly.
 
Invisible

Invisible

Admin
Joined
Feb 11, 2006
Messages
9,104
Likes
603
Points
280
Well Shy,

I might be mistaken, but I do believe that if someone follows my instructions they can get rid of it.

Technical details

This Trojan has a malicious payload. It is a Windows PE EXE file. The Trojan components may vary in size from 17KB to 286KB.

Installation

Once launched, the Trojan extracts a file with the following name from its body to the current user's desktop:

Raila Odinga.gif

and launches it. The user will see the following image:

21780800.png


The Trojan also copies its executable file to the following directory:
%System%\drivers\RailaOdinga.exe

It also extracts the following file from its body:
%Temp%\nswC.tmp\System.dll

In order to ensure that the Trojan is launched automatically each time the system is booted, the Trojan adds a link to its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] @ = "%System%\drivers\RailaOdinga"

The Trojan also creates the following shortcut:
%Documents and Settings%\Start Menu\Programs\Autorun\RailaOdinga.lnk

When this shortcut is run, the Trojan executable file will be launched.


Payload

The Trojan copies its executable file to all removable media under the following name:

:\smss.exe

It also copies the extracted image:

:\Raila Odinga.gif

stands for the letter of the removable disk.

The Trojan creates an autorun.inf file in the root of the removable disk. This file will automatically launch the Trojan executable file when the user attempts to open the infected disk using Explorer.

The Trojan also recursively copies its executable file to all folders on the removable disk. These copies use the names of files which are located in these folders together with an .exe extension.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

* Use Task Manager to terminate the Trojan process.
* Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
* Delete the following system registry key parameter:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] @ = "%System%\drivers\RailaOdinga"

* Delete the following files:

%Temp%\nswC.tmp\System.dll
%System%\drivers\RailaOdinga.exe
%Documents and Settings%\Start Menu\Programs\Autorun\RailaOdinga.lnk

* Delete the following file from the desktop:

Raila Odinga.gif

* Delete all copies of the Trojan from removable disks.
* Delete the autorun.inf file from the root directory of all removable disks.
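
An added example, not part of the original post or of any vendor's tooling: a Python check of a mounted removable disk for the traces described in the write-up above (the root-level autorun.inf and smss.exe, and byte-identical .exe copies that borrow neighbouring file names). The function names, the hash-grouping approach and the reading of "together with an .exe extension" are assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Size range the write-up gives for the Trojan's components (17KB to 286KB).
MIN_SIZE, MAX_SIZE = 17 * 1024, 286 * 1024
# Root-level names the write-up says are dropped on removable disks.
ROOT_DROPS = {"autorun.inf", "smss.exe", "raila odinga.gif"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_removable(root):
    """Return (root_hits, clone_groups) for one mounted removable disk."""
    root_hits = sorted(n for n in os.listdir(root) if n.lower() in ROOT_DROPS)
    by_hash, shadowing = defaultdict(list), set()
    for folder, dirs, files in os.walk(root):
        names = {n.lower() for n in dirs + files}
        # Stems of non-.exe neighbours ("report" for "report.doc") and folders.
        stems = {os.path.splitext(n)[0].lower() for n in files
                 if not n.lower().endswith(".exe")} | {d.lower() for d in dirs}
        for name in files:
            path = os.path.join(folder, name)
            if not name.lower().endswith(".exe"):
                continue
            if not MIN_SIZE <= os.path.getsize(path) <= MAX_SIZE:
                continue
            by_hash[sha256_of(path)].append(path)
            # Assumption: "report.doc.exe" or "report.exe" beside "report.doc"
            # (or beside a folder "report") counts as a borrowed name.
            base = name[:-4].lower()
            if base in names or base in stems:
                shadowing.add(path)
    # Report only sets of byte-identical .exe files that include a borrowed name.
    groups = [sorted(p) for p in by_hash.values()
              if len(p) > 1 and any(x in shadowing for x in p)]
    return root_hits, sorted(groups)


if __name__ == "__main__":
    import sys
    hits, groups = scan_removable(sys.argv[1])  # mount point of the disk
    print("root-level drops:", hits)
    print("identical .exe copies:", groups)
```

A root-level autorun.inf or smss.exe is not malicious by name alone, so treat the output as a list of files to verify with an up-to-date scanner before deleting anything.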
 
Invisible

Invisible

Admin
Joined
Feb 11, 2006
Messages
9,104
Likes
603
Points
280
And as per McAfee:
Virus Characteristics
Detection was added to cover for a malicious 32 bit PE file originally called "Raila Odinga.exe", having a filesize of 97.579 bytes. The file is a nullsoft installer file.

Upon running, it drops and displays a picture file of "Raila Odinga"; this is just an attention drawer. Apart from copying itself to the system, Raila Odinga.gif is also placed on the desktop and repeatedly opened.

In the meantime, the Raila Odinga.exe binary file is being silently copied to the windows directory and creates a registry entry to it:

  • c:\WINDOWS\system32\drivers\Raila Odinga.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(Default)"
    Data: C:\WINDOWS\system32\drivers\Raila Odinga
It drops an innocent file called "system.dll" having a filesize of 10240 bytes.

  • c:\Documents and Settings\userxyz\Local Settings\Temp\nsf5.tmp\System.dll
  • c:\Documents and Settings\userxyz\Local Settings\Temp\nsv3.tmp\System.dll
A link file is added as:
c:\Documents and Settings\userxyz\Start Menu\Programs\Startup\Raila Odinga.lnk

Indications of Infection

  • Presence of a malicious 32 bit PE file originally called "Raila Odinga.exe", having a filesize of 97.579 bytes
  • Picture file "Raila Odinga.gif" being placed on the desktop and repeatedly opened automatically in photo editor.
Method of Infection

  • Manual infection - there's no exploit associated to it
Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations

Aliases

DR/NSIS.Voter.A (H+Bedv), TROJ_VOTERAI.A (Trend), Trojan.NSIS.Voter.a (Kaspersky), W32/Voterai.worm.b, Worm/Generic.BQP (Grisoft)
 
Kinyau

Kinyau

JF-Expert Member
Joined
Nov 24, 2006
Messages
828
Likes
167
Points
60
Invisible, I followed the steps from your first post while attending to a neighbour's computer; it worked perfectly. Thanks.
 
Invisible

Invisible

Admin
Joined
Feb 11, 2006
Messages
9,104
Likes
603
Points
280
Kinyau said: "Invisible, I followed the steps from your first post while attending to a neighbour's computer; it worked perfectly. Thanks."

Thanks for your input on this.

Once two other comments come with the same outcome, we'll close the topic and keep it as RESOLVED.
 
Idimi

Idimi

JF-Expert Member
Joined
Mar 18, 2007
Messages
11,391
Likes
3,141
Points
280
I had that kind of virus (Raila Odinga) on my PC.
I cleaned it using Avira Antivirus and I no longer have such a nuisance.
Maybe other antivirus programs remove it, but I have not tried them.


Regards

Idimi
 
Richard

Richard

JF-Expert Member
Joined
Oct 23, 2006
Messages
9,778
Likes
6,481
Points
280
Chief Invisible,

You have taught me one very important thing.

I think there is a growing trend of hackers trying to use websites that are asleep on all the important security matters.

It is this vulnerability that causes these websites to be used to host Trojans and harmful executable worms and to damage people's computers.

So I think it is good that we are educating one another.

Have a good weekend.
 
Idimi

Idimi

JF-Expert Member
Joined
Mar 18, 2007
Messages
11,391
Likes
3,141
Points
280
I see no more questions pertaining to Raila Odinga virus, hope the remedies that we suggested here have solved the problem.

Long live JF
 
Invisible

Invisible

Admin
Joined
Feb 11, 2006
Messages
9,104
Likes
603
Points
280
Idimi said: "I see no more questions pertaining to Raila Odinga virus, hope the remedies that we suggested here have solved the problem.

Long live JF"

I can see someone from Kaspersky recommended this article. It's nice to share experiences through forums.
 
SnEafer

SnEafer

Senior Member
Joined
Apr 1, 2009
Messages
154
Likes
0
Points
0
Who wouldn't?

REMEMBER :-
after those steps and everything, scan your registries and give a quick scan with trojan remover ***just to make sure you are clean***
and use spybot ***If you need help fixing up your registries***
 
MziziMkavu

MziziMkavu

JF-Expert Member
Joined
Feb 3, 2009
Messages
39,977
Likes
5,350
Points
280
How to solve Odinga Raila.gif and Kibaki Tosha Tena Virus?

First, turn off System Restore.

Steps to turn off System Restore:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore.

Then restart your computer in Safe Mode with Networking. How to restart:
1. Log out and reboot your machine.
2. When the machine starts the reboot sequence, press the F8 key repeatedly.
3. Select Safe Mode with Networking from the resulting menu.
4. When the log in screen comes up, log in as Administrator. By default, Administrator has no password.
5. The machine will continue booting, but the Windows desktop will look different.

In Safe Mode with Networking, download and scan using Norman Malware to unlock Odinga Raila.gif and Kibaki Tosha Tena Virus. Press here: MajorGeeks.com - Download Freeware and Shareware Computer Utilities..

To remove Odinga Raila.gif and Kibaki Tosha Tena Virus from your computer, download and scan using both:
Super Anti-Spyware. Press here: SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Malwarebytes' Anti-Malware. Press here: Thank you for downloading Malwarebytes Anti-Malware from Download.com

7. After removing Odinga Raila.gif and Kibaki Tosha Tena Virus from your computer, turn on System Restore.

Steps to turn on System Restore:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to clear the Turn off System Restore check box on all drives checkbox.
4. Click OK. After a few moments, the System Properties dialog box closes. Then restart your computer.
 
LIKE Niku ADD

LIKE Niku ADD

JF-Expert Member
Joined
Jul 21, 2014
Messages
3,984
Likes
2,257
Points
280
This is really bad....
 
LIKE Niku ADD

LIKE Niku ADD

JF-Expert Member
Joined
Jul 21, 2014
Messages
3,984
Likes
2,257
Points
280
Only bumping or to increase # of post !
mind the post date bob !
I know the date of the original post.. but I had never known about those viruses
 
