I thought the Brontok virus from Indonesia was the most powerful, annoying and toughest virus to remove, but now I have encountered another virus which is worse than Brontok. The virus leaves an HTML file from which you can identify the virus name as JambanMu. In Malaysia, when you say Jamban, it means toilet. But I have a Malay friend and he told me that jambanmu means “Your V@gina”. He also added that the word Jamban is used in Malaysia, so this virus might have originated from Malaysia!
Weirdly, antivirus companies don’t identify the virus as JambanMu. I uploaded the virus file to VirusTotal and all the antivirus products identify the file as the Alman or Almanahe virus. It is just like Brontok, which some antivirus products call Rontokbro.
Here are the symptoms of being infected by the JambanMu, Alman or Almanahe virus, and also how to easily remove this annoying virus.
1. You have a HELP ME!!.html file on your C:\ drive. When you open it, it has the title of W32.JambanMy.V2 which brings MESSEGE FROM HELL!! It insults and complains about KFC, McDONALD, 7 11, oil, water, electricity, azam, zawawi, kamal, dzulkifli, israel, bush and yahudi. At the bottom, it has a line that says “Reported by 666.JambanMu.V2”.
2. Registry Editor (regedit) is disabled.
3. Command Prompt (cmd) is disabled.
4. Flash.10.exe and Macromedia.10.exe are loaded in Windows Task Manager.
5. Folder Options is missing.
6. Search is missing from the Start Menu.
7. You’re unable to access a lot of antivirus websites such as virustotal.com, symantec.com, etc. because your HOSTS file has been modified to redirect antivirus websites to 127.0.0.1.
The JambanMu virus spreads via mapped drives and also portable USB flash drives. When I plug a USB flash drive into a computer that is infected by the JambanMu virus, it automatically creates autorun.inf and Flash.10.Setup.exe on the drive. If I open the flash drive from My Computer, it’ll run Flash.10.Setup.exe and infect the computer. The JambanMu virus reaches the computer in a file that has the icon of a Flash file.
I also noticed another thing. When I insert a USB flash drive that is infected by the JambanMu virus into a computer and right-click on the drive, there is a menu item that says “Scan for Viruses”. I right-clicked on local hard drives, but this menu didn’t appear.
Just as I expected, there is an autorun.inf file at the root of my USB flash drive that adds this command. If I select this command, it’ll launch Scanner.exe, which is also the JambanMu virus.
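A defender-side check for two of the symptoms above, the HOSTS redirect in item 7 and the autorun.inf launcher on the flash drive, written as an added example and not taken from the original post or from any of the tools it mentions. The sample HOSTS and autorun.inf contents, the `scan` verb name and the function names are constructed for illustration.

```python
import re

# Vendor domains named in the post; extending this list is up to you (assumption).
AV_DOMAINS = ("virustotal.com", "symantec.com")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def hijacked_hosts(hosts_text, watched=AV_DOMAINS):
    """Return (ip, hostname) pairs where a watched domain or subdomain maps to loopback."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            for name in fields[1:]:
                host = name.lower().rstrip(".")
                if any(host == d or host.endswith("." + d) for d in watched):
                    hits.append((fields[0], host))
    return hits

def autorun_commands(inf_text):
    """Return {key: value} for [autorun] entries that launch a program."""
    launch = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
    section, found = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            if launch.match(key):
                found[key.lower()] = value
    return found

# Constructed samples modelled on the symptoms in the post, not captured from an infection.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.virustotal.com   # redirect entry
127.0.0.1 symantec.com liveupdate.symantec.com
"""
SAMPLE_INF = """\
[autorun]
open=Flash.10.Setup.exe
shell\\scan=Scan for Viruses
shell\\scan\\command=Scanner.exe
"""

if __name__ == "__main__":
    print(hijacked_hosts(SAMPLE_HOSTS))
    print(autorun_commands(SAMPLE_INF))
```

To use it on a real machine, pass in the text of `%SystemRoot%\System32\drivers\etc\hosts` and of `autorun.inf` from the drive's root, read as plain text rather than by opening the drive from My Computer.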
At first I tried removing this virus using AIMfix, CaSIR and HijackThis, and they all failed. After a little searching and a lot of research and testing, I found that you only need to run 2 types of cleaners to easily and automatically remove the JambanMu, Alman or Almanahe virus and also restore the damage made by the virus. Do NOT run ComboFix and SDFix simultaneously. Run ComboFix first, restart, then run SDFix.
Instructions: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
[ Download ComboFix ]
Instructions: Download and run SDFIX.exe. Click the Install button to extract the SDFix files. Restart your computer in Safe Mode. Once you’re booted into Safe Mode, go to the C:\SDFix folder and launch RunThis.bat. Press Y and hit ENTER. It will start scanning your computer and removing the JambanMu virus.
[ Download SDFix ]
Once you’ve completed running both ComboFix and SDFix, the JambanMu, Alman or Almanahe virus will be removed and your Registry Editor, Command Prompt, Folder Options and Windows search will be restored.
When I was doing my research on this virus, I found 2 other files to clean the JambanMu virus. The first one is the Virus Remover Tool for Win32/Alman from AVG. It is able to “clean” the JambanMu virus but it does not restore the damage. You must download the following two files (rmalman.exe, rmalman.nt) and run the rmalman.exe file.
[ Download AVG Win32/Alman Removal Tool ]
The second one is called KillFlash1.0 which claims to kill Flash.10.exe. I’ve tried this tool and it is not effective.
[ Download KillFlash1.0 ]