I thought the Brontok virus from Indonesia was the most powerful, annoying and toughest virus to remove, but now I have encountered another virus which is worse than Brontok. The virus leaves an HTML file from which you can identify the virus name as JambanMu. In Malaysia, Jamban means toilet. But I have a Malay friend and he told me that jambanmu means “Your V@gina”. He also added that the word Jamban is used in Malaysia, so this virus might have originated from Malaysia!
Strangely, antivirus companies don’t identify the virus as JambanMu. I uploaded the virus file to VirusTotal and all the antivirus engines are able to identify the file as the Alman or Almanahe virus. It is just like Brontok, which some antivirus products call Rontokbro.
Here are the symptoms of being infected by the JambanMu, Alman or Almanahe virus, and also how to easily remove this annoying virus.
1. You have a HELP ME!!.html file on your C:\ drive. When you open it, it has the title of W32.JambanMy.V2 which brings MESSEGE FROM HELL!! It insults and complains about KFC, McDONALD, 7 11, oil, water, electricity, azam, zawawi, kamal, dzulkifli, israel, bush and yahudi. At the bottom, it has a line that says “Reported by 666.JambanMu.V2”

2. Registry Editor (regedit) being disabled.

3. Command Prompt (cmd) being disabled.

4. Flash.10.exe and Macromedia.10.exe loaded in Windows Task Manager.

5. Folder Options missing

6. Search at Start Menu missing

7. You’re unable to access a lot of antivirus websites such as virustotal.com, symantec.com, etc., because your HOSTS file has been modified to redirect antivirus websites to 127.0.0.1.
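
A quick way to confirm symptom 7 is to scan the HOSTS file for security-vendor names pinned to a loopback address. The following is an added example, not part of the original post; the watched list holds only the two domains named above, and the sample HOSTS content is constructed for illustration.

```python
import ipaddress

# Domains named in the article; extend with the vendors you rely on.
WATCHED = ("virustotal.com", "symantec.com")

def _is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_blocked_domains(hosts_text, watched=WATCHED):
    """Return (line_no, address, hostname) for watched names pinned to a sinkhole."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        # Drop comments, then split into the address and its hostnames.
        entry = raw.split("#", 1)[0].split()
        if len(entry) < 2 or not _is_sinkhole(entry[0]):
            continue
        for name in entry[1:]:
            host = name.lower().rstrip(".")
            # Match the domain itself or any subdomain, but not look-alikes.
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((line_no, entry[0], host))
    return hits

# Constructed sample of a tampered HOSTS file (not captured from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       virustotal.com www.virustotal.com
127.0.0.1   symantec.com   # appended entry
#127.0.0.1 liveupdate.symantec.com
192.0.2.10      intranet.example
"""

if __name__ == "__main__":
    for hit in find_blocked_domains(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % hit)
```

On a Windows machine the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; the ordinary `127.0.0.1 localhost` entry is not reported.
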
The JambanMu virus spreads via mapped drives and also portable USB flash drives. When I plug a USB flash drive into a computer that is infected by the JambanMu virus, it automatically creates autorun.inf and Flash.10.Setup.exe. If I open the flash drive from My Computer, it’ll run Flash.10.Setup.exe and infect the computer. The JambanMu virus reaches the computer in a file that has the icon of a Flash file.
I also noticed another thing. When I insert a USB flash drive that is infected by the JambanMu virus into a computer and right-click on the drive, there is a menu item that says “Scan for Viruses”. When I right-click on local hard drives, this menu item doesn’t appear.

Just as I expected, there is an autorun.inf file at the root of my USB flash drive that provides this command. If I select this command, it’ll launch Scanner.exe, which is also the JambanMu virus.
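
To see what a removable drive's autorun.inf would start before opening the drive in Explorer, the file can be parsed for its launch entries and context-menu labels. This is an added example, not part of the original post; the sample file is constructed from the file names and menu text described above, and the verb name `scan` is an assumption.

```python
import re

# Extensions treated as directly runnable when they appear in a command.
EXECUTABLE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs)\b", re.IGNORECASE)

def parse_autorun(text):
    """Collect launch commands and menu labels from the [autorun] section."""
    launch, menu, in_section = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if not in_section or "=" not in line:
            continue  # tolerate junk padding lines instead of failing
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            launch.append((key, value))
        elif key.startswith("shell\\") and key.count("\\") == 1:
            menu[key.split("\\")[1]] = value  # verb -> text shown in the menu
    return {"launch": launch, "menu": menu}

def launch_points(text):
    """List (trigger, command, menu_label) for every entry that starts a program."""
    parsed = parse_autorun(text)
    found = []
    for key, command in parsed["launch"]:
        if not EXECUTABLE.search(command):
            continue
        verb = key.split("\\")[1] if key.startswith("shell\\") else None
        found.append((key, command, parsed["menu"].get(verb)))
    return found

# Constructed sample modelled on the behaviour described in the article.
SAMPLE_AUTORUN = r"""[autorun]
;padding comment
open=Flash.10.Setup.exe
shell\scan=Scan for Viruses
shell\scan\command=Scanner.exe
junk line without an equals sign
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for trigger, command, label in launch_points(SAMPLE_AUTORUN):
        print(trigger, "->", command, "(menu: %s)" % label if label else "")
```
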

At first I tried removing this virus using AIMfix, CaSIR and HijackThis, and they all failed. After a lot of research and testing, I found that you only need to run 2 types of cleaners to easily and automatically remove the JambanMu, Alman or Almanahe virus and also restore the damage made by the virus. Do NOT run ComboFix and SDFix simultaneously. Run ComboFix first, restart, then run SDFix.
1. ComboFix

Instructions: Do not click inside ComboFix’s window while it is running. That may cause it to stall.
[ Download ComboFix ]
2. SDFix

Instructions: Download and run SDFIX.exe. Click the Install button to extract the SDFix files. Restart your computer in Safe Mode. Once you’ve booted into Safe Mode, go to the C:\SDFix folder and launch RunThis.bat. Press Y and hit ENTER. It will start scanning your computer and removing the JambanMu virus.
[ Download SDFix ]
Once you’ve completed running both ComboFix and SDFix, the JambanMu, Alman or Almanahe virus will be removed and your Registry Editor, Command Prompt, Folder Options and Windows Search will be restored.
While I was doing my research on this virus, I found 2 other tools to clean the JambanMu virus. The first one is the Virus Remover Tool for Win32/Alman from AVG. It is able to “clean” the JambanMu virus but it does not restore the damage. You must download the following two files (rmalman.exe, rmalman.nt) and run the rmalman.exe file.
[ Download AVG Win32/Alman Removal Tool ]
The second one is called KillFlash1.0 which claims to kill Flash.10.exe. I’ve tried this tool and it is not effective.
[ Download KillFlash1.0 ]

actually, jamban means toilet.. lololol
Wow.. that virus maker must be full in panic and frustrated by whats happening in the world when making this virus.. xD
plez help me to clean up all the viruses at my pc..
plez..
thanks…..
now my pc is clean…
(+_<)..
i like it……
please help me,,my computer have so many viruses…i try to download combofix,,but then i dont know what to do??
I really like this website..
u all must use this..
tq..
I ran Combofix and I tried to download and run SDfix but I received the following error when I tried to run it:
“Windows can not find “C:\SDFIX\apps\\installed.text’. Make sure you typed the name correctly, and then try again.”
I don’t know what to do.
Thanks
thanks bro…
Thx raymond
yet, another frustrated skippie
thanks dude for this info. now i can remove my pc from this jambanmu. thanks a lot.
Hi there… before that, thanks… after i followed you instruction of remove the jambanmu virus… finally my pc is working just fine.. but need to ask a question.. why my registry editor still Jambanmu.com?how to rename back?thnx…i see many post like this but no respons thnx
Hi, Raymond,,..I’ve problem with my notebook,..very slow response booting, I’ve also problem accessing to internet even though using the 3G modems..I have scan via kaspersky antivirus, have also run combofix & SDfix…run all brontok blaster no worm or trojan been detected….need help!!!!!
TQ
Ok, try download SuperAntiSpyware and run repair in preferences
Raymond, I can’t see all my hidden files. Even the folder option missing. What shud I do?
thanks a lot raymond. It solved my problem. However, my C prompt is still being “disabled by the administrator”. Does that mean the virus is still in my computer?
thanks man! it’s really work. I finally can solve the problem after a year.
use trojan remover
I am a new member from cambodia.
I thought this blog is helpful with my work.
Thank to all of member and thank alot to raymond.
I had a problem my computer effected by virus but i dont know what is it name.It is like a star stick flying around my desktop.Pls help me how to clean or remove it.
what anti virus clean files exe infacted by Win32/Alman.A virus?
i dont know how to remove massage from hell
JambanMu is very different from the other virus…actually this virus is very unique and very hard to remove it…even though using a latest or powerful AV like Kapersky,but still cannot detect it….thanks so much raymond for your info..hope you can find a suitable and easy step to remove this virus…terima kasih(thank you)..
hey man i used this combofix and sdfix but my pc is still giving that taskmanager has been disabled by the administrator and even the command prompt is not opening.
i first of all ran combofix.exe and then run and installed sdfix.exe and after that i restarted my pc in safe mode and run run this bat.exe
even then when i returned to normal it was still giving the same problems.
so can u help me??
was i wrong somewhere in the procedure.
Reply:
Yo man..why don’t u use kaspersky 2007 AV?..it will help u to solve ur problem..u know what?i also face the same prob and i’ve scanned my computer using Kaspersky AV 2007..do not use free edition la bro..use the full version..and my task manager can be restored..so try it..;)
Thanx for ur info bro..i will try it as soon as possible as my computer been ‘hit’ by this kind of virus..hope in the future u can provide us more useful info on how to remove ‘super2′ viruses..thanx again bro..:)
huhu. Its crazy and i think its more better we alert. Thanks for sharing with us this problem and tell us too how to handle it.
erm..one more think…after use virus remover(combofix dan SDFIX)..my laptop still weak.. to shutdown take a long time..another way to solve this problem???
i allready use this kind of virus remover(combofix dan SDFIX)..ya my have back my foder option and search at start menu but if i right click on my My COMPUTER icon my Laptop still register by JAMBANMU V2 and DIE!DIE!DIE!….how can i solve this problem….
thanx man!!!! whenever u are in malaysia give me a call if u need anything im in construction
thanks for everything!
thanx man, now my pc is clean. nice job! =)
to enable ur infected regedit
Just type following in RUN dialog box and press :
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
or
How to enable registry when infected by virus
When your registry is being disabled:
First, maybe the administrator disabled it for some restriction purposes
Second, due to a virus. Most viruses disable regedit so that you are unable to stop the execution of their program.
Here are the solutions for enabling regedit again.
Use gpedit.msc to enable the registry editor.
Step 1: Hit the Windows key or click the Start button, then press “r” or simply click Run
Step 2: Type gpedit.msc
Step 3: Click on Administrative Templates
Step 4: Click System, locate “Prevent access to registry editing tools” and double-click on it
Step 5: Select Enabled on the option button, then click Apply.
This will make a policy to prevent access to the registry editing tools. The computer will automatically make the policy.
Step 6: After clicking Apply, select Disabled on the option button, then click Apply again, then click the OK button when finished.
The Disabled button will set the policy to default; the computer will automatically configure it and it becomes the default config, in which the registry editor can be accessed by the user.
please help me to remove Narixa virus. I try to run the combofix, but cannot run properly. it Looks like blocking by the virus. But SDFix can run successfully. Please reply me as soon as possible. TQ
Hi Raymond. I’ve try this solution n it work!! thank a lot. But after i’ve tried to my friend PC, the registry name for the PC is still JambanMu Die!Die!die….why ah?
Hi there… before that, thanks… after i followed you instruction of remove the jambanmu virus… finally my pc is working just fine.. but need to ask a question.. why my registry editor still Jambanmu.com? seek for you assist…
Good day!
First all i would like to thank you for all your email. I really learn a lot from you.
By the way Raymond i have a problem with the laptop of my cousin which i repaired. It is running in XP SP2. It has an AVG installed in it and was infected with virus.. a virus which denies access to Registry, task manager, folder option. (the one which displays “disable by administrator” when access). i tried a solution which i read from the internet. It prompts me to run an entry to enable registry but it only leads to opening a notepad with a garbled message when i ran regedit. so, when i read about this program COMBOFIX and SDFIX, i tried it and it works. Registry access was restored. After reboot i scan it again with avg, it detected certain file viruses and quarantined it. Unfortunately i deleted all the files quarantined by avg and it affected internet explorer and certain program. Not a problem with other program, i did just reinstalled it. Unlike Internet Explorer, when i click internet explorer, the file can no longer be located. What should i do to restore internet explorer without reinstalling windows?
Thank you very much
Hello, charlie.
I’ve the same problem as you. I search the internet and found something very useful. Download restriction removal tool (RRT.exe). use google to search. It will restore all your problems. It will re-enable folder options, run, task manager and internet explorer.
This is terrible. I can’t even search now… btw, jambanmu means ‘your toilet’. It’s a Malay word.
another way to remove jambanmu is use procexp from Sysinternals Process Explorer
hahaha, PCMAV that’s a good AV Maybe, use an AV Database from other AV???, what ashame!!!, PCMAV Suck and it’s very slow and detected by foreign AV as a threat, this can be a problems too, PCMAV Sucks
Thanks for your tutorial. Several virus from Indonesia can’t detect by antivirus foreign but I have a weapon to solve the problem. I use PCMAV to clean the virus. This free and integration with ClamAV Database. Several antivirus detect PCMAV as threat but I guarantee that false alarm. You can get PCMAV at maseko.com
why so hard to kill brontok variants, i’m from indonesia and all local virus scanned and cleaned with Ansav, just double click it’s close all unclose program and use the plugins for recover Document, Hidden Files, Registry, and Uncloseable programs, it’s simple than u’r method
tK9 Tech Team
Anybody interested in cleaning difficult virus/Trojan should look into this video. It is long but it is very well done, intended for experts, and the speaker is no other than the famous Mark Russinovich. (yes, he is pushing his tools, but they are excellent and I use them anyway all the time)
This is not a tool, but methodology.
microsoft.com/emea/spotlight/sessionh.aspx?videoid=359
This video need another video player to be installed, it seems Microsoft is pushing this player these days.
How does it spread (other than USB autoruns?)
Once again, thanks ray for the infos… it seems that this one is alot tougher than brontok. btw, allow me to interpret, JambanMu is ” Your Ass ” not ” Your V@gina ”. sorry I don’t mean your ass but the real meaning of the virus… kudos bro.
no problems as of yet. will put this fix in with my others and if i ever need it its there. Thanks raymond
Cheers ! Wow another nasty bug ?? Thanks u got the solution …
Forgot to add that this virus also duplicates itself into folders that it finds.
good job, man. I’ve been killing viruses/worms since 1991 and this looks very nasty to me too.
notice that in task manager there are two files: flash.10.exe and macromedia.exe. if you kill any of these process in Task Manager, Windows will get restarted. use “kill process tree” in sysinternal process explorer instead.
after the processes are killed, you are free to delete the registry entries.
i only use procexp, autoruns, and regedit to remove this virus and its registry leftovers, but i can’t recall it now since I accidentally deleted the virus that I intend to keep >_<”
personally i think brontok is more annoying since it duplicates itself into all folders
does this work with any other viruses? I’ve got a virus that i cant seem to get rid off and i use the latest version of Kaspersky
thx for the info raymond
When I found this virus, I was really frustrated because the method that I use to clean Brontok doesn’t work at all! After a lot of testing, combofix and sdfix is able to clean it.
OMG..another Brontok variant. Looks like cleaning this one will be more tougher than BrontokBro. Again, nice tutorial Raymond. :D