Computer Virus: May 2010

Today I was copying some of the new songs from my brother's computer to my pen drive. When I opened the pen drive in windows explorer, I noticed that a new file called USBcillin in the pen drive. My brother told me that he had installed the program but was unable to uninstall it since it was not shown in the Add or Remove Programs from the control panel. He told me it was not virus. Even though I was suspicious about the reliability of the program I didn't tell him anything. I just removed the program from the start up options in the msconfig file.

Now let me give a small information about USBcillin. USBcillin is said to be a software that protects your computer from malware when you plug in infected USB drives. However, it is just another rogue application. USBcillin is unable to protect your computer form any possible infections. The rogue modifies registry entries and drops various malicious files onto your computer.

Removal:

1. Kill processes

13882768.EXE
64080532.EXE
82215601.EXE
USBcillin.exe
QWE.TXT.EXE

For killing a process, open task manager and then choose the process tab. From the process shown select the above process and click on the end now button. A warning will be displayed. Click OK button. For more details about killing malware process click here.

2. Delete the registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoPropertiesMyComputer” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\”DisableTaskMgr” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoSetFolders” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoNetHood” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoFolderOptions” = “0″
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoDesktop” = “0″
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\”DisableCMD” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoPrinters” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoSetFolders” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\”NoNetSetup” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”Window Title” = “Windows Internet Explorer”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\”NoAddPage” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoFind” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\”PastIconsStream” = “hex:14,00,00,00,05,00,00,00,01,00,01,00,b6,00,00,00,14,00,00,00,49,4c,00,06,b6,00,ba,00,04,00,10,00,10,00,ff,ff,ff,ff,21,00…”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Userinit” = “C:\WINDOWS\system32\userinit.exe,”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoRun” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\”DisableRegistryTools” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoViewContextMenu” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\”NoAddRemovePrograms” = “0″
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\”NoNetSetup” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoFileMenu” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”USBcillin” = “C:\WINDOWS\system32\USBcillin.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoPropertiesMyComputer” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoViewContextMenu” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”DisableRegistryTools” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoActiveDesktop” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\”NoAddRemovePrograms” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoFolderOptions” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoDesktop” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Shell” = “explorer.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\”NoDispCPL” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoPrinters” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoControlPanel” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\”NoRemovePage” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\”NoAddPage” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoFind” = “0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\”NoActiveDesktop” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoRun” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoNetHood” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\”NoRemovePage” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoControlPanel” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”DisableTaskMgr” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\”NoDispCPL” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\”NoFileMenu” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\”Order” = “hex:08,00,00,00,02,00,00,00,00,02,00,00,01,00,00,00,03,00,00,00,d2,00,00,00,00,00,00,00,c4,00,00,00,41,75,67,4d,02

To know about deleting registry values, click here.

3. Delete files