CMD Error – Virus
August 3rd, 2016
I’m using Kaspersky Internet Security at the moment,
and it suddenly stopped updating a few days ago.
It gives the message “Update failed: Internal Error”.
The problem is Kaspersky screams whenever I try to double-click a hard drive in “My Computer”. It gives this message:
Riskware:
Trojan.generic
Running process (PID:1540)
c:\9.cmd
Action:
process is trying to register its copy as startup autorun object. This behaviour is typical of Trojans.
(quarantine/terminate/allow)
I picked quarantine and terminate many times before but it did not help; it only lets me “roll back”.
What should I do except formatting?
Any ideas how to fix this problem?
Any software to recommend to clean this ~love~?
Is formatting the only solution?
Thank you in advance.
No, formatting the whole PC isn’t the only solution. The easiest thing you could do now is to download HijackThis.
1.) Scan system
2.) Post logfile on http://www.hijackthis.de
3.) Delete corrupt files which are marked with a huge red X
After these steps you could try to update your antivirus again, and if it doesn’t work, install it again, update it and scan your system again.
Download the Avira rescue CD from here: http://www.avira.com/en/company_news/rescue_cd_.html
Burn it to CD and restart to boot into a GUI-less version of Linux. Then you can scan. BTW – the first thing it’ll do is ask for a language. Move down using the down button and press Space Bar to select.
Thank you for the advice.
I downloaded HijackThis, scanned, and posted the file to the site.
It says that C:\WINDOWS\system32\ckvo.exe is a nasty file.
I’m trying to delete it, but I cannot find it. I’m kinda smiling but I’m gonna search a little bit more :)
I’m too noob to use Linux but I’m gonna try this as the next step :)
Thank you.
CKVO.exe is somehow famous lol
Don’t worry about the virus; it’s just a tiny trojan that spreads on removable drives. Nothing to be too concerned about.
I need a ComboFix log
- Disable your resident antivirus (Kaspersky)
- Download Combofix from the link below
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Save it to your Desktop
- Close all running applications and run Combofix
- Agree to its terms and it will start scanning. Do not click anywhere or do anything until it’s done
- It might restart your computer. In any case it will present you with a log.
- Copy/paste the log in this thread inside a [code] box so I can give further instructions
I’m going to bed now but will check this post tomorrow. Or maybe someone like can check it too. For the time being follow these instructions only
Search for the file in the Windows file browser, and if you try to delete it and it gives an error, download the freeware tool Unlocker and kill it.
ComboFix 08-10-16.08 - Admin 2008-10-17 22:43:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.1.1055.18.346 [GMT 3:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
[color=RED][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\n6t1h.cmd
C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\blphc1prj0e9c3.scr
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\phc1prj0e9c3.bmp
F:\9.cmd
F:\n6t1h.cmd
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-09-17 to 2008-10-17 )))))))))))))))))))))))))))))))
.
2008-10-17 19:29 . 2008-10-17 19:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-16 01:34 . 1998-06-24 00:00 82,744 --a------ C:\WINDOWS\system32\PICCLP32.OCX
2008-10-16 01:33 . 2008-10-16 01:40 <DIR> d-------- C:\Learn To Speak French Demo V3.1
2008-10-16 00:45 . 2008-10-16 00:46 <DIR> d-------- C:\Program Files\The Rosetta Stone
2008-10-16 00:34 . 2008-10-16 00:43 <DIR> d-------- C:\rosetaF
2008-09-27 14:34 . 2008-09-27 14:34 <DIR> d-------- C:\Program Files\QO Labs
2008-09-27 14:34 . 2008-09-27 14:34 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2008-09-27 13:53 . 2008-09-27 13:53 <DIR> d-------- C:\Program Files\Common Files\DFX
2008-09-27 13:53 . 2008-09-27 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
2008-09-26 21:59 . 2008-10-04 03:53 <DIR> d-------- C:\Program Files\MioNet
2008-09-26 21:58 . 2008-09-26 21:58 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
2008-09-26 21:58 . 2004-12-07 10:11 258,352 --a------ C:\WINDOWS\system32\unicows.dll
2008-09-26 21:57 . 2008-09-26 21:57 <DIR> d-------- C:\Program Files\Philips
2008-09-26 21:39 . 2005-08-25 13:28 1,240,576 -ra------ C:\WINDOWS\system32\drivers\camdrv41.sys
2008-09-26 21:38 . 2004-08-04 00:45 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-09-26 21:38 . 2004-08-04 00:45 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 19:50 3,943,968 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-10-17 19:50 --------- d-----w C:\Documents and Settings\Admin\Application Data\Orbit
2008-10-17 19:48 968,312 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-17 19:48 72,006,176 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-17 19:48 372,836 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-10-12 01:11 --------- d-----w C:\Documents and Settings\Admin\Application Data\Babylon
2008-09-27 12:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-27 12:15 --------- d-----w C:\Program Files\Singles
2008-09-27 12:14 --------- d-----w C:\Program Files\BoontyGames
2008-09-27 11:48 --------- d-----w C:\Program Files\Common Files\Ahead
2008-09-27 11:48 --------- d-----w C:\Program Files\Ahead
2008-09-25 23:02 --------- d-----w C:\Program Files\Cool YouTube Downloader
2008-09-11 18:47 --------- d-----w C:\Program Files\Orbitdownloader
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 16:31 --------- d-----w C:\Program Files\mIRC
2008-08-07 01:13 72,748 ----a-w C:\WINDOWS\unins000.exe
2006-01-05 00:28 26,912 --sha-w C:\WINDOWS\fidbox.dat
2006-12-18 22:54 104 --sh--r C:\WINDOWS\system32\B09716C1E8.sys
2008-01-28 01:39 5,904 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kis"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 139367]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2007-04-30 1670336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-04-21 08:12 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"msacm.sl_anet"= C:\PROGRA~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"msacm.msaudio1"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Adobe Reader Speed Launch.lnk
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Orbit.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Orbit.lnk
backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 14:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\~ Disallowed ~]
-ra------ 2004-10-08 10:31 155648 C:\WINDOWS\system32\~ Disallowed ~.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 17:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhiBtn]
--a------ 2005-08-25 19:41 155648 C:\WINDOWS\system32\drivers\PhiBtn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-10-21 04:17 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Toshiba Hotkey Utility]
--a------ 2004-12-10 22:26 1089536 C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayMin900]
--a------ 2005-08-25 19:41 266240 C:\WINDOWS\system32\drivers\Tray900.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"LiveUpdate"=3 (0x3)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"C-DillaCdaC11BA"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"MioNet"=2 (0x2)
"MDM"=2 (0x2)
"CLTNetCnService"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\SIERRA\\Half-Life\\hl.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\SIERRA\\Empire Earth\\Empire Earth.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16142:TCP"= 16142:TCP:NortonAV
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
R1 SMBHC;Microsoft SM Yolu Ana Denetleyici Sürücüsü;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 6784]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2004-12-10 30592]
R3 SMBBATT;Microsoft Akıllı Pil Sürücüsü;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-04 16128]
S0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [ ]
S3 AVPsys;AVPsys;C:\WINDOWS\system32\drivers\tdi.sys [2004-08-04 18560]
S3 camvid40;Philips SPC 900NC PC Camera;C:\WINDOWS\system32\DRIVERS\camdrv41.sys [2005-08-25 1240576]
S3 IPN2220;INPROCOMM IPN2220 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-11-04 155392]
S3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2004-08-18 7552]
S3 Spet_dgs;Spet_dgs;C:\WINDOWS\system32\routemon.exe [2004-08-04 25600]
S4 MioNet;MioNet Service;C:\Program Files\MioNet\MioNetManager.exe [2005-07-15 139264]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{077c307f-926c-11db-8013-0012f0a090b5}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17eacd40-f1ed-11dc-824e-0012f0a090b5}]
\Shell\AutoRun\command - G:\n6t1h.cmd
\Shell\explore\Command - G:\n6t1h.cmd
\Shell\open\Command - G:\n6t1h.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f2fc616-09fa-11dc-80ef-0012f0a090b5}]
\Shell\Auto\command - activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - activexdebugger32.exe f
\Shell\find\command - F:\Knight.exe open
\Shell\install\command - F:\Knight.exe open
\Shell\open\Command - activexdebugger32.exe f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41cf5c51-e6b3-11dc-8245-0012f0a090b5}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4677b64a-0b84-11dc-80f6-0012f0a090b5}]
\Shell\Auto\command - bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc950491-17e4-11dc-8111-0012f0a090b5}]
\Shell\Auto\command - F:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - F:\activexdebugger32.exe f
\Shell\open\Command - F:\activexdebugger32.exe f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f412afa1-063d-11db-be57-eacbade0e052}]
\Shell\AutoRun\command - F:\autorun.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Kaspersky - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
MSConfigStartUp-AVPCC - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
MSConfigStartUp-OfficeGuard RegChecker - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe
MSConfigStartUp-NDSTray - NDSTray.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\gwekwj2a.default\
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-17 22:50:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ... scanning hidden autostart entries ...
scanning hidden files ... scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-17 22:58:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-17 19:58:29
Pre-Run: 8.331.919.360 bayt boş
Post-Run: 11,770,679,296 bayt boş
216 --- E O F --- 2008-10-16 00:06:38
Hmm, TheDA appears to have vanished. Hello .
Now open a new notepad file.
Input this into the notepad file:
File::
G:\n6t1h.cmd
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{077c307f-926c-11db-8013-0012f0a090b5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17eacd40-f1ed-11dc-824e-0012f0a090b5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f2fc616-09fa-11dc-80ef-0012f0a090b5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4677b64a-0b84-11dc-80f6-0012f0a090b5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc950491-17e4-11dc-8111-0012f0a090b5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f412afa1-063d-11db-be57-eacbade0e052}]
Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it’s done. Post the resulting log back here.
and ^|^,
You are great _o_ respecto!
I’ve searched many forums and sites, but yours was the best solution,
and it appears to be OK now.
Thank you for your help.
Thank you again.
What will this script do?
And how do you know this much?
The script will remove leftovers of the infection. ComboFix caught the n6t1h.cmd in C and F, but not G, so the script will take that out.
And then it will remove the mountpoints of the infection in the registry.
I’ve had more than 3 yrs in this field; it’s second nature to me, so to speak.
[edit]
Missed your other post.
Please run this script, ’cause the infection will return if you don’t.
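As an added example (not part of the original posts and not ComboFix's own logic), this Python sketch parses the mountpoints2 section of a log in the layout shown in this thread and flags keys whose commands take over the drive's double-click verbs or launch a script-type file. The sample lines are copied from the log above; the two heuristics and all function names are assumptions made for illustration.

```python
import re

# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17eacd40-f1ed-11dc-824e-0012f0a090b5}]
\Shell\AutoRun\command - G:\n6t1h.cmd
\Shell\explore\Command - G:\n6t1h.cmd
\Shell\open\Command - G:\n6t1h.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41cf5c51-e6b3-11dc-8245-0012f0a090b5}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^\\Shell\\([^\\]+)\\command - (.+)$", re.I)

# Assumed heuristics (illustrative, not ComboFix's rules):
HIJACK_VERBS = {"open", "explore"}   # verbs Explorer runs on double-click / Explore
SCRIPT_EXT = (".cmd", ".bat", ".scr", ".pif", ".vbs", ".com")


def parse_mountpoints(log_text):
    """Return {registry key: {verb: command}} for every mountpoints2 key."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries[current] = {}
        elif line.startswith("["):
            current = None               # a different registry key starts here
        elif current:
            verb = VERB_RE.match(line)
            if verb:
                entries[current][verb.group(1).lower()] = verb.group(2)
    return entries


def triage(entries):
    """Return {registry key: [reasons]} for keys matching either heuristic."""
    findings = {}
    for key, verbs in entries.items():
        reasons = []
        hijacked = sorted(HIJACK_VERBS.intersection(verbs))
        if hijacked:
            reasons.append("overrides double-click verbs: " + ", ".join(hijacked))
        for verb, cmd in sorted(verbs.items()):
            if any(tok.lower().endswith(SCRIPT_EXT) for tok in cmd.split()):
                reasons.append(f"{verb} runs a script-type file: {cmd}")
                break
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in triage(parse_mountpoints(SAMPLE_LOG)).items():
        print(key)
        for reason in reasons:
            print("   ", reason)
```

Keys that only set an AutoRun command to an .exe are returned by `parse_mountpoints` but not flagged by `triage`, so they still need a human decision.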
Finally, I got sick of this virus stuff and formatted all my drives.
It cost me some movies, series and games, but I’m happier than ever :)