****************************************************************************
I-Worm.Zafi.b
I-Worm.Bagle.at,au,cx-dw
Virus.Win32.Implinker.a
Not-a-virus.AdWare.Visiter
Trojan.Win32.Krotten
Email-Worm.Win32.Brontok.n
Backdoor.Win32.Allaple.a
Trojan-Spy.Win32.Goldun.mg
Email-Worm.Win32.Warezov
Virus.Win32.VB.he
IM-Worm.Win32.Sohanad.as
P2P-Worm.Win32.Malas.b
Virus.Win32.AutoRun.acw
Worm.Win32.VB.jn
Trojan.Win32.KillAV.nj
Worm.Win32.AutoRun.cby
Trojan.Win32.Agent.aec
Trojan-Downloader.Win32.Todon.an
Trojan-Downloader.Win32.Losabel.ap
Worm.Win32.AutoRun.czz,daa,dhq,dfx
Net-Worm.Win32.Rovud.a-c
Trojan.Win32.ConnectionServices.x-aa
Worm.Win32.AutoRun.dtx
Worm.Win32.AutoRun.hr
Backdoor.Win32.Agent.lad
not-a-virus:FraudTool.Win32.UltimateDefender.cm
Trojan-Downloader.Win32.Agent.wbu
Backdoor.Win32.Small.cyb
not-a-virus:FraudTool.Win32.XPSecurityCenter.c
not-a-virus:Downloader.Win32.VistaAntivirus.a
not-a-virus:FraudTool.Win32.UltimateAntivirus.an
not-a-virus:FraudTool.Win32.UltimateAntivirus.ap
Trojan-Spy.Win32.Zbot.dlh
Trojan-Downloader.Win32.Small.abpz
Rootkit.Win32.Ressdt.br
Worm.Win32.AutoRun.lsf
Worm.Win32.AutoRun.epo
Worm.Win32.AutoRun.enw
Backdoor.Win32.UltimateDefender.a

Version 12.0.0.20
Copyright (C) Kaspersky Lab, Antropov Alexey, Vitaly Kamluk, Boris Yampolsky 2000-2008.
All rights reserved.
****************************************************************************

Command line:

  /s     - force scanning of hard drives. The program will scan hard
           drives for infection in any case.
  /n     - force scanning of mapped network drives.
  /path  - force scanning of the specified path.
  /y     - end the program without waiting for a key press.
  /i     - show command line info.
  /nr    - do not reboot the system automatically in any case.
  /Rpt[ao][=] - create report file
           a - add report file
           o - report only (do not cure/delete infected files)

Return codes:

  0 - nothing to clean
  1 - virus was deleted and system restored
  2 - to finalize removal of the virus you should reboot the system
  3 - to finalize removal of the virus you should reboot the system and
      start the program a second time
  4 - program error

****************************************************************************
WARNING: this utility detects ONLY the viruses listed in this ReadMe.txt file
****************************************************************************

If the program finds any processes in memory that are infected by these
viruses, it will try to unhook the virus hooks and patch the affected
processes to stop reinfection, or it will stop them. It will then delete or
cure their files on the hard drive and delete the links to their files from
the system registry and other startup places.

If the program finds any infected processes in memory, it will start scanning
your hard drives. It checks only for infection by these viruses. If you
specify the /s key on the command line, the program will scan your hard
drives in all cases.

If the program cannot delete or rename a file (it may be in use at the
moment), it adds the file to the queue to be deleted or renamed during the
next boot and offers the user a reboot.

The program can restore the following startup links used by viruses:

  autoexec.bat
      win %virus file path and name%

  win.ini
      section [Windows] run=

  system.ini
      section [boot] shell=

  registry keys
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
          values: AppInit_DLLs
                  Run
      HKEY_CLASSES_ROOT\txtfile\shell\open\command (txt association)
          restoring to link to notepad.exe program
      HKEY_CLASSES_ROOT\exefile\shell\open\command (exe association)
          restoring to "%1" %*
      HKEY_CLASSES_ROOT\comfile\shell\open\command (com association)
          restoring to "%1" %*
      HKEY_CLASSES_ROOT\batfile\shell\open\command (bat association)
          restoring to "%1" %*
      HKEY_CLASSES_ROOT\piffile\shell\open\command (pif association)
          restoring to "%1" %*
      HKEY_CLASSES_ROOT\cmdfile\shell\open\command (cmd association)
          restoring to "%1" %*
      HKEY_CLASSES_ROOT\scrfile\shell\open\command (scr association)
          restoring to "%1" /S
      HKEY_CLASSES_ROOT\scrfile\shell\config\command (scr association)
          restoring to "%1"
      HKEY_CLASSES_ROOT\regfile\shell\open\command (reg association)
          restoring to regedit.exe "%1"

  installed NT services

  mIRC start scripts
      \Mirc\script.ini
      \Mirc32\script.ini

  Pirch start scripts
      \Pirch98\events.ini
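
An added example (not part of the Kaspersky utility or its ReadMe): a Python check that reads a regedit text export and reports shell command handlers that differ from the defaults listed above. The function names and the sample export are constructed for illustration; only plain string (`@="..."`) default values are read, hex-encoded values are skipped.

```python
import re

# Defaults as listed in this ReadMe, keyed by subkey under HKEY_CLASSES_ROOT.
EXPECTED = {ext + r"file\shell\open\command": '"%1" %*'
            for ext in ("exe", "com", "bat", "pif", "cmd")}
EXPECTED[r"scrfile\shell\open\command"] = '"%1" /S'
EXPECTED[r"scrfile\shell\config\command"] = '"%1"'
EXPECTED[r"regfile\shell\open\command"] = 'regedit.exe "%1"'
# The ReadMe only says txt is restored to notepad.exe, so match by substring.
CONTAINS = {r"txtfile\shell\open\command": "notepad.exe"}

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\(.+)\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_reg_export(text):
    """Return {lowercased HKCR subkey: default value} from a regedit export."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = m.group(1).lower() if m else None  # ignore other hives
        else:
            m = DEFAULT_RE.match(line)
            if m and key:
                # .reg files escape backslash and double quote with a backslash
                values[key] = re.sub(r'\\(["\\])', r"\1", m.group(1))
    return values

def audit_associations(text):
    """List (subkey, found, expected) for handlers that are not the default."""
    found, bad = parse_reg_export(text), []
    for key, got in sorted(found.items()):
        if key in EXPECTED and got.strip().lower() != EXPECTED[key].lower():
            bad.append((key, got, EXPECTED[key]))
        elif key in CONTAINS and CONTAINS[key] not in got.lower():
            bad.append((key, got, "*" + CONTAINS[key] + "*"))
    return bad

# Constructed sample export (not from a real system): exefile is not the default.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\sample.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\notepad.exe %1"
'''
```

`audit_associations(SAMPLE)` returns one finding, for the exefile handler; an empty list means every handler present in the export matches the defaults above.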