The favourite branches to think about into include HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE.
If the virus has a specific name like blaster.worm or 32heur and a lot more., you will find processes followed by such name extensions in addition to the weird names. http://Silverbardgames.com/wiki/doku.php/cause_of_hai_loss_in_women_-_the_ole_of_dht_sebum
