Exterminate It! Antimalware

Known threats: 699,742. Last update: November 20, 22:46

Winlogon Shell - Registry Values List

This is a complete list of Winlogon Shell registry values collected by Exterminate It!. If you find any of these registry values on your PC, your computer is very likely to be infected with the Winlogon Shell hijacker.

IMPORTANT: Because the registry is a core component of your Windows system, it is strongly recommended that you back up the registry before you begin deleting keys and values. For information about backing up the Windows registry, refer to the Registry Editor online help.
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\35g32y5325325.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\23w4s2Yv0pX1qCc9\w0ztnuDNs3lp.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\Realtek HDD Audio Manager.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O20302Z\TuxO20302Z.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\mobsync.exe,[%APPDATA%]\WindowsUpdate\VGA.exe,explorer.exe,[%APPDATA%]\WindowsUpdate\MSupdate.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\VGA.exe,explorer.exe,[%APPDATA%]\WindowsUpdate\mobsync.exe,Explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\Mozzillaa\csrsss.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\Power Update\fatalerror.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,wscript.exe //B "[%APPDATA%]\Updater.vbs"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\VGA.exe,explorer.exe,[%APPDATA%]\WindowsUpdate\MSupdate.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\Video CodeC X\Video CodeC X\bsoderror.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\syslink.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\7C1B7AB629475547.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%USER_RECYCLE_BIN%]\eirebdq00.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\SMARTL~1\SMARTL~1.7\Client\Client.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\Java_shoudler.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Drivers\Drivers.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\UpzC8cBv3q3Yc9mb\1Kh0C2GY0v2N.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\8076AEDE456A556F.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\tcpview.exe,explorer.exe,[%APPDATA%]\WindowsUpdate\mobsync.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\JMC player\JMC player\fatalerror.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\276671\System32.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\sqlwriter.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%USER_RECYCLE_BIN%]\zaberg.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O42524Z\TuxO42524Z.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O75858Z\TuxO75858Z.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O64746Z\TuxO64746Z.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\windowsactivate\windowsactivate.exe
  • [HKEY_USERS\[%USER_SID%]{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\windowsactivate\windowsactivate.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\41U8PJy0CmWE3jua\EAcqz1ErylX0.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%PROFILE_TEMP%]\Rar$EX50.472\Office.2010- 2013.Toolkit.and.EZ-Activator.2.2.9.exe"
  • [HKEY_USERS\[%SVC_SYS_SID%]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\Microsoft\Windows\shell.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O53635Z\TuxO53635Z.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\WindowsUpdate\VGA.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Microsoft\svwkep.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\dfsshgjdh\svrghost.exe,explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\Update\activate.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\Update\activate.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%PROFILE_TEMP%]\437573314\437573314.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\clientel.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\3\TDIcduxz.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\WindowsLicenseUpdate\error.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%COMMON_DOCUMENTS%]\updator.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\MIIABCFI.EXE
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, [%APPDATA%]\windowstart.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, [%APPDATA%]\windowstart.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\msconfig.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\U3mon.exe"
  • [HKEY_USERS\[%USER_SID%]{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\clientmonitor.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\FWngtXMs0A3t6EYC\GejzWfhsuiuB.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\TUklSK2K1USj9Ey8\t81mImsxJ21F.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\wkNT6AA760e59dJ8\6FMtMOUricm3.exe",explorer.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O52635Z\TuxO52635Z.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\598343\helper.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\systemmonitor.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\msysinfo.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe , 71135.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\System Host.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\foikn.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Security\rlDBTMUPN45I.exe" "[%APPDATA%]\Security\4v6ShXFFo2CF.exe" "[%APPDATA%]\Security\KLDu7Xw7k1jV.exe" "[%APPDATA%]\Security\gGLOcHicIFPA.exe",explorer.exe
  • [HKEY_USERS\[%USER_SID%]{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\taskmgr\taskmgr.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe [%SYSTEM%]\drivers\svchost.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\windows.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\5TfQ3GPH16iBg16I\AJMOe0gmKCZT.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Q72b3mECjZq12zf0\0LUgJFm3DoOt.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\mobsync.exe,explorer.exe,[%APPDATA%]\WindowsUpdate\VGA.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\GFT4w5mF6XMGS4h5\1MvPvWXyAjCG.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%PROFILE_TEMP%]\diltuwrziz.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\841837\system.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\WindowsUpdate\MSupdate.exe,Explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\734550\sysmon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\75981786CD6F5A78.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Q72b3mECjZq12zf0\BD7DBbFHF3lV.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\169597\spoolsvs.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\796573\winlogon64.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe SCVHOST.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe rundll32.exe jiuh.mjo mirop
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\5E88BE9912BFCF23.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\153AC1E6D1876980.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\FAE82EDA9BA41298.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\B1A7982C72C20BF7.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\FNcG07ncyb6v4XTo\Rd72SJ7YnuoE.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"\clientmonitor.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\Update\MSupdate.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe [%APPDATA%]\calc\calc.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\winlogon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\temporary\file.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\862539\taskhost.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\986059\repair.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe [%WINDOWS%]\csrss.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROGRAM_FILES%]\CCPCLI~1\CCPSHELL.EXE
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe [%PROFILE_TEMP%]\82856Wsmi.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%PROFILE%]\???????\O64746Z\TuxO64746Z.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\880311\repair.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\54B48969C653125D.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\486641\repair.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\cq32rl48wr2dir6X\ggCVDSjCtYbh.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\WindowsUpdate\VGA.exe,Explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\1912361316142283225.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\MSupdate.exe,explorer.exe,[%APPDATA%]\Update\MSupdate.exe,Explorer.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O86060Z\TuxO86060Z.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O41524Z\TuxO41524Z.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Microsoft\slrvmu.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%APPDATA%]\csrrs.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\System32.exe,[%APPDATA%]\WindowsUpdate\MSupdate.exe,explorer.exe,[%APPDATA%]\Update\MSupdate.exe
  • [HKEY_USERS\[%SVC_SYS_SID%]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%SVC_SYS_APPDATA%]\WindowsUpdate\System32.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\4yFAOR9z\k52UhdE.exe,explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Q72b3mECjZq12zf0\JdwPIP6AYLyz.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\318558\Fishing_bot.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe rundll32.exe ejqg.qqo aqlppml
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\546477\sysmon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Q72b3mECjZq12zf0\BKljt0jkBKCg.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%PROFILE_TEMP%]\IXP000.TMP\LUM11C~1.EXE"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Q72b3mECjZq12zf0\k4JCUYbMD01B.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%PROFILE_TEMP%]\system.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\data.dat
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%LOCAL_APPDATA%]\Microsoft\Internet Explorer\StikyNot.exe" "[%LOCAL_APPDATA%]\Microsoft\Internet Explorer\55708114657577354" //E:JScript //B
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%USER_RECYCLE_BIN%]\nissan.exe,explorer.exe,[%USER_RECYCLE_BIN%]\nissan.exe
  • [HKEY_USERS\[%USER_SID%]{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\WindowsUpdate\MSupdate.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%PROFILE_TEMP%]\wusa.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\480767\helper.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Windows\winmgr158.exe,explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\545149\sysmon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\173908\helper.exe"
  • [HKEY_USERS\[%SVC_SYS_SID%]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\173908\helper.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\MSupdate.exe,explorer.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\loadit.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe Win-boot.EXE
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\3A8DE\B664A.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\ongzc2d00dNm5YUU\j1l2K5tqAHnV.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\0daUnb0796CWt3UT\4UcVEwgnsdlC.exe",explorer.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe rundll32.exe etmbw
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, [%APPDATA%]\war.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, [%APPDATA%]\war.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\svchost.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\winini.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%USER_RECYCLE_BIN%]\abbb311.exe,explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\938088\sysmon.exe"
  • [HKEY_USERS\[%SVC_SYS_SID%]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%SVC_LOC_APPDATA%]\WindowsUpdate\MSupdate.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\369400\helper.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\lOVQ47qP\AmjbxtU.exe,explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Folder\folder.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O17281Z\TuxO17281Z.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Windows.exeexplorer.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe [%APPDATA%]\navigate\cache1.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\718050\winlogon64.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe rundll32.exe yise.ero mpgyjp
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\FolderName\svhost.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\gz1oei1IsTzmVBzH\ttbpLdaLW2U7.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\620255\SbieSvc.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe [%APPDATA%]\Microsoft\taskmgr.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe,[%APPDATA%]\WinZip Computing\WinZip Computing.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\703932\sysmon.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=,svchostd.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%WINDOWS%]\explorer.exe, [%PROFILE_TEMP%]\wdisplay.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\957493\sysmon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\925122\helper.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\821940\sysmon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\_tc\Cheat.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\858205\sysmon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%PROFILE_TEMP%]\sysmon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\1Es0FF26Nb8JFU2y\6ZjJgqOlIOZd.exe" "[%SYSTEM%]\clientsvr.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\992901\svhost.exe,explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\rgtpHsts.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, [%APPDATA%]\winlogon.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, [%APPDATA%]\winlogon.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe , 629c3.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\Temp\file.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%PROFILE_TEMP%]\svhost\svhost.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\Microsoft\Windows\shell.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%APPDATA%]\msconfig.dat
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\y7oA8g2C8C536lUl\pUhordGvVbqq.exe" "[%APPDATA%]\z51H9ClwmHuCI3ii\CCBXzJuLD0Bo.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%LOCAL_APPDATA%]\e44ff8c5\X
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\891029\svchost.exe"
  • [HKEY_USERS\[%SVC_SYS_SID%]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\891029\system.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\cYjOXVJf.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\HCdjAWhq.exe
  • [HKEY_USERS\[%USER_SID%]{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\HCdjAWhq.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=Explorer.exe , 2a9e0.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Microsoft\FIxF8zUbCWYa.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\MSupdate.exe,[%USER_RECYCLE_BIN%]\38847654x.exe,explorer.exe,[%USER_RECYCLE_BIN%]\3847654x.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="explorer.exe", "[%APPDATA%]\E5B58464\Leep.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%APPDATA%]\Microsoft\Windows\conhost.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Windows\winmgr45.exe,explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\224660\sysmon.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="explorer.exe", "[%PROFILE_TEMP%]\A8D0CF21\Fade.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\System32.exe,explorer.exe,[%APPDATA%]\WindowsUpdate\MSupdate.exe,Explorer.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, "[%TEMPLATES%]\O83021Z\TuxO83021Z.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,"[%COMMON_APPDATA%]\853660\windows32.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\vgdoqo.exe,[%USER_RECYCLE_BIN%]\yv8g67.exe,explorer.exe,[%APPDATA%]\lwtwfl.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\zIGxjVzq.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe,[%PROFILE_TEMP%]\agrsmsvc.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\MicrosoftServices\MicrosoftServices\Filename.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%LOCAL_APPDATA%]\8d16c7b4\X
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\0XUEFLpM8Qu47yqU\jFcuyoh5ZMRK.exe",explorer.exe
  • [HKEY_USERS\[%SVC_SYS_SID%]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Control Commander\ccmain.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\System32.exe,explorer.exe,[%APPDATA%]\WindowsUpdate\MSupdate.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=explorer.exe, maxkiller.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Intel\Orfa06uUIKob.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\MSupdate.exe,explorer.exe,[%APPDATA%]\Update\MSupdate.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\Microsoft.NET\scvhost.exe,explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%LOCAL_APPDATA%]\5e09af63\X
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell=[%APPDATA%]\WindowsUpdate\MSupdate.exe,explorer.exe,[%APPDATA%]\WindowsUpdate\Win.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Q72b3mECjZq12zf0\ocrGutNJh8UL.exe",explorer.exe
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]Shell="[%APPDATA%]\Dn2lWdvcL69RL1ei\H6bL1GPuQDTf.exe",explorer.exe