Trojan.Siggen18.48265

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ss3edit.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\st2.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supporter5.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepsrv.sys.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swnetsup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symproxysvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdoc32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syshelp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scvhosl.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sd.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdclt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgssfw32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sharedaccess.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellspyinstall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shn.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-nt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vettray.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjsetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\undoboot.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcons.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vccmserv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcleaner.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet98.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracert.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-98.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tauscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmntsrv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak5.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tftpd.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgbob.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titanin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracerpt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcciomon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccntmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccpfw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin97.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcdsetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfwadmin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscanpdsetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\penis32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\periscope.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccguide.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccclient.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostinstall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwservice.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\offguard.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ogrc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostproinstall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2002s902.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\padmin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panixk.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pathping.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsched.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2k_76_1436.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\route.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\routemon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rrguard.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rulaunch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rapapp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbserv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppvstop.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pop3trap.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\poproxy.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmonitor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppinupdt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\proport.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\Software\Classes\https\shell\open\command] '' = '"%ProgramFiles(x86)%\Internet Explorer\IEXPLORE.EXE"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcadmin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fact.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardhlp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\licmgr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebloader.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kis8.0.0.506latam.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndntspst.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cclaw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fslaunch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlh.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Netscape.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prckiller.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antigen.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieSvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieWUAU.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieBITS.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieCrypto.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieRpcSs.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieCtrl.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\Software\Classes\http\shell\open\command] '' = '"%ProgramFiles(x86)%\Internet Explorer\IEXPLORE.EXE"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav8.0.0.357es.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcuimgr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2servic.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpcmap.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmsrvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spysweeper.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\earthagent.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmlisten.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServer.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ewido.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamauto.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvsvc32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2Fix.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenericRenosFix.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vvstat.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w9x.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wgfe95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrecon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wingate.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winhlpp32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wink.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgm32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinntse.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan40.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnlan300.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnpc3000.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc42.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpfw30s.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscenu6.02d30.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsched.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsecomr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vshwin32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsisetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VACFix.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winsfcm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ChromeSetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdetect.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Restart.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exit.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservices.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEDFix.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SrchSTS.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Diskmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swxcacls.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unzip.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Opera_964_int_Setup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UCCLSID.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmias.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiav.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsbgate.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winroute.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutorzauinst.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zauinst.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fa-setup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieDcomLaunch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvlaunch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npscheck.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpdclnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpfnt206.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinject.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinsm32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\css1631.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwnb181.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwntdwmo.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defscangui.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\doors.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctrl.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmon016.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccshtdwn.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95ct.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efinet32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expert.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explored.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-agnt95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwatson.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallControlPanel.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallSettings.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fix-it.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\flowprotector.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95_o.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecls.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecengine.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drvins32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanhnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esafe.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanh95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aupdate.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoupdate.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsd.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alerter.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpinst.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\callmsi.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitor9x.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitornt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\azonealarm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackice.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\borg2.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bs120.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpexec.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwcl9.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkpop.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avptc32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avrescue.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mxtask.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nai_vs_stat.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navap.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navlu32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navauto-protect.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navdx.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naveng.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navengnavex15.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navex15.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav80try.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspatch.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsysnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monitor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsys32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfservice.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msn.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neowatchlog.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navsched.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\norton_internet_secu_3.0_407.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notstart.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navrunr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntxconfig.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupdate.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvapsvc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nc2000.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netscanpro.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netspyhunter-1.2.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gibe.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guarddog.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacktracersetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamapp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamstats.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmasn.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icloadnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmoon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icssuppnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamserv.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaa.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwenc.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsmb32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iface.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\localnet.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lookout.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmnhdlr.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdll.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmor.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iris.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isrv95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jed.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp95.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killprocesssetup161.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe] 'Debugger' = '"%HOMEPATH%\27563757\winlogon.exe"'
[<HKLM>\Software\Classes\ftp\shell\open\command] '' = '"%ProgramFiles(x86)%\Internet Explorer\IEXPLORE.EXE"'

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\windows anytime upgrade.exe

Creates the following files on removable media

<Drive name for removable media>:\f4eb14bd8b9959f09d88\desktop.ini
<Drive name for removable media>:\f4eb14bd8b9959f09d88\s-1-3-01-4631041401--102853460-464015834-1505\desktop.ini
<Drive name for removable media>:\f4eb14bd8b9959f09d88\s-1-3-01-4631041401--102853460-464015834-1505\9da3334c91b756bfca.exe
<Drive name for removable media>:\f4eb14bd8b9959f09d88\e6e3656284cf25c295.exe
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\f4eb14bd8b9959f09d88\41bb0bff50ee1d4328.ico

Malicious functions

To bypass firewall, removes or modifies the following registry keys

[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DisableNotifications' = '00000001'
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'DoNotAllowExceptions' = '00000000'
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\27563757\winlogon.exe' = '%HOMEPATH%\27563757\winlogon....
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\27563757\winlogon.exe' = '%HOMEPATH%\27563757\winlogon.exe:...
[<HKLM>\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\27563757\winlogon.exe' = '%HOMEPATH%\27563757\winlogon.exe:...
[<HKLM>\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%HOMEPATH%\27563757\winlogon.exe' = '%HOMEPATH%\27563757\winlogon.exe:...

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files
file extensions

blocks execution of the following system utilities:

Command Prompt (CMD)
Windows Task Manager (Taskmgr)
Registry Editor (RegEdit)
Windows Security Center

blocks the following features:

System Restore (SR)
User Account Control (UAC)
Windows Security Center
Windows Action Center

modifies the following system settings:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoRun' = '00000001'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000000'
[<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'NoFolderOptions' = '00000000'

Injects code into

the following user processes:

winlogon.exe

Modifies settings of Windows Internet Explorer

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Associations] 'LowRiskFileTypes' = '.exe'
[<HKCU>\Software\Microsoft\Internet Explorer\Download] 'CheckExeSignatures' = 'no'
[<HKCU>\Software\Microsoft\Internet Explorer\Download] 'RunInvalidSignatures' = '00000001'

Sets a new unauthorized home page for Windows Internet Explorer.

Modifies file system

Creates the following files

%HOMEPATH%\27563757\winlogon.exe
%APPDATA%\microsoft\windows\start menu\fax y escГЎner de windows.exe
%APPDATA%\microsoft\windows\start menu\programs\internet explorer.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\windows dvd maker.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\windows media center.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\startup\windows update.exe

Sets the 'hidden' attribute to the following files

<Drive name for removable media>:\f4eb14bd8b9959f09d88\desktop.ini
<Drive name for removable media>:\f4eb14bd8b9959f09d88\s-1-3-01-4631041401--102853460-464015834-1505\desktop.ini
<Drive name for removable media>:\f4eb14bd8b9959f09d88\s-1-3-01-4631041401--102853460-464015834-1505\9da3334c91b756bfca.exe
<Drive name for removable media>:\f4eb14bd8b9959f09d88\e6e3656284cf25c295.exe
<Drive name for removable media>:\autorun.inf
<Drive name for removable media>:\f4eb14bd8b9959f09d88\41bb0bff50ee1d4328.ico

Deletes the following files

<DRIVERS>\etc\hosts

Modifies the following files

%APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\prefs.js
%APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\search.json

Substitutes the HOSTS file.

Network activity

Connects to

'wh##.amung.us':80
'cn##########891c6pj30sy9h9j77x.ipcheker.com':80
'wi####s.amung.us':80

TCP

HTTP GET requests

http://wh##.amung.us/swidget/243dr2pd8x85
http://wi####s.amung.us/small/00/3.png
http://cn##########891c6pj30sy9h9j77x.ipcheker.com/
http://cn##########891c6pj30sy9h9j77x.ipcheker.com/1

UDP

DNS ASK cn##########891c6pj30sy9h9j77x.ipcheker.com
DNS ASK wh##.amung.us
DNS ASK wi####s.amung.us
DNS ASK 66##########d7d5ku14ew5360174k.ipgreat.com

Miscellaneous

Creates and executes the following

'%HOMEPATH%\27563757\winlogon.exe'
'%WINDIR%\syswow64\svchost.exe' ' (with hidden window)
'%HOMEPATH%\27563757\winlogon.exe' ' (with hidden window)

Executes the following

'%WINDIR%\syswow64\svchost.exe'

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней