Winlogon Notify
The Winlogon Notify key is generally used by Look2Me infections.
HijackThis will list all Winlogon Notify keys that are non-standard so
that you can easily spot one that does not belong. You can recognize the
Look2Me infection key because it will have a DLL with a random filename
located in the %SYSTEM% directory. The Notify key itself will have a
normal-looking name even though it does not belong there.
Registry Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Example Listing:
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\i042laho1d4c.dll
When you fix this entry, it will remove the key from the registry but
leave the file. You must reboot, then manually delete this file.
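
The indicators described above (a normal-looking key name, a randomly named DLL, a location in %SYSTEM%) can be checked mechanically over a saved log. This added example is not from the original tutorial or from HijackThis; the sample lines other than the listing shown above, the use of `system32` for %SYSTEM%, and the letters-and-digits test for a random filename are assumptions.

```python
import ntpath
import re

# Line shape taken from the example listing:
#   "O20 - Winlogon Notify: <key name> - <dll path>"
# A trailing "(file missing)" marker is tolerated.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify:\s*(?P<key>.+?) - (?P<dll>[A-Za-z]:\\.+?)"
    r"(?P<missing>\s*\(file missing\))?\s*$"
)

def in_system_dir(dll_path):
    """True when the DLL sits directly in a ...\\system32 directory (assumed %SYSTEM%)."""
    parent = ntpath.dirname(ntpath.normpath(dll_path))
    return ntpath.basename(parent).lower() == "system32"

def looks_random(key, dll_path):
    """Assumed heuristic: stem mixes letters and digits and is unrelated to the key name."""
    stem = ntpath.splitext(ntpath.basename(dll_path))[0].lower()
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    related = key.lower() in stem or stem in key.lower()
    return mixed and not related

def triage(log_text):
    """Return one dict per O20 line with the indicators the text describes."""
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue  # not an O20 entry
        key, dll = m.group("key"), m.group("dll")
        flags = {"system_dir": in_system_dir(dll), "random_name": looks_random(key, dll)}
        findings.append({"key": key, "dll": dll,
                         "file_missing": bool(m.group("missing")),
                         "suspect": all(flags.values()), **flags})
    return findings

# Constructed sample log: the first O20 line is the listing above, the rest are made up.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\i042laho1d4c.dll
O20 - Winlogon Notify: ExampleVendor - C:\Program Files\ExampleVendor\examplevendor.dll
O20 - Winlogon Notify: ExampleAgent - C:\WINDOWS\system32\exampleagent.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("SUSPECT" if f["suspect"] else "review ", f["key"], "->", f["dll"])
```

Entries that are not marked suspect still deserve a manual look, since HijackThis only lists them because they are non-standard.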