System Startup: WinLogon undeactivable



Nicholas the Italian
2007-09-21, 00:18
Hello,
I had Spybot 1.4, and under Tools > System startup I had deactivated all Winlogon voices (specifically: crypt32chain, cryptnet, cscdll, sccertprop, schedule, sclgntfy, senslogn, termsrv, wlballoon).
Then I upgraded to 1.5, and all of those voices now appear as checked (allowed). If I try to deselect them, as soon as I go to another page and back they are selected again. If I delete them, they reappear and are selected again.
Not sure if this is intended.

Zenobia
2007-09-21, 02:13
I don't know if that is intended, either, but that might be possible, since some people using Spybot 1.4 mistakenly disabled legitimate entries because they weren't sure what they were.

There is a further explanation about them here from bitman:
http://forums.spybot.info/showthread.php?t=2314

LonnyRJones posted a list of Winlogon startup entries that are normal to see on Windows XP Home and Pro.
http://forums.spybot.info/showpost.php?p=13193&postcount=2

And there is an explanation about some of them here from Prince_Serendip from Castlecops:
http://www.castlecops.com/t159607-Start_up_programs_System_ini.html

Nicholas the Italian
2007-09-21, 11:57
I understand, anyway it would be good to display them in some other way (also in green, like other legit entries) or let the user know they need to be there (i.e., don't let the user deactivate them).
Also, I was actually able to disable them in 1.4 with no apparent collateral effects, or weren't they really disabled, but just looked like they were?

Oh well, not that it makes a lot of difference anyway.
Thanks.

Zenobia
2007-09-21, 13:35
I understand, anyway it would be good to display them in some other way (also in green, like other legit entries) or let the user know they need to be there (i.e., don't let the user deactivate them).

Yes, I agree. I'm not sure why they aren't displayed in green, perhaps there is some reason, but I don't know why.

They would have really been disabled in your 1.4 Spybot, as far as I know.
Here is a thread where someone else disabled some of the legit winlogon startup entries:
http://forums.spybot.info/showthread.php?t=14251

The way I've always looked at it for myself, I leave the winlogon entries enabled (so long as they are legitimate entries and not malware), and I wouldn't disable them unless I looked them up and I knew for certain I could safely do that without any harm. Since the winlogon entries on my XP all seem to have a more or less legitimate reason for being there, I just leave them alone. Keeps me out of trouble. :D:

superichy
2008-07-01, 22:33
Thread: System Startup: WinLogon undeactivable

Hi Partners, did anybody fix this question?
Thank you

md usa spybot fan
2008-07-02, 00:36
superichy:

I believe that it would have been better starting your own thread explaining what startup entry that you may/may not have deactivated or what specific startup entry you are questioning if it should be deactivated.

What Windows OS are you running?

What is the startup entry in question?

Note: If you did not delete that entry, go into Spybot > Mode > Advanced Mode > Tools > System Startup. Right click on the listing and select "Copy to Clipboard". Paste (Ctrl+V) those results to a new post editing out all information that is not related to the specific startup entry in question.

superichy
2008-07-02, 00:53
Hi md, in order:

• First of all I just continued this thread, because it is the same question that "Nicholas the Italian" posted.

• It doesn't matter. I'm using Spybot - Search & Destroy 1.5.2 running under Windows XP PRO Service Pack 3 Spanish.

The Start entries which I want to delete are:

- crypt32.dll
- cryptnet.dll
- cscdll.dll
- dimsntfy.dll
- wlnotify.dll
- sclgntfy.dll
- WINotify.dll
- WInotify.dll

I'd want to delete them, because with SB 1.4 I was ever able to do it, and Windows ran better.


Thanks a lot, regards,

Richy.



PS: here you have the LOG:


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

Located: HK_LM:Run, Babylon Client
command: C:\Archivos de programa\Babylon\Babylon-Pro\Babylon.exe -AutoStart
file: C:\Archivos de programa\Babylon\Babylon-Pro\Babylon.exe
size: 3551456
MD5: DDB78E613CF70A5DC50797E99A4ADB72

Located: HK_LM:Run, DrvIcon
command: C:\Archivos de programa\Vista Drive Icon\DrvIcon.exe
file: C:\Archivos de programa\Vista Drive Icon\DrvIcon.exe
size: 49152
MD5: DB90709B3EA5F42B1A5BF498C8902FD3

Located: HK_LM:Run, nod32kui
command: "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
file: C:\Archivos de programa\Eset\nod32kui.exe
size: 917504
MD5: 070EB3A91409F0E725666356659BF982

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
file: C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe
size: 144784
MD5: E8C086DA635EB410FEF106CB279ADFBF

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-484763869-1563985344-725345543-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: DAAE1CB1B1875B760496E7D3336DA1AD

Located: HK_CU:Run, SkinClock
where: S-1-5-21-484763869-1563985344-725345543-1003...
command: C:\Archivos de programa\Clock Tray Skins\ClockTraySkins.exe
file: C:\Archivos de programa\Clock Tray Skins\ClockTraySkins.exe
size: 1329664
MD5: 36095C6202D8147ADECFC399AB703287

Located: HK_CU:Run, TaskSwitchXP
where: S-1-5-21-484763869-1563985344-725345543-1003...
command: C:\Archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
file: C:\Archivos de programa\TaskSwitchXP\TaskSwitchXP.exe
size: 106904
MD5: 432C56D18C514EBD7A6475F37A509CFA

Located: Inicio (común), TB-Tray.lnk
where: C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio...
command: C:\Archivos de programa\Mozilla Thunderbird\Thunderbird-Tray\TBTray.exe
file: C:\Archivos de programa\Mozilla Thunderbird\Thunderbird-Tray\TBTray.exe
size: 38912
MD5: CCC752860FBCBFE44CA85DEE8EBFE1BD

Located: Inicio (usuario), Stickypaper.lnk
where: C:\Documents and Settings\Pcxp\Menú Inicio\Programas\Inicio...
command: C:\stickypaper132\stickypaper132\Stickypaper.exe
file: C:\stickypaper132\stickypaper132\Stickypaper.exe
size: 1962496
MD5: 353337C0F07B539F9864BD54D8C9F19C

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

md usa spybot fan
2008-07-02, 07:38
superichy:

All of the entries you listed are legitimate and required entries for Windows XP. As Zenobia (http://forums.spybot.info/member.php?u=145) indicated, the most likely reason that you can no longer disable or delete the entries in Spybot 1.5 or Spybot 1.6 is because of the errors made when the feature was available. If you disable/delete those entries you will no longer be able to do Windows updates. See what happened to donsears (http://forums.spybot.info/member.php?u=323) in this thread:
Windows Update Broken
http://forums.spybot.info/showthread.php?t=134
I suggest that you leave the entries alone.

__________

The entries are stored as sub-keys in the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

When the entries are disabled they are removed from the above registry key and placed in this registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify_Disabled]
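
An added example, not part of any poster's message and not Spybot's own code: a parser for the "Located:" blocks of the log format posted earlier in the thread, which compares each WinLogon entry with the name-to-DLL pairs seen in this thread and flags the MD5 that is simply the hash of empty input. The baseline dictionary, the sample log and the `examplentfy` entry are assumptions constructed for illustration.

```python
import hashlib
import ntpath
import re
# Entry name -> DLL, copied from the WinLogon entries in the log posted in this
# thread. An assumption for illustration, not an authoritative Windows XP list.
BASELINE = dict.fromkeys(
    ("sccertprop", "schedule", "senslogn", "termsrv", "wlballoon"), "wlnotify.dll")
BASELINE.update(crypt32chain="crypt32.dll", cryptnet="cryptnet.dll",
                cscdll="cscdll.dll", dimsntfy="dimsntfy.dll", sclgntfy="sclgntfy.dll")
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # MD5 of zero bytes
# Constructed sample in the layout of the posted log. "examplentfy", its path
# and its MD5 are hypothetical, added to show an entry outside the baseline.
SAMPLE_LOG = r"""Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, examplentfy
command: C:\Temp\examplentfy.dll
MD5: 0123456789ABCDEF0123456789ABCDEF
"""

def winlogon_entries(log):
    """Yield (name, fields) for each blank-line-separated WinLogon block."""
    for block in re.split(r"\n\s*\n", log.strip()):
        pairs = (ln.split(":", 1) for ln in block.splitlines() if ":" in ln)
        fields = {k.strip().lower(): v.strip() for k, v in pairs}
        where, _, name = fields.get("located", "").partition(",")
        if where.strip().lower() == "winlogon":
            yield name.strip(), fields

def triage(log):
    """Return {entry name: [findings]} for the WinLogon entries in the log."""
    report = {}
    for name, f in winlogon_entries(log):
        dll = ntpath.basename(f.get("command", "")).lower()
        expected = BASELINE.get(name.lower())
        notes = []
        if expected is None:
            notes.append("not in baseline")
        elif dll != expected:
            notes.append("unexpected DLL: " + dll)
        if f.get("md5", "").upper() == EMPTY_MD5:
            notes.append("MD5 is of empty input, file was not read")
        report[name] = notes
    return report
```

An empty findings list only means the entry name and DLL filename match the thread's list; the comparison uses the filename alone, so the file on disk still has to be verified separately.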