Quote Originally Posted by l2mfix
Winlogon/notify:
Windows Registry Editor Version 5.00

; Winlogon\Notify parent key. Each subkey registers one notification package:
; DllName/DLLName names a DLL, and the other string values (Logon, Logoff,
; Startup, ...) name the functions in that DLL that Winlogon calls for each event.
; This is an autostart location, so review every subkey. The export gives only
; bare file names; confirm on disk which file each name resolves to and that it
; is validly signed.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

; avldr: exported with no values at all (no DllName, no event handlers), so this
; listing shows no DLL registered under the key. Which product created it cannot
; be told from the export. NOTE(review): identify the owner before removing it.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr]

; crypt32chain: DllName is a REG_EXPAND_SZ (hex(2)) stored as UTF-16LE; the bytes
; decode to "crypt32.dll". Only a Logoff handler is registered.
; Impersonate=0: the handler is called in Winlogon's own security context rather
; than the logged-on user's, so the identity of the file on disk matters.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

; cryptnet: DllName (REG_EXPAND_SZ, UTF-16LE) decodes to "cryptnet.dll".
; Only a Logoff handler is registered; it is called synchronously (Asynchronous=0)
; and without impersonating the user (Impersonate=0).
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

; cscdll: DLLName is a plain string, "cscdll.dll", with handlers for logon, logoff,
; screen saver, startup, shutdown and shell start.
; Impersonate=0: handlers are called in Winlogon's context, not the user's.
; Asynchronous=1: handlers are called without blocking Winlogon.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

; igfxcui: the DLL named here is "igfxsrvc.dll", with a single Unlock handler.
; The default value (@) is an empty string.
; NOTE(review): the igfx* names suggest a graphics-driver component rather than a
; Windows file - confirm the vendor signature of the file on disk.
; Impersonate=1: the handler is called in the logged-on user's security context.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

; ScCertProp: handlers in "wlnotify.dll" for logon, logoff, lock and unlock.
; Handlers are called asynchronously (Asynchronous=1) in the logged-on user's
; security context (Impersonate=1).
; NOTE(review): "Enabled" appears only on this subkey in the listing; its exact
; effect is not shown by the export.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

; Schedule: DllName (REG_EXPAND_SZ, UTF-16LE) decodes to "wlnotify.dll".
; Handlers are registered for shell start and logoff; both are called
; synchronously and in Winlogon's own context (Asynchronous=0, Impersonate=0).
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

; sclgntfy: DllName (REG_EXPAND_SZ, UTF-16LE) decodes to "sclgntfy.dll".
; Only a Logoff handler is registered, called asynchronously and without
; impersonating the user (Impersonate=0).
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

; SensLogn: handlers in "WlNotify.dll" for every session event listed below
; (logon/logoff, lock/unlock, screen saver, shell, startup/shutdown,
; disconnect/reconnect).
; Handlers are called asynchronously in the logged-on user's context
; (Asynchronous=1, Impersonate=1).
; MaxWait is 0x258 = 600 decimal; presumably a time-out - unit not shown here.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"Asynchronous"=dword:00000001
"DLLName"="WlNotify.dll"
"Impersonate"=dword:00000001
"Lock"="SensLockEvent"
"Logoff"="SensLogoffEvent"
"Logon"="SensLogonEvent"
"MaxWait"=dword:00000258
"Safe"=dword:00000001
"Shutdown"="SensShutdownEvent"
"StartScreenSaver"="SensStartScreenSaverEvent"
"StartShell"="SensStartShellEvent"
"Startup"="SensStartupEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Unlock"="SensUnlockEvent"
"Disconnect"="SensDisconnectEvent"
"PostShell"="SensPostShellEvent"
"Reconnect"="SensReconnectEvent"

; termsrv: DllName (REG_EXPAND_SZ, UTF-16LE) decodes to "wlnotify.dll".
; The TSEvent* handlers cover logon/logoff, shell, startup/shutdown and
; disconnect/reconnect. They are called synchronously in Winlogon's own context
; (Asynchronous=0, Impersonate=0).
; MaxWait is 0x258 = 600 decimal; presumably a time-out - unit not shown here.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

; WgaLogon: DllName (REG_EXPAND_SZ, UTF-16LE) decodes to "WgaLogon.dll".
; The package subscribes to every event listed below, synchronously
; (Asynchronous=0) and in the logged-on user's context (Impersonate=1).
; MaxWait is 0xffffffff, the largest DWORD value.
; NOTE(review): SafeMode=1 presumably means the package also loads in safe mode -
; confirm, since that affects whether a safe-mode boot avoids loading this DLL.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000000

; WgaLogon\Settings: one REG_BINARY value ("hex:"), not a notification package -
; it has no DllName and no event handlers.
; NOTE(review): the leading bytes 01,00,00,00 followed by d0,8c,9d,df,01,15,d1,11,
; 8c,7a,00,c0,4f,c2,97,eb match the usual header of a DPAPI-protected blob
; (provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb). If so, the payload is
; encrypted, machine-specific data and cannot be interpreted from this export.
; The blob is not needed to judge the Notify entries and can be left out of logs
; that are shared publicly.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,92,48,46,5e,59,9b,18,46,a0,1a,98,f7,1e,34,35,4e,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,b6,ff,d7,97,c6,2e,d1,6c,\
fd,d9,ca,b3,6e,b2,a9,a9,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,7c,\
44,a5,05,40,4b,00,18,41,d0,d6,af,a2,92,8f,e5,b0,01,00,00,06,7d,5a,fd,aa,e3,\
15,59,10,0d,9f,75,e4,eb,a4,4b,14,f5,44,79,1e,82,c9,03,b2,30,62,b7,1a,b3,55,\
13,be,d8,12,4f,4a,54,92,63,7b,a9,39,00,29,0c,a9,26,e4,f5,d7,9d,90,3a,21,07,\
87,3b,4c,d6,4b,04,6b,8a,3c,24,c2,64,9d,fb,04,88,07,db,ca,aa,ae,15,a5,a7,96,\
24,df,60,49,78,12,a1,98,40,e3,6a,b2,9e,3b,c0,97,2a,d5,17,aa,e0,fe,d7,dd,86,\
b6,e2,2f,8e,89,d8,da,80,3f,cb,bf,80,21,62,32,98,9e,89,57,f3,4f,fb,80,d4,01,\
f3,79,e4,5c,47,15,8c,61,18,40,7c,9d,36,96,e4,63,9e,bc,c7,ca,9c,76,dd,c9,5b,\
98,14,b3,67,6f,a1,1e,76,41,69,32,f8,3e,0d,ff,7b,fb,5b,30,c6,58,d0,75,38,81,\
c7,81,7b,10,c6,9e,52,90,19,dc,80,f1,71,ad,da,f9,a0,de,6a,a9,fe,7c,20,49,1d,\
08,3c,e3,11,77,e1,aa,b6,35,7d,1f,3d,06,2c,c5,42,dc,b6,0f,b1,ba,4d,e3,5e,a6,\
bd,22,dc,2c,47,bb,a4,eb,db,eb,61,9e,bf,e1,bc,04,b6,4d,06,b7,3a,1e,77,65,63,\
31,b5,c2,6b,ae,15,2d,35,f5,78,63,b8,3e,02,7f,d9,f6,b9,e1,3d,10,be,b1,4e,5d,\
3b,0c,f6,be,a4,d0,bd,26,a9,60,0b,7b,95,25,37,e3,55,b4,70,36,4c,d5,ff,60,1e,\
a4,9e,93,18,41,06,34,ca,8c,46,06,79,ea,fb,be,da,bc,57,bc,79,8d,76,2a,e8,ae,\
b5,22,52,dd,3a,7c,a5,7c,59,56,b1,46,d3,8b,30,59,1b,63,ee,fc,95,a7,2c,36,85,\
29,7f,0a,44,49,9a,fe,a4,dd,aa,cf,d0,25,fd,07,86,5a,e7,8d,48,af,7c,b5,6f,44,\
6c,0c,e4,83,d9,be,76,58,e7,ad,39,b6,6f,69,fe,7e,e8,01,1d,c5,60,5e,56,52,9b,\
3f,4e,36,57,d2,73,d1,47,7a,bf,a6,0f,97,aa,33,1f,2c,2e,a6,00,89,62,78,57,a9,\
e9,14,00,00,00,0f,9b,da,ea,43,1f,4d,cb,d2,c3,5c,39,e5,8f,b7,5e,24,6d,70,c0

; wlballoon: handlers in "wlnotify.dll" for logon and logoff only.
; Handlers are called asynchronously in the logged-on user's security context
; (Asynchronous=1, Impersonate=1).
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
AVG found no rootkits.