Winternals: Defragmentation, Recovery, and Administration Field Guide

Example 5

We have analyzed nonessential and essential startups, as well as malware that installs a service and a rootkit. This time we will examine malware that uses a nontraditional startup method.

Look2Me is a highly intrusive adware program that displays pop-up advertisements and often redirects your Web browser. It also maintains an HTTP or FTP connection to download additional programs or components onto the infected computer. The Look2Me adware variant uses the WinLogon Notify key to install, so it runs whenever Windows starts. The DLL also hooks into explorer.exe, so it will run as long as a user is logged on to Windows. This makes removal difficult, even in safe mode.

Few legitimate DLLs use the WinLogon Notify loading mechanism, so it is usually easy to determine whether a DLL is friendly by examining the CastleCops WinlogonNotify and AppInit_DLLs databases (http://castlecops.com/_O20.html). Almost all of the legitimate DLLs and many malware DLLs are listed. If the DLL is malicious but randomly named, however, there will be no exact match for that specific DLL. Consequently, an unknown DLL in the WinLogon Notify key that is absent from the database is not thereby cleared: it is probably malware related, especially if its name is composed mostly of random consonants.

The best approach is to search Google for the entry and to upload the file to the VirusTotal or Jotti multivirus scanners so that you can...
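As an added example (not from the book), the PowerShell audit below gathers the facts the text says you need before judging a WinLogon Notify DLL: each Notify subkey and its DLLName value, whether the file exists, its SHA-256 hash (for submitting to a multi-engine scanner), its Authenticode status, and a consonant-ratio heuristic for the "random consonants" naming pattern. The known-good list is an assumption for this example and should be replaced with your own baseline or the CastleCops list; the script assumes PowerShell 4 or later for Get-FileHash and an elevated prompt.

```powershell
# Added example, not from the Winternals field guide. Audits
# HKLM\...\Winlogon\Notify and reports what a responder needs to decide
# whether each package DLL is legitimate. Run elevated; PowerShell 4+ assumed.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Placeholder allow-list (assumption for this example): DLL file names used
# by the stock Notify packages on a clean Windows XP/2003 install. Replace
# with your own baseline or the CastleCops O20 reference.
$KnownGood = @('crypt32.dll', 'cryptnet.dll', 'cscdll.dll',
               'wlnotify.dll', 'sclgntfy.dll')

function Get-ConsonantRatio {
    # Fraction of letters in the base file name that are consonants; names
    # such as the random Look2Me DLL names score near 1.0, real words lower.
    param([string]$Name)
    $base    = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $letters = @($base.ToCharArray() | Where-Object { $_ -match '[a-z]' })
    if ($letters.Count -eq 0) { return 0 }
    $consonants = @($letters | Where-Object { $_ -notmatch '[aeiouy]' }).Count
    return [math]::Round($consonants / $letters.Count, 2)
}

$results = foreach ($sub in Get-ChildItem -Path $NotifyKey -ErrorAction SilentlyContinue) {
    $dll = (Get-ItemProperty -Path $sub.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
    if (-not $dll) { continue }

    # A bare file name is loaded from the system directory (where winlogon.exe
    # lives); a full path is used as written in the registry.
    $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
            else { Join-Path $env:SystemRoot "System32\$dll" }

    $exists = Test-Path -LiteralPath $path
    $hash   = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
    $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
    $ratio  = Get-ConsonantRatio -Name $dll
    $file   = [System.IO.Path]::GetFileName($dll)

    # -contains is case-insensitive in PowerShell, matching registry semantics.
    $verdict = if ($KnownGood -contains $file) { 'known-good name; still verify hash/signature' }
               elseif ($ratio -ge 0.8)         { 'SUSPECT: unknown, consonant-heavy name' }
               else                            { 'unknown: check CastleCops / submit hash' }

    [pscustomobject]@{
        Subkey         = $sub.PSChildName
        DLLName        = $dll
        Path           = $path
        Exists         = $exists
        SHA256         = $hash
        Signature      = $sig
        ConsonantRatio = $ratio
        Verdict        = $verdict
    }
}

$results | Format-Table -AutoSize
```

A "known-good" name is only a starting point: the verdict column deliberately still asks for hash and signature verification, because a malicious DLL can reuse a legitimate file name. Treat any entry that does not exist on disk, fails signature validation, or scores high on the consonant heuristic as a candidate for the VirusTotal or Jotti upload the text describes.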
