I went to a real pig of a virus once that I eventually traced to being loaded along with the winlogon process ... yes, the one that starts pretty much as soon as your PC goes into the GUI and before you even get the chance to log on.
There's a list of DLLs that it notifies of logon/logoff activity, but it's very easy to simply slot another one in there in the registry. Prime target for virus writers.
I'm surprised there aren't more that exploit this.
While I'm here, and without trying to take this thread off topic, just for future reference, the winlogon registry stuff is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
The keys that are there on my WinXP SP2 machine with all updates applied are:
- crypt32chain
- cryptnet
- cscdll
- ScCertProp
- Schedule
- sclgntfy
- SensLogn
- termsrv
- WgaLogon
- wlballoon
If anything looks different to that, or there are extra ones, that might be your culprit.
I had to remove it using recovery console, and hoped that winlogon wouldn't have a hissy fit when it couldn't find one of its DLLs, which it didn't, fortunately. I was then able to remove the extra registry key and all was ok.
All that on a Celeron 600 ... it took a while.
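The check described in the post above, as an added example that is not part of the original post: a PowerShell script that lists the subkeys under Winlogon\Notify, compares them against the baseline list the poster gave for XP SP2, and for each one shows which DLL it loads, whether that file exists, and whether it carries a valid Authenticode signature. The baseline array is taken straight from the post; everything else (the DLLName value name, resolving bare DLL names to System32, the signature check) is standard Windows behaviour but is an assumption of this example rather than something the post states.

```powershell
# Added example, not from the original post: audit Winlogon notification packages.
# Baseline = the subkeys the poster saw on a fully patched XP SP2 machine.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$baseline  = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
               'sclgntfy', 'SensLogn', 'termsrv', 'WgaLogon', 'wlballoon')

if (-not (Test-Path $notifyKey)) {
    # Notification packages were removed in Vista, so a missing key is normal there.
    Write-Output "No Winlogon\Notify key present on this system."
    return
}

Get-ChildItem $notifyKey | ForEach-Object {
    $name  = $_.PSChildName
    $props = Get-ItemProperty $_.PSPath
    $dll   = $props.DLLName                      # value each Notify subkey uses to name its DLL

    # -contains is case-insensitive, so 'sccertprop' still matches the baseline.
    $status = if ($baseline -contains $name) { 'baseline' } else { 'EXTRA' }

    # A bare file name is loaded from System32; anything rooted is taken as given.
    $resolved = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
        Join-Path $env:SystemRoot "System32\$dll"
    } else { $dll }

    $exists = if ($resolved) { Test-Path -LiteralPath $resolved } else { $false }
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'n/a' }

    [pscustomobject]@{
        Subkey     = $name
        Status     = $status
        DLLName    = $dll
        Resolved   = $resolved
        FileExists = $exists
        Signature  = $sig
    }
} | Sort-Object Status, Subkey | Format-Table -AutoSize
```

Anything reported as EXTRA, pointing at an unsigned DLL, or pointing at a DLL outside System32 is what the poster means by "looks different". The baseline is one person's XP SP2 machine, so legitimate third-party software (remote-access or network-client packages, for instance) can add its own Notify subkey; treat the list as a starting point for comparison, not as proof of infection.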