Solved

Winlogon error, then bluescreen at every restart

Posted on 2006-10-19
Medium Priority
1,018 Views
Last Modified: 2008-01-09
My laptop got hit with malware called "BraveSentry". I have run all the utilities to remove it, and it is completely gone. What is left now is a persistent winlogon error. Whenever I shut down/restart Windows, I get the following errors in this screenshot:
www.songwave.com/ttemp/shutdown_error.jpg


Then, upon restarting Windows, I get a message that "Winlogon encountered a problem and needed to close" with an option to send an error report to Microsoft.
DETAILS:
szAppName : winlogon.exe     szAppVer : 0.0.0.0     szModName : unknown    
szModVer : 0.0.0.0     offset : 3bf22d96  


An event is posted in my application log.

Event 1004
Faulting application winlogon.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x3bf22d



I have already tried creating a new profile, but to no avail. What do you recommend I do at this point to fix a winlogon error?
Here is a HijackThis log of my system:
www.songwave.com/ttemp/hijackthis.log

Thanks!
0
Question by:arthurh88
5 Comments
 
LVL 66

Accepted Solution

by:
johnb6767 earned 2000 total points
ID: 17767862
Damn websense, blocked from your posts.....

Anyway, can you get to the registry, or even Spybot if you have it installed?
Would be interested to see if something is loaded with Winlogon...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
All the subkeys are items that load with Winlogon when you boot.

In Spybot, just go to the Tools menu and look at startups, and you'll see them there.

If you have access to another system, you can slave the drive to it and run regedit from there, but this time use File>Load Hive, point to the bad system's drive\windows\system32\config\system and load that. Just name it anything... Then you can manipulate it like the registry on the other machine.
0
 

Author Comment

by:arthurh88
ID: 17768033
OK, I found the problem: it's a trojan DLL called winsys2f.dll, and I am unable to delete it since it starts with winlogon (being used, access denied). I have a registry entry that initiates this trojan in the Notify area of winlogon:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

The problem is that as soon as I delete this, it pops right back immediately. Best way to stop this DLL?
0
 

Author Comment

by:arthurh88
ID: 17768057
Cannot unload it using regsvr32 /u "C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll"; it says access denied. AVG detects it but cannot clean it.
0
 

Author Comment

by:arthurh88
ID: 17768178
Finally got it with Killbox, then rebooting to safe mode with command prompt. Thanks a bunch!!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17768433
YW, sorry it took so long to get back here...
0
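An added example, not code from the thread or its participants: it parses a regedit export of the Winlogon\Notify key named in the accepted answer and lists the subkeys whose DllName points outside %SystemRoot%\system32, as winsys2f.dll did. The subkey name ExampleNotifyEntry, the function names and the C:\WINDOWS default are assumptions, and the sample export is constructed.

```python
import re

# Constructed sample export of the Notify key. "ExampleNotifyEntry" is a
# placeholder subkey name; the DLL path is the one reported in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleNotifyEntry]
"DllName"="C:\\Documents and Settings\\All Users\\Documents\\Settings\\winsys2f.dll"
'''

KEY_RE = re.compile(r'^\[.+\\Winlogon\\Notify\\([^\\\]]+)\]$', re.I)
VAL_RE = re.compile(r'^"DllName"=(.*)$', re.I)

def decode_value(raw):
    """Decode a .reg REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...) value."""
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')

def notify_dlls(reg_text):
    """Yield (subkey, dll) for each Winlogon\\Notify subkey with a DllName."""
    text = re.sub(r'\\\r?\n\s*', '', reg_text)  # join hex continuation lines
    subkey = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            subkey = m.group(1) if m else None
        elif subkey and (v := VAL_RE.match(line)):
            yield subkey, decode_value(v.group(1))

def is_suspicious(dll_path, system_root=r'C:\WINDOWS'):
    """Heuristic: flag a DLL given with a path that is not under system32."""
    p = dll_path.lower().replace('%systemroot%', system_root.lower())
    if '\\' not in p:  # bare file name, no directory to judge
        return False
    return not p.startswith(system_root.lower() + '\\system32\\')

def audit(reg_text):
    return [(k, d) for k, d in notify_dlls(reg_text) if is_suspicious(d)]

if __name__ == '__main__':
    for key, dll in audit(SAMPLE_REG):
        print(f'REVIEW {key}: {dll}')
```

A real regedit 5.00 export is a UTF-16 file, so read it with `open(path, encoding='utf-16')` before passing the text in. A DLL inside system32 can still be malicious; this check only surfaces the out-of-place entries.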
