Solved

Winlogon error, then bluescreen at every restart

Posted on 2006-10-19
5
1,014 Views
Last Modified: 2008-01-09
My laptop got hit with malware called "BraveSentry".  I have run all the utilities to remove it, and it is completely gone.  What is left, now, is a persistent winlogon error.  Whenever I shutdown/restart windows, I get the following errors in this screenshot:
www.songwave.com/ttemp/shutdown_error.jpg


then, upon restarting windows, I get a message that "Winlogon encountered a problem and needed to close" with an option to send an error report to microsoft.
DETAILS:
szAppName : winlogon.exe     szAppVer : 0.0.0.0     szModName : unknown    
szModVer : 0.0.0.0     offset : 3bf22d96  


an event is posted in my application log.  

Event 1004
Faulting application winlogon.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x3bf22d



I have already tried creating a new profile, but no avail.  What do you recommend I do at this point to fix a winlogon error?
Here is a HijackThis log of my system
www.songwave.com/ttemp/hijackthis.log

thanks!
0
Comment
Question by:arthurh88
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 66

Accepted Solution

by:
johnb6767 earned 500 total points
ID: 17767862
Damn websense, blocked from your posts.....

Anyway, can you get to the registry, or even spybot if you haev it installed?
Would be interested to see if something is loaded with Winlogon..

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
All the subkeys are items that load with Winlogon when you boot.

Spybot just got to the tools menu, and look at startups and youll see them there.

If you have access to another system, you can slave teh drive to it, and run regedit from there, but this time File>Load Hive, and point to the bad systems drive\windows\system32\config\system and load that. Just name it anything...Then you can manipulate it like in the registry on the other machine.
0
 

Author Comment

by:arthurh88
ID: 17768033
ok i found the problem, its a trojan dll called winsys2f.dll and i am unable to delete it since it starts with winlogon (being used, access denied).  I have a registry entry that initiates this trojan in the notify area of winlogon:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

the problem is as soon as I delete this, it pops right back immediately.  best way to stop this DLL?
0
 

Author Comment

by:arthurh88
ID: 17768057
cannot unlaod it using regsvr32 /u "C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll"  says access denied.  AVG detects it but cannot clean it
0
 

Author Comment

by:arthurh88
ID: 17768178
finally got it with killbox then rebooting to safemode with command prompt.  thanks a bunch!!
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17768433
YW, sorry it took so long to get back here...
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question