Solved

Winlogon error, then bluescreen at every restart

Posted on 2006-10-19
Last Modified: 2008-01-09
My laptop got hit with malware called "BraveSentry".  I have run all the utilities to remove it, and it is completely gone.  What is left now is a persistent winlogon error.  Whenever I shut down/restart Windows, I get the following errors in this screenshot:
www.songwave.com/ttemp/shutdown_error.jpg


Then, upon restarting Windows, I get a message that "Winlogon encountered a problem and needed to close" with an option to send an error report to Microsoft.
DETAILS:
szAppName : winlogon.exe     szAppVer : 0.0.0.0     szModName : unknown    
szModVer : 0.0.0.0     offset : 3bf22d96  


An event is posted in my application log.

Event 1004
Faulting application winlogon.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x3bf22d



I have already tried creating a new profile, but to no avail.  What do you recommend I do at this point to fix a winlogon error?
Here is a HijackThis log of my system:
www.songwave.com/ttemp/hijackthis.log

Thanks!
0
Question by:arthurh88
Accepted Solution

by:
johnb6767 earned 500 total points
ID: 17767862
Damn websense, blocked from your posts.....

Anyway, can you get to the registry, or even Spybot if you have it installed?
Would be interested to see if something is loaded with Winlogon.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
All the subkeys are items that load with Winlogon when you boot.

In Spybot, just go to the Tools menu and look at startups, and you'll see them there.

If you have access to another system, you can slave the drive to it, and run regedit from there, but this time File>Load Hive, and point to the bad system's drive\windows\system32\config\system and load that. Just name it anything... Then you can manipulate it like in the registry on the other machine.
0
 

Author Comment

by:arthurh88
ID: 17768033
OK, I found the problem: it's a trojan DLL called winsys2f.dll, and I am unable to delete it since it starts with winlogon (being used, access denied).  I have a registry entry that initiates this trojan in the Notify area of Winlogon:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

The problem is that as soon as I delete this, it pops right back immediately.  Best way to stop this DLL?
0
 

Author Comment

by:arthurh88
ID: 17768057
Cannot unload it using regsvr32 /u "C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll"; it says access denied.  AVG detects it but cannot clean it.
0
 

Author Comment

by:arthurh88
ID: 17768178
Finally got it with Killbox, then rebooting to safe mode with command prompt.  Thanks a bunch!!
0
 
Expert Comment

by:johnb6767
ID: 17768433
YW, sorry it took so long to get back here...
0

Question has a verified solution.
