
Winlogon error, then bluescreen at every restart

arthurh88 asked
Last Modified: 2008-01-09
My laptop got hit with malware called "BraveSentry". I have run all the utilities to remove it, and it is completely gone. What is left now is a persistent winlogon error. Whenever I shut down/restart Windows, I get the following errors in this screenshot:
www.songwave.com/ttemp/shutdown_error.jpg


Then, upon restarting Windows, I get a message that "Winlogon encountered a problem and needed to close" with an option to send an error report to Microsoft.
DETAILS:
szAppName : winlogon.exe     szAppVer : 0.0.0.0     szModName : unknown    
szModVer : 0.0.0.0     offset : 3bf22d96  


An event is posted in my application log.

Event 1004
Faulting application winlogon.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x3bf22d



I have already tried creating a new profile, but to no avail. What do you recommend I do at this point to fix a winlogon error?
Here is a HijackThis log of my system:
www.songwave.com/ttemp/hijackthis.log

Thanks!

CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011
Commented:
Damn websense, blocked from your posts.....

Anyway, can you get to the registry, or even Spybot if you have it installed?
Would be interested to see if something is loaded with Winlogon.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
All the subkeys are items that load with Winlogon when you boot.

In Spybot, just go to the Tools menu and look at startups, and you'll see them there.

If you have access to another system, you can slave the drive to it and run regedit from there, but this time use File > Load Hive, point to the bad system's drive\windows\system32\config\system and load that. Just name it anything... Then you can manipulate it like in the registry on the other machine.


Author

Commented:
OK, I found the problem: it's a trojan DLL called winsys2f.dll, and I am unable to delete it since it starts with winlogon (being used, access denied). I have a registry entry that initiates this trojan in the Notify area of Winlogon:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

The problem is that as soon as I delete this, it pops right back immediately. Best way to stop this DLL?

Author

Commented:
Cannot unload it using regsvr32 /u "C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll"; it says access denied. AVG detects it but cannot clean it.

Author

Commented:
Finally got it with Killbox, then rebooting to safe mode with command prompt. Thanks a bunch!!
CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
YW, sorry it took so long to get back here...
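
As an added example (not code from this thread), the Python below parses saved `reg query ... /s` output for the Winlogon\Notify key discussed above and lists every notification package whose DllName points to a folder other than system32, as the winsys2f.dll path reported by the asker does. The sample text, the subkey names, the `Startup` value and the `C:\WINDOWS` system root are constructed assumptions.

```python
import ntpath
import re

NOTIFY = r"Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed sample in `reg query <key> /s` layout; subkey names are illustrative.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    DllName    REG_EXPAND_SZ    crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    DllName    REG_EXPAND_SZ    %SystemRoot%\system32\sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsys2f
    DllName    REG_SZ    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    Startup    REG_SZ    WLEventStartup
"""


def parse_notify(text):
    """Return {subkey: {value_name: data}} for every key below Winlogon\\Notify."""
    packages, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # key header; value lines are indented
            _, sep, subkey = line.strip().partition(NOTIFY)
            current = packages.setdefault(subkey, {}) if sep and subkey else None
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return packages


def outside_system32(packages, sysroot=r"C:\WINDOWS"):
    """List (subkey, DllName) pairs whose DLL has an explicit folder other than
    <sysroot>\\system32. A heuristic for triage, not proof either way."""
    trusted = ntpath.normcase(ntpath.join(sysroot, "system32"))
    hits = []
    for name, values in sorted(packages.items()):
        dll = re.sub("%systemroot%", lambda _: sysroot, values.get("DllName", ""), flags=re.I)
        folder = ntpath.dirname(dll)  # empty for bare names found via the search path
        if folder and ntpath.normcase(ntpath.normpath(folder)) != trusted:
            hits.append((name, values["DllName"]))
    return hits


if __name__ == "__main__":
    for name, dll in outside_system32(parse_notify(SAMPLE)):
        print(f"review: Notify\\{name} -> {dll}")
```

The hive prefix of each key line is not matched, so output taken from a hive loaded under another name on a second machine parses the same way; the HKLM\SOFTWARE tree is stored in the `software` file under system32\config.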