Solved

Winlogon error, then bluescreen at every restart

Posted on 2006-10-19
1,009 Views
Last Modified: 2008-01-09
My laptop got hit with malware called "BraveSentry".  I have run all the utilities to remove it, and it is completely gone.  What is left, now, is a persistent winlogon error.  Whenever I shutdown/restart windows, I get the following errors in this screenshot:
www.songwave.com/ttemp/shutdown_error.jpg


Then, upon restarting Windows, I get a message that "Winlogon encountered a problem and needed to close", with an option to send an error report to Microsoft.
DETAILS:
szAppName : winlogon.exe
szAppVer : 0.0.0.0
szModName : unknown
szModVer : 0.0.0.0
offset : 3bf22d96


An event is posted in my Application log.

Event 1004
Faulting application winlogon.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x3bf22d



I have already tried creating a new profile, but to no avail. What do you recommend I do at this point to fix a Winlogon error?
Here is a HijackThis log of my system
www.songwave.com/ttemp/hijackthis.log

thanks!
Question by:arthurh88
5 Comments
LVL 66

Accepted Solution

by: johnb6767 (earned 500 total points)
Damn Websense, blocked from your posts...

Anyway, can you get to the registry, or even Spybot if you have it installed?
Would be interested to see if something is loaded with Winlogon..

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
All the subkeys are items that load with Winlogon when you boot.

In Spybot, just go to the Tools menu and look at Startups, and you'll see them there.

If you have access to another system, you can slave the drive to it and run regedit from there, but this time use File > Load Hive and point to the bad system's drive\windows\system32\config\system and load that. Just name it anything... Then you can manipulate it like the registry on the other machine.
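The Notify key johnb6767 describes can be audited from a script instead of being eyeballed in regedit. The following PowerShell is an added example, not code from the thread: it enumerates every subkey under Winlogon\Notify, resolves the DllName value the way Winlogon does (a bare filename is looked up in system32), and flags any package whose DLL lives outside system32 or does not carry a valid Authenticode signature. The function name and the -HiveRoot and -OfflineRoot parameters are my own. One caveat for the offline case: the Winlogon key is in the SOFTWARE hive (\Windows\System32\config\software), so that is the file to load with reg load or File > Load Hive.

```powershell
# Added example, not from the thread: list Winlogon Notify packages and flag the odd ones.
# Run from an elevated PowerShell prompt. Function and parameter names are my own.
function Get-WinlogonNotifyPackages {
    param(
        # Registry path of the SOFTWARE hive to inspect (the live machine by default)
        [string]$HiveRoot = 'HKLM:\SOFTWARE',
        # Drive root of a slaved disk, e.g. 'E:\', so DLL paths read from an offline
        # hive are checked on that disk instead of on the analysis machine
        [string]$OfflineRoot = ''
    )
    $notifyKey = Join-Path $HiveRoot 'Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $notifyKey)) { return @() }

    # Winlogon looks a bare filename up in the system directory. For an offline hive
    # this (and %SystemRoot% expansion) uses the analysis machine's layout, which is
    # fine as long as both installs live in the usual C:\WINDOWS.
    $system32 = [Environment]::GetFolderPath('System')

    Get-ChildItem -Path $notifyKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # DllName is REG_EXPAND_SZ, so expand environment strings first
        $dll = [Environment]::ExpandEnvironmentVariables([string]$props.DllName)
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $system32 $dll
        }
        $inSystem32 = $dll -and $dll.StartsWith($system32 + '\', [StringComparison]::OrdinalIgnoreCase)

        # Where to actually open the file (remapped onto the slaved disk if asked)
        $checkPath = $dll
        if ($OfflineRoot -and $dll) {
            $checkPath = Join-Path $OfflineRoot ($dll -replace '^[A-Za-z]:\\', '')
        }
        $sig = 'FileMissing'
        if ($checkPath -and (Test-Path -LiteralPath $checkPath)) {
            $sig = [string](Get-AuthenticodeSignature -FilePath $checkPath).Status
        }

        $reasons = @()
        if (-not $inSystem32) { $reasons += 'DLL outside system32' }
        if ($sig -ne 'Valid')  { $reasons += "signature status $sig" }

        New-Object PSObject -Property @{
            Subkey     = $_.PSChildName
            DllName    = $dll
            Signature  = $sig
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Live system: suspicious packages first
Get-WinlogonNotifyPackages | Sort-Object Suspicious -Descending |
    Format-Table Subkey, DllName, Signature, Reason -AutoSize

# Slaved disk mounted as E: (load the SOFTWARE hive first, then unload when done):
#   reg load HKLM\OfflineSoftware E:\Windows\System32\config\software
#   Get-WinlogonNotifyPackages -HiveRoot 'HKLM:\OfflineSoftware' -OfflineRoot 'E:\'
#   reg unload HKLM\OfflineSoftware
```

A DLL path like the one later in this thread (under All Users\Documents) is flagged by the location test alone. Treat the signature column as a secondary hint on XP-era systems: many Microsoft files there are catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature of that era reports them as NotSigned, so a stock Notify package in system32 showing NotSigned is not by itself evidence of tampering.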

Author Comment

by:arthurh88
OK, I found the problem: it's a trojan DLL called winsys2f.dll, and I am unable to delete it since it starts with Winlogon (being used, access denied). I have a registry entry that initiates this trojan in the Notify area of Winlogon:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

The problem is that as soon as I delete this, it pops right back immediately. What's the best way to stop this DLL?

Author Comment

by:arthurh88
Cannot unload it using regsvr32 /u "C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll"; it says access denied. AVG detects it but cannot clean it.

Author Comment

by:arthurh88
Finally got it with KillBox, then rebooting to Safe Mode with Command Prompt. Thanks a bunch!!
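arthurh88 got there with KillBox and a reboot. As an added example, not from the thread, the same outcome done by hand in PowerShell: remove the Notify subkey that loads the DLL, then ask the Session Manager to delete the file during the next boot, before winlogon.exe starts and can load it again. The delayed delete is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, the mechanism that "delete on reboot" utilities rely on; it is the reason the file can be removed even though it is locked while Windows is running. The function name is mine, the DLL path is the one posted above, and the subkey name in the usage line is an assumption, since the thread only gives the DLL path.

```powershell
# Added example, not from the thread: remove a Winlogon Notify package whose DLL
# is locked because winlogon.exe has it loaded. Run elevated, then reboot.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Remove-WinlogonNotifyPackage {
    param(
        [Parameter(Mandatory=$true)][string]$Subkey,   # Notify subkey that points at the DLL
        [Parameter(Mandatory=$true)][string]$DllPath   # full path of the locked DLL
    )
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    $notifyKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\$Subkey"

    # 1. Remove the load point. If the running DLL recreates it, the key will point
    #    at a file that no longer exists after the reboot; delete it again then.
    if (Test-Path $notifyKey) {
        Remove-Item -Path $notifyKey -Recurse -Force
    }

    # 2. Schedule the file for deletion at the next boot. The Session Manager
    #    processes this before winlogon.exe runs, so the DLL is not loaded yet.
    #    A null destination name means "delete" rather than "rename".
    $ok = [Win32.Kernel32]::MoveFileEx($DllPath, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed with Win32 error $err (are you running elevated?)"
    }

    # 3. Confirm the request landed. PendingFileRenameOperations is a REG_MULTI_SZ of
    #    (source, destination) pairs using \??\ device paths; an empty destination
    #    means delete.
    $sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $sessionMgr).PendingFileRenameOperations
    return ($pending -contains "\??\$DllPath")
}

# Usage: subkey name is a placeholder, the path is the one reported in the thread
if (Remove-WinlogonNotifyPackage -Subkey 'winsys2f' `
        -DllPath 'C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll') {
    Write-Host 'Deletion scheduled; reboot, then re-check the Notify key.'
}
```

After the reboot, re-run a listing of the Notify key: the DLL should be gone and, if the malware recreated its subkey in the meantime, that orphaned subkey can now be deleted without it returning. Doing this from Safe Mode with Command Prompt, as arthurh88 did, adds a margin because fewer third-party components are running while you work.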
LVL 66

Expert Comment

by:johnb6767
YW, sorry it took so long to get back here...
