Guest a144mb Posted August 8, 2007

NTOS File Removal: Can't Login

I'm running Windows XP, SP2 on a Dell Inspiron 8200. It's a standalone (Workgroup; not on a domain) machine that's PHYSICALLY connected to a Linksys wireless router at my home.

I read that an 'ntos' file is a virus. It was on my laptop. I ran Hijackthis.exe (third party virus file remover) on my laptop because I kept seeing this file called 'ntos.exe' in C:\Windows\System32. I also ran Killdisk.exe (third party virus file remover) to remove the file upon bootup. My OS continued to hum right along perfectly. The final thing I did was go into 'regedit' (the registry) and systematically find/remove ALL references of 'C:\Windows\System32\ntos.exe' from my registry.

After completely wiping out the file from my OS, I restarted my computer. I tried to log in and it automatically looped and logged me off. No, it doesn't restart. It just logs me right off within seconds of typing in my username/password and takes me back to the Windows Login prompt. It doesn't even load my profile (explorer.exe). I then resorted to logging into Safe Mode. Same results. Profile will not load. Just loops back to the Windows Login prompt. Also tried selecting "Last Known Good Config..." and received the same 'looping' results upon login.

Is there a way to get into the OS? I have a Windows XP install CD but do not have ANY Automated Recovery Disks...nor do I have a/the 'ntos.exe' file to load in DOS when I come upon the 'Repair Windows' section of the Windows XP Install CD. Is there a way to get into the OS/my profile so that I can manage this from GUI mode instead of DOS? Thanks in advance for your response(s)!!
Guest sgopus Posted August 8, 2007

RE: NTOS File Removal: Can't Login

Boot to the XP CD and run a repair install.
Guest John John Posted August 8, 2007

Re: NTOS File Removal: Can't Login

This looks like yet another one of those pests that changes the Userinit value at the Winlogon key in the registry. Incorrectly changing the Userinit value typically results in the computer rebooting and returning to the logon screen when it cannot find the associated Userinit entries. The Userinit entry is at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Here is the description of the value:

"Specifies the programs that Winlogon runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface. You can change the value of this entry to add or remove programs. For example, to have a program run before the Windows Explorer user interface starts, substitute the name of that program for Userinit.exe in the value of this entry, then include instructions in that program to start Userinit.exe. You might also want to substitute Explorer.exe for Userinit.exe if you are working offline and are not using logon scripts." [end quote]

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12330.mspx?mfr=true

If you have removed the ntos.exe value data at the Winlogon Userinit key then you will have to add a valid entry to the value and make sure that the userinit.exe file is in the correct location. The key normally contains the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Userinit
Value data: C:\WINDOWS\system32\userinit.exe,

*Note the comma at the end of the value string*

Windows Log on and Log off immediately.
http://support.microsoft.com/kb/555648

Being that you cannot boot the Windows installation, you will have to use other methods to edit the registry and correct the value. You can access the registry remotely over a network, or you can mount the disk to another Windows XP installation and use the Load Hive feature in Regedit to edit the registry on the broken installation. You can also use a live CD like a Bart's PE disk or the UBCD for Windows with a registry editor plugin.

If you have removed the ntos.exe file *without* changing the Userinit value, you would follow the typical instructions here, substituting "ntos.exe" for "Wsaupdater.exe".

You cannot log on to Windows XP after you remove Wsaupdater.exe
http://support.microsoft.com/kb/892893

Infostealer.Banker.C
http://www.symantec.com/en/uk/enterprise/security_response/writeup.jsp?docid=2007-040208-5335-99&tabid=2

John
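An added example, not part of the thread: a small offline check that reads the Userinit value out of a regedit .reg export of the Winlogon key (for instance one saved from the hive after loading it with Load Hive) and compares it with the stock XP value John John quotes, reporting both the deleted-value case behind the logon loop and any extra program appended by a Userinit-hijacking pest. The .reg text is constructed for the example.

```python
import re

# Stock XP value for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,
# as quoted in the thread from KB 555648: full path to userinit.exe plus a trailing comma.
STOCK_USERINIT_PATH = r"C:\WINDOWS\system32\userinit.exe"
STOCK_USERINIT_VALUE = STOCK_USERINIT_PATH + ","

def userinit_from_reg_export(reg_text):
    """Return the Userinit string from a .reg export of the Winlogon key, or None if absent.

    Regedit doubles backslashes and escapes quotes inside REG_SZ data; both are undone.
    None means the value itself was deleted, which is different from an empty string.
    """
    in_winlogon = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_winlogon = line.strip().lower().endswith(r"\winlogon]")
            continue
        m = re.match(r'^"Userinit"="(.*)"\s*$', line, re.IGNORECASE)
        if in_winlogon and m:
            return m.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return None

def audit_userinit(value):
    """Return a list of findings; an empty list means the value is the stock entry.

    Winlogon runs each comma-separated entry at logon. Without userinit.exe,
    explorer.exe never starts and the session logs straight back off (the loop in
    the thread). Any other entry is how a Userinit-hijacking infostealer persists.
    """
    if value is None:
        return ["Userinit value is missing: Winlogon will start nothing, logon loops"]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if not any(e.lower() == STOCK_USERINIT_PATH.lower() for e in entries):
        findings.append("userinit.exe not referenced: explorer.exe never starts and logon loops back to the prompt")
    for e in entries:
        if e.lower() != STOCK_USERINIT_PATH.lower():
            findings.append(f"unexpected Userinit entry: {e}")
    if value and not value.rstrip().endswith(","):
        findings.append("documented value ends with a comma; this one does not")
    return findings

# Constructed sample export: an ntos.exe entry appended to the stock Userinit value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
'''

if __name__ == "__main__":
    for finding in audit_userinit(userinit_from_reg_export(SAMPLE_REG)):
        print("FINDING:", finding)
    print("value to restore:", STOCK_USERINIT_VALUE)
```

For the Wsaupdater.exe variant from KB 892893, where the pest replaces rather than appends the entry, the audit reports both the missing userinit.exe and the foreign entry.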
Guest sgopus Posted August 8, 2007

Re: NTOS File Removal: Can't Login

Very detailed, thanks.
Guest John John Posted August 9, 2007

Re: NTOS File Removal: Can't Login

You're welcome.