NTOS File Removal: Can't Login

Guest

I'm running Windows XP, SP2 on a Dell Inspiron 8200. It's a standalone
(Workgroup; not on a domain) machine that's PHYSICALLY connected to a Linksys
wireless router at my home. I read that an 'ntos' file is a virus. It was on
my laptop. I ran Hijackthis.exe (third party virus file remover) on my laptop
because I kept seeing this file called 'ntos.exe' in C:\Windows\System32. I
also ran Killdisk.exe (third party virus file remover) to remove the file
upon bootup. My OS continued to hum right along perfectly. The final thing I
did was go into 'regedit' (the registry) and systematically find/remove ALL
references of 'C:\Windows\System32\ntos.exe' from my registry. After
completely wiping out the file from my OS, I restarted my computer. Tried to
log in and it automatically looped and logged me off. No, it doesn't restart.
It just logs me right off within seconds of typing in my username/password
and takes me back to the Windows Login prompt. It doesn't even load my
profile (explorer.exe). I then resorted to logging into Safe Mode. Same
results. Profile will not load. Just loops Windows Login prompt. Also tried
selecting "Last Known Good Config..." and received the same 'looping' results
upon login. Is there a way to get into the OS? I have a Windows XP install CD
but do not have ANY Automated Recovery Disks...nor do I have a/the 'ntos.exe'
file to load in DOS when I come upon the 'Repair Windows' section of the
Windows XP Install CD. Is there a way to get into the OS/my profile so that I
can manage this from GUI mode instead of DOS? Thanks in advance for your
response(s)!!
 
John John

This looks like yet another one of those pests that changes the userinit
value at the Winlogon key in the registry. Incorrectly changing the
userinit value typically results in the computer rebooting and returning
to the logon screen when it cannot find the associated userinit entries.
The Userinit entry is at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Here is the description of the value:

Specifies the programs that Winlogon runs when a user logs on. By
default, Winlogon runs Userinit.exe, which runs logon scripts,
reestablishes network connections, and then starts Explorer.exe, the
Windows user interface.

You can change the value of this entry to add or remove programs. For
example, to have a program run before the Windows Explorer user
interface starts, substitute the name of that program for Userinit.exe
in the value of this entry, then include instructions in that program to
start Userinit.exe. You might also want to substitute Explorer.exe for
Userinit.exe if you are working offline and are not using logon scripts.

[end quote]

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12330.mspx?mfr=true

If you have removed the ntos.exe value data at the Winlogon Userinit key
then you will have to add a valid entry to the value and make sure that
the userinit.exe file is in the correct location. The key normally
contains the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name: Userinit

Value data: C:\WINDOWS\system32\userinit.exe,

*Note the comma at the end of the value string*

Windows Log on and Log off immediately.
http://support.microsoft.com/kb/555648

Being that you cannot boot the Windows installation you will have to use
other methods to edit the registry and correct the value. You can
access the registry remotely over a network, or you can mount the disk
to another Windows XP installation and use the Load Hive feature in
Regedit to edit the registry on the broken installation. You can also
use a live CD like a Bart's PE disk or the UBCD for Windows with a
registry editor plugin.

If you have removed the ntos.exe file *without* changing the userinit
value you would follow the typical instructions here, substituting
"ntos.exe" for "Wsaupdater.exe".

You cannot log on to Windows XP after you remove Wsaupdater.exe
http://support.microsoft.com/kb/892893

Infostealer.Banker.C
http://www.symantec.com/en/uk/enter...writeup.jsp?docid=2007-040208-5335-99&tabid=2

John
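An added example, not code from the thread or from Microsoft: a PowerShell script that performs the Load Hive repair John describes from a second, working Windows installation. It assumes the broken disk is mounted as D:, the session is elevated, and the hive name BrokenSoftware is free; it audits every program listed in Userinit before touching anything.

```powershell
# Added example (not from the thread): audit and repair the Winlogon Userinit value
# of an offline Windows XP installation whose disk is mounted as D: on this machine.
# Assumptions: hive at D:\WINDOWS\system32\config\software, elevated session,
# and the temporary hive name 'BrokenSoftware' is not already in use.
$OfflineHive  = 'D:\WINDOWS\system32\config\software'
$MountName    = 'HKLM\BrokenSoftware'
$WinlogonKey  = 'HKLM:\BrokenSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedData = 'C:\WINDOWS\system32\userinit.exe,'   # trailing comma is required

# The broken install's C: is our D:, so rewrite the drive letter before testing a path.
function Test-OfflinePath([string]$Path) {
    Test-Path ($Path -replace '^C:', 'D:')
}

reg.exe load $MountName $OfflineHive | Out-Null
try {
    $current = (Get-ItemProperty -Path $WinlogonKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
    Write-Host "Current Userinit value: '$current'"

    # Userinit is a comma-separated list; every entry should point at a file that exists.
    $entries = @()
    if ($current) {
        $entries = $current.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    $missing = @($entries | Where-Object { -not (Test-OfflinePath $_) })
    foreach ($m in $missing) { Write-Warning "Userinit references a missing program: $m" }

    if (-not (Test-OfflinePath 'C:\WINDOWS\system32\userinit.exe')) {
        throw 'userinit.exe is missing from the offline system32; restore it before retrying.'
    }

    $needsFix = (-not $current) -or ($missing.Count -gt 0) -or
                ($entries -notcontains 'C:\WINDOWS\system32\userinit.exe')
    if ($needsFix) {
        Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $ExpectedData -Type String
        Write-Host "Userinit reset to '$ExpectedData'"
    } else {
        Write-Host 'Userinit looks healthy; no change made.'
    }
}
finally {
    [gc]::Collect()                       # release PowerShell's handle on the loaded key
    reg.exe unload $MountName | Out-Null
}
```

The same audit (minus the hive load/unload) can be run on a healthy machine against HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to spot an unexpected program appended to Userinit before it causes a logon loop.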
 
Guest

Very detailed, thanks

 
John John

You're welcome.
 