Re: NTOS File Removal: Can't Login
- From: John John <audetweld@xxxxxxxxxxx>
- Date: Wed, 08 Aug 2007 09:51:51 -0300
This looks like yet another one of those pests that changes the userinit value at the Winlogon key in the registry. Incorrectly changing the userinit value typically results in the computer rebooting and returning to the logon screen when it cannot find the associated userinit entries. The Userinit entry is at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Here is the description of the value:
[Quote]
Specifies the programs that Winlogon runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface.
You can change the value of this entry to add or remove programs. For example, to have a program run before the Windows Explorer user interface starts, substitute the name of that program for Userinit.exe in the value of this entry, then include instructions in that program to start Userinit.exe. You might also want to substitute Explorer.exe for Userinit.exe if you are working offline and are not using logon scripts.
[end quote]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12330.mspx?mfr=true
If you have removed the ntos.exe value data at the Winlogon Userinit key then you will have to add a valid entry to the value and make sure that the userinit.exe file is in the correct location. The key normally contains the following entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Userinit
Value data: C:\WINDOWS\system32\userinit.exe,
*Note the comma at the end of the value string*
Windows Log on and Log off immediately.
http://support.microsoft.com/kb/555648
Being that you cannot boot the Windows installation you will have to use other methods to edit the registry and correct the value. You can access the registry remotely over a network, or you can mount the disk to another Windows XP installation and use the Load Hive feature in Regedit to edit the registry on the broken installation. You can also use a live CD Like a Bart's PE disk or the UBCD for Windows with a registry editor plugin.
If you have removed the ntos.exe file *without* changing the userinit value you would follow the typical instructions here, substituting "ntos.exe" for "Wsaupdater.exe".
You cannot log on to Windows XP after you remove Wsaupdater.exe
http://support.microsoft.com/kb/892893
Infostealer.Banker.C
http://www.symantec.com/en/uk/enterprise/security_response/writeup.jsp?docid=2007-040208-5335-99&tabid=2
John
a144mb wrote:
I'm running Windows XP, SP2 on a Dell Inspiron 8200. It's a standalone (Workgroup; not on a domain) machine that's PHYSICALLY connected to a Linksys wireless router at my home. I read that an 'ntos' file is a virus. It was on my laptop. I ran Hijackthis.exe (third party virus file remover) on my laptop because I kept seeing this file called 'ntos.exe' in C:\Windows\System32. I also ran Killdisk.exe (third party virus file remover) to remove the file upon bootup. My OS continued to hum right along perfectly. The final thing I did was go into 'regedit' (the registry) and systematically find/remove ALL references of 'C:\Windows\System32\ntos.exe' from my registry. After completely wiping out the file from my OS, I restarted my computer. Tried to log in and it automatically looped and logged me off. No, it doesn't restart. It just logs me right off within seconds of typing in my username/password and takes me back to the Windows Login prompt. It doesn't even load my profile (explorer.exe). I then resorted to logging into Safe Mode. Same results. Profile will not load. Just loops Windows Login prompt. Also tried selecting "Last Known Good Config..." and received the same 'looping' results upon login. Is there a way to get into the OS? I have a Windows XP install CD but do not have ANY Automated Recovery Disks...nor do I have a/the 'ntos.exe' file to load in DOS when I come upon the 'Repair Windows' section of the Windows XP Install CD. Is there a way to get into the OS/my profile so that I can manage this from GUI mode instead of DOS? Thanks in advance for your response(s)!!
.
- Follow-Ups:
- Re: NTOS File Removal: Can't Login
- From: sgopus
- Re: NTOS File Removal: Can't Login
- Prev by Date: Re: Reinstalling Windows XP Without Disk?
- Next by Date: error message : 0x80070005
- Previous by thread: Re: MS AUTOPLAY ISSUE
- Next by thread: Re: NTOS File Removal: Can't Login
- Index(es):
Relevant Pages
|
