Thread: Quick and Dirty NTOS.exe removal
  1. #1
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    686

    Quick and Dirty NTOS.exe removal

    NTOS.exe stealths itself. Sysinternals Autoruns will show an entry in the "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" section where NTOS.exe is tagged on the end of the usual "C:\WINDOWS\system32\userinit.exe,", but if you set Autoruns to remove the entry it will immediately reappear. When you look at the location using Windows Explorer it will not show the file. Download Pocket Killbox HERE.

    Run Killbox and put in the path to the naughty file - usually "c:\windows\system32\ntos.exe" - then select the "replace on reboot" radio button and check the "use dummy" box. Now click the remove file button (red with white cross). After reboot you will be able to remove the startup entry and both see and delete the dummy NTOS.exe in %systemroot%\System32\.

    Which is nice.
    I'm using Windows 7 - you got a problem with that?
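
    The symptom described in the post (a Userinit entry that points at a file Explorer cannot show) can be checked from the command line before any cleanup. The script below is an added example, not code from the thread or from the Killbox/Autoruns authors. It assumes a standard Windows install where the only expected Userinit entry is %SystemRoot%\system32\userinit.exe, and an elevated PowerShell session; the CSV output path is an arbitrary choice.

```powershell
# Added example, not from the thread: audit the Winlogon Userinit value for
# launch entries beyond the stock userinit.exe and check whether each
# referenced file can actually be seen on disk. Assumes a standard Windows
# install (expected entry %SystemRoot%\system32\userinit.exe) and an
# elevated PowerShell session.

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected    = Join-Path $env:SystemRoot 'system32\userinit.exe'

# Userinit is a comma-separated list of programs run at logon; the sample in
# the thread appends its own path after the legitimate entry.
$raw = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
Write-Host "Userinit = $raw"

$entries = ($raw -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$findings = @()
foreach ($entry in $entries) {
    # Expand %SystemRoot%-style variables so the path can be tested.
    $path = [Environment]::ExpandEnvironmentVariables($entry)

    if ($path -ieq $expected) {
        Write-Host "[ok]      $path"
        continue
    }

    # -Force also returns hidden/system files; a file the registry references
    # but that still cannot be found is the symptom the thread describes.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host "[suspect] $path  (referenced but not visible on disk)"
        $findings += [pscustomobject]@{ Path = $path; State = 'missing-or-hidden'; Sha256 = $null }
        continue
    }

    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Write-Host "[suspect] $path  attributes=$($item.Attributes)  sha256=$hash"
    $findings += [pscustomobject]@{ Path = $path; State = "$($item.Attributes)"; Sha256 = $hash }
}

if ($findings.Count -eq 0) {
    Write-Host 'No extra Userinit entries found.'
} else {
    # Keep a record before any cleanup so the evidence survives the reboot.
    $out = Join-Path $env:TEMP 'userinit-audit.csv'   # arbitrary output location
    $findings | Export-Csv -LiteralPath $out -NoTypeInformation
    Write-Host "Findings written to $out"
}
```

    On a clean machine the script reports a single [ok] line. An entry flagged "referenced but not visible on disk" is exactly the case the post handles with Killbox's replace-on-reboot option: the registry still names the file, but the running system will not return it, so a reboot-time replacement is needed before the Autoruns entry will stay deleted.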

  2. #2
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,212
    Brilliant!

    Thank you for the great posts

    Cheers!

  3. #3
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    686
    My pleasure, I always like to help people if I come across a nasty one and have to work out what to do to get rid of it - especially if the anti-whatevers don't even see it. Saves time for the next guy and I have had enough help off the internetz before to know how much it is appreciated.
    I'm using Windows 7 - you got a problem with that?

  4. #4
    Junior Member Spyplane's Avatar
    Join Date
    Sep 2011
    Location
    Scotland
    Posts
    5
    Did you have to go into Safe Mode to do this? I have the same problem, but I can't get past the Safe Mode log-in, so I cannot run Killbox.
    Any help would be great.

    My Post: http://www.techzonez.com/forums/show...263#post151263

    Regards
    Karl

  5. #5
    Titanium Member efc's Avatar
    Join Date
    Sep 2002
    Location
    North Central Arkansas
    Posts
    2,103
    Linux Mint Debian Edition

  6. #6
    Junior Member Spyplane's Avatar
    Join Date
    Sep 2011
    Location
    Scotland
    Posts
    5
    Thanks again efc,
    But how do I run the program without getting past the login page?
    That's my problem, I can't get into windows to run these programs to clear this problem.
    Can I connect the HDD to my computer and run the program?

    Regards
    Karl

  7. #7
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    14,737
    What Safe Mode option are you selecting?

    Select the 'Safe Mode with Command Line' option which does not load the logon screen.

    Try a system restore to a date before this problem started.

    When the command line opens type '%systemroot%\System32\restore\rstrui.exe' (without quotes) and hit Enter. Choose a restore point and when it has completed restart the machine.

    =========== Please Read The Forum Rules ===========
