ntos.exe removal

McAfee: PWS-Zbot:

This is a Trojan program that was first seen in the year 2007. But recently, an update of this program was found spreading widely. When executed, it immediately drops a file named "ntos.exe" in the "C:\WINDOWS\System32" folder along with a few dlls. These are added to the registry such that the Trojan is run at every start-up of the system and a separate item is also added in the registry in order to connect the Trojan to the internet using a separate User profile due to which it even escapes the clutches of the Firewall. Registry keys are added to Network, Explorer and the Internet settings in order to achieve this. It is also capable of recording the keystrokes that is input in the computer and once a set of keystrokes are collected, it connects itself to the server and sends this log to the server. This way, the computer becomes insecure in order to open and manage any personal information such as online banking. The Trojan is also said to stop several applications from running. These applications may include Anti-virus programs and Firewalls or a few other programs that might create a difficulty for the Trojan to execute in its usual fashion. By updating this Trojan further, it may also get the capability of taking screenshots. So it is better to get rid of it before it is updated. Lets have a look at its removal instructions.

Manual instructions to remove ntos.exe:

  1. Lets begin by starting the system in Safe mode. Once you're done, go to Start-->Run and type "regedit". The Windows registry editor will open where you need to navigate to the following point and modify this key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    On your right-hand side, look for the string with the name "Userint". Open the key and remove “C:\%WINDIR%\system32\ntos.exe” from it. The string should look like this

  2. Now go to this key and delete the following string values

    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
    + UID = "%ComputerName%"

    o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
    + {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D

    o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    + ProxyEnable = 0x00000000

  3. After that, reboot your system once again in the Safe mode and using the Windows Explorer, delete the file "C:\WINDOWS\System32\ntos.exe".
  4. Unregister the following dlls

  5. Now restart your computer and enjoy. You have successfully delete the Trojan.

Topics that might help you here:

Enable safe mode booting, enable Registry editing tools, unregistering DLL.

Learn PHP from experts
Get the best security software for your compter here!

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme