Virus Removal: ntsystem.exe, ntoskrnl.dll, gviz.htm

Virus Removal Story: ntsystem.exe, ntoskrnl.dll, gviz

This detective story begins with a usual support request from one of RegRun's users.

A Greatis Software support expert detected a suspicious file in the user's system report. This report is generated by the free Greatis Software Reanimator software.

It was the "c:\windows\system32\ntsystem.exe". This file was registered in the "Run" startup keys as "gwiz".

But deleting the "ntsystem.exe" file brought no success: the file was automatically recreated after a reboot. Catty tried to delete "ntsystem.exe" at Windows restart using the newest Greatis Software product, called "Partizan". Partizan doesn't use the Windows "PendingFileRename" key for deletion; it uses its own Native API application, and Partizan successfully deleted "ntsystem.exe".

But after Windows loaded successfully, "ntsystem.exe" was back again.

Catty asked the user for an "xpbootlog.txt" report made by the Greatis Software Bootlog XP tool. We analyzed the received "xpbootlog.txt" and found a strange file: NTOSKRNL.DLL.

It looks like a Windows system file. NTOSKRNL.EXE is a well-known Windows system file, but NTOSKRNL.DLL is not the same thing.

After that we opened xpbootlog.txt using the Bootlog XP software.

We found that the DLL was loaded by Winlogon: NTOSKRNL.DLL is registered as a Winlogon notification DLL.

NTOSKRNL.DLL is a user-mode rootkit. It hides its presence in the registry and in the loaded-modules listing.

It cannot be deleted using standard Windows deletion methods.
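As an added illustration (not Greatis Software's code or part of its tools), the following Python script audits an exported .reg file for the two persistence points from this story: the "Run" startup key and Winlogon notification DLLs. The sample export, the baseline lists and the key names it checks are assumptions constructed for the example; it flags a notification DLL that is not in the baseline and any autostart file whose name borrows a core system binary's name with a different extension, exactly the NTOSKRNL.DLL vs NTOSKRNL.EXE trick.

```python
import ntpath
# Constructed .reg export modelled on the story's entries (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gwiz"="c:\\windows\\system32\\ntsystem.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ntoskrnl]
"DllName"="NTOSKRNL.DLL"
'''

# Assumed baselines (a few real XP notification DLLs and core binaries); a real audit needs a full list.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
CORE_BINARIES = {"ntoskrnl.exe", "winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify".lower()

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; only "name"="string" values are kept."""
    entries, key = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key, entries[key] = line[1:-1], {}  # targets are assigned left to right
        elif key and '"="' in line:
            name, data = line.strip('"').split('"="', 1)
            entries[key][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return entries

def mimics_core_binary(image):
    """True when a file name borrows a core binary's stem with another extension (NTOSKRNL.DLL)."""
    stem, ext = ntpath.splitext(image.lower())
    return any(stem == s and ext != e for s, e in map(ntpath.splitext, CORE_BINARIES))

def audit_autostarts(reg_text):
    """Return (key, value_name, data, reason) for suspicious Run and Winlogon Notify entries."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        is_notify = key.lower().startswith(NOTIFY_KEY + "\\")
        if not is_notify and key.lower() != RUN_KEY:
            continue
        for name, data in values.items():
            if is_notify and name.lower() != "dllname":
                continue  # DllName is the value Winlogon reads to locate the module
            image = ntpath.basename(data).lower()
            if is_notify and image not in KNOWN_NOTIFY_DLLS:
                findings.append((key, name, data, "Winlogon notification DLL not in baseline"))
            if mimics_core_binary(image):
                findings.append((key, name, data, "file name mimics a core system binary"))
    return findings
```

Run it against a real export (regedit's File, Export) and review every finding by hand; the Run entry for ntsystem.exe is listed by the parser but only flagged if it trips one of the two rules, so a full review still reads the whole Run key.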

Conclusion

We suggest using RegRun Platinum Edition to be sure that your system is clean!
Good luck!
Dmitry Sokolov

Comments

I am a senior citizen who is trying to learn as much as I can about computers in my retirement. On September 6, 2006 I received a NTSYSTEM.EXE file that I could not delete, caused numerous popups on my computer, and caused me great concern and four (4) full days of research before seeing your website offering a solution to the problem. Keep in mind I have Dell, Microsoft and McAfee security measures in operation on my computer. You suggest that people infected with the above malicious file download and run your RegRun Animator. I took your suggestion. To my great surprise and pleasure, the associated files were gone in a matter of minutes. Not only that, your RegRun Animator helped me delete other unwanted files. My hats off to you. I can now go about the business for which I bought my computer without interruption. Thank you, and thank you again.

Jack Nelson
