Spyware.NTLogonCapture

Printer Friendly Page

Updated: February 13, 2007 11:37:41 AM
Type: Spyware
Risk Impact: High
File Names: Ssntlc.dll
Systems Affected: Windows

Behavior


Spyware.NTLogonCapture captures operating system logon user names and passwords, and saves them to a file.

Symptoms


The files are detected as Spyware.NTLogonCapture.

Transmission


This spyware must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version January 15, 2018 revision 004
  • Initial Daily Certified version June 09, 2004
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date June 09, 2004

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Updated: February 13, 2007 11:37:41 AM
Type: Spyware
Risk Impact: High
File Names: Ssntlc.dll
Systems Affected: Windows


Spyware.NTLogonCapture installs a Graphical Identification and Authentication (GINA) DLL. This file intercepts user logons to the operating system.


By default, the GINA DLL file is Ssntlc.dll and the log file is Ntlogoncapture.txt, but these are configurable when the software is installed.

Updated: February 13, 2007 11:37:41 AM
Type: Spyware
Risk Impact: High
File Names: Ssntlc.dll
Systems Affected: Windows


The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

  1. Update the definitions.
  2. Delete the value that was added to the registry and delete a file.
  3. Run a full system scan and delete all the files detected as Spyware.NTLogonCapture.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To delete the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ntlc.exe

  4. In the right pane, write down the Value data of the Values:

    logfile

    and:

    olddll

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

  6. In the right pane, delete the key:

    ntlc.exe

  7. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  8. In the right pane, set the Value data of:

    GinaDLL

    to the Value data noted for olddll in step d.

    If olddll was empty, then delete GinaDL.

  9. Exit the Registry Editor.
  10. Using Windows Explorer, delete the file whose path was shown in the logfile Value data box (in step d).
  11. Restart the computer.

3. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.NTLogonCapture, click Delete.


    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.