Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



13 February 2007
Risk Impact:
File Names:
Systems Affected:


Spyware.NTLogonCapture captures operating system logon user names and passwords, and saves them to a file.


The files are detected as Spyware.NTLogonCapture.


This spyware must be manually installed.

Antivirus Protection Dates

  • Initial Rapid Release version 02 October 2014 revision 022
  • Latest Rapid Release version 15 January 2018 revision 004
  • Initial Daily Certified version 09 June 2004
  • Latest Daily Certified version 23 March 2017 revision 041
  • Initial Weekly Certified release date 09 June 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Spyware.NTLogonCapture installs a Graphical Identification and Authentication (GINA) DLL. This file intercepts user logons to the operating system.

By default, the GINA DLL file is Ssntlc.dll and the log file is Ntlogoncapture.txt, but these are configurable when the software is installed.

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.
  1. Update the definitions.
  2. Delete the value that was added to the registry and delete a file.
  3. Run a full system scan and delete all the files detected as Spyware.NTLogonCapture.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To delete the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry ," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ntlc.exe

  4. In the right pane, write down the Value data of the Values:




  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

  6. In the right pane, delete the key:


  7. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  8. In the right pane, set the Value data of:


    to the Value data noted for olddll in step d.

    If olddll was empty, then delete GinaDL.

  9. Exit the Registry Editor.
  10. Using Windows Explorer, delete the file whose path was shown in the logfile Value data box (in step d).
  11. Restart the computer.

3. To scan for and delete the files
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.NTLogonCapture, click Delete.

    Note: If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.