Autoexec.nt file missing?

[Bud Norris]

STUPID? isn't that a little harsh David? However be that as it may, please
read the following disclaimer:

Because Windows XP Home Edition does not include the Local Security Settings
Console, you can't enable Auditing on a computer running Home Edition.

I have Home Edition and I would bet most others do also.

Just how do you know we haven't fixed the problem? If you know what's
causing it please let us know.

If no anti-virus program or ad-aware program or Trojan hunting program can
find the culprit what do you expect us to do? I'm sure we would really
appreciate your suggestions, except auditing of course.

Respectfully,
--
NevBud
Winners: They have the guts to face the envy and hatred of the losers and
the wrath of the gods.

David Candy <.> wrote in message
I've wasted my time before telling people the process on how to fix. But you
idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will
now fail).

Autoexec.nt. There is something deleting it for many people at boot or
shutdown. Hopefully auditiong will show what program or virus is doing it.
Most people can't use auditing so noone know what it is. Auditing records
access to something (what you specify it to) in Windows. It's off by default
because it slows down the computer and often noone cares.

1. Turn on auditing (this turns it on but nothing is being audited)
2. Set auditing for just this file (else you'll get millions of messages to
sort through if you audit everything).


1. You must enable Auditing for the machine (in Local Security Policy - see
Help).

2. You must specify what to audit. You do this the same place you set
permissions (click Advanced).

Then you can read it in the Event Viewer


Audit object access
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit the event of a user accessing an object-for
example, a file, folder, registry key, printer, and so forth-that has its
own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a user successfully accesses an object
that has a SACL specified. Failure audits generate an audit entry when a
user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and clear
the Success and Failure check boxes.

Note that you can set a SACL on a file system object using the Security tab
in that object's Properties dialog box.

Default: No auditing.



Then set auditing for your drives in the Drives Properties - Security -
Advanced - Auditing

You have to turn it on then set what is to be audited.

This is what a audit for a printer looks like

Object Open:
Object Server: Spooler
Object Type: Document
Object Name: http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
Handle ID: 9487952
Operation ID: {-,-}
Process ID: 1020
Image File Name: C:\WINDOWS\system32\spoolsv.exe
Primary User Name: SERENITY$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: David Candy
Client Domain: SERENITY
Client Logon ID: (0x0,0xE179)
Accesses: READ_CONTROL
%%6949
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at

Big companies have programs that look through these logs. You can use a
spreadsheet.

--
----------------------------------------------------------
http://www.uscricket.com

Well can you believe that? I tried the suggestion of "Bullwinkle" and
changed the file's properties to "read only" and it doesn't get deleted upon
boot. I'm flabbergasted that such a simple thing could resolve this deletion
problem! Even if the root cause of the original problem of the file being
deleted in the first place, is still unknown, at least I can live with it
until I can discover what caused it.
I've put this problem to all kind of places on the Web (I use both Terry and
Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought of
changing the file's properties.
Many, many thanks to Bullwinkle!

Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file in
your C:\WINNT\System32| folder AND keep it there, please let me know how you
managed it. Everytime I put the file into the system32 folder it is deleted
the next time I reboot. No body seems to know why this happens It's
obviously something to do with the Windows XP file protection feature but no
one can tell me what to do to stop the deletion.
Also when people tell you that the folder you are to put the AUTOEXEC.NT
file in is your C:\Windows\System32\ folder they are incorrect. It's the
C:\WINNT\System32| folder. People for some reason keep saying it's the
C:\Windows|System32 folder. (Ido realize thats what the Microsoft articles
say but ther're wrong)
If any of these experts that answered your question can tell me how to stop
the deletion problem please do it!

NevBud

:
The file is located in the Windows\system32 folder

I didn't really phrase my question properly. I had already discovered that
the file is missing from that directory and I was trying to locate another
copy to put there. As I understand it (you can see I'm a new user)

this
used

to be windows\driver cache\i386 and [since SP2] windows\sustem32zdllcache.

"Patti MacLeod" suggested two refences. The second wasn't available, the
first was helpful.

Thanks for all clues - I'll have more if they're availabe because, being
naive, I keep thinking I might learn to understand all this stuff one day.

 

[David Candy]

I'm refering to all users generically.
I also don't acknowledge the legitamacy of Home. If something is happening then tough luck is Home's attitude..

--
----------------------------------------------------------
http://www.uscricket.com

STUPID? isn't that a little harsh David? However be that as it may, please
read the following disclaimer:

Because Windows XP Home Edition does not include the Local Security Settings
Console, you can't enable Auditing on a computer running Home Edition.

I have Home Edition and I would bet most others do also.

Just how do you know we haven't fixed the problem? If you know what's
causing it please let us know.

If no anti-virus program or ad-aware program or Trojan hunting program can
find the culprit what do you expect us to do? I'm sure we would really
appreciate your suggestions, except auditing of course.

Respectfully,
--
NevBud
Winners: They have the guts to face the envy and hatred of the losers and
the wrath of the gods.

David Candy <.> wrote in message
I've wasted my time before telling people the process on how to fix. But you
idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will
now fail).

Autoexec.nt. There is something deleting it for many people at boot or
shutdown. Hopefully auditiong will show what program or virus is doing it.
Most people can't use auditing so noone know what it is. Auditing records
access to something (what you specify it to) in Windows. It's off by default
because it slows down the computer and often noone cares.

1. Turn on auditing (this turns it on but nothing is being audited)
2. Set auditing for just this file (else you'll get millions of messages to
sort through if you audit everything).


1. You must enable Auditing for the machine (in Local Security Policy - see
Help).

2. You must specify what to audit. You do this the same place you set
permissions (click Advanced).

Then you can read it in the Event Viewer


Audit object access
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit the event of a user accessing an object-for
example, a file, folder, registry key, printer, and so forth-that has its
own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a user successfully accesses an object
that has a SACL specified. Failure audits generate an audit entry when a
user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and clear
the Success and Failure check boxes.

Note that you can set a SACL on a file system object using the Security tab
in that object's Properties dialog box.

Default: No auditing.



Then set auditing for your drives in the Drives Properties - Security -
Advanced - Auditing

You have to turn it on then set what is to be audited.

This is what a audit for a printer looks like

Object Open:
Object Server: Spooler
Object Type: Document
Object Name: http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
Handle ID: 9487952
Operation ID: {-,-}
Process ID: 1020
Image File Name: C:\WINDOWS\system32\spoolsv.exe
Primary User Name: SERENITY$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: David Candy
Client Domain: SERENITY
Client Logon ID: (0x0,0xE179)
Accesses: READ_CONTROL
%%6949
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at

Big companies have programs that look through these logs. You can use a
spreadsheet.

--
----------------------------------------------------------
http://www.uscricket.com

Well can you believe that? I tried the suggestion of "Bullwinkle" and
changed the file's properties to "read only" and it doesn't get deleted upon
boot. I'm flabbergasted that such a simple thing could resolve this deletion
problem! Even if the root cause of the original problem of the file being
deleted in the first place, is still unknown, at least I can live with it
until I can discover what caused it.
I've put this problem to all kind of places on the Web (I use both Terry and
Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought of
changing the file's properties.
Many, many thanks to Bullwinkle!

Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file in
your C:\WINNT\System32| folder AND keep it there, please let me know how you
managed it. Everytime I put the file into the system32 folder it is deleted
the next time I reboot. No body seems to know why this happens It's
obviously something to do with the Windows XP file protection feature but no
one can tell me what to do to stop the deletion.
Also when people tell you that the folder you are to put the AUTOEXEC.NT
file in is your C:\Windows\System32\ folder they are incorrect. It's the
C:\WINNT\System32| folder. People for some reason keep saying it's the
C:\Windows|System32 folder. (Ido realize thats what the Microsoft articles
say but ther're wrong)
If any of these experts that answered your question can tell me how to stop
the deletion problem please do it!

NevBud

:
The file is located in the Windows\system32 folder

I didn't really phrase my question properly. I had already discovered
that
the file is missing from that directory and I was trying to locate another
copy to put there. As I understand it (you can see I'm a new user) this
used
to be windows\driver cache\i386 and [since SP2] windows\sustem32zdllcache.

"Patti MacLeod" suggested two refences. The second wasn't available, the
first was helpful.

Thanks for all clues - I'll have more if they're availabe because, being
naive, I keep thinking I might learn to understand all this stuff one day.

 

[XPUSER]

Interesting - When I first became aware of this issue from a colleague
of mine that was troubleshooting someone's computer, they had found
"Wintools for IE" in the non Microsoft Services of
System Configuration Utility Services tab and so I figured that some
spyware was causing the issue.
===================================================

STUPID? isn't that a little harsh David? However be that as it may, please
read the following disclaimer:

Because Windows XP Home Edition does not include the Local Security
Settings
Console, you can't enable Auditing on a computer running Home Edition.

I have Home Edition and I would bet most others do also.

Just how do you know we haven't fixed the problem? If you know what's
causing it please let us know.

If no anti-virus program or ad-aware program or Trojan hunting program can
find the culprit what do you expect us to do? I'm sure we would really
appreciate your suggestions, except auditing of course.

Respectfully,
--
NevBud
Winners: They have the guts to face the envy and hatred of the losers and
the wrath of the gods.

David Candy <.> wrote in message
I've wasted my time before telling people the process on how to fix. But
you
idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will
now fail).

Autoexec.nt. There is something deleting it for many people at boot or
shutdown. Hopefully auditiong will show what program or virus is doing it.
Most people can't use auditing so noone know what it is. Auditing records
access to something (what you specify it to) in Windows. It's off by
default
because it slows down the computer and often noone cares.

1. Turn on auditing (this turns it on but nothing is being audited)
2. Set auditing for just this file (else you'll get millions of messages
to
sort through if you audit everything).


1. You must enable Auditing for the machine (in Local Security Policy -
see
Help).

2. You must specify what to audit. You do this the same place you set
permissions (click Advanced).

Then you can read it in the Event Viewer


Audit object access
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit the event of a user accessing an object-for
example, a file, folder, registry key, printer, and so forth-that has its
own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a user successfully accesses an object
that has a SACL specified. Failure audits generate an audit entry when a
user unsuccessfully attempts to access an object that has a SACL
specified.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and
clear
the Success and Failure check boxes.

Note that you can set a SACL on a file system object using the Security
tab
in that object's Properties dialog box.

Default: No auditing.



Then set auditing for your drives in the Drives Properties - Security -
Advanced - Auditing

You have to turn it on then set what is to be audited.

This is what a audit for a printer looks like

Object Open:
Object Server: Spooler
Object Type: Document
Object Name:
http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
Handle ID: 9487952
Operation ID: {-,-}
Process ID: 1020
Image File Name: C:\WINDOWS\system32\spoolsv.exe
Primary User Name: SERENITY$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: David Candy
Client Domain: SERENITY
Client Logon ID: (0x0,0xE179)
Accesses: READ_CONTROL
%%6949
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at

Big companies have programs that look through these logs. You can use a
spreadsheet.

--
----------------------------------------------------------
http://www.uscricket.com

Well can you believe that? I tried the suggestion of "Bullwinkle" and
changed the file's properties to "read only" and it doesn't get deleted upon
boot. I'm flabbergasted that such a simple thing could resolve this deletion
problem! Even if the root cause of the original problem of the file being
deleted in the first place, is still unknown, at least I can live with it
until I can discover what caused it.
I've put this problem to all kind of places on the Web (I use both Terry and
Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought of
changing the file's properties.
Many, many thanks to Bullwinkle!

Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file in
your C:\WINNT\System32| folder AND keep it there, please let me know how you
managed it. Everytime I put the file into the system32 folder it is deleted
the next time I reboot. No body seems to know why this happens It's
obviously something to do with the Windows XP file protection feature
but no
one can tell me what to do to stop the deletion.
Also when people tell you that the folder you are to put the AUTOEXEC.NT
file in is your C:\Windows\System32\ folder they are incorrect. It's the
C:\WINNT\System32| folder. People for some reason keep saying it's the
C:\Windows|System32 folder. (Ido realize thats what the Microsoft articles
say but ther're wrong)
If any of these experts that answered your question can tell me how to stop
the deletion problem please do it!

NevBud

:
The file is located in the Windows\system32 folder

I didn't really phrase my question properly. I had already discovered
that
the file is missing from that directory and I was trying to locate another
copy to put there. As I understand it (you can see I'm a new user) this
used
to be windows\driver cache\i386 and [since SP2] windows\sustem32zdllcache.

"Patti MacLeod" suggested two refences. The second wasn't available, the
first was helpful.

Thanks for all clues - I'll have more if they're availabe because, being
naive, I keep thinking I might learn to understand all this stuff one day.

 

[David Candy]

File C:\Program Files\Common files\WinTools\WSup.exe
File C:\Program Files\Common files\WinTools\WToolsS.exe
File C:\Program Files\Common files\WinTools\WToolsA.exe
Folder C:\Program Files\Common files\WinTools

If someone sends me these files or tells me how to get infected I'll tell you if they have anything to do with deleting autoexec.nt.
--
----------------------------------------------------------
http://www.uscricket.com

Interesting - When I first became aware of this issue from a colleague
of mine that was troubleshooting someone's computer, they had found
"Wintools for IE" in the non Microsoft Services of
System Configuration Utility Services tab and so I figured that some
spyware was causing the issue.
===================================================

STUPID? isn't that a little harsh David? However be that as it may, please
read the following disclaimer:

Because Windows XP Home Edition does not include the Local Security
Settings
Console, you can't enable Auditing on a computer running Home Edition.

I have Home Edition and I would bet most others do also.

Just how do you know we haven't fixed the problem? If you know what's
causing it please let us know.

If no anti-virus program or ad-aware program or Trojan hunting program can
find the culprit what do you expect us to do? I'm sure we would really
appreciate your suggestions, except auditing of course.

Respectfully,
--
NevBud
Winners: They have the guts to face the envy and hatred of the losers and
the wrath of the gods.

David Candy <.> wrote in message
I've wasted my time before telling people the process on how to fix. But
you
idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will
now fail).

Autoexec.nt. There is something deleting it for many people at boot or
shutdown. Hopefully auditiong will show what program or virus is doing it.
Most people can't use auditing so noone know what it is. Auditing records
access to something (what you specify it to) in Windows. It's off by
default
because it slows down the computer and often noone cares.

1. Turn on auditing (this turns it on but nothing is being audited)
2. Set auditing for just this file (else you'll get millions of messages
to
sort through if you audit everything).


1. You must enable Auditing for the machine (in Local Security Policy -
see
Help).

2. You must specify what to audit. You do this the same place you set
permissions (click Advanced).

Then you can read it in the Event Viewer


Audit object access
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Description
Determines whether to audit the event of a user accessing an object-for
example, a file, folder, registry key, printer, and so forth-that has its
own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a user successfully accesses an object
that has a SACL specified. Failure audits generate an audit entry when a
user unsuccessfully attempts to access an object that has a SACL
specified.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and
clear
the Success and Failure check boxes.

Note that you can set a SACL on a file system object using the Security
tab
in that object's Properties dialog box.

Default: No auditing.



Then set auditing for your drives in the Drives Properties - Security -
Advanced - Auditing

You have to turn it on then set what is to be audited.

This is what a audit for a printer looks like

Object Open:
Object Server: Spooler
Object Type: Document
Object Name:
http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
Handle ID: 9487952
Operation ID: {-,-}
Process ID: 1020
Image File Name: C:\WINDOWS\system32\spoolsv.exe
Primary User Name: SERENITY$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: David Candy
Client Domain: SERENITY
Client Logon ID: (0x0,0xE179)
Accesses: READ_CONTROL
%%6949
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at

Big companies have programs that look through these logs. You can use a
spreadsheet.

--
----------------------------------------------------------
http://www.uscricket.com

Well can you believe that? I tried the suggestion of "Bullwinkle" and
changed the file's properties to "read only" and it doesn't get deleted upon
boot. I'm flabbergasted that such a simple thing could resolve this deletion
problem! Even if the root cause of the original problem of the file being
deleted in the first place, is still unknown, at least I can live with it
until I can discover what caused it.
I've put this problem to all kind of places on the Web (I use both Terry and
Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought of
changing the file's properties.
Many, many thanks to Bullwinkle!

Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file in
your C:\WINNT\System32| folder AND keep it there, please let me know how
you
managed it. Everytime I put the file into the system32 folder it is
deleted
the next time I reboot. No body seems to know why this happens It's
obviously something to do with the Windows XP file protection feature
but
no
one can tell me what to do to stop the deletion.
Also when people tell you that the folder you are to put the AUTOEXEC.NT
file in is your C:\Windows\System32\ folder they are incorrect. It's the
C:\WINNT\System32| folder. People for some reason keep saying it's the
C:\Windows|System32 folder. (Ido realize thats what the Microsoft articles
say but ther're wrong)
If any of these experts that answered your question can tell me how to
stop
the deletion problem please do it!

NevBud

:
The file is located in the Windows\system32 folder

I didn't really phrase my question properly. I had already discovered
that
the file is missing from that directory and I was trying to locate
another
copy to put there. As I understand it (you can see I'm a new user) this
used
to be windows\driver cache\i386 and [since SP2]
windows\sustem32zdllcache.

"Patti MacLeod" suggested two refences. The second wasn't available,
the
first was helpful.

Thanks for all clues - I'll have more if they're availabe because, being
naive, I keep thinking I might learn to understand all this stuff one
day.

 

[Terry]

I think I've found the culprit. It's a program called Windows Adcontrol that
has an app named "Windupdate.exe". This program gets put in a computer by a
site where a program is downloaded.

Here's how to fix the problem:

1. Go to Lavasoft.com and download their free ad-aware program called
"Ad-aware-se personal v1.05". After you install it make sure it gets the
lastes definitions (11-25-04 as of this). I ran an earlier version of this
and it didn't find the program.
2. Run the program in the custom settings option with all things checked.
3. This scan of your entire system should pick up any risky ad items. It
should identify this Windupdate program and its registry items.
4. You can select these items found and remove them from your computer.
5. After you have removed the program you should check in your C:/ Program
Files/ folder to see if this program folder is now gone. (You can check for
the folder before the scan if you want to)
6. They warn you that some items you remove could make some of your added
programs not perform. However when you remove these items it puts them in a
quarrantine file in Ad-aware and you can go back and restore any you think
you want or need. I haven't found any that I need to restore. This
quarrantine file is kept and each time you run Ad-aware it adds another file
with the new items found. So don't worry about removing these risk items
found.

I ran this Ad-aware program found the Windupdate program and removed all
reference to it. I then reset the autoexec.nt file in my System32 folder and
when I restarted my computer it did not get deleted as it did in the past.

Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file in
your C:\WINNT\System32| folder AND keep it there, please let me know how you
managed it. Everytime I put the file into the system32 folder it is deleted
the next time I reboot. No body seems to know why this happens It's
obviously something to do with the Windows XP file protection feature but no
one can tell me what to do to stop the deletion.
Also when people tell you that the folder you are to put the AUTOEXEC.NT
file in is your C:\Windows\System32\ folder they are incorrect. It's the
C:\WINNT\System32| folder. People for some reason keep saying it's the
C:\Windows|System32 folder. (Ido realize thats what the Microsoft articles
say but ther're wrong)
If any of these experts that answered your question can tell me how to stop
the deletion problem please do it!

NevBud

The file is located in the Windows\system32 folder

I didn't really phrase my question properly. I had already discovered that
the file is missing from that directory and I was trying to locate another
copy to put there. As I understand it (you can see I'm a new user) this used
to be windows\driver cache\i386 and [since SP2] windows\sustem32zdllcache.

"Patti MacLeod" suggested two refences. The second wasn't available, the
first was helpful.

Thanks for all clues - I'll have more if they're availabe because, being
naive, I keep thinking I might learn to understand all this stuff one day.

 

[XPUSER]

Thank you for that info Terry.
I suspected some spyware / virus all along but having never had direct experience with the issue,
I had no way of investigating / troubleshooting it.

A good direct link for getting the free version of Ad-Aware SE:
http://www.lavasoft.de/ms/index.htm

Two other free Anti Spyware programs that I use:

Spybot - Search & Destroy 1.3
http://www.safer-networking.org/microsoft.en.html

SpywareBlaster 3.2
http://www.javacoolsoftware.com/spywareblaster.html

This is what I found when I searched on Windows AdControl:
http://www.sysinfo.org/startuplist.php?filter=WinAdCtl.exe
http://computercops.biz/startuplist-6126.html

This is what I found when I searched on windupdate.exe:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.rado.html

Ooookaaay....

http://www.vtsoftware.co.uk/users/MarkDowsett.htm <----- Ah Ha!! A confirmation...

However, instead of following the procedure in that link above,
(There is no DOS in XP but there is Safe Mode where you can run Command Prompt Window)
I think it best to install Ad-Aware SE - update it - and then boot to
Safe Mode and run a full system scan with the updated Ad-Aware SE
and remove all New Critical Objects that are found and then boot back
up to Normal Mode.

Now I have found this:
http://forums.eyo.com.au/arc/t-65615.html

Hmmmm...

Then this which never seemed to get anywhere:
http://forums.eyo.com.au/arc/t-65647.html

Bottom line as far as I am concerned:

Make sure your system is free of viruses and spywares -

If you have a functioning Anti Virus program - update it and scan with it -

Install at least one of the above Anti Spyware programs - update it and scan with it -

For those who need it -

Free Anti Virus program downloads:

http://free.grisoft.com/freeweb.php/doc/1/)

http://www.avast.com/eng/avast_4_home2.html

Online Anti Virus Scanners -

Panda ActiveScan
http://www.pandasoftware.com/activescan/

TrendMicro Houscall Anti Virus Scan
http://housecall.trendmicro.com/

McAfee Security - FreeScan
http://www.mcafee.com/myapps/mfs/default.asp

Symantec Security Check
http://security.symantec.com/ssc/home.asp

Computer Associates
http://www3.ca.com/securityadvisor/virusinfo/default.aspx

==================================================================

I think I've found the culprit. It's a program called Windows Adcontrol that
has an app named "Windupdate.exe". This program gets put in a computer by a
site where a program is downloaded.

Here's how to fix the problem:

1. Go to Lavasoft.com and download their free ad-aware program called
"Ad-aware-se personal v1.05". After you install it make sure it gets the
lastes definitions (11-25-04 as of this). I ran an earlier version of this
and it didn't find the program.
2. Run the program in the custom settings option with all things checked.
3. This scan of your entire system should pick up any risky ad items. It
should identify this Windupdate program and its registry items.
4. You can select these items found and remove them from your computer.
5. After you have removed the program you should check in your C:/ Program
Files/ folder to see if this program folder is now gone. (You can check for
the folder before the scan if you want to)
6. They warn you that some items you remove could make some of your added
programs not perform. However when you remove these items it puts them in a
quarrantine file in Ad-aware and you can go back and restore any you think
you want or need. I haven't found any that I need to restore. This
quarrantine file is kept and each time you run Ad-aware it adds another file
with the new items found. So don't worry about removing these risk items
found.

I ran this Ad-aware program found the Windupdate program and removed all
reference to it. I then reset the autoexec.nt file in my System32 folder and
when I restarted my computer it did not get deleted as it did in the past.

Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file in
your C:\WINNT\System32| folder AND keep it there, please let me know how you
managed it. Everytime I put the file into the system32 folder it is deleted
the next time I reboot. No body seems to know why this happens It's
obviously something to do with the Windows XP file protection feature but no
one can tell me what to do to stop the deletion.
Also when people tell you that the folder you are to put the AUTOEXEC.NT
file in is your C:\Windows\System32\ folder they are incorrect. It's the
C:\WINNT\System32| folder. People for some reason keep saying it's the
C:\Windows|System32 folder. (Ido realize thats what the Microsoft articles
say but ther're wrong)
If any of these experts that answered your question can tell me how to stop
the deletion problem please do it!

NevBud

:
The file is located in the Windows\system32 folder

I didn't really phrase my question properly. I had already discovered that
the file is missing from that directory and I was trying to locate another
copy to put there. As I understand it (you can see I'm a new user) this used
to be windows\driver cache\i386 and [since SP2] windows\sustem32zdllcache.

"Patti MacLeod" suggested two refences. The second wasn't available, the
first was helpful.

Thanks for all clues - I'll have more if they're availabe because, being
naive, I keep thinking I might learn to understand all this stuff one day.

 

[Control]

A backup copy of Autoexec.nt and many other files may be found in: -
c:\windows\repair :cool