Re: Autoexec.nt file missing?

From: David Candy (.)
Date: 11/27/04 

Date: Sat, 27 Nov 2004 11:05:39 +1100

File C:\Program Files\Common files\WinTools\WSup.exe
File C:\Program Files\Common files\WinTools\WToolsS.exe
File C:\Program Files\Common files\WinTools\WToolsA.exe
Folder C:\Program Files\Common files\WinTools

If someone sends me these files or tells me how to get infected I'll tell you if they have anything to do with deleting autoexec.nt. 

-- 
----------------------------------------------------------
http://www.uscricket.com
"XPUSER" <XPUSER@HOTMAIL.XYZ> wrote in message news:ukHTQKB1EHA.2112@TK2MSFTNGP15.phx.gbl...
> Interesting - When I first became aware of this issue from a colleague
> of mine that was troubleshooting someone's computer, they had found
> "Wintools for IE" in the non Microsoft Services of
> System Configuration Utility Services tab and so I figured that some
> spyware was causing the issue.
> ===================================================
> 
> 
> "Bud Norris" <bdev605@prodigy.net> wrote in message 
> news:uS4np4A1EHA.2196@TK2MSFTNGP14.phx.gbl...
>> STUPID? isn't that a little harsh David? However be that as it may, please
>> read the following disclaimer:
>>
>> Because Windows XP Home Edition does not include the Local Security 
>> Settings
>> Console, you can't enable Auditing on a computer running Home Edition.
>>
>> I have Home Edition and I would bet most others do also.
>>
>> Just how do you know we haven't fixed the problem? If you know what's
>> causing it please let us know.
>>
>> If no anti-virus program or ad-aware program or Trojan hunting program can
>> find the culprit what do you expect us to do? I'm sure we would really
>> appreciate your suggestions, except auditing of course.
>>
>> Respectfully,
>> --
>> NevBud
>> Winners: They have the guts to face the envy and hatred of the losers and
>> the wrath of the gods.
>>
>> David Candy <.> wrote in message
>> news:#O7qJ4z0EHA.3120@TK2MSFTNGP12.phx.gbl...
>> I've wasted my time before telling people the process on how to fix. But 
>> you
>> idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will
>> now fail).
>>
>> Autoexec.nt. There is something deleting it for many people at boot or
>> shutdown. Hopefully auditiong will show what program or virus is doing it.
>> Most people can't use auditing so noone know what it is. Auditing records
>> access to something (what you specify it to) in Windows. It's off by 
>> default
>> because it slows down the computer and often noone cares.
>>
>> 1. Turn on auditing (this turns it on but nothing is being audited)
>> 2. Set auditing for just this file (else you'll get millions of messages 
>> to
>> sort through if you audit everything).
>>
>>
>> 1. You must enable Auditing for the machine (in Local Security Policy - 
>> see
>> Help).
>>
>> 2. You must specify what to audit. You do this the same place you set
>> permissions (click Advanced).
>>
>> Then you can read it in the Event Viewer
>>
>>
>> Audit object access
>> Computer Configuration\Windows Settings\Security Settings\Local
>> Policies\Audit Policy
>>
>> Description
>> Determines whether to audit the event of a user accessing an object-for
>> example, a file, folder, registry key, printer, and so forth-that has its
>> own system access control list (SACL) specified.
>>
>> If you define this policy setting, you can specify whether to audit
>> successes, audit failures, or not audit the event type at all. Success
>> audits generate an audit entry when a user successfully accesses an object
>> that has a SACL specified. Failure audits generate an audit entry when a
>> user unsuccessfully attempts to access an object that has a SACL 
>> specified.
>> To set this value to no auditing, in the Properties dialog box for this
>> policy setting, select the Define these policy settings check box and 
>> clear
>> the Success and Failure check boxes.
>>
>> Note that you can set a SACL on a file system object using the Security 
>> tab
>> in that object's Properties dialog box.
>>
>> Default: No auditing.
>>
>>
>>
>> Then set auditing for your drives in the Drives Properties - Security -
>> Advanced - Auditing
>>
>> You have to turn it on then set what is to be audited.
>>
>> This is what a audit for a printer looks like
>>
>> Object Open:
>> Object Server: Spooler
>> Object Type: Document
>> Object Name: 
>> http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
>> Handle ID: 9487952
>> Operation ID: {-,-}
>> Process ID: 1020
>> Image File Name: C:\WINDOWS\system32\spoolsv.exe
>> Primary User Name: SERENITY$
>> Primary Domain: WORKGROUP
>> Primary Logon ID: (0x0,0x3E7)
>> Client User Name: David Candy
>> Client Domain: SERENITY
>> Client Logon ID: (0x0,0xE179)
>> Accesses: READ_CONTROL
>> %%6949
>> Privileges: -
>> Restricted Sid Count: 0
>> For more information, see Help and Support Center at
>>
>> Big companies have programs that look through these logs. You can use a
>> spread***.
>>
>> --
>> ----------------------------------------------------------
>> http://www.uscricket.com
>> "Terry" <tllawton@prodigy.net> wrote in message
>> news:OHDwDQy0EHA.3900@TK2MSFTNGP10.phx.gbl...
>>> Well can you believe that? I tried the suggestion of "Bullwinkle" and
>>> changed the file's properties to "read only" and it doesn't get deleted
>> upon
>>> boot. I'm flabbergasted that such a simple thing could resolve this
>> deletion
>>> problem! Even if the root cause of the original problem of the file being
>>> deleted in the first place, is still unknown, at least I can live with it
>>> until I can discover what caused it.
>>> I've put this problem to all kind of places on the Web (I use both Terry
>> and
>>> Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought
>> of
>>> changing the file's properties.
>>> Many, many thanks to Bullwinkle!
>>>
>>> "Bud Norris" <bdev605@prodigy.net> wrote in message
>>> news:uNYq88Y0EHA.1924@TK2MSFTNGP10.phx.gbl...
>>>> Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file
>> in
>>>> your C:\WINNT\System32| folder AND keep it there, please let me know how
>>> you
>>>> managed it. Everytime I put the file into the system32 folder it is
>>> deleted
>>>> the next time I reboot. No body seems to know why this happens It's
>>>> obviously something to do with the Windows XP file protection feature 
>>>> but
>>> no
>>>> one can tell me what to do to stop the deletion.
>>>> Also when people tell you that the folder you are to put the AUTOEXEC.NT
>>>> file in is your C:\Windows\System32\ folder they are incorrect. It's the
>>>> C:\WINNT\System32| folder. People for some reason keep saying it's the
>>>> C:\Windows|System32 folder. (Ido realize thats what the Microsoft
>> articles
>>>> say but ther're wrong)
>>>> If any of these experts that answered your question can tell me how to
>>> stop
>>>> the deletion problem please do it!
>>>>
>>>> NevBud
>>>>
>>>> Sebastian <Sebastian@discussions.microsoft.com> wrote in message
>>>> news:AC0C0803-9FC3-40F8-96BF-1CE6116CF993@microsoft.com...
>>>> > "JerryM (ID)" wrote:
>>>> > > The file is located in the Windows\system32 folder
>>>> >
>>>> > I didn't really phrase my question properly.  I had already discovered
>>>> that
>>>> > the file is missing from that directory and I was trying to locate
>>> another
>>>> > copy to put there.  As I understand it (you can see I'm a new user)
>> this
>>>> used
>>>> > to be windows\driver cache\i386 and [since SP2]
>>> windows\sustem32zdllcache.
>>>> >
>>>> > "Patti MacLeod" suggested two refences.  The second wasn't available,
>>> the
>>>> > first was helpful.
>>>> >
>>>> > Thanks for all clues - I'll have more if they're availabe because,
>> being
>>>> > naive, I keep thinking I might learn to understand all this stuff one
>>> day.
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>
>> 
> 
>