Christobal Padilla (United States of America) asked:

What in the world is u.exe?

I have quite a few Win2K workstations that have a u.exe file in the root of the C: drive.  The users are then getting a prompt that ntvdm.exe caused an illegal operation, and then NT AUTHORITY shuts the PC off.  I looked everywhere for a resolution but cannot find one.  Has anyone come across this?
rpggamergirl (Australia) replied:

u.exe in the root of the drive, accompanied by this file -> C:\WINDOWS\win32ssr.exe,
means an SDBot/IRC bot is present on the system.

So check whether "win32ssr.exe" is also present on the system; you might need to show hidden files and folders first, and don't use the 'search' function to look for it.


Can we look at your HijackThis log?
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis and click "Do a system scan and save a logfile"; don't fix anything yet.
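
To run the check above on more than one machine without depending on Explorer's hidden-file setting or the Search tool, here is an added example (editor's code, not from this thread or from HijackThis). It assumes the volume to inspect is reachable as a directory path (C:\ on the host itself, or a mounted image of it), and it looks in both WINNT and WINDOWS because the asker has both on the same machine; both assumptions are the editor's, not the page's. It records size, modification time and SHA-256 for anything it finds and removes nothing, in keeping with the "don't fix anything yet" advice. (For context: ntvdm.exe is the NT Virtual DOS Machine that hosts 16-bit DOS and Win16 programs, so the hash and size of any u.exe found are worth keeping for comparison across machines.)

```python
"""Sweep one volume for the two indicators named in the answer above:
u.exe in the drive root and win32ssr.exe in the Windows directory.

Editor's added example, not code from the thread or from HijackJThis.
Assumptions (not on the page): the volume is reachable as a directory path
(C:\\ locally, or a mounted image), and the Windows directory may be named
either WINNT or WINDOWS, since the asker has both on the same machine.
"""
import hashlib
import os
import stat
from datetime import datetime, timezone

ROOT_INDICATORS = {"u.exe"}               # expected in the drive root
WINDIR_INDICATORS = {"win32ssr.exe"}      # expected in the Windows directory
WINDOWS_DIR_NAMES = ("WINNT", "WINDOWS")  # assumption: check both


def _describe(path):
    """Size, UTC mtime, SHA-256 and Windows attribute bits for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    # st_file_attributes only exists on Windows; elsewhere the bits read as 0.
    attrs = getattr(st, "st_file_attributes", 0)
    return {
        "path": path,
        "size": st.st_size,
        "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": digest,
        "hidden": bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)),
        "system": bool(attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)),
    }


def _match(dirpath, names):
    """Paths of regular files in dirpath whose lower-cased name is in names.

    os.scandir returns hidden and system files regardless of Explorer's
    'show hidden files' setting, so no UI change is needed first.
    """
    hits = []
    try:
        with os.scandir(dirpath) as it:
            for entry in it:
                if entry.name.lower() in names and entry.is_file(follow_symlinks=False):
                    hits.append(entry.path)
    except FileNotFoundError:
        pass  # e.g. no C:\WINDOWS on a machine that only has C:\WINNT
    return hits


def sweep(volume_root):
    """Return {indicator name: [file descriptions]} for one volume; reports only."""
    findings = {}
    for path in _match(volume_root, ROOT_INDICATORS):
        findings.setdefault(os.path.basename(path).lower(), []).append(_describe(path))
    for windir in WINDOWS_DIR_NAMES:
        for path in _match(os.path.join(volume_root, windir), WINDIR_INDICATORS):
            findings.setdefault(os.path.basename(path).lower(), []).append(_describe(path))
    return findings


def verdict(findings):
    """'both' if u.exe and win32ssr.exe were both found, else which half, else 'clean'."""
    has_root = any(name in findings for name in ROOT_INDICATORS)
    has_windir = any(name in findings for name in WINDIR_INDICATORS)
    return {(True, True): "both", (True, False): "root-only",
            (False, True): "windir-only", (False, False): "clean"}[(has_root, has_windir)]


if __name__ == "__main__":
    import json
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    found = sweep(root)
    print(verdict(found))
    print(json.dumps(found, indent=2))
```

Run it as `python sweep.py C:\` on the workstation, or point it at a mounted image. A "root-only" result is still worth following up: the answer's rule needs both files, but u.exe on its own is not something a Win2K build puts there.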
Christobal Padilla (asker) replied:

The file did not exist in either the C:\winnt or the C:\windows directory of the PC.  We need the C:\windows dir on a Win2K PC for a custom application, by the way.  I will get a HijackThis log and post it in a few minutes.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:23:42 AM, on 2/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\internat.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\deftimer.exe
C:\Novell\GroupWise\notify.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Novell\GroupWise\grpwise.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O1 - Hosts: 172.16.1.60 www.telerepinc.com
O1 - Hosts: 172.16.1.60 telerepinc.com
O1 - Hosts: 172.16.1.60 www.repxml.com
O1 - Hosts: 172.16.1.60 repxml.com
O1 - Hosts: 172.16.1.60 www.hrprep.com
O1 - Hosts: 172.16.1.60 hrprep.com
O1 - Hosts: 172.16.1.60 www.mmtsales.com
O1 - Hosts: 172.16.1.60 mmtsales.com
O1 - Hosts: 172.16.1.60 www.majormarketnetwork.com
O1 - Hosts: 172.16.1.60 majormarketnetwork.com
O1 - Hosts: 172.16.1.60 www.internationaltvsales.com
O1 - Hosts: 172.16.1.60 internationaltvsales.com
O1 - Hosts: 172.16.1.60 www.trepintl.com
O1 - Hosts: 172.16.1.60 trepintl.com
O1 - Hosts: 172.16.1.25 webmail.trep.com
O1 - Hosts: 172.16.1.20 webmail.mmtsales.com
O1 - Hosts: 68.248.173.45 aeinbox.com
O1 - Hosts: 68.248.173.45 www.aeinbox.com
O1 - Hosts: 68.248.173.45 11aeinbox.com
O1 - Hosts: 68.248.173.45 www.11aeinbox.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: deftimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Notify.lnk = C:\Novell\GroupWise\notify.exe
O4 - Global Startup: VUPDATE.EXE
O4 - Global Startup: wemupdte.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD014DE5-DF07-4C83-B91E-9366D8AE6041}: NameServer = 198.6.1.122,198.6.100.125,10.213.65.22
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
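
A first triage pass over a HijackThis 1.99 log like the one above can be scripted, so the same rules are applied to every workstation's log. The following is an added example (editor's code, not from this thread or from HijackThis); the rules are the editor's, not HijackThis's, and the embedded SAMPLE_LOG is a short excerpt copied from the log posted above. It flags hosts entries pointing at public addresses, O4 autostart entries that name a bare file with no path (the ones a reviewer has to go and locate, such as deftimer.exe, VUPDATE.EXE and wemupdte.exe), and services with no vendor string or a missing binary. It fixes nothing.

```python
"""Triage pass over a HijackThis 1.99 logfile like the one posted above.

Editor's added example, not code from the thread or from HijackThis itself.
It reports entries worth a human look and fixes nothing. The rules are the
editor's, not HijackThis's. SAMPLE_LOG is a short excerpt copied from the log
above; run the script with a path argument to triage a full saved log.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
O1 - Hosts: 172.16.1.60 www.telerepinc.com
O1 - Hosts: 68.248.173.45 aeinbox.com
O4 - HKLM\\..\\Run: [NDPS] C:\\WINNT\\system32\\dpmw32.exe
O4 - HKLM\\..\\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\TightVNC\\WinVNC.exe" -servicehelper
O4 - Global Startup: deftimer.exe
O4 - Global Startup: VUPDATE.EXE
O4 - Global Startup: wemupdte.exe
O4 - Global Startup: Notify.lnk = C:\\Novell\\GroupWise\\notify.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\\Program Files\\TightVNC\\WinVNC.exe" -service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<name>\S+)$")
O4_RE = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<label>[^\]]*)\] )?(?P<target>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def parse(log_text):
    """Group entry bodies by section code (O1, O4, O23, ...); other lines are skipped."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("sec")].append(m.group("body"))
    return entries


def o4_executable(body):
    """The program an O4 autostart entry would launch, without arguments or quotes."""
    m = O4_RE.match(body)
    target = m.group("target") if m else body
    if " = " in target:                         # 'Foo.lnk = C:\path\foo.exe'
        target = target.split(" = ", 1)[1]
    quoted = re.match(r'"([^"]+)"', target)     # '"C:\Program Files\x.exe" -arg'
    if quoted:
        return quoted.group(1)
    return re.split(r" [/-]", target, maxsplit=1)[0]  # 'mobsync.exe /logon'


def triage(log_text):
    """Return (section, rule, entry body) tuples a reviewer should look at first."""
    findings = []
    entries = parse(log_text)
    for body in entries.get("O1", []):
        m = HOSTS_RE.match(body)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            findings.append(("O1", "unparseable hosts entry", body))
            continue
        # Internal names pinned to RFC 1918 space is normal on a LAN; a public
        # address in the hosts file deserves a look.
        if not (ip.is_private or ip.is_loopback):
            findings.append(("O1", "hosts entry points at a public address", body))
    for body in entries.get("O4", []):
        if not re.search(r"[\\/]", o4_executable(body)):
            findings.append(("O4", "bare filename with no path: locate it and hash it", body))
    for body in entries.get("O23", []):
        m = O23_RE.match(body)
        if not m:
            continue
        if m.group("owner").lower() == "unknown owner":
            findings.append(("O23", "service with no vendor string", body))
        if "(file missing)" in m.group("path"):
            findings.append(("O23", "service binary not found on disk", body))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, rule, body in triage(text):
        print(f"{section:<4} {rule}: {body}")
```

Run without arguments to see the rules applied to the excerpt, or `python hjt_triage.py hijackthis.log` for a saved log. A flagged entry is a place to start, not a verdict: NWTRAY.EXE, for example, is flagged only because the Run value gives no path, and the running-processes list above shows it resolving to C:\WINNT\system32.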

ASKER CERTIFIED SOLUTION
rpggamergirl (the text of the accepted solution is not included on this page)
raver15 replied:

I thought that u.exe was a utility that proxies your internet connection in order to access streaming content made available only to citizens of specific countries, like abc.com etc.
u.exe is definitely a virus.
You should update your antivirus databases and run a scan of your disks, including flash drives.
If that does not help catch the virus, then remove Symantec AntiVirus forever and buy another one. From my experience: yesterday, 5 Feb 2008, my NOD32 killed this virus right after an update.

Also run msconfig,
go to "Startup" and remove:
deftimer.exe
VUPDATE.EXE
wemupdte.exe

Also,
dpmw32.exe looks suspicious.

Run Internet Explorer.
Go to the Tools menu, select the Manage Add-ons... item, and turn off
"Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx",
then close all IE windows.