Christobal Padilla
What in the world is u.exe?
I have quite a few Win2K workstations that have a u.exe file in the root of the C: drive. The users are then getting a prompt that ntvdm.exe caused an illegal operation, and then NT AUTHORITY shuts the PC off. I looked everywhere for a resolution but cannot find one. Has anyone come across this?
ASKER
The file did not exist in either the C:\winnt or the C:\windows directory of the PC. We need the C:\windows dir on a Win2K PC for a custom application, by the way. I will get a HijackThis log and post it in a few minutes.
ASKER
Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 9:23:42 AM, on 2/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\internat.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\deftimer.exe
C:\Novell\GroupWise\notify.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Novell\GroupWise\grpwise.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O1 - Hosts: 172.16.1.60 www.telerepinc.com
O1 - Hosts: 172.16.1.60 telerepinc.com
O1 - Hosts: 172.16.1.60 www.repxml.com
O1 - Hosts: 172.16.1.60 repxml.com
O1 - Hosts: 172.16.1.60 www.hrprep.com
O1 - Hosts: 172.16.1.60 hrprep.com
O1 - Hosts: 172.16.1.60 www.mmtsales.com
O1 - Hosts: 172.16.1.60 mmtsales.com
O1 - Hosts: 172.16.1.60 www.majormarketnetwork.com
O1 - Hosts: 172.16.1.60 majormarketnetwork.com
O1 - Hosts: 172.16.1.60 www.internationaltvsales.com
O1 - Hosts: 172.16.1.60 internationaltvsales.com
O1 - Hosts: 172.16.1.60 www.trepintl.com
O1 - Hosts: 172.16.1.60 trepintl.com
O1 - Hosts: 172.16.1.25 webmail.trep.com
O1 - Hosts: 172.16.1.20 webmail.mmtsales.com
O1 - Hosts: 68.248.173.45 aeinbox.com
O1 - Hosts: 68.248.173.45 www.aeinbox.com
O1 - Hosts: 68.248.173.45 11aeinbox.com
O1 - Hosts: 68.248.173.45 www.11aeinbox.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: deftimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Notify.lnk = C:\Novell\GroupWise\notify.exe
O4 - Global Startup: VUPDATE.EXE
O4 - Global Startup: wemupdte.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD014DE5-DF07-4C83-B91E-9366D8AE6041}: NameServer = 198.6.1.122,198.6.100.125,10.213.65.22
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
ASKER CERTIFIED SOLUTION
I thought that u.exe was a utility that proxies your internet connection in order to access streaming content made available only to citizens of specific countries, like abc.com, etc.
u.exe is definitely a virus.
You should update your antivirus databases and run a scan of your disks, including flash drives.
If it does not help to catch the virus, then remove Symantec AntiVirus forever and buy another one. From my experience: yesterday, 5 Feb 2008, my NOD32 killed this virus right after an update.
Also run msconfig,
go to "Startup" and remove:
deftimer.exe
VUPDATE.EXE
wemupdte.exe
Also,
dpmw32.exe looks suspicious.
Run Internet Explorer.
Go to the Tools menu, select the Manage Add-ons... item, and turn off
"Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx"
and close all IE windows.
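The answer above picks three Global Startup entries out of the log by eye. The script below is an added example for this thread (not HijackThis code and not anything the posters ran) that applies the same reasoning to the log mechanically: it parses the section-tagged lines of a HijackThis 1.99 log, flags executables sitting directly in a Startup folder rather than behind a .lnk shortcut, flags O23 services whose binary HijackThis could not resolve, and, as a check of my own that the thread does not mention, groups the O1 hosts-file overrides by address and marks which ones point outside the private RFC 1918 ranges. The SAMPLE text is copied from the log posted above, trimmed to the entries these checks look at.

```python
"""Triage checks for a HijackThis 1.99 log, written to mirror the items the
answerer above pointed at.  Added example for this thread, not HijackThis code.
The SAMPLE lines are copied from the log posted above (only the entries these
checks look at, with the extraction damage repaired)."""
import ipaddress
import re
from collections import defaultdict

SAMPLE = r"""
O1 - Hosts: 172.16.1.60 www.telerepinc.com
O1 - Hosts: 172.16.1.25 webmail.trep.com
O1 - Hosts: 68.248.173.45 aeinbox.com
O1 - Hosts: 68.248.173.45 www.aeinbox.com
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: deftimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VUPDATE.EXE
O4 - Global Startup: wemupdte.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""

# Every HijackThis finding line starts with a section tag such as R1, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
RAW_EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse(log_text):
    """Return [(section, body), ...] for the finding lines; the header and the
    running-process list carry no section tag and are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def startup_findings(entries):
    """O4 Startup-folder items that are executables dropped straight into the
    folder.  Installers leave .lnk shortcuts there, so a bare .exe in
    'All Users\\Start Menu\\Programs\\Startup' is the pattern the answer flags
    (deftimer.exe, VUPDATE.EXE, wemupdte.exe).  Registry Run keys are left
    alone: bare names like NWTRAY.EXE there are resolved via PATH and are not
    the same signal."""
    hits = []
    for section, body in entries:
        if section != "O4":
            continue
        m = re.match(r"(?:Global )?Startup: (.*)$", body)
        if not m:
            continue
        item = m.group(1)
        if ".lnk = " in item:          # shortcut; its target path is visible for review
            continue
        if item.lower().endswith(RAW_EXEC_SUFFIXES):
            hits.append(item)
    return hits


def service_findings(entries):
    """O23 services whose binary HijackThis could not resolve or whose owner is
    unknown.  On the posted log this is the WinVNC entry, whose image path
    carries a stray quote, which is why HijackThis reports '(file missing)'."""
    hits = []
    for section, body in entries:
        if section == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            name = body.split(" - ")[0]
            if name.startswith("Service: "):
                name = name[len("Service: "):]
            hits.append(name)
    return hits


def hosts_overrides(entries):
    """Group O1 hosts-file entries by address and mark whether the address is
    private (RFC 1918).  This check is my addition: overrides into the internal
    172.16.x.x range fit a corporate build, public ones deserve verification
    against whoever owns that address."""
    by_ip = defaultdict(list)
    for section, body in entries:
        m = re.match(r"Hosts: (\S+)\s+(\S+)$", body) if section == "O1" else None
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return {ip: (ipaddress.ip_address(ip).is_private, sorted(names))
            for ip, names in by_ip.items()}


def triage(log_text):
    """Run all three checks over one log and return the findings by category."""
    entries = parse(log_text)
    return {"startup": startup_findings(entries),
            "services": service_findings(entries),
            "hosts": hosts_overrides(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for item in report["startup"]:
        print(f"[O4]  raw executable in Startup folder, check publisher and hash: {item}")
    for svc in report["services"]:
        print(f"[O23] service binary unresolved or owner unknown: {svc}")
    for ip, (private, names) in sorted(report["hosts"].items()):
        scope = "private" if private else "PUBLIC"
        print(f"[O1]  hosts override -> {ip} ({scope}): {', '.join(names)}")
```

Run against the full log, the O4 check returns exactly the three names the answer lists, the O23 check returns the WinVNC service, and the hosts summary separates the 172.16.x.x entries from the two names pointed at 68.248.173.45. The shortcut rule is deliberately narrow: a .lnk is not trusted by being a .lnk, it is merely left for manual review because its target path is already on the line.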
means an SDBot/IRC bot is present in the system.
So check if "win32ssr.exe" is also present in the system; you might need to show hidden files and folders first, and don't use the 'search' function to look for it.
Can we look at your hijackthis log?
http://danborg.org/spy/hjt/alternativ.exe
Open HijackThis, click "Do a system scan and save a logfile", and don't fix anything yet.