Problem : ".1.EXE" and IE security breaches?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

HAVE_mercy

Thread Starter
Joined
Sep 17, 2005
Messages
1
Hello,
I saw in your forum a posting in which one of the program file names (before the extension) ended in "~1", as in "Programfile/ZoneAlar~1.exe". Well. There was only ONE instance of this in the poster's list for you to analyze, but it got my attention and may be linked to my problem. Computer was taking a long time to boot. Then I discovered that I was not able to uninstall some of the security programs I had downloaded (from download.com and other trusted sites).
I started poking around and discovered that copies of each file I opened were being created in "My Documents" BUT, when I attempted to delete these files -- they instantly reappeared before my eyes. My approach was uneducated and haphazard. I searched for all .tmp files to delete them, and some would not delete but would replicate themselves at the end of the list (there was "jet32.tmp", which when deleted would become "jet33.tmp"). Some of them simply gave me "cannot delete, in use" messages.
Then I looked in the registry and saw a folder (somewhere in that registry) in which it appeared that a ".1" extension was added to the name of virtually every program I run, and -- PLEASE remember I know just enough to be dangerous -- under "curver", presumably "current version".
Then I saw a "volume 1" folder in the control panel (access denied). To my untrained eye it appeared that all my programs were copied, extension changed, and were running from this ".1.exe" function, including all my security programs. Each time I ran my (free downloaded) antivirus programs (I tried about 4 of them), I got more and more warnings that it was unable to scan certain files because they were locked. At last count it was 956 files locked and unable to scan. I finally figured out there was something really bad afoot.
I ran HijackThis, then tried to access your site to upload and couldn't connect; I got the message "URL not found" with various error numbers, which I unfortunately did not note.
I did a clean install of Win2000 and set up a PW, and slowly the same thing started again with my new ID (all the other files were still on the disc). Oh yes, I regularly ran Cache Cleaner and, even though I changed from IExplorer to browse (I use Firefox or Opera), there would be lots and lots of IE .tmp files and shellext files that showed up in the display.
Bought/installed Norton AV2005 and it ran funny, wouldn't update; tried to uninstall and it wouldn't uninstall ALL of the files. After the clean Win2000 install I reinstalled it, but the worm detect function won't update. (Evidently that was one of the processes or apps that wouldn't uninstall, and I am unable to end the process in Task Manager.)

I downloaded and installed Firefox, ZoneAlarm and Spybot and updated the Norton's but haven't done much else. (BTW, ZA tells me Norton's constantly is trying to update, presumably trying to download that 500k worm detector file that I can't complete the download on).
Can you help me?
And all the other pre-clean-install files are still there on my computer. (Somehow I thought they would be deleted, but they weren't.)
Also, Windows constantly updates. Like, the little icon in the tray is always at 14% or 33% and never seems to finish, just starts over and over (past the initial update I ran after the install, it just NEVER quits). Why? Could this be a link to a remote computer via IE, since Win uses that browser to update?
Like I said, I know just enough to be dangerous, but that seems curious to me.

Here's the HijackThis log file (post-clean install of 2000):
(begin file)

Logfile of HijackThis v1.99.1
Scan saved at 1:14:58 PM, on 1/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\NORTON2NDINSTALL\navapsvc.exe
C:\Program Files\Norton AntiVirus\NORTON2NDINSTALL\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\New Folder\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\BF\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mycopper.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mycopper.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\NEWFOL~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NORTON2NDINSTALL\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NORTON2NDINSTALL\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\New Folder\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137300356505
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0C7B52E-32F2-4BA3-93D4-2562BBC4489B}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\NORTON2NDINSTALL\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\NORTON2NDINSTALL\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\NORTON2NDINSTALL\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

(end file)


I guess I'm looking at a re-format job, but IS there a true WORM SUPPRESSOR PROGRAM out there anywhere? OR anything else I can do short of reformatting?

Thank you SO much for reading this tome,
Barbara

PS I tried terminating the wuauclt.exe function via Task Manager; it just keeps reappearing. I don't know how to turn off this bogus "automatic update" function, whatever it is. Could that be the link into my computer via IE?
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi HAVE_mercy, Welcome to TSG!!


The original wuauclt.exe file that comes from Microsoft is located in the C:\WINDOWS\System32 folder.

Windows has file name limitations and that is why you see the ~1 in file names sometimes.
Example: c:\Progra~1 is the same as C:\program files

Jet*.tmp files can be used by a number of applications.

If you cannot connect to TSG you can check http://status.techguy.org/ to see if the site is down.

I do not see any worms in your log, I think you are just confused by some of the normal tmp files that Windows creates.
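A small triage script, added here as an example (it is not part of the thread, of TSG, or of HijackThis), that applies cybertech's two points to a HijackThis log: a core Windows binary name such as wuauclt.exe is worth a second look only when its path is outside the Windows directory, and a ~1 component is just an 8.3 short-name alias of a long path. The log it runs on is constructed, the out-of-place wuauclt.exe entry is made up to exercise the check, and it assumes C:\WINNT (Windows 2000) or C:\WINDOWS as the system root.

```python
import re

# Constructed sample in HijackThis log format (modelled on the thread's log);
# the second wuauclt.exe entry is a made-up out-of-place copy for the check to catch.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\BF\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\BF\wuauclt.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
"""

# Core Windows binaries whose genuine copies live under the Windows directory
# (assumed C:\WINNT on Windows 2000, C:\WINDOWS on XP and later).
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe"}
SYSTEM_ROOTS = ("c:\\winnt\\", "c:\\windows\\")

# Any drive-letter path ending in .exe/.dll/.ocx, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
# A DOS 8.3 alias component: up to six characters, a tilde and a number (PROGRA~1).
SHORT_RE = re.compile(r'(?:^|\\)[^\\.]{1,6}~\d{1,2}(?:\.[^\\.]{1,3})?(?=\\|$)')


def extract_paths(log):
    """Return every file path mentioned in a HijackThis log, in order."""
    return PATH_RE.findall(log)


def has_short_name(path):
    """True if any component is an 8.3 short-name alias; normal, not a sign of infection."""
    return SHORT_RE.search(path) is not None


def classify(path):
    """Flag only a core Windows binary name that is NOT under the Windows directory."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_ROOTS):
        return "SUSPECT: system binary name outside the Windows directory"
    if has_short_name(path):
        return "OK: 8.3 short-name alias of a long path"
    return "OK"


def triage(log):
    """Map each path in the log to its verdict (duplicate paths collapse to one entry)."""
    return {p: classify(p) for p in extract_paths(log)}
```

Call triage(SAMPLE_LOG) to see the verdicts; resolving an alias like C:\PROGRA~1 back to its long name needs the live filesystem (dir /x on the machine), so offline the script only labels it.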
 
