Problem : ".1.EXE" and IE security breaches?

This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.


Thread Starter
Sep 17, 2005
I saw in your forum a posting in which one of the program file names (before the extension) ended in "~1", as in "Programfile/ZoneAlar~1.exe". Well. There was only ONE instance of this in the poster's list for you to analyze,but it got my attention and may be linked to my problem. Computer was taking a long time to boot. Then I discovered that I was not able to uninstall some of the security programs I had downloaded (from and other trusted sites).
I started poking around and discovered that copies of each file I opened were being created in "My Documents" BUT, when I attempted to delete these files-- they instantly reappeared before my eyes. My approach was uneducated and haphazard. I searched for all .tmp files to delete them, and some would not delete would replicate themselves at the end of the list (ther ewas "jet32.tmp, which when deleted would become "jet33.tmp". Some of them simploy gave me "cannot delete, in use" messages.
Then I looked in the registry and saw a folder (somewhere in that registry) in which it appeared that a ".1" extension was added to the name of virtually every program I run, and --PLEASE remember I know just enough to be dangerous--under "curver", presumably "current version".
Then I saw a "volume 1" folder in the control panel (access denied). To my untrained eye it appeared that all my programs were copied, extension changed and were running from this ".1.exe" function, including all my security programs. Each time I ran my (free downloaded )antivirus programs (I tried about 4 of them) and I got more and more warnings that it was unable to scan certain files because they were locked. At last count it was 956 files locked and unable to scan. I finally figured out there was something really bad afoot.
I ran Hijack this! and ran it, tried to access your site to upload and couldn't connect, got the message "URL not found" with various error numbers, which I unfortunately did not note.
I did a clean install of Win2000 and set up a PW and slowly the same thing started again with my new ID. (all the other files were still on the disc). Oh yes, I regularly ran Cache Cleaner and, even though I changed from IExplorer to browse (I use Firefox or Opera) there would be lots and lots of IE .tmp files and shellext files that showed up in the display.
Bought/installed Norton AV2005 and it ran funny, wouldn't update; tried to uninstall and it wouldn't uninstall ALL of the files. After clean Win2000 install I reinstalled it, but the worm detect function won't update. (evidently that was one of the processes or apps that wouldn't uninstall, and I am unable to end process in task manager).

I downloaded and installed Firefox, ZoneAlarm and Spybot and updated the Norton's but haven't done much else. (BTW, ZA tells me Norton's constantly is trying to update, presumably trying to download that 500k worm detector file that I can't complete the download on).
Can you help me?
ANd all the other pre-clean install files are still there on my computer. (Somehow I thought they would be deleted, but they weren't).
Also, Windows constantly updates.Like, the little icon in the tray is always at 14% or 33% and never seems to finish, just starts over and over (past the initial update I ran after the install, it just NEVER quits. Why? Could this be a link to a remote computer via IE, since Win uses that browser to update?
Like I said, I know just enough to be dangerous, but that seems curious to me.

here's the Hijack this log file (post-clean install of 2000):
(begin file)

Logfile of HijackThis v1.99.1
Scan saved at 1:14:58 PM, on 1/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec

C:\Program Files\Common Files\Symantec

C:\Program Files\Common Files\Symantec

C:\Program Files\Norton

C:\Program Files\Norton

C:\Program Files\Common Files\Symantec

C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\New Folder\Spybot - Search &

C:\Documents and Settings\BF\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page =
O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D7942484F} -

O2 - BHO: NAV Helper -

{BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program

Files\Norton AntiVirus\NORTON2NDINSTALL\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -

{8E718888-423F-11D2-876E-00A0C9082467} -

O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton AntiVirus\NORTON2NDINSTALL\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program

Files\Common Files\Symantec Shared\Security

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program

Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program

Files\New Folder\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} -

O9 - Extra 'Tools' menuitem: Show &Related Links -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

O17 -


D4-2562BBC4489B}: NameServer =
O23 - Service: Symantec Event Manager (ccEvtMgr) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative

Service (dmadmin) - VERITAS Software Corp. -

O23 - Service: Norton AntiVirus Auto-Protect Service

(navapsvc) - Symantec Corporation - C:\Program

Files\Norton AntiVirus\NORTON2NDINSTALL\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service

(NPFMntor) - Symantec Corporation - C:\Program

Files\Norton AntiVirus\NORTON2NDINSTALL\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation -

C:\Program Files\Norton

O23 - Service: ScriptBlocking Service (SBService) -

Symantec Corporation -

O23 - Service: Symantec Network Drivers Service

(SNDSrvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

O23 - Service: Symantec Core LC - Symantec Corporation -

C:\Program Files\Common Files\Symantec

O23 - Service: TrueVector Internet Monitor (vsmon) -

Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

(end file)

I guess I'm looking at a re-format job, but IS there a true WORM SUPPRESSOR PROGRAM out there anywhere? OR anything else I can do short of reformatting?

Thank you SO much for reading this tome,

PS I tried terminating the wuauclt.exe function via taskmaster; it just keeps reappearing. I don't know how to turn off this bogus "automatic update" function, whatever it is. Could that be the link into my computer via IE?


Retired Moderator
Apr 16, 2002
Hi HAVE_mercy, Welcome to TSG!!

The original wuauclt.exe file that comes from Microsoft is located in the C:\WINDOWS\System32 folder.

Windows has file name limitations and that is why you see the ~1 in file names sometimes.
Example: c:\Progra~1 is the same as C:\program files

Jet*.tmp files can be used by a number of applications.

If you can not connect to TSG you can check to see if the site is down.

I do not see any worms in your log, I think you are just confused by some of the normal tmp files that Windows creates.
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts