Spyware, Viruses, & Security forum

General discussion

[1].exe virus - Anyone seen this, know how to clean it?

We have a number of servers infected with a virus that creates an i[1].exe process, starts some bogus services and creates folders/logs in temporary internet file folders (for the user who executes the file).

Symantec Corp Edition did not see it until this evening's update and we are not sure if it's getting all of it.

Any help greatly appreciated.


Discussion is locked
You are posting a reply to: [1].exe virus - Anyone seen this, know how to clean it?
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: [1].exe virus - Anyone seen this, know how to clean it?
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Process File: 1 or 1.exe

In reply to: [1].exe virus - Anyone seen this, know how to clean it?

1.exe is a process which is registered as the TROJ_SUA.A worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. This process is a security risk and should be removed from your system.

Note: 1.exe is a process belonging to an advertising program. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This process is a security risk and should be removed from your system.


Please run the Housecall online virus scan located at:
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please restart your computer.

Does Housecall come up clean?

Collapse -
Something new

In reply to: Process File: 1 or 1.exe

We took a look at this def earlier, this seems to be something new with an IRC popper looking to connect to an external host.

It looks to be a couple of different viruses mixed together.


Collapse -
Did you run Housecall?

In reply to: Something new

You also could try ewido:

First download ewido anti-spyware from HERE and save that file to your desktop.

This is a 30 trial of the program.

Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.

Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"

Close ewido and reboot your system back into Normal Mode.

Pls. let us know how you are doing.

Collapse -
Maybe W32.Beagle.AY@mm?

In reply to: [1].exe virus - Anyone seen this, know how to clean it?

This is a virus that you easily get through p2p applications. This virus creates that file, but maybe others do as well? You said you found it with Symantec Corp Edition, so yes, it would have removed it all. NAV2006 can pick this virus up, i'm not sure what other AV's can. This is a fairly serious virus. Do an online scan like Marianna said, and this will definately get rid of all of it.

Collapse -
It Appears To Be The One At ...

In reply to: [1].exe virus - Anyone seen this, know how to clean it?

Collapse -
W32/Tilebot-GM ???

In reply to: It Appears To Be The One At ...


This was discovered on 8/30/06. The [1].exe file seems to be initially dropped in the temporary internet files folder, then renamed to lsass.exe and moved to c:\*windir* creating a bogus service and also creates the Troj/Rootkit-W in c:\*windir*\system32 named as rdriv.sys in addition to a slew of registry changes.

Popular Forums

Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions


Sublime suburban chariot

High on style and technology, the 2019 Volvo XC90 is an incredibly satisfying everyday crossover.