• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs

Not what you are looking for? Ask the experts!

Kudos0

one click support 1003,9: virus + ever-increasing popups

[Windows XP, Norton Internet Security 2009]

So I am pretty sure I have accidentally downloaded myself a virus.

Whenever I start up my computer, within minutes, a Norton Internet Security 'One Click Support, Step by Step' window pops up, informing me "Error: Your email message to [email address of recipient] with the subject [email subject] was unable to be sent..." (1003,9) with a Norton 2009 product installed." It proceeds to tell me that if I'm not sending any emails at the time, it probably means my computer is infected. Of course, I'm not sending any emails. Furthermore, I can't seem to close this One Click Support window no matter what I do.

Another thing that happens is that quite swiftly, and inevitably, the problem multiplies: at the top right hand of the popup, it grows and grows from 'Page 1 of 1,' until after about an hour, I find myself with something ridiculous like 'Page 1 of 3000.'

What's even more annoying is that it clogs up my systray with this little icon of an envelope/email; every time another 'page' is added to my ever-increasing number, another little envelope icon appears in my tray. The number of envelope icons in my tray constantly flickers, fluctuating rapidly in number, increasing and decreasing. 

Oddly, I run full system scans every time I use my computer now. Invariably, within a few minutes of beginning my scan, it informs me that it has detected and resolved one problem - something like 'Tracking cookies fully resolved.' However, the results of my scans are inconsistent. Sometimes I will come up with nothing more than the tracking cookies result after a full scan. Other times, it detects a Trojan, and tells me it is also fully resolved. Other times, it informs me that w32.pilleuz has also been resolved. Rarely, it informs me that it has detected about six different threats and resolved them all - tracking cookies, two different types of Trojans (Backdoor.Trojan and Trojan.Gen), Adware.lop, and w32.pilleuz. 

So I googled roughly what I should be doing about w32.pilleuz and half-followed the instructions (I deleted the registry it made on my computer, but couldn't locate the malicious files supposedly dropped by it). Since then, w32.pilleuz hasn't been picked up by any full system scans, but the trojans and adware.lop still are.

So my question is this: what should I be doing? The One-Click-Support popup problem still persists, along with its associated systray spammage. Any help would be greatly appreciated.

Replies

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

[Windows XP, Norton Internet Security 2009]

So I am pretty sure I have accidentally downloaded myself a virus.

Whenever I start up my computer, within minutes, a Norton Internet Security 'One Click Support, Step by Step' window pops up, informing me "Error: Your email message to [email address of recipient] with the subject [email subject] was unable to be sent..." (1003,9) with a Norton 2009 product installed." It proceeds to tell me that if I'm not sending any emails at the time, it probably means my computer is infected. Of course, I'm not sending any emails. Furthermore, I can't seem to close this One Click Support window no matter what I do.

Another thing that happens is that quite swiftly, and inevitably, the problem multiplies: at the top right hand of the popup, it grows and grows from 'Page 1 of 1,' until after about an hour, I find myself with something ridiculous like 'Page 1 of 3000.'

What's even more annoying is that it clogs up my systray with this little icon of an envelope/email; every time another 'page' is added to my ever-increasing number, another little envelope icon appears in my tray. The number of envelope icons in my tray constantly flickers, fluctuating rapidly in number, increasing and decreasing. 

Oddly, I run full system scans every time I use my computer now. Invariably, within a few minutes of beginning my scan, it informs me that it has detected and resolved one problem - something like 'Tracking cookies fully resolved.' However, the results of my scans are inconsistent. Sometimes I will come up with nothing more than the tracking cookies result after a full scan. Other times, it detects a Trojan, and tells me it is also fully resolved. Other times, it informs me that w32.pilleuz has also been resolved. Rarely, it informs me that it has detected about six different threats and resolved them all - tracking cookies, two different types of Trojans (Backdoor.Trojan and Trojan.Gen), Adware.lop, and w32.pilleuz. 

So I googled roughly what I should be doing about w32.pilleuz and half-followed the instructions (I deleted the registry it made on my computer, but couldn't locate the malicious files supposedly dropped by it). Since then, w32.pilleuz hasn't been picked up by any full system scans, but the trojans and adware.lop still are.

So my question is this: what should I be doing? The One-Click-Support popup problem still persists, along with its associated systray spammage. Any help would be greatly appreciated.

Kudos1

Re: one click support 1003,9: virus + ever-increasing popups

Please download and run the Norton Power Eraser from here.  Review the errors / files it wants to fix the make sure there is no system files it wants to delete.  You can post a screen shot here, if you like, for review by others, if you have a question about the files the NPE finds.

After using the NPE, boot your system into Safe Mode (tap F8 when starting the system until the Advanced Startup Menu is shown and select Safe Mode (no command or network) and press ENTER).  Once the system is booted into Safe Mode, run a full system scan by double clicking on your NIS2009 desktop Icon.  Let us know the results.

Win7 x32 SP1
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

first off, thanks for your help

anyway, I downloaded the Power Eraser (which I've NEVER heard of before - Norton should advertise it more) and ended up with the screenshot attached. Since I don't really know anything, I've attached a screenshot of what the search came up with (well, three screenshots).

edit: oops, turns out the 'Attachments' option is for text type files only. I hope you guys don't mind imageshack..

Screenshot of my PowerEraser scann results: http://img3.imageshack.us/gal.php?g=powereraser.jpg

I hope this is helpful in your aiding me, thanks

Kudos2

Re: one click support 1003,9: virus + ever-increasing popups

Run the NPE again and have it fix the files it finds (I viewed the screen shots).  Reboot your system and then Run a MalwareBytes scan.

Please download MalwareBytes' AntiMalware from this LINK . Choose the free version as this does not have a real time scanner that will interfere with Norton products. Install the program and update the definitions.

Once MBAM is loaded, run a full scan with it. Have the program fix / delete whatever it finds and make a log file. Please post the log file contents or attach the log file to a reply post here for review.

Win7 x32 SP1
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

So I ran the NPE, it fixed the files, then I rebooted and ran the MalwareBytes scan, and got it to fix all 32 infected thingos that came up. I've attached the log file for you to review - I sure hope this is possibly near the end of the whole removal process. 

By the way, the One-Click-Support popup has stopped popping up, so I suppose that's good

thanks for your help

Kudos1

Re: one click support 1003,9: virus + ever-increasing popups

If you haven't already done the following then do :

Delete the Temporary files on your system (Go to RUN and type in %temp% and hit ENTER. Then click on any file in the righthand side of the explorer window that opens and press CTRL and A (shortcut for select all), then press Delete).

Empty the Recycle Bin on the desktop.

Delete all System Restore points by turning System Restore off.  Let the system delete the old restore points and then turn System Restore back ON.

Run a full system scan with Norton and MBAM.

Let us know the results.  Thanks for hanging in there; I think we are close to finished.

Win7 x32 SP1
Kudos4

Re: one click support 1003,9: virus + ever-increasing popups

This thread reminded me of when I came across when the list of objects is longer than the Windows and asking for a screenshot which won't show all listed, so 2, 3, 4, or more screenshots is required.

I did try a couple of things but they didn't work.

Then, I had the idea of having a "Copy Scan Results to Clipboard" button at the "Scan Complete"  list.

 

This would allow the user to quickly paste the list into a forum message, Notepad or any other program likely (Word etc.)

Also include the File path or Registry information so that it can be seen where the object is located, or registry entry.

For instance,

svchost.exe       C:\WINDOWS\svchost.exe  

svchost.exe       C:\WINDOWS\system32\svchost.exe

Command       HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*

Quads

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

Great idea!!!  I hope that is added because the XML log file right now is a little hard to read.

Win7 x32 SP1
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

In NIS2011 (can't remember if 2010 has it) if you click the little button on the upper right hand side in screenshot below of a quarantine entry.

This is the result of the pasting 

c:\documents and settings\john\local settings\temp\3780515.exe________________________________________________________On computers as of:11/07/2010 at 8:56:20 p.m.Last Used:11/07/2010 at 8:59:32 p.m.Startup Item:NoLaunched:No________________________________________________________Few UsersFewer than 50 users in the Norton Community have used this file.____________________________HighThis file risk is high.____________________________Threat DetailsThreat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.____________________________OriginDownloaded from  URL Not AvailableSource: External MediaSource File:3780515.exe____________________________File ActionsFile: c:\documents and settings\john\local settings\temp\3780515.exeRemovedFile: c:\documents and settings\john\desktop\bootkit\3780515.exeRemoved____________________________File Thumbprint - SHA:Not Available____________________________File Thumbprint - MD5:Not Available____________________________

You can do the same in other areas on the History

Quads

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

Then it should be easy to add this feature to the NPE.

Win7 x32 SP1
Kudos2

Re: one click support 1003,9: virus + ever-increasing popups

Well I would have thought so, as with NPE the feature does not have to show as much info, just the file or registry setting and location or actual registry entry "HKLM...................".

Quads

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

hey hi, so I emptied my temp, emptied my recycle bin, turned off system restore (and got rid of the restore points) and then turned it back on, and now I'm running my scan with norton and and malwarebytes.. I should have results in possibly an hour-ish, I think.

... one question though, while my computer was infected, I had USB thumbdrives and SD cards and stuff like that plugged into my computer, and before I started the processes you recommended, I had removed them. is it likely that my USB thumbdrive will be infected too? and if I plug it back into my computer and it IS infected, what should I do about that?

sorry, I probably should've mentioned this earlier

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

If the Norton and MBAM scans come up clean, then plug each drive in one at a time and scan them individually.

Before you do that though, I would definitely recommend updating your NIS to the latest version.  You can do this for free with a valid subscription and you will keep whatever time you have left on the 2009 subscription; it will be carried over to the NIS2010 version.  You can check for the latest version here.

Win7 x32 SP1
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

okay so that took a lot longer than expected, but I've attached the results for both the norton and malware scan

the norton came up with a trojan, which was resolved (it said it was, so I sure hope it was), and the malware scan came up with nothing

also I'm updating to NIS 2010 right now

so what's the next step? should I be possibly worried that a trojan came up in the scan?

File Attachment: 
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

Hello gout

You should also update to Internet Explorer 8, if not that, at least to IE 7 IE 6 is quite old now and out of date.

Success always occurs in private and failure in full view.
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

oh I'm not a huge fan of IE, I use Chrome

... sorry, but thanks for the suggestion anyway

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

gout -

Since Norton found the Trojan, I would recommend using the Norton Bootable Recovery Tool.  You can find instructions on making and using the tool here.  This will run from the its own environment and scan the harddrives without letting anything hide itself first.  Let us know what it finds (you may have to write this down) when it is done.  Thanks.

Win7 x32 SP1
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

hi, so I tried using Norton Bootable Recovery Tool - 

I downloaded the tool (with another computer) and burnt it to a disc (also on the other computer), and came back to my (infected) computer and ran it from the disc.

a loading bar appeared, telling me that it was loading the files, but when the loading bar finished, it said it encountered an error.

i tried again, and then burnt another disc, and tried it again, but to no avail.

is there any other way i could approach my trojan problem?

sorry if this is becoming a hassle

Kudos2

Re: one click support 1003,9: virus + ever-increasing popups

Not a hassle.  Try the Emergency USB Stick files from here, since you are having problems with the NBRT.

Win7 x32 SP1
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

ahh you are an absolute hero... extracting now files to the USB now, i'll let you know the results

Kudos1

Re: one click support 1003,9: virus + ever-increasing popups

gout:

Please do take the time to save your important documents, photos, etc.

Under certain circumstances profanity provides relief denied even to prayer.Mark Twain
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

hi, here's the link to some screenshots I took of the results of the scan, kinda - I moved as many risks as I could into quarantine, but for some reason, it said that some of them couldn't be deleted..

log: http://img695.imageshack.us/gal.php?g=asquaredscan1.gif

the leftover ones that couldn't be moved: http://a.imageshack.us/img801/2230/asquaredscan3.jpg

(not sure why that hasn't come up as a link)

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

and thanks for the heads up, delphinium - just a question, if I want to back up some files onto a USB key, and plug the USB key into my computer, will it get infected?

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

... oh right, just noticed that I could save the log as a text file...

File Attachment: 
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

Hello gout

Do you use GameSpyArcade to play your online games? If you do, are you a subscribed member? What version of the program do you have? Please submit aphex.exe to Symantec for further analysis as this might be a false positive.

Please use this link if you think that a file is a false positive:
https://submit.symantec.com/dispute/

If there is a possibility that the file might be infected, please submit it to Symantec using this link:


https://submit.symantec.com/websubmit/retail.cgi



Another alternative which is fast you can use Threat Expert:

http://www.threatexpert.com/submit.aspx

(Thanks to Yaso for providing the links)

You can submit it to Threat Expert also and please report what it finds. Thanks.

Success always occurs in private and failure in full view.
Kudos1

Re: one click support 1003,9: virus + ever-increasing popups

gout:

Don't use the same drive that the infection appears to have arrived in.  Save only documents, photos, etc.  Do not save any .exe, .scr, .rar etc. because they may be infected.  Lose the illegal software and keygens.  That is how to get infected very quickly.

Under certain circumstances profanity provides relief denied even to prayer.Mark Twain
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

hey floplot - 

I actually don't play any online games at all (well I used to, but it wasn't using GameSpyArcade) so I'm actually confused as to why it's on my computer

so I tried using the symantec submission, but the thing is, when I was browsing my program files for aphex.exe, I couldn't actually find the gamespy arcade folder in the program files

I tried using threatexpert, but the same thing happened - I couldn't find it

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

hi delphinium, how do I judge which drive that the infection appears to have arrived in?

and by lose, did you just mean uninstall and delete?

Kudos1

Re: one click support 1003,9: virus + ever-increasing popups

Yes, they mean delete and / or uninstall.  Did you turn off System Restore not too long ago?  This is looking like a bad rootkit infection.

Win7 x32 SP1
Kudos1

Re: one click support 1003,9: virus + ever-increasing popups

Hi gout:

Best thing is probably to use a new one.  Did you turn off your system restore as suggested by dbrisendine?  I am still seeing two entries in system restore in your log.

What is F drive in your system?  Do you have the option to delete everything found by Asquared?

Under certain circumstances profanity provides relief denied even to prayer.Mark Twain
Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

okay well I've begun going through the log and trying to uninstall all the keygen ones - they're mostly with programs that I don't even really use much

and I turned off system restore before, but then I immediately turned it back on - I'm not sure why I did that, I think I probably misread your instructions. **bleep** it, my bad.

also, what's a rootkit infection?

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

okay so I've borrowed my dads USB key - it won't get infected if I plug it into my computer though, right?

and after the last two posts I've turned off system restore - sorry for forgetting about that

the F drive is just another internal hard drive

and do you mean the option to delete everything in quarantine?

coz there's a delete button here, which I guess I'm supposed to click now

Kudos0

Re: one click support 1003,9: virus + ever-increasing popups

okay so I turned off system restore, ran another scan with the Emergency USB Stick files, and it came up with no trojans or anything, just a bunch of tracking cookies. however, when I tried to delete them, it said I couldn't..?

so my question is, is my computer clear now?

Kudos1

Re: one click support 1003,9: virus + ever-increasing popups

The problem with System Restore was that, before your system was cleaned, the malware kept getting backed up to a restore point.

Scan your system with NIS2009 and the USB scanner once more.  If everything comes up clean (other than cookies) then you should be fine. At this point, you should be able to turn System Restore back on.

You may want to upgrade to the latest NIS2010, however.  It is free to those with current valid licenses; you can check for it here.  Other than that, I would think your are doing fine.  Thanks for hanging in there and watch what you download; there's a reason some things are free; they are giving you more than you think.

Hope this helps and if you need anything else, please come back and post.

Win7 x32 SP1

Replies are locked for this thread.