arvin1
Level 7

Artemis !20B937399785 trojan

Hi there,

Recently my McAfee antivirus has been detecting and removing an Artemis!20B937399785 trojan virus with an item name of SAFARI.exe that is located in C:/program files (x86)\safari\bin. This occurs every time I restart my laptop. I have Windows 7 64 bit on my laptop, fully updated, and am using version 15 of McAfee VirusScan. I have tried using malware and pcsafe doctor in both 'normal and safe' modes to try and get rid of it, but the programs always fail to recognise this when in safe mode. I have also tried stopping certain unrecognised startup services and processes, but that didn't seem to work. Each time the computer is restarted the trojan returns and McAfee detects and quarantines it, but it doesn't seem to be removed from my system permanently. Please help, I don't know what else to try.

cheers

Arvin


Accepted Solutions
Hayton
Level 18

Re: Artemis !20B937399785 trojan

You can delete cvr files -

http://www.vistax64.com/general-discussion/273443-safe-delete-xxxxxxx-tmp-cvr-files.html

and sqm files - http://msghelp.net/showthread.php?tid=57018

and .tmp files.

dimhost.exe - you mean "dismhost.exe"? That should be in your %system% directory, not in appdata\local\temp. Check the files in that directory - right-click on that exe and a couple of dll files and choose Properties, check to see if they are Microsoft files. If they are, leave them where they are. As a general rule, if something's in a Temp directory then it's only needed for a specific reason, for a limited time period, and after that it should be deleted by the app that created it. Of course, many programs don't bother to clean up when they terminate, so you get clutter in which it's often easy to hide files created by malware - on the basis that no-one's ever going to look in there and see them.

If you look in CCleaner -->Options -->Include you can specify locations where that program will look for junk files to get rid of. I've put all the temp directories I could find in the list, then made sure to right-click on any files that came up in the results that should be excluded from future cleaning scans.

I'm still pondering the question of exactly what it was that put this PUP on your system. Somewhere there's a clue, but I need to look at other people's experience. Something's been overlooked.

Edit - Temp directories? Use the built-in Windows file search to find them. There are a lot in the user-data area (%appdata%).

Message was edited by: Hayton on 05/11/11 02:48:21 GMT
31 Replies
Hayton
Level 18

Re: Artemis !20B937399785 trojan

This is BitCoinMiner. Not of itself a virus, but definitely a Potentially Unwanted Program. If you're getting it afresh at every reboot then you may have other malware on your system. You should download the latest DAT and run a scan - Full Scan might be advisable.

Read the following for more information

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Program%3AWin32%2FBitCo...

http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=617462  (see "Virus Characteristics")

Message was edited by: Hayton on 02/11/11 20:37:54 GMT
arvin1
Level 7

Re: Artemis !20B937399785 trojan

Hey Hayton,

I have run multiple full scans but I will now try disabling System Restore and running the full scan to see if that has worked. Thanks for your help, the 2nd link has served to be very useful. I'll post back with my results. Should I also try running the scans in safe mode?

cheers

Hayton
Level 18

Re: Artemis !20B937399785 trojan

Run in safe mode if you have any problems in normal mode. BitCoinMiner isn't the problem, it's what may have come with it (or that may have introduced it) that you need to look for. There may be nothing, in which case you should look at the msconfig entries to see what's causing the reappearance at every startup. Autoruns and Process Explorer are useful for this sort of thing.

Edit - Microsoft haven't updated the entry for this variant yet. The previous entry gives a lot of information - see here.

Message was edited by: Hayton on 03/11/11 03:21:11 GMT
arvin1
Level 7

Re: Artemis !20B937399785 trojan

Is there anything specific you can mention that I should look for in the msconfig entries? I've used Autoruns and have just looked through all of the startup processes/services and have deleted all the entry files that are not found. I have also stopped xnotes.exe. I have also noticed that McAfee tends to identify this PUP as well, Generic PUP .z!gx. I have run a full scan and quarantined and deleted the program. I also ran Malwarebytes and have not found anything. I'm now going to restart my computer and re-scan; hopefully nothing will be found.

Message was edited by: arvin1 on 11/2/11 11:39:20 PM CDT
Hayton
Level 18

Re: Artemis !20B937399785 trojan

Look in Startup and Services. In Services, hide the Microsoft entries and look through the list of Unknown manufacturers. I can't say what to look for, except (glib answer) anything that looks unfamiliar.

I have also tried stopping certain unrecognised startup services and processes, but that didn't seem to work.

It looks as if you tried this already. Possibly whatever dropped this on your system has put an entry into the registry to ensure an automatic reload on startup.

Edit - It's worth trying Malwarebytes (free version) to see if that can detect something.

Message was edited by: Hayton on 03/11/11 04:44:15 GMT
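
Added example (not part of Hayton's post and not McAfee or Sysinternals tooling): a read-only PowerShell inventory of the registry Run keys and auto-start services discussed above, flagging entries whose executable is missing, unsigned, or not signed by Microsoft. The function names, the path-extraction regexes and the signer match on `O=Microsoft Corporation` are assumptions made for this illustration.

```powershell
# Added example: read-only inventory of Run keys and auto-start services.
# Nothing is changed or deleted; the output is a list to review by hand.
# Assumes Windows PowerShell (on PowerShell 7 use Get-CimInstance for services).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$CommandLine) {
    # Assumption: the program is either quoted or ends at the first ".exe".
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

function New-Finding($Source, $Name, $CommandLine) {
    $path = Get-ExePath $CommandLine
    $status = 'FileNotFound'; $signer = ''
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Path = $path
        Signature = $status; Signer = $signer
    }
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $findings += New-Finding $key $name ($item.GetValue($name))
    }
}
foreach ($svc in (Get-WmiObject Win32_Service -Filter "StartMode='Auto'")) {
    $findings += New-Finding 'Service' $svc.Name $svc.PathName
}

# Show entries whose binary is missing, unsigned, or not signed by Microsoft.
# On older systems only embedded signatures may be checked, so catalog-signed
# Windows files can appear here too: treat the output as leads, not verdicts.
$findings | Where-Object {
    $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
} | Sort-Object Source, Name | Format-Table Source, Name, Signature, Path -AutoSize
```

Saving the output before and after a reboot and comparing the two lists shows which entry is being re-created at startup.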
arvin1
Level 7

Re: Artemis !20B937399785 trojan

Hey Hayton,

So I've updated my DAT files and engine for McAfee and I've run a full system scan. It had detected Generic PUP .z!gx; I quarantined it and deleted it. I also ran Malwarebytes and nothing else was found. I also ran CCleaner and cleared the registry. I then ran Autoruns and deleted the xnotes.exe registry startup entry and cleared a few missing files. I then restarted the computer into safe mode and ran a full system scan on McAfee, followed by running a quick scan on Malwarebytes. I then proceeded to run CCleaner again and used msconfig and searched for any unknown startups, but none were found. I finally restarted my computer into normal mode and McAfee has once again found the Artemis!20B937399785 trojan virus with an item name of SAFARI.exe that is located in C:/program files (x86)\safari\bin. I then ran a full scan on McAfee and it had detected the Generic PUP .z!gx file. I also ran a quick scan in Malwarebytes after the McAfee scan and no infected objects were found.

Please help, what are the possible next steps I can take to try and overcome this problem?

Thanks

Message was edited by: arvin1 on 11/3/11 2:53:10 AM CDT
Peacekeeper
Level 20

Re: Artemis !20B937399785 trojan

Have you deleted all internet temp and windows temp files?

Try this and reboot.

Try a run with GetSusp; it might find an unknown file that could be the cause. You will find GetSusp here:

McAfee Communities: Anti-Spyware, Malware & Hijacker Tools

It will not remove anything, just notify McAfee. It is also a good idea for you to add your email addy to its preferences so McAfee can contact you.

arvin1
Level 7

Re: Artemis !20B937399785 trojan

Hey there,

Thanks for your advice. I have cleared both internet temp and Windows temp files using Disk Cleanup and CCleaner and restarted, but the trojan and PUP still appear to be on the system. I have also just run GetSusp and sent the files to McAfee for analysis. Basically I now know that the suspicious autorun process is C:\ Program Files (x86)\XNotes\xNotes.exe. Every time I delete this startup entry using Autoruns it seems to reappear every time I start up the machine. I have no idea how to get rid of this and the Generic PUP .z!gx as well as the Artemis!20B937399785 trojan virus with an item name of SAFARI.exe that is located in C:/program files (x86)\safari\bin.

Any other methods to get rid of this malware?

Message was edited by: arvin1 on 11/3/11 9:12:06 AM CDT
Peacekeeper
Level 20

Re: Artemis !20B937399785 trojan

Maybe follow what this forum comes up with.

http://forums.majorgeeks.com/showthread.php?p=1678603

Poster has same issue.

Of course you can go with McAfee's paid removal, but best to see what is offered.

Also asked a McAfee staffer to read the thread.

Message was edited by: Peacekeeper on 4/11/11 7:45:08 AM