Conili
Message 1 of 16

Artemis! Trojan & Virus Process File Removal

I'm bewildered -- even though McAfee caught and removed the Artemis! (I believe Generic?) virus and trojans yesterday, somehow the file "str_1244994559.exe" got installed on my computer and launched the processes "freddy46.exe" and "ld09.exe". This morning McAfee quarantined but did not remove Artemis and now located "ld09.exe" but states it cannot be removed. I cannot locate any removal instructions for any of this. Help me stop this before it continues.
15 Replies

hi

hi there,
Are you running Windows XP? If so, try downloading ATF Cleaner.
- After downloading, run it, then put a check mark on "Select All", then select "Empty Selected".
- Then try downloading and running the tool called Malwarebytes and perform a full scan.
- After the scan, follow the prompts to remove the detected infections, then restart the computer.
- Then check whether McAfee still detects them.

Good luck
nanowiz
Message 3 of 16

LD08.EXE and SYSDLL.EXE - New virus?

My XP system was infected in a way that McAfee was effectively shut down. Here is what I did to fix it.

First symptom was that IE cannot connect to the internet. I can ping any web site in a CMD window. I just can't connect using HTTP.

I checked McAfee and it says that there is a problem with Computer & Files as well as eMail & IM. When I click FIX, it says that connection to the internet failed and cannot continue. I tried just doing a scan and it failed, saying that I am missing a component and recommending reinstalling McAfee.

Then I tried running MSCONFIG to see what is in the STARTUP list. It also failed, saying that MSCONFIG is an unknown command. I had to copy MSCONFIG from another XP system and ran it from the flash drive. I found 2 entries in the startup list that looked suspicious. They are SYSDLL.EXE and LD80.exe. Searching for these names in Google showed that these are most likely viruses. So, I disabled them and also searched the system for these files and deleted them. Then, I manually searched the registry and found 2 entries enabling SYSDLL open access through the firewall on port 80 and something else. I deleted these entries. Next, I rebooted into safe mode by enabling it in MSCONFIG.

Now in safe mode, I tried to reinstall McAfee. That again failed saying that there is a connection problem to the internet. (I am a Comcast customer and I get McAfee free. But I must install from the internet.) I opened IE and that also has the same connection problem still. I checked Connections under Internet Options in IE and found that Proxy was enabled. After I disabled proxy, IE now can connect to the internet again. I went back to reinstalling McAfee and now it runs without the connection error.

I am now running a full scan in McAfee after it installed successfully. Hope that fixed everything this virus caused. I searched McAfee's web site and found no reference to either of these files.

I don't know if your LD90.EXE is similar to my LD80.EXE. But try my procedure and see if you have any luck with it.
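The three things nanowiz found by hand in the post above (unknown startup entries, firewall exceptions for SYSDLL.EXE, and an IE proxy switched on) all live in the registry, so they can be checked from an export instead of by clicking through MSCONFIG and Internet Options. The script below is an added example, not code from this thread or from McAfee: it parses the text format that `reg export` / regedit write and reports those three kinds of hijack. The registry locations are the standard XP SP2/SP3 ones for Run keys, the Windows Firewall standard-profile AuthorizedApplications and GloballyOpenPorts lists, and IE's Internet Settings; the sample export, file paths, value names and the proxy address 127.0.0.1:5555 are constructed for the example and are not from the post.

```python
from __future__ import annotations
import re

# Constructed .reg export (the format "reg export" and regedit produce) that
# mimics the state nanowiz describes: two unknown startup entries, a firewall
# exception for SYSDLL.EXE plus an open port 80, and an IE proxy switched on.
# The paths, value names and proxy address are made up for this example.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"sysdll"="C:\\WINDOWS\\system32\\SYSDLL.EXE"
"ld80"="C:\\Documents and Settings\\Sammy\\Local Settings\\Temp\\LD80.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\SYSDLL.EXE"="C:\\WINDOWS\\system32\\SYSDLL.EXE:*:Enabled:sysdll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP"="80:TCP:*:Enabled:sysdll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:5555"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Either a quoted value name (with \" and \\ escapes) or @ for the default value.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data: str):
    """Decode the common .reg value encodings; anything else stays raw text."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Return {key path (lower-cased): {value name: decoded data}}."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m["key"].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m["default"] else _unescape(m["name"])
            current[name] = _decode(m["data"])
    return keys


# Key suffixes for the three places the post describes, matched case-insensitively.
RUN_SUFFIX = "\\currentversion\\run"
FW_APPS = "\\authorizedapplications\\list"
FW_PORTS = "\\globallyopenports\\list"
INET = "\\internet settings"


def audit(text: str, known_good: set[str]) -> list[str]:
    """List startup entries, firewall exceptions and proxy settings to review.

    known_good holds full command lines / program paths you recognise; anything
    else in a Run key or the firewall program list is reported.
    """
    findings: list[str] = []
    good = {g.lower() for g in known_good}
    for key, values in parse_reg(text).items():
        if key.endswith(RUN_SUFFIX):
            for name, cmd in values.items():
                if str(cmd).lower() not in good:
                    findings.append(f"startup: {name} -> {cmd}")
        elif key.endswith(FW_APPS):
            for path, rule in values.items():
                if ":enabled:" in str(rule).lower() and path.lower() not in good:
                    findings.append(f"firewall allows program: {path}")
        elif key.endswith(FW_PORTS):
            for port, rule in values.items():
                if ":enabled:" in str(rule).lower():
                    findings.append(f"firewall opens port: {port}")
        elif key.endswith(INET) and values.get("ProxyEnable") == 1:
            findings.append(f"IE proxy enabled: {values.get('ProxyServer', '?')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, {r"C:\WINDOWS\system32\ctfmon.exe"}):
        print(finding)
```

On the infected XP box the export would be produced with `reg export` for each of the four keys above (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) and the files concatenated; doing the review offline this way also sidesteps a malware-disabled MSCONFIG. A proxy pointing at the local machine or an unexpected host is the usual reason IE fails while ping still works, as in the post.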
secured2k
Message 4 of 16

RE: LD08.EXE and SYSDLL.EXE - New virus?

The file names you referenced are usually associated with the Koobface worm. It is usually spread by tricking the user into installing bad software by presenting fake content and messages. In some of my personal tests, it has also installed the Vundo trojan.

I suggest scanning with McAfee as well as ESET Online Scanner and MalwareBytes. Chances are that not much will bypass all three scanners.

Please post the log results for ALL of the scanners.

ESET Online Scanner
MalwareBytes
nanowiz
Message 5 of 16

Now unable to install McAfee

Hi secured2k,

Thanks for the advice.

I finished the full scan during the McAfee install in safe mode. It found 3 file items and 35 registry items. The 3 files are:
A0349366.EXE Generic Downloader.X
SYSDLL.EXE Generic.dx!dy
796525.DLL Puper!a

The 35 registry items all pertain to the Puper!a virus. These were all removed by McAfee. But McAfee still shows that there is a problem with Computer & Files and eMail & IM. Clicking FIX returns an error saying that "One or more problems cannot be fixed because of an error".

I then ran ESET Online Scanner and got the following log:

C:\Documents and Settings\Sammy\My Documents\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined
C:\System Volume Information\_restore{0BD7F2AF-3F0E-49E1-8330-194ABFEC653A}\RP712\A0372635.exe Win32/Tinxy.AD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{0BD7F2AF-3F0E-49E1-8330-194ABFEC653A}\RP712\A0372636.dll Win32/BHO.NOE trojan cleaned by deleting - quarantined

I was not able to install Malwarebytes in safe mode. It kept complaining that system policy is set to not permit this kind of program from installing.

I rebooted back into normal mode. Now, McAfee is nowhere to be found. Looks like the install did not complete properly. I started IE to reinstall it from Comcast and I got a blank screen right after logging on to my account in Comcast. I then used another system to download the install file onto a flash drive and ran it from there. That also failed, saying that JavaScript is not working properly. IE is probably failing for the same issue when it hits a JavaScript link. McAfee's error message gave me a link to reinstall JavaScript. I followed it, but it also failed to install, saying that I have a later service pack than this install file. I searched the internet high and low and so far have not found any way to fix JavaScript on this system.

Next I tried loading Malwarebytes in normal mode. It now installs OK. It finished scanning. Log file is at the end of this post.

I'd appreciate it if you can shed any light on how to fix JavaScript under Service Pack 3 and perhaps how to get McAfee working again.

Thanks, Nanowiz.

_______________________________________________________________
Malwarebytes' Anti-Malware 1.37
Database version: 2293
Windows 5.1.2600 Service Pack 3

6/16/2009 11:39:41 PM
mbam-log-2009-06-16 (23-39-41).txt

Scan type: Quick Scan
Objects scanned: 102767
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 8
Files Infected: 236

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorFix (Rogue.ErrorFix) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ErrorFix (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ErrorFix (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
<additional lines deleted to keep post within limits>
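The Malwarebytes log above is worth more than its "Quarantined and deleted successfully" lines: the Registry Data Items section shows the infection switching off Security Center notifications and locking the desktop policies, and the Run and Services keys show how it survived reboots. The script below is an added example, not code from this thread or from Malwarebytes; it parses lines in the format of that log, groups detections by family, and pulls out the entries that explain the symptoms nanowiz reported. The sample log reuses a few lines from the post verbatim plus one constructed `No action taken.` line (the `example.tmp` path is made up) to show how an unresolved item is reported.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the Malwarebytes log posted above,
# plus one made-up "No action taken." line so the unresolved branch is exercised.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.37
Registry Keys Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ErrorFix (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ErrorFix (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Sammy\Local Settings\Temp\example.tmp (Trojan.Agent) -> No action taken.
"""

# "<path> (<family>) -> <rest>"; <rest> is either the action or "Bad: (..) Good: (..) -> action".
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)")

# Registry locations that give malware a foothold across reboots.
PERSISTENCE_MARKERS = ("\\services\\", "\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Families that describe tampering with the OS rather than a payload file.
TAMPER_PREFIXES = ("Disabled.", "Hijack.")


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str
    bad: Optional[str] = None   # value the scanner found (data items only)
    good: Optional[str] = None  # value it restored

    @property
    def resolved(self) -> bool:
        return self.action.startswith("Quarantined and deleted")

    @property
    def persistence(self) -> bool:
        p = self.path.lower()
        return any(marker in p for marker in PERSISTENCE_MARKERS)

    @property
    def tampering(self) -> bool:
        return self.family.startswith(TAMPER_PREFIXES)


def parse_log(text: str) -> list[Detection]:
    """Turn the per-item lines of a Malwarebytes log into Detection records."""
    section = ""
    found: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header such as "Registry Keys Infected:"
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                    # version, counts, "(No malicious items detected)"
        rest = m["rest"]
        bad = good = None
        bg = BAD_GOOD_RE.match(rest)
        if bg:
            bad, good, rest = bg["bad"], bg["good"], bg["action"]
        found.append(Detection(section, m["path"], m["family"], rest.rstrip("."), bad, good))
    return found


def triage(text: str) -> dict:
    """Summarise a log: families seen, persistence points, OS tampering, leftovers."""
    dets = parse_log(text)
    return {
        "families": Counter(d.family for d in dets),
        "persistence": [d.path for d in dets if d.persistence],
        "tampering": [(d.path.rsplit("\\", 1)[-1], d.bad, d.good) for d in dets if d.tampering],
        "unresolved": [d.path for d in dets if not d.resolved],
    }


if __name__ == "__main__":
    for heading, items in triage(SAMPLE_LOG).items():
        print(heading, items)
```

Two of the reported groups map directly onto the thread: the `Disabled.SecurityCenter` items are why McAfee's status page kept reporting problems it could not fix, and the `Services\seneka` and `Run\ErrorFix` entries are the kind of startup persistence nanowiz had to dig out of MSCONFIG by hand. Anything in `unresolved` is what to re-scan or remove from safe mode.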
secured2k
Message 6 of 16

RE: Now unable to install McAfee

Reinstall Internet Explorer and all associated files and registry entries for IE will be reinstalled and repaired.
nanowiz
Message 7 of 16

JavaScript Still not working

I have downloaded IE 8 and installed it. JavaScript is still not working. I checked the various settings in advanced options for script and they are all enabled.

Any further ideas?
secured2k
Message 8 of 16

RE: JavaScript Still not working

Please (re) post the error message(s) you are receiving and EXACTLY HOW you get those messages to appear.
nanowiz
Message 9 of 16

re: JavaScript still not working

OK. The most immediate problem is that JavaScript is not working. I get it in 2 ways:

First is in Internet Explorer, where any link to a JavaScript will do nothing. This is preventing me from reinstalling McAfee from Comcast's web link.

I go to https://home.mcafee.com/secure/Protected/Logon.aspx and sign in with my email and pw. When I click on the 'Login' button, nothing happens. It is the same for any of the JavaScript links below the Login button.

Next, I use another system to download the install file 'DMSetup-serial.exe' from McAfee and run it on this system. I get this message from McAfee Security Center:

Installation Cannot Continue
We are having trouble installing the McAfee software because Javascript is not working correctly on this PC.
Need More Information? Visit our Customer Support site at
http://us.mcafee.com/root/campaign.asp?cid=43582 for detailed instructions

I followed this link to a McAfee document with links to reinstall JScript. I chose the one for XP and ran it. It gave me this error: 'Setup has detected that the Service Pack version of this system is newer than the update you are applying. There is no need to apply this update.'

re: JavaScript still not working

Please go to this site and see if you get a popup saying "You can use JavaScript!".

http://liblearn.osu.edu/tutor/jscript.html

You can also try these 4 commands (IN ORDER) to restore JavaScript/VBScript. Reinstalling IE should have done this, but here is the manual way.

You can run these commands from Start -> Run.


REGSVR32 /U %SYSTEMROOT%\SYSTEM32\VBSCRIPT.DLL
REGSVR32 /U %SYSTEMROOT%\SYSTEM32\JSCRIPT.DLL

REGSVR32 %SYSTEMROOT%\SYSTEM32\VBSCRIPT.DLL
REGSVR32 %SYSTEMROOT%\SYSTEM32\JSCRIPT.DLL