stephe
Level 8

Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

On Saturday, November 12, 2011, my semi-weekly scheduled full scan turned up Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan) in C:\DOCUMENTS AND SETTINGS\STEVE\LOCAL SETTINGS\TEMP

My McAfee Security report mentioned four trojans being found, but only the one was in quarantine. I am assuming that the fact that the item's name ended in ".EXE.PART" means that it was a multi-part trojan.

It is now Monday, November 14, 2011, and a Google search still turns up nothing for JYOMWB49.EXE.PART nor Artemis!0D31CEFC2E3F

Is this a very new trojan that McAfee has yet to identify?

If I go to Navigation Center, then to McAfee Quarantined And Trusted Items > Quarantined Items and click on Quarantined Items, it will take 15 seconds to show me results.

If I click on Quarantined Potentially Unwanted Programs, McAfee freezes after 15 seconds, and stops responding.

Inside Quarantined and Trusted Items, it says:

"Quarantine is a secure area where suspect items are unable to harm your PC. You can delete, restore, or send them to McAfee for analysis. Trusted items will not be detected in future scans. Learn More."

When I click on Learn More, and then click on Send quarantined items to McAfee, I wind up at a Help page that says:

"When McAfee quarantines items, it encrypts and isolates them in a folder to prevent the files, programs, or cookies from harming your PC. You can send quarantined items to McAfee, where they are analyzed to create filter updates. When you submit a quarantined item for analysis, you are given an ID number so that you can track your request on the McAfee website: webimmune.net.

1 Open the Quarantined and Trusted Items page.

2 Click Quarantined Items or Quarantined Potentially Unwanted Programs to display the list of quarantined threats.

3 From the list, select the item that you want analyzed, and click Send to McAfee."

When I clicked on Send JYOMWB49.EXE.PART to McAfee I was not given any ID number that I know of.

When I click on webimmune.net, I see this:

"Attention: WebImmune will End Of Life on Dec 14th 2011. Please refer to KB50388 for alternative submission methods to send samples to McAfee Labs."

I would like to find out the severity level of the JYOMWB49.EXE.PART trojan and what -- if anything -- it left in my system.

0 Kudos
14 Replies
Peacekeeper
Level 20

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

Well, an idea would be: after you send the file to McAfee as per http://vil.nai.com/vil/submit-sample.aspx you will get a submission number. The Send to McAfee works, but no guarantee it does every time. So you can restore the file, note where it is, and submit it to McAfee. Then re-scan it and it will go to quarantine.

I would delete all temp and internet temp files, i.e. do a disk clean-up.

Then run the two Stingers (they need to be redownloaded to update them) and run GetSusp. It auto-submits the files as well. Ensure you added your email to the preferences area.

McAfee Communities: Anti-Spyware, Malware & Hijacker Tools

0 Kudos
stephe
Level 8

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

I re-started in Safe Mode, ran a McAfee scan, which found nothing, disabled System Restore (I'm running Windows XP SP 3), then ran the Stinger (the link I went to only had one stinger), which also found nothing, then re-booted to regular mode and enabled System Restore.

0 Kudos
Peacekeeper
Level 20

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

Should be OK now, but run the other scanners. The link I gave has the Fake Alert Stinger, GetSusp and 2 anti-malware program links in it.

Did you send the file to McAfee?

0 Kudos
stephe
Level 8

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

I already had Malwarebytes' Anti-malware, and it found nothing.

I didn't use GetSusp because I deleted the trojan after sending it to McAfee two days ago.

0 Kudos
stephe
Level 8

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

Isn't GetSusp specifically for sending stuff to McAfee, or is it a malware scanner, too?

0 Kudos
Peacekeeper
Level 20

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

GetSusp is not specifically for sending; it scans the drives and notes any known and suspicious files. It also notes unknown files, and all are sent to McAfee for checking. This way it picks up new malware that is not detected yet. The techs then add detection to the DATs.

Re Stinger: yes, they seem the same, will check.

0 Kudos
stephe
Level 8

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

>GetSusp is not specifically for sending; it scans the drives and notes any known and suspicious files. It also notes unknown files, and all are sent to McAfee for checking.

Ah, okay. I went back to Safe Mode and ran GetSusp, and this is the program's report with only the items listed as being other than OK remaining:

<<

McAfee Labs(r) GetSusp(tm) Version 3.0.0.211 built on Oct 24 2011

Copyright (c) 2011 McAfee, Inc. All Rights Reserved.

GetSusp initiated on Tue Nov 15 14:56:57 2011

Successfully connected to McAfee Known Files Database.

  Master Boot Record(s):....1

  Possibly Infected:.............0

  Boot Sector(s):.................1

  Possibly Infected: ............0

C:\PROGRAM FILES\AMAZON\MP3 DOWNLOADER\UNINSTALL.EXE ... is Suspicious !!!

C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPRBXX.EXE ... is Unknown !!!

[. . .]

C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPUIXX.DLL ... is Unknown !!!

[. . .]

C:\PROGRAM FILES\CONNECTION WIZARD\CONNWIZ.EXE ... is Unknown !!!

C:\PROGRAM FILES\DELL PHOTO AIO PRINTER 924\DLCCAIOX.EXE ... is Unknown !!!

[. . .]

C:\PROGRAM FILES\FLVPLAYER\UNINSTALL.EXE ... is Suspicious !!!

C:\PROGRAM FILES\INPAINT\INPAINT.EXE ... is Suspicious !!!

[. . .]

C:\PROGRAM FILES\INTEL\INTEL MATRIX STORAGE MANAGER\SHELL.EXE ... is Unknown !!!

[. . .]

C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE ... is Unknown !!!

C:\PROGRAM FILES\JUNO\BIN\JUNOINFO.EXE ... is Unknown !!!

C:\PROGRAM FILES\JUNO\BIN\JUNOSAVE.EXE ... is Unknown !!!

[. . .]

C:\PROGRAM FILES\MEDIA PLAYER CLASSIC\MPLAYERC.EXE ... is Unknown !!!

[. . .]

C:\PROGRAM FILES\WONDERSHARE\PDFCONVERTER\UNINS000.EXE ... is Unknown !!!

[. . .]

C:\PROGRAM FILES\WONDERSHARE\PDFCONVERTERPRO\UNINS000.EXE ... is Unknown !!!

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.0.3705\MSCORLIB\1.0.3300.0__B77A5C561934E089_544A95B5\MSCORLIB.DLL ... is Unknown !!!

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.0.3705\SYSTEM.XML\1.0.3300.0__B77A5C561934E089_99DCD1D1\SYSTEM.XML.DLL ... is Unknown !!!

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.0.3705\SYSTEM\1.0.3300.0__B77A5C561934E089_8F868632\SYSTEM.DLL ... is Unknown !!!

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\MSCORLIB\1.0.5000.0__B77A5C561934E089_C5B7405A\MSCORLIB.DLL ... is Unknown !!!

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.XML\1.0.5000.0__B77A5C561934E089_8B7A7647\SYSTEM.XML.DLL ... is Unknown !!!

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM\1.0.5000.0__B77A5C561934E089_21729C0D\SYSTEM.DLL ... is Unknown !!!

[. . .]

C:\WINDOWS\INSTALLER\{21657574-BD54-48A2-9450-EB03B2C7FC29}\MYDVDREL60.EXE ... is Suspicious !!!

[. . .]

C:\WINDOWS\INSTALLER\{6D52C408-B09A-4520-9B18-475B81D393F1}\_9FA356B1395F_4530_8CB3_946ED0B3291E.EXE ... is Suspicious !!!

[. . .]

C:\WINDOWS\INSTALLER\{FCD9CD52-7222-4672-94A0-A722BA702FD0}\NEWSHORTCUT1.EXE ... is Unknown !!!

[. . .]

C:\WINDOWS\SYSTEM32\IMSMUDLG.EXE ... is Unknown !!!

GetSusp scan identified (5) Suspicious file(s) and (19) Unknown file(s).

Scan results are saved at C:\Documents and Settings\Steve\Desktop\gsusp_111511_145956.zip.

Suspicious samples if any have been successfully delivered to McAfee Labs.

<<

The Amazon MP3 downloader, the ATI program, the connection wizard, Dell Photo AIO Printer, flvplayer, inpaint, Intel Matrix Storage Manager, Juno, Media Player Classic, and Wondershare PDF Converter are all for-real files, as far as I know, though.

C:\WINDOWS\SYSTEM32\IMSMUDLG.EXE looks iffy, though.

0 Kudos
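The report above mixes a per-file verdict line for each flagged path with a summary count at the end, and the poster then works through the list by hand to decide which "Unknown" entries deserve a closer look. The following is an added example, not GetSusp's own code or anything from the thread: it parses that report format, tallies the verdicts, cross-checks them against the summary line, and pulls out entries under the Windows directory (a constructed priority rule, assumed here) as the ones to verify first. The sample report is constructed from an abridged selection of the paths shown in the post.

```python
import re

# Constructed, abridged sample in the GetSusp report format shown in the thread.
SAMPLE_REPORT = r"""McAfee Labs(r) GetSusp(tm) Version 3.0.0.211 built on Oct 24 2011
Successfully connected to McAfee Known Files Database.
  Possibly Infected:.............0
C:\PROGRAM FILES\AMAZON\MP3 DOWNLOADER\UNINSTALL.EXE ... is Suspicious !!!
C:\PROGRAM FILES\INPAINT\INPAINT.EXE ... is Suspicious !!!
C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE ... is Unknown !!!
C:\WINDOWS\INSTALLER\{21657574-BD54-48A2-9450-EB03B2C7FC29}\MYDVDREL60.EXE ... is Suspicious !!!
C:\WINDOWS\SYSTEM32\IMSMUDLG.EXE ... is Unknown !!!
GetSusp scan identified (3) Suspicious file(s) and (2) Unknown file(s).
Suspicious samples if any have been successfully delivered to McAfee Labs.
"""

# One verdict per line: "<path> ... is Suspicious !!!" or "<path> ... is Unknown !!!"
VERDICT_RE = re.compile(r"^(?P<path>.+?) \.\.\. is (?P<verdict>Suspicious|Unknown) !!!$")
# Trailing summary line with the two totals GetSusp reports.
SUMMARY_RE = re.compile(r"identified \((\d+)\) Suspicious file\(s\) and \((\d+)\) Unknown file\(s\)")

# Assumed priority rule for this example: anything under the Windows directory
# (including system32) is checked before vendor directories under Program Files.
PRIORITY_PREFIX = "C:\\WINDOWS\\"


def parse_report(text):
    """Return ([(path, verdict), ...], (suspicious_total, unknown_total) or None)."""
    findings, summary = [], None
    for line in text.splitlines():
        m = VERDICT_RE.match(line.strip())
        if m:
            findings.append((m.group("path"), m.group("verdict")))
            continue
        s = SUMMARY_RE.search(line)
        if s:
            summary = (int(s.group(1)), int(s.group(2)))
    return findings, summary


def triage(text):
    """Tally verdicts, check them against the summary line, and list priority paths."""
    findings, summary = parse_report(text)
    counts = {"Suspicious": 0, "Unknown": 0}
    for _, verdict in findings:
        counts[verdict] += 1
    consistent = summary == (counts["Suspicious"], counts["Unknown"])
    priority = [p for p, _ in findings if p.upper().startswith(PRIORITY_PREFIX)]
    return {"counts": counts, "summary": summary, "consistent": consistent, "priority": priority}
```

A mismatch between the tallied verdict lines and the summary totals means the report was truncated or edited (as the "[. . .]" elisions in the post would cause), so the list should not be treated as complete.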
stephe
Level 8

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

>C:\WINDOWS\SYSTEM32\IMSMUDLG.EXE looks iffy, though.

I went to C:\WINDOWS\system32 and found IMSMUDLG.EXE, and this is what it said next to the item's icon:

Imsmudlg.exe

Application

Uninstset Installation Utility

And when I moved my cursor over the icon, this is what was displayed:

Description: Uninstset Installation Utility

Company: Intel(R) Corporation

File Version: 0.0.0.0

Date Created: 9/2/2010 9:14 AM

Size: 124 KB

A quick look at items at C:\Program Files\Intel\Intel Matrix Storage Manager shows that it is related to files created at the same exact date.

So, I'm not too concerned with that item.

0 Kudos
Peacekeeper
Level 20

Re: Item JYOMWB49.EXE.PART Threat Artemis!0D31CEFC2E3F (trojan)

OK, they will check those anyway. Did you add your email address to the preferences so they can update you if something is detected?

0 Kudos