The fact that it was detected as Artemis!B0A0B0897288 means VirusScan did stop it and they already have it, otherwise it wouldn't have been given the Artemis label.
When emailing Webimmune all their guidelines must be followed carefully as outlined here: http://vil.nai.com/vil/submit-sample.aspx
See this thread regarding Artemis and possibilities on dealing with them, http://community.mcafee.com/thread/2016
Meanwhile I moved this to the Artemis sub-section of Malware Discussions so hopefully someone from Avert/WebImmune will respond to this thread soon.
Thank you for your fast response and help Ex_Brit, but it was not detected by VirusScan as the Artemis trojan. Like I said, VirusScan was disabled and did not detect the trojan in the infected file. In fact VirusScan was disabled by the trojan and said the source file which spread the infection contained no viruses or trojans. I found the originating infection file with the Panda antivirus online scan, and the above list is from VirusTotal, which scanned the infected source file. But now that it has been active on my system for months I cannot locate where it is hiding now. So I know what file was the source of the infection but now I just need to find where the trojan is hiding now. Is that still possible? Or is it undetectable after activation? And I followed all the guidelines for Avert/WebImmune described on the link you sent. The file was 5,8 MB in the zip file with password, but on their website they say that you should mail them files bigger than 3 MB, so that could not be the problem.
I think the problem is more that they use the firstname.lastname@example.org e-mail address to receive infection samples from 9 countries. So I can imagine that they are swamped in e-mails.
They do accept files larger than 3 MB on an exceptional basis, see the clickable link in my Artemis article. I have no idea where it's lurking if it isn't hiding in your quarantined files. I also have no idea how Panda acts when it discovers something.
I suggest following the guidelines here: http://community.mcafee.com/docs/DOC-1294
If that doesn't help, load the free version of this tool, update it, run a full scan and let it remove everything it finds. It may ask you to reboot to finish the removal; do so.
If McAfee is still disabled after all that then I suggest uninstalling it in the normal manner, then run the MCPR removal tool and reboot. It is available here.
Then reinstall from your online account.
> I have no idea where it's lurking if it isn't hiding in your quarantined files.
No, VirusScan Plus never even got round to detecting the trojan and quarantining it. As for your question what Panda does with the infected file: it simply deletes it. It even deletes the file when you just look at the directory listing of the file with Windows Explorer. Then it says infected file found and deletes it.
Last update is that I did a clean installation of Windows XP SP3. Downloaded all the Windows programs I use and installed them. Did not use any Windows program from the partitions other than C:. Only accessed some videos from the partitions other than C:, and still, after 5 days of rest, VirusScan Plus got disabled again. I did do scans with the free Panda online scan and I just started to scan with Kaspersky but found nothing of an infection.
How is that possible? Either the scanning with Panda or Kaspersky activates the trojan or it's attached to my MBR on the C: partition. A full scan of everything simply takes too long as I have about 1564 GB to scan. I did do a full scan of the 1564 GB before, and then it found signs of infections in the Windows restore points but did not mention what kind of infection it was. It must be hiding in the 64 GB and that I can scan in 15 hours. Still a long time.
McAfee VirusScan is already reinstalled from my online account so I must have the latest version. But it is still not able to detect the source file as infected. It just gets deactivated and says that there is no trojan found. So this is a modified, more advanced version of the above-mentioned trojan. They simply adjusted it again to be undetectable by McAfee.
We really need expert help here! Someone who removed this trojan from other systems.
Questions regarding the behaviour of other brands of protection or online scanners would have to go to their forums I guess.
To check that your system is clean, download HijackThis and post its log on one of the following forums for expert guidance:
Do not post HijackThis logs here, we can't help with those!
Post the logs at a specialist forum:
Be sure to read all the sticky announcements/instructions at the top of each malware forum!
One thing to note is that Artemis by definition is an unknown object being investigated by McAfee's Webimmune people so it could well be a false alarm.
Thank you for all the help, I will consider HijackThis. However, if the trojan is so clever that it cannot be found by a scan, I doubt that HijackThis will help. Still, I will think about it.
> One thing to note is that Artemis by definition is an unknown object being investigated by McAfee's Webimmune people so it could well be a false alarm.
Yes, well if it is a false alarm then why is McAfee VirusScan deactivated? Also why does VirusTotal find the above-mentioned long list of trojans in the source infected file? This is all not normal behavior. There is no way that this is a false alarm.
By the way, a quick scan with Malwarebytes detects the following registry keys.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Are those registry keys normally entered by McAfee VirusScan or could it be the trojan?
It would really be nice if the Webimmune people let us hear something from them. Where are you Webimmune/Avert? We need your help.
I think those keys are affected by McAfee but I'm not positive as I'm none too technical in that field.
I'm surprised that no one has waded in here.
The VirusTotal scan results indicate a trojan dropper. This means that if you executed the file on your hard drive it will have dropped other files onto your system, either by the files being packed inside that file, or they would have been downloaded from the internet.
If Panda has deleted the file in question but the infection keeps re-spawning, this could mean that other malicious files on your system are protecting the file(s) from being deleted; you'll need to locate those other files to remove the infection completely.
The results of the Malwarebytes scan mean that Windows Security Centre will not notify you if your antivirus and firewall are disabled; if you did not change those settings, allow Malwarebytes to change them back.
Whilst I agree HJT will most likely not show anything bad, that is but one tool in the armoury of those forums; HJT is very rarely used now. I suggest going down that road.
If you have sent the file in question to the lab, they may issue you with an extra.dat once they have done a proper analysis of the file.
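An added helper, not from this thread, from McAfee or from Malwarebytes: it parses registry-value lines in the format quoted earlier in the thread and lists the Security Center notification values that were flagged as Disabled.SecurityCenter but left at their bad value (the situation the previous reply explains). The sample log is constructed for this example; the third line is a made-up entry showing a detection that was already fixed.

```python
import re

# Constructed sample: the two lines quoted in the thread plus one constructed
# line for a detection Malwarebytes already repaired.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# One registry-value line has the shape:
#   <hive>\<key path>\<value name> (<label>) -> Bad: (<x>) Good: (<y>) -> <action>.
LINE_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?P<key>.+)\\(?P<value>[^\\]+?) "
    r"\((?P<label>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
    r" -> (?P<action>.+?)\.?$"
)


def parse_line(line):
    """Return the fields of one registry-value line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every registry-value line in a Malwarebytes log excerpt."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unresolved_security_center_tampering(records):
    """Names of Security Center notification values still at their bad value:
    flagged Disabled.SecurityCenter, bad != good, and not yet changed back."""
    return [
        r["value"]
        for r in records
        if r["label"].startswith("Disabled.SecurityCenter")
        and r["bad"] != r["good"]
        and r["action"] == "No action taken"
    ]


if __name__ == "__main__":
    for name in unresolved_security_center_tampering(parse_log(SAMPLE_LOG)):
        print(f"{name} is still set to its bad value; let Malwarebytes fix it")
```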
Thank you both for your help.
> If Panda has deleted the file in question, but the infection keeps re-spawning, this could mean that other malicious files on your system are protecting the file(s) from being deleted, you'll need to locate those other files, to remove the infection completely.
Yes, I reformatted the C: partition with Windows and then reinstalled Windows, so the only place where it could still hide is if it infected files on the partitions other than C:, or it's hiding in the MBR on the C: partition.
> If you have sent the file in question to the lab, they may issue you with an extra.dat once they have done a proper analysis of the file.
Yes, well it's now been 2 weeks since I sent 7 e-mails to them with the source infected file so they could analyse it. I have still heard nothing from McAfee. Attempts to find out more about why they do not respond to my e-mails get nowhere. I did find out that they receive e-mails from 9 countries on the trojan analysis e-mail address, so that's probably why it takes forever for them to get into action. That or they are all on vacation.
Still, I believe that study of this trojan is the only chance I have of removing it from my system and still keeping all my files. Even though the virus/trojan might rewrite itself after infection, you might still be able to extrapolate a signature if you study it closely. Anyway this is not happening at the moment. McAfee is doing nothing.
MCAFEE PLEASE LET US HEAR SOMETHING FROM YOU. ANALYZE THIS TROJAN OR GIVE US ANY SIGN OF LIFE.