7 Replies Latest reply on May 23, 2010 5:19 PM by woody79_00

    Fake Alert and Artemis Trojans

      Hello,

      Yesterday while on the internet, www1.dataguard-31p.com/...etc... popped up in a new internet tab, said: "Security Threat Analysis" and "Windows Security Alert", and asked to open "packupdate_build106_2045.exe" (binary file) through "www2.formyprotection34_pd.xmg.pl".  From some internet searching it appears our computer was hit with a Fake Alert.  McAfee then alerted me a few times when it caught some trojans, while I proceeded to shut down my browser windows to get rid of the Fake Alert that was on the screen.

      We use Mozilla Firefox as our internet browser and McAfee Total Protection as our security software program.

      I checked security settings and it looks like our firewall through XP was turned off, so I turned that back on.  Then I rebooted in Safe Mode with Networking.  I also tried a system restore, but that did not seem to help.  McAfee real-time scanning is currently disabled, but I think that is because I am in Safe Mode while I try to fix the issue???

      A full scan using McAfee found nothing.  Then I downloaded and ran McAfee's Stinger through a link I found in a McAfee Community Thread Post and the first scan didn't find anything.  So I changed the preferences to "report only", "very high" heuristics, and disabled the option to "scan inside compressed files", and scanned again.  This time the scan found the following:

      **see attached report file** (scroll down to the second report in the file; 8 Artemis trojans)

      I also downloaded and ran Malwarebytes (through a link I found in a McAfee Community Thread Post) and this is what it found and removed (and I rebooted the computer again in Safe Mode with Networking after removing this infected file):

      Objects scanned: 272359
      Objects infected: 1 (vendor: malware.trace, category: file, item: C:\ProgramData\sysReserve.ini)
      Full scan of C:\|D:\|E:\

      Since McAfee Stinger found the Artemis trojans in report only mode, how do I remove these infected files from our computer?  What does this Artemis trojan do (what is its function?)?  What else do I need to do to get rid of the infections?  How will I know when the computer is safe to use again as normal?  Let me know if you need any further information.

      I have not logged into my email, etc. since this Fake Alert occurred.  Also, Windows Security Center is turned off and will not let me turn it back on.

      Thank you in advance for your help.

      **Added following to post/thread after original post was made**:

      The Stinger program I ran first (that turned up 8 Artemis trojans) was the Stinger specifically made for Fake Alerts (10.0.1.758).  I just downloaded and ran the general version (10.0.1.854) too, but that one turns up nothing except for clean files (250069 clean files).  I also ran another McAfee scan by right-clicking on Computer and clicking Scan.  The scan results show 300753 items scanned, 0 items detected, 0 items fixed, and 0 items remaining.

      Oh, and I also moved this post/question from the main community page to the one called "Home User Assistance".  I hope this post is in the right place to get some help with this issue and get our computer back in working condition again asap.

      **Correction, using Windows Vista, NOT XP.**

      Message was edited by: czander on 5/13/10 5:39:30 PM CDT

      Message was edited by: czander on 5/13/10 5:43:42 PM CDT

      Message was edited by: czander on 5/13/10 6:19:29 PM CDT
        • 1. Re: Fake Alert and Artemis Trojans

          Hi czander:

          I will do my best to help you. First, let's look at that log:

          The following are false positives; they are NOT infections:

          C:\Program Files\AOL Install\ACST4.DLL
               Found the Artemis!A96727649D8E trojan !!!

          C:\Windows\System32\Macromed\Flash\uninstall_plugin.exe
               Found the Artemis!1D1247CE196B trojan !!!

          C:\Program Files\AOL Install\ACST4.DLL
               Found the Artemis!A96727649D8E trojan !!!

          C:\Program Files\GIMP-2.0\bin\libmng.dll
               Found the Artemis!35F54CC9685E trojan !!!

          C:\Program Files\NetZeroInstallers\IsAdmin.exe
               Found the Artemis!21218D931D99 trojan !!!

          C:\Windows\System32\Macromed\Flash\uninstall_plugin.exe
               Found the Artemis!1D1247CE196B trojan !!!

          The above files you can ignore; since you scanned with non-default settings on Stinger this can be expected. These are not detections, they are false positives due to using the high heuristics setting, which isn't recommended. I would however uninstall the AOL stuff, as I find it to be classic adware and bloatware in my opinion. Uninstall AOL from Add/Remove Programs under Control Panel.

          The following are adware files:

          C:\Program Files\WildTangent\Dell Games\Bejeweled 2 Deluxe\WinBej2-WT.exe
               Found the Artemis!1603513D4DC2 trojan !!!

          C:\Windows\CouponPrinter.ocx
               Found the Artemis!197AA0B3D714 trojan !!!

          WildTangent and Coupon Printer are classic adware; please remove them from Add/Remove Programs in the Control Panel. We will also do some further cleaning up of this later in the post.

          The following entries worry me greatly:

          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
               Found the Artemis!0D83C87A801A trojan !!!

          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
               Found the Artemis!0D83C87A801A trojan !!!

          C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
               Found the Artemis!0D83C87A801A trojan !!!

          C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
               Found the Artemis!0D83C87A801A trojan !!!

          The entries above are classic symptoms of infection with a variation of MBRkit (Master Boot Record Kit). Pretty much NONE of the AV vendors can remove this thing reliably, as it pretty much requires manual removal due to how it alters the MBR on the computer. The good news is this is very easy to fix manually with a few steps.

          Step 1: Download the free version of Malwarebytes Anti-Malware from here, install it, open it up and update it.

          Step 2: Reboot the computer, press F8 a few times BEFORE the Windows loading screen comes up, and choose Safe Mode to boot the computer into Safe Mode.

          Step 3: Run a full scan with Malwarebytes Anti-Malware and remove everything it finds.

          Step 4: Insert the Windows Vista disk into the computer and reboot, and ensure you boot from your Windows Vista disk (change boot settings in BIOS or use the F12 key and choose the CD/DVD drive).

          Step 5: Choose the recovery option.

          Step 6: When recovery options show up, choose Command Line.

          Step 7: In the command line type the following two commands, pressing Enter after each command:

          bootrec /fixmbr

          bootrec /fixboot

          This will rewrite your master boot record and fix the boot sector (overwriting and removing the damage caused by MBRkit), giving you a clean MBR.

          Reboot the computer into regular mode now, with your Windows Vista disk still in the drive.

          Open up an elevated command line (click the Windows Start Orb, type cmd in the search box, right-click on Command Prompt and select Run as administrator) and type

          sfc /scannow

          and press Enter.

          Let it run; it will fix atapi.sys with a clean version if needed.

          Reboot the computer and you should be in good shape.

          Disclaimer: You follow these instructions at your own risk. I am NOT responsible for any damage that could or may occur to your system by following these steps, as virus infections can sometimes destroy data when being removed due to various circumstances. I am not responsible for any data loss. You follow these steps at your own risk and willingly choose to do so. If you are not comfortable performing these steps, please see an IT Professional or local repair shop.

          Message was edited by: woody79_00 on 5/14/10 10:17:59 AM CDT
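A small triage helper, added here as an example and not part of woody79_00's reply or of McAfee's tooling. It parses report lines in the two-line shape Stinger printed above (path, then "Found the ... trojan !!!"), drops the duplicated entries, and groups paths by detection name. The point a defender cares about: the 12 hex digits after "Artemis!" are taken from the file's MD5 hash, so two paths reported under the same Artemis name hold the same file content. That is why the DriverStore and winsxs copies of atapi.sys share Artemis!0D83C87A801A, and it also means that whatever is true of one copy (tampered or false positive) is true of both; the shared name says nothing by itself about which. The sample report is constructed from the entries quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format Stinger printed in the thread: paths and
# detection names are the ones quoted above; the repeated ACST4.DLL entry is
# deliberate, since the report listed some files twice.
STINGER_REPORT = r"""
C:\Program Files\AOL Install\ACST4.DLL
     Found the Artemis!A96727649D8E trojan !!!
C:\Windows\System32\Macromed\Flash\uninstall_plugin.exe
     Found the Artemis!1D1247CE196B trojan !!!
C:\Program Files\AOL Install\ACST4.DLL
     Found the Artemis!A96727649D8E trojan !!!
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
     Found the Artemis!0D83C87A801A trojan !!!
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
     Found the Artemis!0D83C87A801A trojan !!!
C:\Windows\CouponPrinter.ocx
     Found the Artemis!197AA0B3D714 trojan !!!
"""

DETECTION_RE = re.compile(r"Found the (?P<name>\S+) trojan")
# Artemis names carry the first 12 hex digits of the file's MD5 after the bang.
ARTEMIS_RE = re.compile(r"^Artemis!(?P<md5prefix>[0-9A-Fa-f]{12})$")


def parse_stinger_report(text):
    """Return unique (path, detection_name) pairs in report order.

    Stinger prints the path on one line and the detection on the next, so each
    'Found the ...' line is paired with the most recent path line.
    """
    findings = []
    seen = set()
    current_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.search(line)
        if m is None:
            current_path = line  # a path line
            continue
        if current_path is None:
            continue  # detection with no preceding path; ignore it
        entry = (current_path, m.group("name"))
        if entry not in seen:
            seen.add(entry)
            findings.append(entry)
        current_path = None
    return findings


def group_by_detection(findings):
    """Map detection name -> sorted list of paths reported under it."""
    groups = defaultdict(list)
    for path, name in findings:
        groups[name].append(path)
    return {name: sorted(paths) for name, paths in groups.items()}


def same_content_groups(findings):
    """Artemis names that appear under more than one path.

    Because the name is derived from the file's MD5, those paths hold the same
    bytes: if one copy is a patched driver, all are; if one is a false
    positive, all are.
    """
    return {name: paths for name, paths in group_by_detection(findings).items()
            if ARTEMIS_RE.match(name) and len(paths) > 1}


if __name__ == "__main__":
    found = parse_stinger_report(STINGER_REPORT)
    print(f"{len(found)} unique findings")
    for name, paths in same_content_groups(found).items():
        print(f"{name}: identical content at {len(paths)} paths")
        for p in paths:
            print("   ", p)
```

To turn the shared-name observation into an actual verdict, compare the MD5 of the live driver (normally C:\Windows\System32\drivers\atapi.sys) against a copy taken from the Vista install media or a known-clean machine at the same service-pack level; a match with a known-good copy settles the false-positive question, and a mismatch is the case where the bootrec and sfc /scannow steps above matter.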
          • 2. Re: Fake Alert and Artemis Trojans

            Hello woody79_00,

            I removed the following through Add/Remove Programs:

            C:\Program Files\AOL Install\ACST4.DLL
                 Found the Artemis!A96727649D8E trojan !!!

            C:\Program Files\GIMP-2.0\bin\libmng.dll
                 Found the Artemis!35F54CC9685E trojan !!!

            C:\Program Files\NetZeroInstallers\IsAdmin.exe
                 Found the Artemis!21218D931D99 trojan !!!

            C:\Program Files\WildTangent\Dell Games\Bejeweled 2 Deluxe\WinBej2-WT.exe
                 Found the Artemis!1603513D4DC2 trojan !!!

            C:\Windows\CouponPrinter.ocx
                 Found the Artemis!197AA0B3D714 trojan !!!

            Then I followed your directions (Windows Vista disk, bootrec /fixmbr, bootrec /fixboot, and sfc /scannow).  When I run sfc /scannow it scans and then tells me that "Verification 100% complete. Windows Resource Protection found corrupt files but was unable to fix some of them.  Details are included in the CBS.Log windir\Logs\CBS\CBS.log.  For example C:\Windows\Logs\CBS\CBS.log."  I tried to view the CBS.Log but it tells me "Access Denied".  I have run sfc /scannow 5 times now, and it always says the same thing.

            I ran McAfee's Stinger again also (version 10.0.1.758 for FakeAlerts) and now it finds only the following:

            C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
                 Found the Artemis!0D83C87A801A trojan !!!
            C:\Windows\System32\Macromed\Flash\uninstall_plugin.exe
                 Found the Artemis!1D1247CE196B trojan !!!

            Your directions (Windows Vista disk, bootrec /fixmbr, bootrec /fixboot, and sfc /scannow) must have removed C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys, because that one no longer appears on the Stinger report.

            Any ideas on how to get rid of the remaining 2 stubborn items?

            C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
                  Found the Artemis!0D83C87A801A trojan !!!
            C:\Windows\System32\Macromed\Flash\uninstall_plugin.exe
                  Found the Artemis!1D1247CE196B trojan !!!

            Thank you!

            • 3. Re: Fake Alert and Artemis Trojans

              Hi czander, I'll try to make this one a little more simple since we're almost done.

              Step 1: Go to Add/Remove Programs and uninstall Adobe Flash Player.

              Step 1 is to make sure Flash hasn't been patched; we will cleanly reinstall it at the end of this session. This will take care of the false positive in C:\Windows\System32\Macromed\Flash\uninstall_plugin.exe, since we will be replacing it with a new version.

              Step 2: Download Hitman Pro and install it on your system. (Be sure you are connected to the internet when installing it and scanning with it.)

              Step 3: Scan your system with Hitman Pro; make sure you're connected to the internet. (Hitman Pro is probably the single best tool around for dealing with rootkits; it uses multiple anti-virus vendor engines all at the same time in the cloud, and it has its own behavioral analysis to be sure you're clean.) If Hitman Pro says you're clean, you're clean.

              If Hitman Pro finds an infection, you get a 30-day free trial of it and it will remove the infection (which is great because we're only going to use it this one time, and it doesn't have real-time protection; it's just a very, very thorough second opinion).

              Step 4: Once Hitman Pro is done scanning your system and removing whatever is found, go to www.adobe.com, click on Get Flash Player, and reinstall a clean version of Flash, and you should be golden.

              Let me know the results.

              Sincerely,

              Woody

              Disclaimer:

              You follow these instructions at your own risk. I am NOT responsible for any damage that could or may occur to your system by following these steps, as virus infections can sometimes destroy data when being removed due to various circumstances. I am not responsible for any data loss. You follow these steps at your own risk and willingly choose to do so. If you are not comfortable performing these steps, please see an IT Professional or local repair shop.

              • 4. Re: Fake Alert and Artemis Trojans

                Removed Flash and installed (and ran) Hitman Pro.  When scanned, Hitman did not find anything.  Re-ran Malwarebytes, which also found nothing.  Re-ran McAfee Stinger, and this time nothing turned up.  However, I re-ran sfc /scannow and that still says "Verification 100% complete.  Windows Resource Protection found corrupt files but was unable to fix some of them.  Details are included in the CBS.Log windir\Logs\CBS\CBS.log.  For example C:\Windows\Logs\CBS\CBS.log."  I am unable to view this log because when I try it says "Access Denied."  Should I be worried about this?  When will we know our computer is safe to use if this message about corrupt files still appears?

                Thank you for all your help.

                • 5. Re: Fake Alert and Artemis Trojans

                  Hi czander,

                  I would say your system is clean, since Stinger, Hitman, and Malwarebytes find nothing.

                  The error log you state may just be a generic error.

                  If you want to view the contents of that log file, perform the following steps:

                  Step 1: Go to Start and type Notepad into the search box, then right-click on Notepad and select "Run as Administrator"; click through the User Account Control prompt.

                  Step 2: In Notepad go to File and then Open.

                  Step 3: In the Notepad Open dialog box browse to C:\Windows\Logs\CBS\CBS.log and click Open.

                  You must be running as administrator to view that file; by default you don't have the necessary rights to view the log file, and running Notepad as administrator will allow you to view the contents.

                  You can paste the results of the log file here and we can take a look at it.

                  The files it's mentioning in question may not have anything wrong with them.

                  I will also recommend booting your computer from your Windows Vista disk, selecting the command line from the Windows Recovery Environment, and then running sfc /scannow from the command line there, just to be sure nothing is conflicting with it.

                  You can follow the same steps used to run the bootrec /fixboot and bootrec /fixmbr commands; just instead of running those commands, run sfc /scannow.

                  Also, if you can, post the contents of that log.

                  Disclaimer:

                  You follow these instructions at your own risk. I am NOT responsible for any damage that could or may occur to your system by following these steps, as virus infections can sometimes destroy data when being removed due to various circumstances. I am not responsible for any data loss. You follow these steps at your own risk and willingly choose to do so. If you are not comfortable performing these steps, please see an IT Professional or local repair shop.
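Once the log is readable, the useful part is small: every System File Checker entry in CBS.log is tagged [SR], and the files SFC gave up on are the "Cannot repair member file" lines. The script below is an added example, not part of woody79_00's reply or of any Microsoft tool; it extracts the [SR] lines and tallies the unrepaired files so that a few lines can be posted instead of the whole multi-megabyte log. The sample log is constructed in the shape real CBS.log lines take (the atapi.sys/mshdc.inf entry echoes the version in the winsxs path quoted in the thread; the example.dll entry is invented filler). Run it from an administrator prompt against C:\Windows\Logs\CBS\CBS.log, since the file is not readable otherwise, which is the "Access Denied" czander hit.

```python
import re
from collections import Counter

# Constructed sample in the shape of CBS.log (not czander's real log).
CBS_LOG = r"""
2010-05-14 10:22:01, Info                  CBS    Starting TrustedInstaller initialization.
2010-05-14 10:22:03, Info                  CSI    0000012b [SR] Verifying 100 (0x0000000000000064) components
2010-05-14 10:22:03, Info                  CSI    0000012c [SR] Beginning Verify and Repair transaction
2010-05-14 10:22:05, Info                  CSI    0000012d [SR] Cannot repair member file [l:18{9}]"atapi.sys" of mshdc.inf, Version = 6.0.6001.18034, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-05-14 10:22:05, Info                  CSI    0000012e [SR] Repairing corrupted file [l:24{12}]"\??\C:\Windows\System32"\[l:22{11}]"example.dll" from store
2010-05-14 10:22:06, Info                  CSI    0000012f [SR] Cannot repair member file [l:18{9}]"atapi.sys" of mshdc.inf, Version = 6.0.6001.18034, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-05-14 10:22:06, Info                  CSI    00000130 [SR] Repair complete
2010-05-14 10:22:07, Info                  CBS    Ending TrustedInstaller finalization.
"""

# Every SFC message is prefixed with the [SR] tag.
SR_RE = re.compile(r"\[SR\] (?P<msg>.*)$")
# A file SFC could not fix: the [l:NN{MM}] field is the name's byte/char length.
UNREPAIRED_RE = re.compile(
    r'Cannot repair member file \[l:[^\]]+\]"(?P<file>[^"]+)" of (?P<component>[^,]+),'
)


def sfc_lines(log_text):
    """Return only the System File Checker ([SR]) messages, in log order."""
    out = []
    for line in log_text.splitlines():
        m = SR_RE.search(line)
        if m:
            out.append(m.group("msg"))
    return out


def unrepaired_files(log_text):
    """Map 'file (component)' -> number of 'Cannot repair' entries for it.

    SFC logs a file once per verification pass, so five runs of sfc /scannow
    produce five entries for the same file; counting collapses that.
    """
    hits = Counter()
    for msg in sfc_lines(log_text):
        m = UNREPAIRED_RE.search(msg)
        if m:
            hits[f"{m.group('file')} ({m.group('component')})"] += 1
    return hits


def summarize(log_text):
    """Compact summary suitable for pasting into a thread."""
    lines = sfc_lines(log_text)
    return {"sr_lines": len(lines), "unrepaired": dict(unrepaired_files(log_text))}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python cbs_summary.py C:\Windows\Logs\CBS\CBS.log (as administrator)
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = CBS_LOG
    report = summarize(text)
    print(f"{report['sr_lines']} SFC lines")
    for entry, n in report["unrepaired"].items():
        print(f"  could not repair: {entry}  (reported {n} time(s))")
```

Without Python, the same extraction is the one-liner Microsoft documents for sfc: from an elevated Command Prompt, findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log > "%userprofile%\Desktop\sfcdetails.txt", then search the resulting file for "Cannot repair".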

                  • 6. Re: Fake Alert and Artemis Trojans

                    I was incorrect when I said the infected files were gone.  I incorrectly ran Stinger in regular mode, which would turn off the "Very High" setting.  Stinger still finds the following:

                    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_4c9c5a00\atapi.sys
                          Found the Artemis!0D83C87A801A trojan !!!
                    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18034_none_dd1bb97e219e87cb\atapi.sys
                          Found the Artemis!0D83C87A801A trojan !!!

                    When I uninstalled Flash, it got rid of that trojan.  But then I reinstalled Flash from www.adobe.com and ran Stinger again in Safe Mode, and a whole bunch of new things appeared regarding that download of Flash.  When I saw them appear, I immediately stopped Stinger and logged back into regular mode to remove Flash again.  When I re-ran Stinger again in Safe Mode, the two above files appeared.  This is really frustrating since one of those above infected files was gone and is now back again, and all the prior steps I have done to fix it don't seem to remove it this time.  And no matter what I do the first infected file always appears.

                    I was able to view the CBS.Log following the instructions you gave me on how to be able to read that, but it is way too big to attach or copy/paste the whole thing.

                    What else can I remove to get rid of these infected files?  At this point, should I just reinstall Windows entirely?

                    • 7. Re: Fake Alert and Artemis Trojans

                      Hi,

                      If you are running Stinger on a high or greater sensitivity rating, it is a very real possibility that those detections are false positives.

                      I say that because Stinger run on high settings is notoriously known for false positives. Also, when you re-installed Adobe Flash, it was clean. There was nothing wrong with your Adobe Flash; McAfee was incorrectly flagging it.

                      Since Hitman Pro and others came up clean, we will run one last final scan in Safe Mode:

                      1. Download SUPERAntiSpyware Free Edition, install it, and update it.

                      2. Boot the computer into Safe Mode and run a full system scan with it, and remove any items that it finds, if it finds any.

                      3. Download the Norton Cleaner tool and run it to ensure all traces of rogues are gone. (This tool was written specifically for this purpose.)

                      4. Run an online scan with Trend Micro HouseCall.

                      After that, I would say you're clean.

                      I know the Adobe Flash detection is a false positive, and since we fixed your boot record and repaired with the sfc /scannow tool, I would say you're almost out of the woods. Once you're done with the above tools, if you come out clean, I would say your computer is in good shape and you're good to go.

                      Report back your findings.

                      Disclaimer:

                      You follow these instructions at your own risk. I am NOT responsible for any damage that could or may occur to your system by following these steps, as virus infections can sometimes destroy data when being removed due to various circumstances. I am not responsible for any data loss. You follow these steps at your own risk and willingly choose to do so. If you are not comfortable performing these steps, please see an IT Professional or local repair shop.