
    Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?

      Also known as:

      Antivirus          Version          Last updated  Result
      AntiVir            8.2.4.12         2010.07.20    TR/Drop.FriJoiner.azz
      CAT-QuickHeal      11.00            2010.07.20    Trojan.Agent.ATV
      ClamAV             0.96.0.3-git     2010.07.20    PUA.Packed.ASPack
      Emsisoft           5.0.0.34         2010.07.20    Trojan-Dropper.Win32.FriJoiner!IK
      Ikarus             T3.1.1.84.0      2010.07.20    Trojan-Dropper.Win32.FriJoiner
      Jiangmin           13.0.900         2010.07.20    TrojanDropper.FriJoiner.vv
      Kaspersky          7.0.0.125        2010.07.20    Trojan-Dropper.Win32.FriJoiner.azz
      McAfee             5.400.0.1158     2010.07.20    Artemis!B0A0B0897288
      McAfee-GW-Edition  2010.1           2010.07.20    Artemis!B0A0B0897288
      Norman             6.05.11          2010.07.20    Suspicious_Gen2.APGAH
      nProtect           2010-07-20.02    2010.07.20    Trojan-Dropper/W32.FriJoiner.6111538
      Panda              10.0.2.7         2010.07.19    Trj/Sinowal.DW
      PCTools            7.0.3.5          2010.07.20    Trojan.ADH
      Sophos             4.55.0           2010.07.20    Mal/Generic-A
      Sunbelt            6606             2010.07.20    Trojan.Win32.Generic!BT
      Symantec           20101.1.1.7      2010.07.20    Trojan.ADH
      VBA32              3.12.12.6        2010.07.20    Trojan-Dropper.Win32.FriJoiner.azz
      ViRobot            2010.6.21.3896   2010.07.20    Dropper.S.FriJoiner.6111538

      Situation:
      Used this infected program for 5 months without McAfee VirusScan detecting it. So it spread across my backups also.

      Symptoms:
      I get a "your computer is no longer protected" message from McAfee VirusScan Plus when I do a scan with McAfee VirusScan Plus of an infected file, and after that it just does this every now and then. When I click it, Security Center says that I am not protected and that:

      Computer & Files required action:
      Real-time scanning is disabled.
      Spyware and potentially unwanted program scanning is disabled.
      IM scanning is disabled.
      Script scanning is disabled.
      Buffer overflow protection is disabled.

      When I click "fix it" I get an error message saying that:

      One or more problems cannot be fixed because of an error.

      When I click it again it does work and I am protected again, but the trojan has spread on my system in the meanwhile.

      What did I do about it?:
      Reinstalled Windows XP SP3 4 times, but after accessing files from other than the C: partition I get the above described problem with McAfee VirusScan Plus. The trojan must still be there but cannot be detected anymore by the various free online scanning tools that are there, and gets activated when I scan with McAfee VirusScan Plus. When I scan the source file the above described deactivation of VirusScan Plus happens and VirusScan Plus reports that no virus has been found, when in fact it activated the trojan. It did this two times after each other because I retried it, because I could not believe my eyes.

      Switched to Panda Internet Security as that program did detect the source while McAfee did not detect it. Contacted Panda support when scanning did not reveal anything but only the original infected file. Panda Support ordered a new 24 hour scan with a new, more up-to-date virus detection program which did reveal infection in the System Volume Information dirs, but after removal of those dirs the infection came back twice again, even after a Windows XP reinstall.

      Sent 7 e-mails to virus_research@avertlabs.com with the infected source file so it could be analyzed. Never heard from it anymore. Not even a confirmation of receipt. That was 1 week ago.

      Contacted McAfee support 4 times at 0,80 per minute telephone. Did not get anywhere with them. They just do not have the knowledge to fix this problem.

      So now I am going to hit the forums with this problem. I probably should have done that right away.

      So how do I remove the infection of Artemis!B0A0B0897288 from my other than C: partitions and backups, and how can I see what version of McAfee I am running, which date of the .dat file?

        • 1. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?
          exbrit

          The fact that it was detected as Artemis!B0A0B0897288 means VirusScan did stop it and they already have it, otherwise it wouldn't have been given the Artemis label.

          When emailing Webimmune all their guidelines must be followed carefully as outlined here: http://vil.nai.com/vil/submit-sample.aspx

          See this thread regarding Artemis and possibilities on dealing with them: http://community.mcafee.com/thread/2016

          Meanwhile I moved this to the Artemis sub-section of Malware Discussions so hopefully someone from Avert/WebImmune will respond to this thread soon.
          • 2. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?

            Thank you for your fast response and help Ex_Brit, but it was not detected by VirusScan as the Artemis trojan. Like I said, VirusScan was disabled and did not detect the trojan in the infected file. In fact VirusScan was disabled by the trojan and said the source file which spread the infection contained no virus or trojans. I found the originating infection file with the Panda antivirus online scan, and the above list is from VirusTotal, which scanned the infected source file. But now that it has been active on my system for months I cannot locate where it is hiding now. So I know what file was the source of the infection, but now I just need to find where the trojan is hiding now. Is that still possible? Or is it undetectable after activation? And I followed all the guidelines for Avert/WebImmune described on the link you sent. The file was 5,8 MB in the zip file with password, but on their website they say that you should mail them files bigger than 3 MB, so that could not be the problem.

            I think the problem is more that they use the virus_research@avertlabs.com e-mail address to receive infection samples from 9 countries. So I can imagine that they are swamped in e-mails.

            • 3. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?
              exbrit

              They do accept files larger than 3 MB on an exceptional basis, see the clickable link in my Artemis article. I have no idea where it's lurking if it isn't hiding in your quarantined files. I also have no idea how Panda acts when it discovers something.

              I suggest following the guidelines here: http://community.mcafee.com/docs/DOC-1294

              If that doesn't help, load the free version of this tool, update it, run a full scan and let it remove everything it finds. It may ask you to reboot to finish the removal; do so.

              If McAfee is still disabled after all that then I suggest uninstalling it in the normal manner, then run the MCPR removal tool and reboot. It is available here.

              Then reinstall from your online account.

              • 4. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?

                > I have no idea where it's lurking if it isn't hiding in your quarantined files.

                No, VirusScan Plus never even got round to detecting the trojan and quarantining it. As for your question what Panda does with the infected file: it simply deletes it. It even deletes the file when you just look at the directory listing of the file with Windows Explorer. Then it says "infected file found" and deletes it.

                Last update is that I had a clean installation of Windows XP SP3. Downloaded all the Windows programs I use and installed them. Did not use any Windows program from the other than C: partitions. Only accessed some videos from the other than C: partitions, and still after 5 days of rest VirusScan Plus got disabled again. I did do scans with the free Panda online scan and I just started to scan with Kaspersky, but found nothing of an infection.

                How is that possible? Either the scanning with Panda or Kaspersky activates the trojan, or it's attached to my MBR on the C: partition. A full scan of everything simply takes too long as I have about 1564 GB to scan. I did do a full scan before of the 1564 GB and then it found in the Windows restore point signs of infections, but they did not mention what kind of infection it was. It must be hiding in the 64 GB, and that I can scan in 15 hours. Still a long time.

                McAfee VirusScan is already reinstalled from the online account so I must have the latest version. But it is still not able to detect the source file as infected. It just gets deactivated and says that there is no trojan found. So this is a modified, more advanced version of the above mentioned trojan. They simply adjusted it again to be undetectable by McAfee.

                We really need expert help here! Someone who removed this trojan from other systems.

                • 5. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?
                  exbrit

                  Questions regarding the behaviour of other brands of protection or online scanners would have to go to their forums, I guess.

                  To check that your system is clean, download HijackThis and post its log on one of the following forums for expert guidance:

                  DOWNLOAD HIJACKTHIS

                  Do not post HijackThis logs here, we can't help with those!

                  Post the logs at a specialist forum:

                  AUMHA FORUM
                  BLEEPING COMPUTER FORUM
                  MAJOR GEEKS FORUM
                  MALWAREBYTES FORUM
                  MALWARE REMOVAL FORUM
                  SPYWAREHAMMER FORUM
                  SPYWARE INFO FORUM
                  WHAT THE TECH FORUM

                  Be sure to read all the sticky announcements/instructions at the top of each malware forum!

                  One thing to note is that Artemis by definition is an unknown object being investigated by McAfee's Webimmune people, so it could well be a false alarm.

                  • 6. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?

                    Thank you for all the help, I will consider HijackThis. However, if the trojan is so clever as to not be able to be found by a scan, I doubt that HijackThis will help. Still, I will think about it.

                    > One thing to note is that Artemis by definition is an unknown object being investigated by McAfee's Webimmune people so it could well be a false alarm.

                    Yes, well, if it is a false alarm then why is McAfee VirusScan deactivated? Also, why does VirusTotal find the above mentioned long list of trojans in the infected source file? This is all not normal behavior. There is no way that this is a false alarm.

                    By the way, a quick scan with Malwarebytes detects the following registry keys:

                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

                    Are those registry keys normally entered by McAfee VirusScan, or could it be the trojan?

                    It would really be nice if the Webimmune people let us hear something from them. Where are you Webimmune/Avert???????????????? We need your help.

                    • 7. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?
                      exbrit

                      I think those keys are affected by McAfee but I'm not positive, as I'm none too technical in that field.

                      I'm surprised that no one has waded in here.

                      • 8. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?

                        Hello,

                        The VirusTotal scan results indicate a trojan dropper. This means if you executed the file on your hard drive it will have dropped other files onto your system, either by the files being packed inside that file, or they would have been downloaded from the internet.

                        If Panda has deleted the file in question, but the infection keeps re-spawning, this could mean that other malicious files on your system are protecting the file(s) from being deleted; you'll need to locate those other files to remove the infection completely.

                        The results of the Malwarebytes scan mean that Windows Security Centre will not notify you if your antivirus and firewall are disabled. If you did not change those settings, allow Malwarebytes to change them back.

                        Whilst I agree HJT will most likely not show anything bad, that is but one tool in the armoury of those forums; HJT is very rarely used now. I suggest going down that road.

                        If you have sent the file in question to the lab, they may issue you with an extra.dat once they have done a proper analysis of the file.

                        on 30/07/10 22:07:07 IST
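The two Security Center entries quoted earlier in the thread are the kind of thing a helper would want to triage mechanically. The following script is an added example, not code from the thread or from Malwarebytes: it parses Malwarebytes-style registry result lines (the sample log is constructed from the two keys quoted above plus one extra constructed line) and reports which Security Center warnings are being suppressed and still unremediated. The mapping of value names to the warning each one silences is from the Windows XP SP2/SP3 Security Center documentation; the log line format is assumed to match the lines quoted in the thread.

```python
import re

# Constructed sample modelled on the Malwarebytes output quoted in the thread.
# The UpdatesDisableNotify line is constructed here and is not from the thread.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (0) Good: (0) -> Quarantined and deleted successfully.
"""

# Security Center DWORD values; when set to 1 the matching warning balloon is silenced.
NOTIFY_VALUES = {
    "AntiVirusDisableNotify": "antivirus disabled or out of date",
    "FirewallDisableNotify": "firewall disabled",
    "UpdatesDisableNotify": "automatic updates disabled",
}

# One Malwarebytes registry-data line: key path, value name, category, bad/good data, action.
LINE_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.*?\\Security Center)\\(?P<value>\w+)"
    r" \((?P<category>[^)]+)\) -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)"
    r" -> (?P<action>.+?)\.?$"
)


def parse_line(line):
    """Return a dict for a Security Center registry result line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "value": m["value"],
        "category": m["category"],
        "bad": int(m["bad"]),
        "good": int(m["good"]),
        "action": m["action"],
    }


def suppressed_notifications(log_text):
    """List (value name, silenced warning) for entries still set to 1 and not yet fixed."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["value"] not in NOTIFY_VALUES:
            continue
        if rec["bad"] == 1 and rec["action"].startswith("No action taken"):
            findings.append((rec["value"], NOTIFY_VALUES[rec["value"]]))
    return findings


if __name__ == "__main__":
    for value, meaning in suppressed_notifications(SAMPLE_LOG):
        print(f"{value}: Security Center warning for '{meaning}' is suppressed")
```

A legitimate security product normally registers itself with Security Center rather than silencing its warnings, so entries like these warrant letting the scanner reset them to 0 and then re-checking.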
                        • 9. Re: Windows XP SP3 system infected by Artemis!B0A0B0897288 How to remove?

                          Thank you both for your help.

                          > If Panda has deleted the file in question, but the infection keeps re-spawning, this could mean that other malicious files on your system are protecting the file(s) from being deleted, you'll need to locate those other files, to remove the infection completely.

                          Yes, I reformatted the C: partition with Windows and then reinstalled Windows, so the only place where it could still hide is if it infected files on the other than C: partition, or it's hiding in the MBR on the C: partition.

                          > If you have sent the file in question to the lab, they may issue you with an extra.dat once they have done a proper analysis of the file.

                          Yes, well, it's now been 2 weeks ago that I sent 7 e-mails to them with the infected source file so they could analyse them. I have still heard nothing from McAfee. Attempts to find out more about why they do not respond to my e-mails get nowhere. I did find out that they receive e-mails from 9 countries on the trojan analysis e-mail address, so that's probably why it takes forever for them to get into action. That or they are all on vacation.

                          Still, I believe that study of this trojan is the only chance I have at removing it from my system and still keeping all my files. Even though the virus/trojan might rewrite itself after infection, you might still be able to extrapolate a signature if you study it closely. Anyway, this is not happening at the moment. McAfee is doing nothing.

                          MCAFEE PLEASE LET US HEAR SOMETHING FROM YOU. ANALYZE THIS TROJAN OR GIVE US ANY SIGN OF LIFE.