31 Replies Latest reply on Nov 18, 2011 10:56 PM by Hayton

    Artemis !20B937399785 trojan

      Hi there,

       

      Recently my McAfee antivirus has been detecting and removing an Artemis!20B937399785 trojan virus with an item name of SAFARI.exe that is located in C:/program files (x86)\safari\bin. This occurs every time I restart my laptop. I have Windows 7 64 bit on my laptop, fully updated, and am using version 15 of McAfee VirusScan. I have tried using malware and pcsafe doctor in both 'normal and safe' modes to try and get rid of it, but the programs always fail to recognise this when in safe mode. I have also tried stopping certain unrecognised startup services and processes, but that didn't seem to work. Each time the computer is restarted the trojan returns and McAfee detects and quarantines it, but it doesn't seem to be removed from my system permanently. Please help, I don't know what else to try.

       

      cheers

      Arvin

        • 1. Re: Artemis !20B937399785 trojan
          Hayton

          This is BitCoinMiner. Not of itself a virus, but definitely a Potentially Unwanted Program. If you're getting it afresh at every reboot then you may have other malware on your system. You should download the latest DAT and run a scan - Full Scan might be advisable.

           

          Read the following for more information

          http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Program%3AWin32%2FBitCoinMiner&ThreatID=167389

           

          http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=617462  (see "Virus Characteristics")

           

          Message was edited by: Hayton on 02/11/11 20:37:54 GMT
          • 2. Re: Artemis !20B937399785 trojan

            Hey Hayton,

             

            I have run multiple full scans, but I will now try disabling System Restore and running the full scan to see if that has worked. Thanks for your help; the 2nd link has served to be very useful. I'll post back with my results. Should I also try running the scans in safe mode?

             

            cheers

            • 3. Re: Artemis !20B937399785 trojan
              Hayton

              Run in safe mode if you have any problems in normal mode. BitCoinMiner isn't the problem, it's what may have come with it (or that may have introduced it) that you need to look for. There may be nothing, in which case you should look at the msconfig entries to see what's causing the reappearance at every startup. Autoruns and Process Explorer are useful for this sort of thing.

               

               

              Edit - Microsoft haven't updated the entry for this variant yet. The previous entry gives a lot of information - see here.

               

              Message was edited by: Hayton on 03/11/11 03:21:11 GMT
              • 4. Re: Artemis !20B937399785 trojan

                Is there anything specific you can mention that I should look for in the msconfig entries? I've used Autoruns and have just looked through all of the startup processes/services and have deleted all the entry files that are not found. I have also stopped xnotes.exe. I have also noticed that McAfee tends to identify this PUP as well, Generic PUP .z!gx. I have run a full scan and quarantined and deleted the program. I also ran Malwarebytes and have not found anything. I'm now going to restart my computer and re-scan; hopefully nothing will be found.

                 

                Message was edited by: arvin1 on 11/2/11 11:39:20 PM CDT
                • 5. Re: Artemis !20B937399785 trojan
                  Hayton

                  Look in Startup and Services. In Services, hide the Microsoft entries and look through the list of Unknown manufacturers. I can't say what to look for, except (glib answer) anything that looks unfamiliar.

                  I have also tried stopping certain unrecognised startup services and processes, but that didn't seem to work.

                   

                  It looks as if you tried this already. Possibly whatever dropped this on your system has put an entry into the registry to ensure an automatic reload on startup.

                   

                   

                  Edit - It's worth trying Malwarebytes (free version) to see if that can detect something.

                   

                  Message was edited by: Hayton on 03/11/11 04:44:15 GMT
                  • 6. Re: Artemis !20B937399785 trojan

                    hey hayton,

                     

                    So I've updated my DAT files and engine for McAfee and I've run a full system scan. It detected Generic PUP .z!gx; I quarantined it and deleted it. I also ran Malwarebytes and nothing else was found. I also ran CCleaner and cleared the registry. I then ran Autoruns and deleted the xnotes.exe registry startup entry and cleared a few missing files. I then restarted the computer into safe mode and ran a full system scan on McAfee, followed by running a quick scan on Malwarebytes. I then proceeded to run CCleaner again and used msconfig and searched for any unknown startups, but none were found. I finally restarted my computer into normal mode and McAfee has once again found the Artemis!20B937399785 trojan virus with an item name of SAFARI.exe that is located in C:/program files (x86)\safari\bin. I then ran a full scan on McAfee and it detected the Generic PUP .z!gx file. I also ran a quick scan in Malwarebytes after the McAfee scan and no infected objects were found.

                     

                    Please help. What are the possible next steps I can take to try and overcome this problem?

                     

                    thanks

                     

                    Message was edited by: arvin1 on 11/3/11 2:53:10 AM CDT
                    • 7. Re: Artemis !20B937399785 trojan
                      Peacekeeper

                      Have you deleted all internet temp and windows temp files?

                       

                      Try this and reboot.

                       

                      Try a run with GetSusp; it might find an unknown file that could be the cause. You will find GetSusp here:

                      McAfee Communities: Anti-Spyware, Malware & Hijacker Tools

                      It will not remove anything, just notify McAfee. It is also a good idea for you to add your email addy to its preferences so McAfee can contact you.

                      • 8. Re: Artemis !20B937399785 trojan

                        hey there,

                         

                        Thanks for your advice. I have cleared both internet temp and Windows temp files using Disk Cleanup and CCleaner and restarted, but the trojan and PUP still appear to be on the system. I have also just run GetSusp and sent the files to McAfee for analysis. Basically I now know that the suspicious autorun process is C:\ Program Files (x86)\XNotes\xNotes.exe. Every time I delete this startup entry using Autoruns it seems to reappear every time I start up the machine. I have no idea how to get rid of this and the Generic PUP .z!gx, as well as the Artemis!20B937399785 trojan virus with an item name of SAFARI.exe that is located in C:/program files (x86)\safari\bin.

                         

                        any other methods to get rid of this malware??

                         

                        Message was edited by: arvin1 on 11/3/11 9:12:06 AM CDT
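Added example (not part of any post in this thread and not a McAfee tool): when a startup entry keeps coming back after deletion, a read-only PowerShell pass over the usual autostart locations can show which one still references the executable. The default pattern `xnotes` is taken from the path reported above; the English `schtasks` column names and the helper name `New-Hit` are assumptions.

```powershell
# Added example: list autostart locations that reference a given executable.
# Read-only; nothing is deleted. Works on the PowerShell 2.0 shipped with Windows 7.
param([string]$Pattern = 'xnotes')   # assumption: name fragment from the thread

function New-Hit($Source, $Name, $Command) {   # hypothetical helper
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Command = $Command }
}

# Run/RunOnce keys, per machine and per user, including the 32-bit view
# (Wow6432Node) that a program under "Program Files (x86)" would use.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

$hits = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($name -match $Pattern -or $value -match $Pattern) { New-Hit $key $name $value }
        }
    }
    # Services whose binary path references the executable
    Get-WmiObject Win32_Service | Where-Object { $_.PathName -match $Pattern } |
        ForEach-Object { New-Hit 'Service' $_.Name $_.PathName }
    # Scheduled tasks (schtasks works on Windows 7; column names are locale dependent)
    schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match $Pattern } |
        ForEach-Object { New-Hit 'ScheduledTask' $_.TaskName $_.'Task To Run' }
    # Shortcuts or files dropped into the Startup folders
    foreach ($dir in $startupDirs) {
        if (Test-Path $dir) {
            Get-ChildItem $dir | Where-Object { $_.Name -match $Pattern } |
                ForEach-Object { New-Hit 'StartupFolder' $_.Name $_.FullName }
        }
    }
)
$hits | Format-Table Source, Name, Command -AutoSize -Wrap
```

Run it from an elevated prompt so the per-machine keys and all services are readable. A hit under Service or ScheduledTask alongside a Run-key hit suggests where to look for whatever rewrites the Run entry at boot.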
                        • 9. Re: Artemis !20B937399785 trojan
                          Peacekeeper

                          Maybe follow what this forum comes up with.

                          http://forums.majorgeeks.com/showthread.php?p=1678603

                           

                          Poster has same issue

                           

                          Of course you can go with McAfee's paid removal, but best to see what is offered.

                           

                          Also asked a McAfee staffer to read the thread.

                           

                          Message was edited by: Peacekeeper on 4/11/11 7:45:08 AM