30877 Views, 31 Replies. Latest reply: Nov 18, 2011 10:56 PM by Hayton
  • Hayton, Volunteer Moderator (4,602 posts since Sep 27, 2010)
    10. Nov 3, 2011 6:53 PM (in response to Peacekeeper)
    Re: Artemis !20B937399785 trojan

    "xnotes.exe" is recognised by other AV vendors as malware. McAfee includes this as a PUP associated with BitCoinMiner. See the description at http://vil.nai.com/vil/content/v_617462.htm

    xnotes modifies the registry to run automatically at startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\XNOTES = %PROGRAMFILES%\XNotes\XNotes.exe

    Generic PUP.z!gx looks like the downloader, and while McAfee says it's a PUP, almost everyone else classes it as a Trojan. See http://home.mcafee.com/virusinfo/virusprofile.aspx?key=582336#none

    All the notes for these two say that a regular scan should delete the dropped files and remove or repair the registry setting(s). If you are being re-infected, there must be another agent somewhere on your system that is doing it, perhaps by downloading these files at startup, or else McAfee's quarantining is missing something.

    I see you're now being taken through some detailed detection and removal steps by someone at MajorGeeks, so I won't suggest anything for you to try. Too many cooks, and all that ...


    Volunteer Moderator, Leeds, UK
    No PM's please
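The Run-key entry quoted in the post above is the kind of thing worth checking on every autorun key, not just the one McAfee names. The script below is an added example (not code from the thread, from McAfee, or from any of the posters): it parses the text that `reg export` writes for a Run key and flags entries by two rules, the XNotes name reported in the thread and, as an assumption of this example, any command whose image lives under a user-writable profile folder such as %APPDATA%\Local, which is where the thread later says the dropped files land. The sample export is constructed; the OneDrive entry in it is deliberately a legitimate program that trips the location rule, so treat hits as leads to inspect rather than verdicts.

```python
"""Triage Run-key autoruns from a `reg export` text file (added example).

Typical export on the affected machine (reg export writes UTF-16 with a BOM):
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
  reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run_user.reg
then: triage_autoruns(open("run.reg", encoding="utf-16").read())
"""
import ntpath
import re

# Names taken from the thread (compared case-insensitively, by value name or image stem).
SUSPECT_NAMES = {"xnotes"}
# Location heuristic (assumption of this example): autoruns under the user profile deserve a look.
SUSPECT_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")

# Constructed sample of a .reg export. XNotes is stored as REG_EXPAND_SZ (hex(2): UTF-16LE
# bytes, wrapped with trailing backslashes), which is how reg export writes a %PROGRAMFILES% value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"XNotes"=hex(2):25,00,50,00,52,00,4f,00,47,00,52,00,41,00,4d,00,46,00,49,00,4c,00,\
  45,00,53,00,25,00,5c,00,58,00,4e,00,6f,00,74,00,65,00,73,00,5c,00,58,00,4e,00,\
  6f,00,74,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\arvin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\arvin\\AppData\\Local\\E\\chrome.exe"
'''

_VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " inside a quoted string."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for REG_SZ and REG_EXPAND_SZ values.

    dword: and plain hex: values are skipped; a Run key normally holds only strings.
    """
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group("name") is None else _unescape(m.group("name"))
        data = m.group("data")
        while data.endswith("\\") and i < len(lines):   # hex values wrap onto continuation lines
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("hex(2):"):
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            keys[current][name] = raw.decode("utf-16-le").rstrip("\x00")
    return keys


def command_image(command):
    """Pull the executable path out of a Run-key command line (quoted or bare, with arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage_autoruns(reg_text):
    """List (key, value_name, image, reasons) for Run/RunOnce entries that trip a rule."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        for name, command in values.items():
            image = command_image(command)
            low = image.lower()
            stem = ntpath.splitext(ntpath.basename(low))[0]
            reasons = []
            if name.lower() in SUSPECT_NAMES or stem in SUSPECT_NAMES:
                reasons.append("matches a name reported in the thread")
            if any(d in low for d in SUSPECT_DIRS):
                reasons.append("image is under a user-writable profile folder")
            if reasons:
                findings.append((key, name, image, reasons))
    return findings


if __name__ == "__main__":
    for key, name, image, reasons in triage_autoruns(SAMPLE_REG):
        print(f"{key}\n  {name} -> {image}\n  {'; '.join(reasons)}")
```

Run it against both the HKLM and HKCU Run keys (and the Wow6432Node copies on 64-bit Windows), since a per-user entry would not show up in the HKLM export the post quotes. The location rule will also fire on legitimate per-user software, as the constructed OneDrive entry shows; the point of the output is a short list of images to inspect, not a removal list.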
  • Hayton, Volunteer Moderator (4,602 posts since Sep 27, 2010)
    13. Nov 3, 2011 9:12 PM (in response to arvin1)
    Re: Artemis !20B937399785 trojan

    MajorGeeks is a respected PC help forum, and I won't interfere while you're following the instructions they're giving you. I see you ran the rootkit diagnostics and they came back clean; that's a good sign.

    One thing to consider is that the file that's repeatedly giving you BitCoinMiner may be in a location that a Quick Scan would not go to. If you are advised to run Malwarebytes, run a Full Scan, and do it from Windows, not Safe Mode.

    Next time you reboot, put Process Explorer in the Startup section of Programs in the Start Menu so you can see what's running, and look for the running processes associated with this PUP/Trojan.


    Volunteer Moderator, Leeds, UK
    No PM's please
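Process Explorer, as suggested above, is the right tool for eyeballing the process list at startup; when the list needs to be triaged repeatedly or posted to a thread, a scriptable listing is easier. The following is an added example (not from the thread or the posters) that reads the CSV written by `tasklist /v /fo csv > procs.csv` and flags processes by the image name reported in the thread and by accumulated CPU time, since the miner pegs the CPU. The rows are constructed and the CPU-time threshold is an assumption. tasklist does not report the image path, so a high-CPU `chrome.exe` here is only a lead; confirm the path in Process Explorer before acting on it.

```python
"""Flag running processes tied to the PUP from a `tasklist /v /fo csv` listing (added example)."""
import csv
import io

SUSPECT_IMAGES = {"xnotes.exe"}     # image name from the thread, compared case-insensitively
CPU_SECONDS_THRESHOLD = 600         # assumption: 10 CPU-minutes is unusual soon after a reboot

# Constructed sample; column order is what `tasklist /v /fo csv` writes.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","24 K","Unknown","NT AUTHORITY\\SYSTEM","1:02:33","N/A"
"explorer.exe","1844","Console","1","45,212 K","Running","PC\\arvin","0:00:41","N/A"
"XNotes.exe","3120","Console","1","8,904 K","Running","PC\\arvin","0:00:03","N/A"
"chrome.exe","3388","Console","1","312,660 K","Running","PC\\arvin","0:58:10","N/A"
'''


def cpu_seconds(text):
    """Convert tasklist's H:MM:SS CPU Time column to seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def triage_tasklist(csv_text):
    """Return findings as {image, pid, cpu_seconds, reasons}, in listing order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["PID"] == "0":          # the idle process accumulates CPU time by design; skip it
            continue
        image = row["Image Name"]
        secs = cpu_seconds(row["CPU Time"])
        reasons = []
        if image.lower() in SUSPECT_IMAGES:
            reasons.append("image name reported in the thread")
        if secs >= CPU_SECONDS_THRESHOLD:
            reasons.append("high CPU time; check its image path in Process Explorer")
        if reasons:
            findings.append({"image": image, "pid": int(row["PID"]),
                             "cpu_seconds": secs, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_tasklist(SAMPLE_TASKLIST):
        print(f"{f['image']} (PID {f['pid']}, {f['cpu_seconds']}s CPU): {'; '.join(f['reasons'])}")
```

Because the thread reports a fake "chrome" dropped under %appdata%\local, the name alone cannot separate the real browser from the PUP; that is exactly the case where the image path column in Process Explorer settles it.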
  • Peacekeeper, Volunteer Moderator (21,363 posts since Nov 23, 2002)
    15. Nov 4, 2011 12:32 AM (in response to Hayton)
    Re: Artemis !20B937399785 trojan

    Peter, I have asked a McAfee lab staffer to have a look here, as McAfee is not getting the dropper. See if he has a suggestion.


    Tony
    Volunteer Moderator
    McAfee Total Protection 7.0 beta, Windows 8 64-bit
    No Unrequested PMs please
    Do you have an idea for improving McAfee products? Please share it in the new Ideas community space!  NOTE: You must register an account first.

  • Nitin Kumar, McAfee SME (154 posts since Nov 7, 2009)
    16. Nov 4, 2011 1:37 AM (in response to arvin1)
    Re: Artemis !20B937399785 trojan

    Potentially Unwanted Programs (PUPs) are not considered a virus or trojan because they do not self-replicate and they do not damage systems maliciously.

    The solution for the PUP, and how to submit a sample, are below (after submitting the sample, please mention the ID in this thread).

    It could be an issue with the detection and removal configuration you have set for the McAfee product. Some threats reside in system-protected locations like System Restore in the Windows environment.

    You may try to unhide the hidden and system-protected files while searching for this program. These locations are usually not accessible to applications.

    Some of the threat files need to be removed manually. These are classified as Potentially Unwanted Programs.

    If you are using Windows ME/XP, ensure that System Restore is disabled, as described here:

    http://vil.mcafeesecurity.com/vil/SystemHelpDocs/DisableSysRestore.aspx

    You can find more information about the enabling/disabling of PUPs at the link given below:

    http://vil.nai.com/vil/pups/configuration.aspx

    In case you are still having problems, please send us a sample for analysis, in a password-protected ZIP file (password: infected). You can find detailed instructions for how to do this at http://vil.mcafeesecurity.com/vil/submit-sample.aspx

    If you are having problems password-protecting the file(s), here are some brief instructions for creating a password-protected zip file with WinZip.

    If you have different software or if you need further instructions, please consult the technical support of the archiving software you have.

    WinZip is available for download at www.winzip.com

    1) Create a new zip file

    2) In WinZip, choose Options, then Password, then type the password "infected"

    3) Place your infected files in the Zip file

    4) Close the archive and send it to Virus_Research@avertlabs.com with a description of the file.

    If you're using WinZip you can tell if the files have been password-protected because there will be a plus-sign at the end of the filename (i.e. "filename.exe+").

    Please include a description of the symptoms your system is experiencing, and any pertinent information about what AV products you are using, including company, version number (engine/DAT numbers for McAfee products) and results of the scan.

  • Hayton, Volunteer Moderator (4,602 posts since Sep 27, 2010)
    19. Nov 4, 2011 10:17 AM (in response to arvin1)
    Re: Artemis !20B937399785 trojan

    Good to know the situation has improved. Watch out for any recurrence; if you're not sure where it came from but you see it come back after visiting a particular site, please let us know.

    This one apparently drops a lot of files and folders into the %appdata%\local directory. Keep an eye on that location and watch for any more safari/E/chrome/xnotes entries. The dropper is the one McAfee would like to identify; if that is not dealt with then you just get BCM reappearing every time you delete it. And you don't want your CPU running at 100% all the time just to earn a few cents for some crook somewhere who's using you to get BitCoins.


    Volunteer Moderator, Leeds, UK
    No PM's please
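"Keep an eye on that location" is easier with a baseline to diff against than by memory. The script below is an added example (not from the thread or the posters): `snapshot()` records every file and folder under a directory, `new_entries()` diffs two snapshots, and `flag()` keeps the additions whose top-level folder or file stem is one of the names the post lists (safari, E, chrome, xnotes). On the affected machine the root would be `os.environ["LOCALAPPDATA"]`; `demo()` instead builds a throwaway directory and simulates the drop so the logic runs anywhere. The directory contents in the demo are constructed.

```python
"""Baseline-and-diff watch for the folder the post says the dropper repopulates (added example)."""
import os
import tempfile

INDICATORS = {"safari", "e", "chrome", "xnotes"}   # names from the thread, matched case-insensitively


def _key(rel, name):
    """Relative path with forward slashes so snapshots compare across runs and platforms."""
    return os.path.normpath(os.path.join(rel, name)).replace(os.sep, "/")


def snapshot(root):
    """Map every directory and file under root to ("dir", 0) or ("file", size_in_bytes)."""
    seen = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for d in dirnames:
            seen[_key(rel, d)] = ("dir", 0)
        for f in filenames:
            seen[_key(rel, f)] = ("file", os.path.getsize(os.path.join(dirpath, f)))
    return seen


def new_entries(before, after):
    """Entries present in the later snapshot but absent from the baseline."""
    return {p: meta for p, meta in after.items() if p not in before}


def flag(entries):
    """Keep entries whose top-level folder or file stem is one of the thread's names."""
    hits = {}
    for p, meta in entries.items():
        top = p.split("/")[0].lower()
        stem = os.path.splitext(p.rsplit("/", 1)[-1])[0].lower()
        if top in INDICATORS or stem in INDICATORS:
            hits[p] = meta
    return hits


def demo():
    """Simulate a clean baseline, a drop, and the diff; returns the flagged paths, sorted."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Microsoft", "Windows"))   # constructed pre-existing content
        os.makedirs(os.path.join(root, "Temp"))
        before = snapshot(root)
        # Constructed "drop": folders and a binary with the names reported in the thread,
        # plus an unrelated new file under Temp that must not be flagged.
        for d in ("E", "chrome", "XNotes"):
            os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, "XNotes", "XNotes.exe"), "wb") as fh:
            fh.write(b"MZ")
        with open(os.path.join(root, "Temp", "report.txt"), "w") as fh:
            fh.write("benign\n")
        after = snapshot(root)
        return sorted(flag(new_entries(before, after)))


if __name__ == "__main__":
    print(demo())
    # On the affected machine: save snapshot(os.environ["LOCALAPPDATA"]) with json or pickle
    # after a clean scan, take another later, and pass both to new_entries().
```

Two caveats a practitioner would want: the real browser installs under `%LOCALAPPDATA%\Google\Chrome`, so a top-level `chrome` folder is a useful signal but a single-letter name like `E` will also match anything legitimately named that way; and a re-appearing entry tells you the dropper is still present, which is the piece the thread says McAfee was not yet detecting, so the diff output is what to submit as a sample rather than the thing to delete and forget.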