3 Replies Latest reply on Sep 17, 2012 1:34 AM by limeister77

    Possible False Positive - Artemis! E088D5F5DA3D

      Dear All


      Thanks for your prompt replies.


      I believe it is a false positive because I have completed the following tasks. 

      If I have missed a task then please let me know and I will try it.


      For WinXP SP3 system.


      1) Updated DAT to most recent version.

      2) Ran MS Removal Tool Windows-KB890830-V4.10.exe.  No detections found.

      3) Followed instructions in KB962007.  It is a local machine so some instructions for Group Policy did not apply.

      4) Installed MS08-067 security patch & Update 967715

      5) Ran Windows Update

      6) Ran GETSUSP program and already submitted information.

      7) No more Conficker virus message but keep getting Artemis message.


      I hope to hear good news from you guys again soon.

        • 1. Re: Possible False Positive - Artemis! E088D5F5DA3D

          Hi,


          Thank you for performing the steps mentioned above. However, as stated earlier, we would like you to configure a custom On Demand Scan with Heuristics turned off and perform a full scan with these custom ODS settings. If the value after Artemis! has changed, let us know the full Artemis detection names that are observed now.


          Regards,

          Showvik

          • 2. Re: Possible False Positive - Artemis! E088D5F5DA3D

            Hello again.


            I followed up and scanned the other machine with the same Artemis message.

            This is the WinXP SP3 machine.


            On this machine also I ran a customized on demand scan with no heuristics.  No changes in value.

            I appreciate your help on this matter.


            8/28/2012          8:53:37 AM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe          \REGISTRY\MACHINE\Software\VMware, Inc.\VMware Tools\VMUpgradeHelper\Adapters\00:0C:29:23:7F:B2          Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings          Action blocked : Write

            8/28/2012          8:53:45 AM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe          \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\VMUpgradeHelper\Adapters\00:0C:29:23:7F:B2\PNPDeviceID          Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings          Action blocked : Create

            8/28/2012          8:53:46 AM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe          \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\VMUpgradeHelper\Adapters\00:0C:29:23:7F:B2\InterfaceGUID          Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings          Action blocked : Create

            8/28/2012          8:53:46 AM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe          \REGISTRY\MACHINE\Software\VMware, Inc.\VMware Tools\VMUpgradeHelper\Adapters\00:0C:29:23:7F:BC          Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings          Action blocked : Write

            8/28/2012          8:53:46 AM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe          \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\VMUpgradeHelper\Adapters\00:0C:29:23:7F:BC\PNPDeviceID          Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings          Action blocked : Create

            8/28/2012          8:53:47 AM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe          \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\VMUpgradeHelper\Adapters\00:0C:29:23:7F:BC\InterfaceGUID          Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings          Action blocked : Create

            8/28/2012          8:53:47 AM          Would be blocked by Access Protection rule  (rule is currently not enforced)           NT AUTHORITY\SYSTEM          C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe          \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\VMUpgradeHelper\NetConfigSaved          Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings          Action blocked : Create


            8/28/2012          1:09:53 PM          Not scanned  (scan timed out)           TLGKR7104DO009\Linde          System:Remote          C:\WINDOWS\system32\kyllzq.dbc

            8/28/2012          1:09:53 PM          Deleted           TLGKR7104DO009\Linde          System:Remote(192.168.1.210 (ASP2_ES))          C:\WINDOWS\system32\kyllzq.dbc          Artemis!E088D5F5DA3D (Virus)

            8/28/2012          1:30:21 PM          Not scanned  (scan timed out)           TLGKR7104DO009\Linde          System:Remote          C:\WINDOWS\system32\kyllzq.dbc

            8/28/2012          1:30:21 PM          Deleted           TLGKR7104DO009\Linde          System:Remote(192.168.1.211 (ASP2_OS_SV1))          C:\WINDOWS\system32\kyllzq.dbc          Artemis!E088D5F5DA3D (Virus)

            8/28/2012          1:35:08 PM          Not scanned  (scan timed out)           TLGKR7104DO009\Linde          System:Remote          C:\WINDOWS\system32\kyllzq.dbc

            8/28/2012          1:35:08 PM          Deleted           TLGKR7104DO009\Linde          System:Remote(192.168.1.212 (ASP2_OS_SV2))          C:\WINDOWS\system32\kyllzq.dbc          Artemis!E088D5F5DA3D (Virus)

            8/28/2012          1:52:38 PM          Not scanned  (scan timed out)           TLGKR7104DO009\Linde          System:Remote          C:\WINDOWS\system32\kyllzq.dbc

            8/28/2012          1:52:39 PM          Deleted           TLGKR7104DO009\Linde          System:Remote(192.168.1.210 (ASP2_ES))          C:\WINDOWS\system32\kyllzq.dbc          Artemis!E088D5F5DA3D (Virus)


            8/28/2012          12:27:29 PM                    Engine version                          =          5400.1158

            8/28/2012          12:27:29 PM                    AntiVirus   DAT version                 =          6817.0

            8/28/2012          12:27:29 PM                    Number of detection signatures in EXTRA.DAT =          None

            8/28/2012          12:27:29 PM                    Names of detection signatures in EXTRA.DAT  =          None

            8/28/2012          12:26:59 PM          Scan Started          TLGKR7104DO009\Linde          On-Demand Scan

            8/28/2012          12:33:21 PM          Not scanned (The file is encrypted)           c:\Installs\Virus Removal\McAfee\GETSUSP\gsusp_EC14AACD4BF5_081012_094334.zip

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Scan Summary

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Processes scanned    : 83

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Processes detected   : 0

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Processes cleaned    : 0

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Boot sectors scanned : 2

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Boot sectors detected: 0

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Boot sectors cleaned : 0

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Files scanned        : 48481

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Files with detections: 0

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          File detections      : 0

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Files cleaned        : 0

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Files deleted        : 0

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Files not scanned    : 43

            8/28/2012          1:01:46 PM          Scan Summary          TLGKR7104DO009\Linde          Run time             : 0:34:47

            8/28/2012          1:01:46 PM          Scan Complete          TLGKR7104DO009\Linde          On-Demand Scan
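As an added example (not code from the thread or from McAfee), a small Python triage of the log rows pasted above: it pulls the detection rows out of the VirusScan export, groups them by file path, and records how often the same file was deleted and from which remote hosts it was written; a file that keeps coming back between scans deserves attention independently of whether the Artemis name itself is a false positive. The field separators and the "System:Remote(ip (host))" layout are assumed from the pasted lines.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the post above (fields separated by runs
# of spaces; the original export used tabs, and both separators are handled).
SAMPLE_LOG_LINES = [
    r"8/28/2012          1:09:53 PM          Not scanned  (scan timed out)           TLGKR7104DO009\Linde          System:Remote          C:\WINDOWS\system32\kyllzq.dbc",
    r"8/28/2012          1:09:53 PM          Deleted           TLGKR7104DO009\Linde          System:Remote(192.168.1.210 (ASP2_ES))          C:\WINDOWS\system32\kyllzq.dbc          Artemis!E088D5F5DA3D (Virus)",
    r"8/28/2012          1:30:21 PM          Deleted           TLGKR7104DO009\Linde          System:Remote(192.168.1.211 (ASP2_OS_SV1))          C:\WINDOWS\system32\kyllzq.dbc          Artemis!E088D5F5DA3D (Virus)",
    r"8/28/2012          1:35:08 PM          Deleted           TLGKR7104DO009\Linde          System:Remote(192.168.1.212 (ASP2_OS_SV2))          C:\WINDOWS\system32\kyllzq.dbc          Artemis!E088D5F5DA3D (Virus)",
    r"8/28/2012          1:52:39 PM          Deleted           TLGKR7104DO009\Linde          System:Remote(192.168.1.210 (ASP2_ES))          C:\WINDOWS\system32\kyllzq.dbc          Artemis!E088D5F5DA3D (Virus)",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

FIELD_SEP = re.compile(r"(?:\t|\s{2,})+")
# Last field of a detection row, e.g. "Artemis!E088D5F5DA3D (Virus)"
DETECTION = re.compile(r"^(?P<name>\S+) \((?P<kind>[^)]+)\)$")
# Source field layout assumed from the post: "System:Remote(192.168.1.210 (ASP2_ES))"
REMOTE_SRC = re.compile(r"^System:Remote\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def parse_detections(text):
    """Return one dict per row whose last field is a detection name."""
    events = []
    for line in text.splitlines():
        fields = FIELD_SEP.split(line.strip())
        if len(fields) < 6:
            continue
        m = DETECTION.match(fields[-1])
        if not m:
            continue  # "Not scanned" and other status rows end in a path, not a detection
        src = REMOTE_SRC.match(fields[-3])
        events.append({"time": f"{fields[0]} {fields[1]}", "action": fields[2],
                       "path": fields[-2], "name": m.group("name"),
                       "remote_ip": src.group("ip") if src else None})
    return events

def triage(text):
    """Group detections by path: how often the file was deleted, under which names,
    and from which remote hosts it was written. More than one deletion means the
    file was re-created between scans."""
    by_path = defaultdict(lambda: {"deleted": 0, "names": set(), "remote_ips": set()})
    for ev in parse_detections(text):
        entry = by_path[ev["path"].lower()]
        if ev["action"] == "Deleted":
            entry["deleted"] += 1
        entry["names"].add(ev["name"])
        if ev["remote_ip"]:
            entry["remote_ips"].add(ev["remote_ip"])
    return {p: {**e, "recreated": e["deleted"] > 1} for p, e in by_path.items()}
```

On the pasted rows, triage(SAMPLE_LOG) reports the single path as deleted four times and re-created, with three distinct remote writers.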

            • 3. Re: Possible False Positive - Artemis! E088D5F5DA3D

              Hello All


              Has there been any follow-up on this issue?

              Cheers