Solved

Infected with Artemis!

  • 4 December 2013

Greetings All,
 
My computer has been infected with the Artemis!B048C7DA8B90 virus.
 
Specifically, it attacks my WRSA.exe and WRupdate files. A while back, I noticed Windows Update stopped working and System Restore had literally disappeared from my system (running Windows XP Service Pack 3), I can't get into Windows Firewall from Control Panel (not that I'm using it), and automatically setting Windows Update in security center doesn't work (nor can I get manual updates).
 
So I've been updating and running McAfee Stinger, Malwarebytes, Trojan Killer, Emsisoft, AVG (which I've since deleted), and Hitman Pro (Trial version). Only yesterday did I finally get a hit with McAfee Stinger which found and deleted the Artemis virus.
 
With my WRSA.exe file gone, I had to uninstall then reinstall Webroot. I then did a Full Scan. It found no threats. I ran Stinger again and it found and deleted the same files mentioned above. Reinstalled WR again. Changed Stinger settings to Very High and then Repair (not delete). Artemis was back, of course, but instead of repairing the files, Stinger deleted them again. Reinstalled WR again... ugh!
 
You get the picture. If anyone has any ideas about how to remove this file I would greatly appreciate your input. I'm betting there's a few entries in the registry that need to go. Also did a search and found nothing yet on this version of Artemis.
 
Thanks in Advance! 🙂

Best answer by DanP 5 December 2013, 21:02

10 replies

Userlevel 7
Badge +4
I'm so sorry to hear that! The best way for us to help you in this situation is to submit a ticket here to our Support/Threat team. They will quickly help you resolve this at no charge.
Userlevel 7
Badge +56
Hello lhaveavirus and welcome to the Webroot Community Forums!

Cat is correct; the Support team will be happy to help you get this fixed up.
 
Cheers,
 
Daniel 😉
Userlevel 7
Badge +6
Wow, this is the first time I've ever heard of a virus successfully subverting WSA. This is on XP though.
Please do contact support on behalf of other users as well. I'm sure they'll be extremely interested in how this happened.

Will do gang, thank you! And thanks for the nice welcome! 🙂
Userlevel 7
Badge +35
The detections of the WRSA.exe and WRupdate files are false positives caused by setting the sensitivity on McAfee Stinger to Very High. Artemis! is a generic name used by McAfee for files detected by heuristics.
 
-Dan
Userlevel 7
Badge +56
Hi Dan, wouldn't WSA protect itself from being deleted, especially WRSA.exe?
 
TIA,
 
Daniel
Userlevel 7
Badge +35
@ wrote:
> Hi Dan, wouldn't WSA protect itself from being deleted, especially WRSA.exe?
>
> TIA,
>
> Daniel

Yes, WSA will protect itself from deletion unless self protection is manually disabled, and we're not aware of any current malware that is disabling self protection. With Stinger sensitivity set to Very High, the desktop shortcut for WSA and the installer are both detected and deleted, and WRSA.exe does show up in the Quarantine tab of Stinger, so in some ways it does appear as though Stinger removed WRSA.exe although the actual file has not been removed.
 
-Dan
Userlevel 7
Badge +56
Excellent!
 
Thanks Dan,
 
Daniel 😃
Userlevel 7
Badge +6
THANKS @ 
Userlevel 3
The only way I know of Stinger being able to truly remove everything from a virus is if you go and end the task of explorer.exe and then re-run it with admin rights. But it still misses stuff, mostly .dll's, but that's still annoying to have anything left over.