Solved

Infected with Artemis!

  • December 4, 2013
  • 10 replies
  • 192 views

Greetings All,
 
My computer has been infected with the Artemis!B048C7DA8B90 virus.
 
Specifically, it attacks my WRSA.exe and WRupdate files. A while back, I noticed Windows Update stopped working and System Restore had literally disappeared from my system (running Windows XP Service Pack 3), I can't get into Windows Firewall from Control Panel (not that I'm using it), and automatically setting Windows Update in security center doesn't work (nor can I get manual updates).
 
So I've been updating and running McAfee Stinger, Malwarebytes, Trojan Killer, Emsisoft, AVG (which I've since deleted), and Hitman Pro (Trial version). Only yesterday did I finally get a hit with McAfee Stinger which found and deleted the Artemis virus.
 
With my WRSA.exe file gone, I had to uninstall then reinstall Webroot. I then did a Full Scan. It found no threats. I ran Stinger again and it found and deleted the same files mentioned above. Reinstalled WR again. Changed Stinger settings to Very High and then Repair (not delete). Artemis was back, of course, but instead of repairing the files, Stinger deleted them again. Reinstalled WR again... ugh!
 
You get the picture. If anyone has any ideas about how to remove this file I would greatly appreciate your input. I'm betting there's a few entries in the registry that need to go. Also did a search and found nothing yet on this version of Artemis.
 
Thanks in Advance! 🙂


Cat
  • Retired Webrooter
  • December 4, 2013
I'm so sorry to hear that! The best way for us to help you in this situation is to submit a ticket here to our Support/Threat team. They will quickly help you resolve this at no charge.

RetiredTripleHelix
Gold VIP
Hello lhaveavirus and welcome to the Webroot Community Forums!
 
Cat is correct; the Support team will be happy to help you get this fixed up.
 
Cheers,
 
Daniel 😉

explanoit
Silver VIP
  • Silver VIP
  • December 4, 2013
Wow, this is the first time I've ever heard of a virus successfully subverting WSA. This is on XP though.
Please do contact support on behalf of other users as well. I'm sure they'll be extremely interested in how this happened.

  • Author
  • Fresh Face
  • December 5, 2013
Will do gang, thank you! And thanks for the nice welcome! 🙂

DanP
  • OpenText Employee
  • December 5, 2013
The detections of the WRSA.exe and WRupdate files are False Positives caused by setting the sensitivity on McAfee Stinger to Very High. Artemis! is a generic name used by McAfee for files detected by heuristics.
 
-Dan

RetiredTripleHelix
Gold VIP
Hi Dan, wouldn't WSA protect itself from being deleted, especially WRSA.exe?
 
TIA,
 
Daniel

DanP
  • OpenText Employee
  • Answer
  • December 5, 2013
@ wrote:
Hi Dan, wouldn't WSA protect itself from being deleted, especially WRSA.exe?
 
TIA,
 
Daniel

Yes, WSA will protect itself from deletion unless self protection is manually disabled, and we're not aware of any current malware that is disabling self protection. With Stinger sensitivity set to Very High, the desktop shortcut for WSA and the installer are both detected and deleted, and WRSA.exe does show up in the Quarantine tab of Stinger, so in some ways it does appear as though Stinger removed WRSA.exe although the actual file has not been removed.
 
-Dan

RetiredTripleHelix
Gold VIP
Excellent!
 
Thanks Dan,
 
Daniel 😃

explanoit
Silver VIP
  • Silver VIP
  • December 5, 2013
THANKS @ 

The only way I know of Stinger being able to truly remove everything from a virus is if you go and end the task of explorer.exe and then re-run it with admin rights. But it still misses stuff, mostly .dll's, but that's still annoying to have anything left over.