Artemis trojan problem, programs shut down

Thread Starter
Apr 14, 2010
Hello, I have the artemis trojan horse. I am using a Windows Vista SP1 Home Premium Edition. My computer is a Dell Inspiron 1420 with Intel Core 2 Duo T8300 (2.4GHz, 800Mhz, 3M L2 Cache). I am currently using Internet Explorer 7 and my anti-virus is McAfee. This is a bit long but I am trying to be as detailed as possible.

It all started when I heard clicking noises as if I were going from one page to the next while I was not. Also, I had gotten a popup saying that my JavaScript had to be reinstalled (it works okay as far as I can tell now). All of a sudden, all of my internet browsers had shut down. When I had tried to reopen the browser, it gave me the "Open With" box and in it was the IE browser application. Whether I click on it or click cancel, the browser still opens up.

Now convinced there was something terribly wrong with my computer, I opened up McAfee and did a quick scan to assess the damage. The scan showed that I had the artemis trojan and it Quarantined it. I was not able to delete or remove it. I then decided to do a reboot as I thought that would solve the problem. Instead it made things worse because now McAfee will not respond when I try to open it. I get the same "Open With" window and when I browse for the file to open I am not able to open it due to it being the wrong way to get to the file or something.

Now no program will open when I try to open it, instead I get the "Open With" window with some programs there that when I click on them, I get another "Open With" window again. It's a never-ending cycle. I went to Microsoft's website and downloaded a virus scan. I was lucky enough to install it and when it ran the scan, it moved very slowly and by the time it reached 7% it said that I had 8 threats and 1 file detected. I had to stop the scan prematurely because it was moving at a very slow pace.

Right now, the only program that opens is internet explorer and now it doesn't open when I try to open it from the taskbar but it opens from other areas. The only other program that works is adobe acrobat. When I try to open other files, I either get the "Open With" box or I get an error message saying "Application Not Found." Also, I find that my computer is moving a little slower (it's usually very fast) and when I use the scroll bar, it gets stuck on the scroll function when usually it can unscroll when I let go of the scroll bar.

Lastly, I downloaded "Hijack This" and saved it but when I tried to run it, I got the "Open With" box and I cannot get it to run. I hope you guys can still help me or at least lead me to the right direction for help. Thank you very much for reading this.


Malware Specialist
Oct 22, 2008
Hello there :cool: Welcome to the TSG Forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Step 1

Please download exeHelper to your desktop.
Double-click on it to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (it will be created in the directory you ran the program from, and should open at the end of the scan).

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Step 2

Download OTS to your Desktop

  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Basic Scans please change the radio button under Registry from Safe List to All.
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Please paste the contents of the following codebox into the Custom Scans box at the bottom
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

Step 3

GMER Rootkit Scanner
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs. Make sure you disable your security programs as well, as they may interfere with the program.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable your security programs when done.


Thread Starter
Apr 14, 2010
Thank you so much for your help, NeonFx. Once I did the first step, the "Open With" window has stopped opening up and my programs are able to run again. Here is the exehelperlog result:

exeHelper by Raktor
Build 20100414
Run at 17:20:45 on 04/16/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Removing HKCR\secfile
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...

The results from the OTS scan are in the attachment.

I have a question about step 3, the GMER Rootkit scanner. I ran it through the first time but while it was scanning, my sister had clicked on the start menu at the bottom left of the screen and the scan stopped. I know that the scan would not work if the computer was in use so I tried to start from the beginning but the computer crashed. So I deleted that file completely and tried it again (no internet, antivirus disabled) and it scanned but then it stopped working and I had to close it. I deleted that one (also deleted from recycle bin) and tried it once again but same thing. Is the error that it was disrupted the first time and it won't work again? Is there something else I can do to make it work? Or is it due to a problem with a program I have, like Java? Thanks.
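The exeHelper log above explains the "Open With" loop: it reports resetting the .exe and .com file-type associations, removing HKCR\secfile, and resetting the Winlogon userinit and shell values. The following read-only audit is an added example, not part of the thread and not exeHelper's code. It reads those same registry locations and reports whether they hold the stock Windows values, so a technician can confirm the repair (or spot the hijack on another machine) without running a fix tool. Assumptions: PowerShell 3.0 or later, an elevated prompt, and the stock Vista/7 values listed in the script (compare against a known-clean machine if in doubt). HKCR is the merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, so both hives are checked separately.

```powershell
# Added example (not from the thread, not exeHelper's code): read-only audit of the
# registry locations exeHelper reports resetting. Nothing is modified.

$systemRoot = $env:SystemRoot

# Stock Vista/7 values (assumption: verify against a known-clean machine if unsure).
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\.exe';                       Name = '(default)'; Expected = 'exefile' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\.com';                       Name = '(default)'; Expected = 'comfile' }
    @{ Key = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = 'explorer.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = "$systemRoot\system32\userinit.exe," }
)

# Keys that do not exist on a stock install. "secfile" is the ProgID the exeHelper log
# shows being removed; a per-user .exe class in HKCU takes precedence over the
# machine-wide one in the merged HKCR view, so it is checked on its own.
$unexpectedKeys = @(
    'HKLM:\SOFTWARE\Classes\secfile',
    'HKCU:\Software\Classes\secfile',
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile'
)

function Get-RegValue {
    # Returns the named value as a string, or $null if the key or value is absent.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    $prop = $item.PSObject.Properties[$Name]   # '(default)' is how PowerShell names the default value
    if ($null -eq $prop) { return $null }
    return [string]$prop.Value
}

$findings = @(foreach ($c in $checks) {
    $actual = Get-RegValue -Key $c.Key -Name $c.Name
    [pscustomobject]@{
        Location = "$($c.Key) [$($c.Name)]"
        Expected = $c.Expected
        Actual   = $actual
        Status   = if ($null -eq $actual) { 'MISSING' }
                   elseif ($actual -eq $c.Expected) { 'OK' }     # -eq is case-insensitive
                   else { 'MODIFIED' }
    }
})

$findings += @(foreach ($k in $unexpectedKeys) {
    $present = Test-Path -LiteralPath $k
    [pscustomobject]@{
        Location = $k
        Expected = '(absent)'
        Actual   = if ($present) { '(present)' } else { '(absent)' }
        Status   = if ($present) { 'SUSPICIOUS' } else { 'OK' }
    }
})

$findings | Format-Table -Property Status, Location, Expected, Actual -AutoSize -Wrap
```

Anything reported as MODIFIED, MISSING or SUSPICIOUS is worth recording (value and the file it points at) before any cleanup runs, because that is exactly the detail the specialist later asks for when a product only says "trojan removed" without naming the file.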



Malware Specialist
Oct 22, 2008
The GMER rootkit scanner is the best we have but sadly it is delicate. Problems like that are common. Try running it without the "Files" scan checked and let me know how that goes.

You could also try running it in Safe Mode to see if that helps. To boot your computer into Safe Mode you'll need to repeatedly tap the F8 key on your keyboard as you turn your computer on until a black and white menu appears with the option.


Thread Starter
Apr 14, 2010
Okay, I was finally able to get it to scan completely while in Safe Mode. Here are the results:

Rootkit scan 2010-04-16 21:51:59
Windows 6.0.6001 Service Pack 1
Running: w48ukfxh.exe; Driver: C:\Users\PRISCI~1\AppData\Local\Temp\pxlyyuow.sys

---- Devices - GMER 1.0.15 ----
Device \FileSystem\fastfat \Fat 8DC25A7A
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001fe1e03740 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1e03740
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe1e03740 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] Counter 5108
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] Help 5109
---- EOF - GMER 1.0.15 ----

The attachment is also available if you want it. Thank you so much for your help :)



Malware Specialist
Oct 22, 2008
Great. Let's do the following now:

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Thread Starter
Apr 14, 2010
I have a question. Around the time I was installing ComboFix and even when I finished, (when I enabled McAfee) they said they removed the trojan Artemis. It hadn't told me that until now. Does that mean it's just now been finally removed?

Here is the log from the ComboFix scan (also attached):

ComboFix 10-04-15.05 - Priscilla 04/16/2010 23:03:51.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1853 [GMT -4:00]
Running from: c:\users\Priscilla\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
2010-04-17 03:10 . 2010-04-17 03:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-14 06:51 . 2010-04-14 06:53 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-14 03:23 . 2010-02-23 11:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 03:23 . 2010-02-23 11:32 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 03:23 . 2010-02-23 11:32 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 03:23 . 2010-02-18 14:49 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 03:23 . 2010-02-18 14:49 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 03:23 . 2010-03-04 18:54 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 03:23 . 2010-02-18 14:49 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 03:23 . 2010-02-18 14:11 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 03:23 . 2010-02-18 11:52 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 03:22 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 03:22 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-03-27 10:37 . 2010-03-27 10:37 22103176 ----a-w- c:\programdata\Electronic Arts\EA Core\cache\{ CP_Guest_3252(4)_ver3 }\eadm-installer.exe
2010-03-27 10:34 . 2010-03-27 10:34 24243792 ----a-w- c:\programdata\Electronic Arts\EA Core\cache\{ CP_Guest_3252(2)_ver2 }\Sims3_1.11.7.005001_from_1.10.6.004001.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-04-17 01:52 . 2009-02-21 12:37 1 ----a-w- c:\users\Priscilla\AppData\Roaming\\3\user\uno_packages\cache\stamp.sys
2010-04-16 23:46 . 2009-03-15 23:02 -------- d-----w- c:\programdata\Dl_cats
2010-04-14 22:21 . 2008-10-24 07:20 6648 ----a-w- c:\users\Priscilla\AppData\Local\d3d9caps.dat
2010-04-14 22:15 . 2008-07-18 13:50 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-14 05:49 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-07 11:59 . 2008-07-18 19:09 -------- d-----w- c:\program files\McAfee
2010-04-06 11:10 . 2008-08-08 09:02 23158 ----a-w- c:\users\Priscilla\AppData\Roaming\wklnhst.dat
2010-03-27 10:34 . 2010-01-22 13:25 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-03-27 10:34 . 2010-01-22 13:25 38784 ----a-w- c:\users\Priscilla\AppData\Roaming\Macromedia\Flash Player\\bin\airappinstaller\airappinstaller.exe
2010-03-27 10:34 . 2010-01-22 13:25 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\\bin\airappinstaller\airappinstaller.exe
2010-03-26 04:24 . 2008-08-05 19:06 79480 ----a-w- c:\users\Priscilla\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-09 16:28 . 2010-03-31 05:27 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-31 05:27 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-31 05:27 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:39 . 2010-03-12 08:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-12 08:00 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-12 08:00 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-05 02:37 . 2010-02-05 02:37 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbEA65.tmp.exe
2010-02-02 01:27 . 2010-02-02 01:27 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbD472.tmp.exe
2010-01-25 12:48 . 2010-02-24 04:01 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48 . 2010-02-24 04:01 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48 . 2010-02-24 04:01 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48 . 2010-02-24 04:01 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45 . 2010-02-24 04:01 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35 . 2010-02-24 04:01 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-02-24 04:01 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34 . 2010-02-24 04:01 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34 . 2010-02-24 04:01 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:44 . 2010-02-24 04:02 2048 ----a-w- c:\windows\system32\tzres.dll
2008-07-18 21:43 . 2008-07-18 21:43 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-18 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-02 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-22 133656]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-25 30192]
"mcagent_exe"="c:\program files\\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dldwmon.exe"="c:\program files\Dell V505\dldwmon.exe" [2008-06-05 677104]
"dldwamon"="c:\program files\Dell V505\dldwamon.exe" [2008-06-05 16624]
"Dell V505 Fax Server"="c:\program files\Dell V505\fm3032.exe" [2008-06-05 312560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
c:\users\Priscilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-7-18 50688]
Download Centre.lnk - c:\program files\Yamaha Corporation\Digital Music Notebook\Common\Download Centre\Download Centre.exe [2009-11-10 419160]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-18 19:17 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
R2 dldwCATSCustConnectService;dldwCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\dldwserv.exe [2008-05-16 99568]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-10-25 30192]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2008-01-02 73728]
S2 dldw_device;dldw_device;c:\windows\system32\dldwcoms.exe [2008-05-16 595184]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Contents of the 'Scheduled Tasks' folder
2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:37]
2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 13:37]
2010-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]
2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]
2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{4E190B5B-902F-4F27-B922-4BCAFFAB7238}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
------- Supplementary Scan -------
uStart Page = hxxp://
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} - hxxps://
- - - - ORPHANS REMOVED - - - -
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-Dell Photo AIO Printer 942 - c:\program files\Dell Photo AIO Printer 942\dlbubmgr.exe
HKLM-Run-DellMCM - c:\program files\Dell Photo AIO Printer 942\memcard.exe
AddRemove-EA Download Manager - c:\program files\Electronic Arts\EADM\EADMUninstall.exe

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2010-04-16 23:10
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
--------------------- LOCKED REGISTRY KEYS ---------------------
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
Completion time: 2010-04-16 23:12:41
ComboFix-quarantined-files.txt 2010-04-17 03:12
Pre-Run: 220,624,588,800 bytes free
Post-Run: 220,295,270,400 bytes free
- - End Of File - - 990F3C9367FD651230AA9FDC91386781



Malware Specialist
Oct 22, 2008
The good news is that I don't see anything in your logs.

To answer your question I would need to know what file it detected as Artemis and removed, and not just that it removed that infection.



  • Under the Paste Fix Here box on the right, paste in the contents of the following code box

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  7SkRgtbX5FlAM -> C:\Users\Priscilla\AppData\Local\7SkRgtbX5FlAM
NY ->  7SkRgtbX5FlAM -> C:\ProgramData\7SkRgtbX5FlAM
NY ->  22 C:\Windows\Temp\*.tmp files -> C:\Windows\Temp\*.tmp
NY ->  20 C:\Users\Priscilla\AppData\Local\Temp\Low\Google Toolbar\*.tmp files -> C:\Users\Priscilla\AppData\Local\Temp\Low\Google Toolbar\*.tmp
NY ->  164 C:\Users\Priscilla\AppData\Local\Temp\*.tmp files -> C:\Users\Priscilla\AppData\Local\Temp\*.tmp
NY ->  1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
[Empty Temp Folders]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.log where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
If it seems to get stuck, give it some time. It's probably still working.


Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Scan all of your harddrives.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply


Thread Starter
Apr 14, 2010
Here is the result from the OTS log:

All Processes Killed
[Files/Folders - Modified Within 30 Days]
C:\Users\Priscilla\AppData\Local\7SkRgtbX5FlAM moved successfully.
C:\ProgramData\7SkRgtbX5FlAM moved successfully.
File delete failed. C:\Users\Priscilla\AppData\Local\Temp\~DF68E5.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Priscilla\AppData\Local\Temp\~DF6901.tmp scheduled to be deleted on reboot.
C:\Users\Priscilla\AppData\Local\Temp\~DF74BF.tmp deleted successfully.
C:\Users\Priscilla\AppData\Local\Temp\~DFCE4C.tmp deleted successfully.
C:\ProgramData\SPLAE80.tmp deleted successfully.
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Priscilla
->Temp folder emptied: 61953 bytes
->Temporary Internet Files folder emptied: 838795213 bytes
->Java cache emptied: 65928990 bytes
->Flash cache emptied: 272336 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5120 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 13187980 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 13691873 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 889.00 mb


User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Priscilla
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version fix logfile created on 04162010_235724
Files\Folders moved on Reboot...
File\Folder C:\Users\Priscilla\AppData\Local\Temp\~DF68E5.tmp not found!
File\Folder C:\Users\Priscilla\AppData\Local\Temp\~DF6901.tmp not found!
File move failed. C:\Users\Priscilla\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YGUL904M\JCAGT8JRTCAM8AI4PCAXVL5MWCA1BU0UQCA6RVW2DCAAJY6H6CAL16YO3CADRHOPTCAWOYCHCCAHKJX74CA9DQOZCCA1ACF4WCATM4OQ9CAK8559ZCA0FMROOCAKC1T7JCA6R2DG7CAJICO1ICAWLTCHH.htm scheduled to be moved on reboot.
C:\Users\Priscilla\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8F9SZZS\idol-can-transform-ya-biggest-ai-makeovers-ever[1].htm moved successfully.
File move failed. C:\Users\Priscilla\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8F9SZZS\VCA6JBD87CAME3QUKCASMZT1WCAO7QOV5CAFDE1F5CASOW010CAOYFMUMCALD810NCAIBE3E3CA5GKWH3CAPYJRYWCAR3P9LFCAVO62W2CA8Y3HHECAQPHZZHCARDXR3JCART0BAQCASDBIEBCACUZFQS.htm scheduled to be moved on reboot.
File move failed. C:\Users\Priscilla\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C1VN73V6\8CAZAFLHICATD1J7FCATUHXSWCABZILFJCAZ630MJCAS0GD4YCAXYH6N9CAB2X03DCANN1D6PCALU7BJWCA1D4JR9CAVKL6AKCARLDIZYCATK2L54CA8LAT95CAN2DDUMCANUEPG7CAUVGPBDCAK4G94D.htm scheduled to be moved on reboot.
C:\Users\Priscilla\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C1VN73V6\916930-artemis-trojan-problem-programs-shut[1].htm moved successfully.
File move failed. C:\Users\Priscilla\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C1VN73V6\OCAP6Z3GXCAKBP6VZCAW2XB90CALBNIUCCA3J002VCATMC1CWCA7T2CIMCA3A4T0LCANZZEUBCAGTDLL1CA6HWQLKCAX4VHDOCA5UOSBECAZ73641CAAH5YKXCA4W0SNZCA6EWH6WCAHFVAT2CABHFIFN.htm scheduled to be moved on reboot.
C:\Users\Priscilla\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3X1KA6CN\sh15[1].htm moved successfully.
C:\Users\Priscilla\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
File\Folder C:\Windows\temp\mcafee_RvKUq9mAHTygtxT not found!
File\Folder C:\Windows\temp\mcmsc_BfUgchFHtLLWstF not found!
File\Folder C:\Windows\temp\mcmsc_dYdZdptqNqdg5xq not found!
File\Folder C:\Windows\temp\mcmsc_rdfygbJNZ1dlyaN not found!
File\Folder C:\Windows\temp\mcmsc_RtMIIqO6r5JjzJ7 not found!
File\Folder C:\Windows\temp\mcmsc_VLsDlSKFP551x9O not found!
File\Folder C:\Windows\temp\sqlite_1QprZJUE4AkW28f not found!
File\Folder C:\Windows\temp\sqlite_bfAj2B9R9EDJX76 not found!
File\Folder C:\Windows\temp\sqlite_RYykYZhvrqDrvYu not found!
File\Folder C:\Windows\temp\sqlite_Wn1Cddbkx0iUnS8 not found!
Registry entries deleted on Reboot...

Here is the result from the Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.45
Database version: 3999
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000
4/17/2010 1:30:11 AM
mbam-log-2010-04-17 (01-30-11).txt
Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 228442
Time elapsed: 1 hour(s), 12 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

And here is the result from Kaspersky Online Scanner:

Saturday, April 17, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version:
Last database update: Saturday, April 17, 2010 03:03:26
Records in database: 3949730
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
Scan statistics:
Objects scanned: 130616
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:40:54
No threats found. Scanned area is clean.
Selected area has been scanned.

From what I can see things are looking good so far :)
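As an added example (not part of this thread or of any tool mentioned in it), a small Python helper that reads the count lines of scan summaries like the two posted above and reports whether anything was detected; the excerpts it runs on are constructed in the shape of those logs, and a summary with no count lines at all is deliberately treated as not clean.

```python
import re

# Constructed excerpt in the shape of the Malwarebytes' Anti-Malware summary block above.
MBAM_CLEAN = """\
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

# Constructed variant with detections, to exercise the non-clean path.
MBAM_DIRTY = """\
Memory Processes Infected: 1
Registry Keys Infected: 2
Files Infected: 3
"""

# Constructed excerpt in the shape of the Kaspersky Online Scanner statistics block above.
KASPERSKY_CLEAN = """\
Objects scanned: 130616
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
"""

# Matches only "<category> Infected: N" / "<category> found: N" lines that carry a number;
# the per-section headings such as "Files Infected:" with no count are ignored.
COUNTER = re.compile(r"^\s*([A-Za-z ]+?(?:Infected|found)):\s*(\d+)\s*$", re.M)


def parse_counters(log_text):
    """Return {category: count} for every counter line found in the summary."""
    return {name.strip(): int(n) for name, n in COUNTER.findall(log_text)}


def verdict(log_text):
    """Return (is_clean, nonzero_categories). A summary with no counters is NOT clean."""
    counters = parse_counters(log_text)
    if not counters:
        return False, {}
    hits = {k: v for k, v in counters.items() if v}
    return not hits, hits
```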


Malware Specialist
Oct 22, 2008
Excellent. Let's cleanup.


The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

(If you use Vista or 7 just paste it into the text box that appears next to your start button)

ComboFix /Uninstall

Note: If you have trouble and it doesn't want to uninstall using the method described above, you can rename ComboFix.exe to Uninstall.exe and double click on it to uninstall it.


To clean up OldTimer's tools, along with a few others, do the following:

  • Run OTS.exe by double clicking on it
  • Click on the "CleanUp" button on the top.
  • You will be asked if you wish to reboot your system, select "Yes"


Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the Shift key, and select "Delete" by clicking on it. This will delete the files without sending them to the RecycleBin.

You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (The Control Panel is different in different versions of Windows. It will be Programs and Features in Vista and Programs > Uninstall a Program in 7)

You might want to keep MalwareBytes AntiMalware though and that's fine :) Make sure you update it before you run the scans in the future.

All Clean

, your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
To update Windows
Go to (Start) > (All) Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Install WinPatrol
Download it HERE
You can find information about how WinPatrol works HERE and HERE

Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.

Other Software Updates
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

Setting up Automatic Updates
So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this. See HERE for Windows 7.

Read further information HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean.

Please mark this thread as Solved by clicking on the button at the top of this page. Let me know if you need anything else.


Thread Starter
Apr 14, 2010
Thanks so much for your help, NeonFx. I will be sure to take your advice on updating my system more often. I think I left myself open to problems because I usually hibernate my computer when I'm done with it and put off updating things. I have uninstalled/deleted everything and left MalwareBytes as you suggested.

However, I have a question about uninstalling ComboFix. When I tried to uninstall ComboFix, my computer couldn't find it. I couldn't even find it on my desktop where I had downloaded it. That's a little strange. Is that something that I can disregard?

[EDIT] Another thing... I was just going over my recent logs in McAfee and I saw that it had the information of the first Artemis trojan (that I mentioned in the first post) and that it was quarantined... never removed. The next log said that I had a different type of Artemis trojan and the file that it was associated with was from a temporary folder that had ComboFix[1].exe at the end of it and it said the process was from using ieuser.exe. It did say it removed the trojan. This log was right around the time I was installing ComboFix. There was another log report that had the same information as the second one except it came from a different temporary folder but it still had ComboFix[1].exe at the end of it. That was around the time when the ComboFix was done installing. The fourth log report also had ComboFix.exe in the file but this one was from the desktop (where I had downloaded it to.) The log said the process was through iexplore.exe. That was almost an hour after I had installed ComboFix.

In addition, the last three that are associated with ComboFix are all the same trojan and McAfee did say those last three trojans were removed (repaired). The quarantined one is nowhere in sight so it seems from the latest logs I had given you, unless quarantined trojans are usually not visible. The last three scans were done through a Real Time Scan. The first one was done through a Quick Scan. Does this all mean that ComboFix was the one that detected the trojan and McAfee worked through it or does it mean that the trojan came in through ComboFix? However, this would explain why I couldn't find ComboFix anywhere on my system when I was trying to delete it earlier since McAfee said it deleted the trojan files that had ComboFix.exe at the end of them. What do you think?

And a final note... while I was surfing the internet just now, I heard a click and saw the green bar at the bottom of the browser (what you usually see when you click on a link) when I was reading the page but I hadn't clicked on anything. Could that be hidden spyware or is it nothing at all?


Malware Specialist
Oct 22, 2008
Haha, I was wondering where I had heard that name before (Artemis). Yes you are correct, it is a false positive and McAfee has forever battled with ComboFix even though they're both on the same side. I should have checked for you.

There are two things that would explain why it couldn't find combofix when you tried to uninstall it: McAfee deleted it, or you ran the OTS cleanup script before trying to uninstall ComboFix. The cleanup script will remove ComboFix leftovers just in case everything wasn't removed when uninstalling it. If McAfee deleted it, you could try downloading it again, renaming it to "Uninstall" and double clicking on it to have it uninstall everything it put on the system before. You're probably ok just ignoring it though.

And a final note... while I was surfing the internet just now, I heard a click and saw the green bar at the bottom of the browser (what you usually see when you click on a link) when I was reading the page but I hadn't clicked on anything. Could that be hidden spyware or is it nothing at all?
Some advertisements embedded in webpages will cause that symptom at times. It happens to me too. I'm confident you're clean at this time.
