Jump to content



Photo

jushed.exe / rundil32.exe anyone heard of it?


  • Please log in to reply
16 replies to this topic

#1 ShadowMajestic

ShadowMajestic

    Neowinian Senior

  • Joined: 16-April 10
  • Location: Netherlands
  • OS: Windows 8 Pro 64bit
  • Phone: Nokia Lumia 920

Posted 06 April 2013 - 16:41

Okay. So a few days ago, I started noticing that on some Google searches, my browser would _vanish_. Both IE, Chrome(iron), firefox (both Mozilla's as palemoon) and Opera had this.
I thought it naturally was Google. Untill yesterday a front page item about antivirus... it got me thinking and looking.

Guess what I found, 2 unkillable processes (Windows 8 really has much to many default processes).
Windows Defender did not recognize it, neither did trend micro. And somehow doubt maybe others can find it yet either.

But my main question is, has anyone encountered this POS? Do you know what it does? What its for, the little info I could find is just generic malware stuff. backdoor, Trojan, remote attacker blabla.


I am not sure how I've gotten this thing on my system, my guess goes out to drive-by in a browser. I use Firefox, Iron and IE all mixed through eachother through the days. So I cant say which one. But on neither browser do I have Java or something enabled. IE comes clean, only 3rd party plugin is LogMeIn.
Firefox only addon is a little addon I've been developing myself. Palemoon imacros/firebug/reloadevery/stylish and my own little addon. Iron is OOTB, have not added anything.
As other then tv-shows I haven't been pirating recent weeks/months.

If anyone has this thing on your system, rightclick the exe's in task manager, open file properties, remove all rights for everyone. add "Everyone" and set it to deny all. Reboot, remove registry and startup entries.
Currently it lies dormant in %APPDATA%/Microsoft/ as I don't have a Linux Live USB laying around to delete it, and under windows I rather leave it "sandboxed" and don't touch it.


#2 matt4444

matt4444

    Neowinian

  • Joined: 29-May 11

Posted 06 April 2013 - 16:43

jushed.exe is to do with Java, I believe.

#3 Semtex

Semtex

    Neowinian

  • Joined: 20-February 11
  • Location: Europa/Poland

Posted 06 April 2013 - 16:44

You are infected: run full scan with: http://www.malwarebytes.org/

#4 OP ShadowMajestic

ShadowMajestic

    Neowinian Senior

  • Joined: 16-April 10
  • Location: Netherlands
  • OS: Windows 8 Pro 64bit
  • Phone: Nokia Lumia 920

Posted 06 April 2013 - 16:45

You are infected: run full scan with: http://www.malwarebytes.org/

If you would read my post, the virus is currently inactive.

Oh also to add, I have malwarebytes setup on my system, I could not access their website directly, luckily I saw a software posting about it recently here on Neowin :) and got it through here. Site cant be accessed directly and the setup wont start at all.

jushed.exe is to do with Java, I believe.

That's jusched.exe The icon is different to, both of jushed.exe and rundil32.exe have some weird black circle with a logo. Not to sure as the files are forcefully hidden and since I've removed all access to it, I cannot see the icons atm

#5 darth_vader

darth_vader

    Neowinian

  • Joined: 13-January 07
  • Location: Tatooine

Posted 06 April 2013 - 16:46

jushed.exe is Java update scheduler, rundil32.exe a trojan :|

Edit: I've misread, sorry, both are malware.

#6 Davo

Davo

    Neowinian

  • Joined: 15-September 06

Posted 06 April 2013 - 16:47

Both "programs" are malware. You might have a rootkit considering which ones they're imitating.

#7 OP ShadowMajestic

ShadowMajestic

    Neowinian Senior

  • Joined: 16-April 10
  • Location: Netherlands
  • OS: Windows 8 Pro 64bit
  • Phone: Nokia Lumia 920

Posted 06 April 2013 - 16:48

Both "programs" are malware. You might have a rootkit considering which ones they're imitating.

UEFI, secureboot Windows 8. Havent heard any complaints there. Also since I disabled the exe's, I have not encountered any weird behavior anymore and am constantly keeping an eye on my processes.

People please stop reading the title and first paragraph only, I'm more wondering wth it does cause it's been running on my system close to a week without me noticing **** (and blaming Google).

And also if someone might encounter it and look through the forums, the solution is in the first post.

#8 Davo

Davo

    Neowinian

  • Joined: 15-September 06

Posted 06 April 2013 - 19:17

Mmmmkkkk....

#9 TheExperiment

TheExperiment

    Reality Bomb

  • Tech Issues Solved: 1
  • Joined: 11-October 03
  • Location: Everywhere
  • OS: 8.1 x64

Posted 07 April 2013 - 11:45

http://www.auditmypc.com/jushed.asp

If you find a program called jushed.exe on your computer, your computer may have been infected with a worm that goes by the name of gaobot.ee.

http://www.cloudanti...aobot.EE/44605/

Gaobot.EE is a worm with backdoor characteristics, that only affects Windows 2003/XP/2000/NT computers.

I'm sure I could find the other too. You might try some of the other antiviruses to take care of it (Bitdefender and Panda rank very highly on detection, as well as some others.)

#10 LUTZIFER

LUTZIFER

    Resident Evil

  • Joined: 09-January 02
  • Location: Vancouver Island, BC CANADA

Posted 07 April 2013 - 11:59

Wow, those file names look pretty close to legit ones, lol. Sneaky ****ers.
I thought that was the Java Update Scheduler at first too. (although some may consider that malware, lol)

#11 TheExperiment

TheExperiment

    Reality Bomb

  • Tech Issues Solved: 1
  • Joined: 11-October 03
  • Location: Everywhere
  • OS: 8.1 x64

Posted 07 April 2013 - 12:01

(although some may consider that malware, lol)

how could anyone not? :D

#12 Hum

Hum

    totally wAcKed

  • Tech Issues Solved: 11
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 07 April 2013 - 12:35

... it's been running on my system close to a week without me noticing ...


Did you try using System Restore ... ?

System Restore is a recovery feature in Windows 8 that allows you to restore your computer to a previous state. This is useful if your computer starts to function poorly or crashes and you cannot determine what the cause is. To resolve these types of issues, you can use System Restore to restore your computer back to a previous state that was saved before your problems started occurring. This will allow your computer to start operating correctly again.

http://www.bleepingc...-restore-guide/

#13 cork1958

cork1958

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 04-October 02

Posted 07 April 2013 - 12:36

Wow, those file names look pretty close to legit ones, lol. Sneaky ****ers.
I thought that was the Java Update Scheduler at first too. (although some may consider that malware, lol)


After reading just the topic, that was instantly what I thought also. Was going to ask if those were typos!

Could also try Malwarebytes new anti rootkit tool http://www.malwareby.../products/mbar/

I second that recommendation for Panda AV and also would suggest SuperAntiSpyware, http://www.superanti...ANTISPYWAREFREE or http://superantispyware.com/ The first link is directly to the download page. The second link is their home page. Make sure to get the free version and then disable the SAS process in administrative tools.

#14 OP ShadowMajestic

ShadowMajestic

    Neowinian Senior

  • Joined: 16-April 10
  • Location: Netherlands
  • OS: Windows 8 Pro 64bit
  • Phone: Nokia Lumia 920

Posted 12 April 2013 - 03:37

http://www.auditmypc.com/jushed.asp

http://www.cloudanti...aobot.EE/44605/

I'm sure I could find the other too. You might try some of the other antiviruses to take care of it (Bitdefender and Panda rank very highly on detection, as well as some others.)

Thanks, could find little info googling it.
But I'm on Windows 8, I guess it isn't limited to older OS'.
UAC enabled, Windows Defender enabled (no excludes).

Malwarebytes found one of the 2, jushed.exe, it failed to recognize rundil32.exe though.

#15 OP ShadowMajestic

ShadowMajestic

    Neowinian Senior

  • Joined: 16-April 10
  • Location: Netherlands
  • OS: Windows 8 Pro 64bit
  • Phone: Nokia Lumia 920

Posted 12 April 2013 - 03:42

Did you try using System Restore ... ?

System Restore is a recovery feature in Windows 8 that allows you to restore your computer to a previous state. This is useful if your computer starts to function poorly or crashes and you cannot determine what the cause is. To resolve these types of issues, you can use System Restore to restore your computer back to a previous state that was saved before your problems started occurring. This will allow your computer to start operating correctly again.

http://www.bleepingc...-restore-guide/

Thanks for the suggestion. But the virus is inactive now. One exe still remains, hidden and closed down in my %APPDATA%/Microsoft folder. But it cannot do any harm at this point. I've kept a close eye on my system. Checking everything regularly .
I do not touch the file, I need to make a usb boot/live disk and remove it, but as its inactive, still haven't gotten to it yet. The file has no rights, nothing has access to it. All registry entries removed (just a few auto start up ones), it got into task scheduler too, gone there. And it hasn't returned as of this moment.
Plus I installed Windows 8 from Windows 7 by mounting the ISO :) My DVD drive is IDE and my motherboard has no IDE slot :p So I rather not kill/flash Windows 8. (I do still have Windows 7 on my 2nd drive though which I could add back to the boot menu and boot into if required).

After reading just the topic, that was instantly what I thought also. Was going to ask if those were typos!

Could also try Malwarebytes new anti rootkit tool http://www.malwareby.../products/mbar/

I second that recommendation for Panda AV and also would suggest SuperAntiSpyware, http://www.superanti...ANTISPYWAREFREE or http://superantispyware.com/ The first link is directly to the download page. The second link is their home page. Make sure to get the free version and then disable the SAS process in administrative tools.

I've tried Malwarebytes, it found jushed.exe, but not rundil32.exe.

I'll make some time tomorrow or Saturday and either boot into save mode or setup a debian live CD on my usb stick and get the exe's. (malwarebytes still requires a reboot for cleanup hehe).
I want to upload them to the online viruschecker, I am wondering which one detects them. Since it gotten through Windows 8's security without anything stopping it, while according to the link posted above... it seems to been designed for OS's released over a decade ago.

I am certain this has been a drive-by download. It is only in the last 2 weeks it has entered my system. And
besides a PDF, the recent TV shows and basically pictures of cats, nothing has been downloaded to my system.
I use IE10, Palemoon and Iron all mixed up. Generally I use IE10, but at this moment I also have Palemoon and Iron for a few websites (they still seem to spur out IE6-8 specific code). So I can't say which one it has been. My personal guess would be Iron (I use Iron allot for porn, hehe).

PS: I see a 2nd post made isn't automatically merged for some reason :p