17 posts in this topic

Posted

Okay. So a few days ago, I started noticing that on some Google searches, my browser would _vanish_. IE, Chrome (Iron), Firefox (both Mozilla's and Palemoon) and Opera all had this.
I naturally thought it was Google. Until yesterday, a front page item about antivirus... it got me thinking and looking.

Guess what I found: 2 unkillable processes (Windows 8 really has much too many default processes).
Windows Defender did not recognize it, neither did Trend Micro. And I somehow doubt others can find it yet either.

But my main question is, has anyone encountered this POS? Do you know what it does? What it's for? The little info I could find is just generic malware stuff: backdoor, Trojan, remote attacker, blabla.


I am not sure how I've gotten this thing on my system; my guess goes out to a drive-by in a browser. I use Firefox, Iron and IE all mixed through each other through the days, so I can't say which one. But in none of the browsers do I have Java or anything like that enabled. IE comes clean; the only 3rd party plugin is LogMeIn.
Firefox's only addon is a little addon I've been developing myself. Palemoon: iMacros/Firebug/ReloadEvery/Stylish and my own little addon. Iron is OOTB, I have not added anything.
Other than TV shows, I haven't been pirating anything in recent weeks/months.

If anyone has this thing on your system: right-click the exes in Task Manager, open file properties, remove all rights for everyone, add "Everyone" and set it to deny all. Reboot, remove registry and startup entries.
Currently it lies dormant in %APPDATA%/Microsoft/ as I don't have a Linux live USB lying around to delete it, and under Windows I'd rather leave it "sandboxed" and not touch it.
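The two names in this thread (jushed.exe standing in for jusched.exe, rundil32.exe for rundll32.exe) are one-character lookalikes, which is exactly the kind of thing a short allow-list check catches. The script below is an added example, not code from the thread or from any of the tools it mentions: it compares each running process name against a small allow-list of legitimate binaries using edit distance, and also flags a legitimate name that runs from a directory it should not live in. The allow-list, the expected directories and the process list are constructed for illustration (on a live host the list would come from `tasklist` or the `psutil` library), and the allow-list is deliberately short, not exhaustive.

```python
"""Flag process names that look like, but are not, well-known Windows binaries.

Added example, not from the forum thread. The allow-list, directories and the
sample process list are constructed for illustration.
"""
import ntpath
from typing import Dict, List, Tuple

# Legitimate binary names and the directories they are normally started from
# (assumption: a short illustrative allow-list, lower-cased for comparison).
KNOWN_BINARIES: Dict[str, Tuple[str, ...]] = {
    "rundll32.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "jusched.exe": (
        "c:\\program files\\common files\\java\\java update",
        "c:\\program files (x86)\\common files\\java\\java update",
    ),
    "svchost.exe": ("c:\\windows\\system32", "c:\\windows\\syswow64"),
    "explorer.exe": ("c:\\windows",),
}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(name: str, path: str) -> str:
    """Return 'ok', a lookalike verdict, an unexpected-directory verdict,
    or 'not in allow-list' for names the list says nothing about."""
    name = name.lower()
    directory = ntpath.dirname(path.lower())  # ntpath handles backslashes on any OS
    if name in KNOWN_BINARIES:
        if directory in KNOWN_BINARIES[name]:
            return "ok"
        return f"known name in unexpected directory: {directory}"
    for known in KNOWN_BINARIES:
        # Distance 1 covers a dropped letter (jushed/jusched) and a swapped
        # letter (rundil32/rundll32); distance 0 was handled above.
        if levenshtein(name, known) == 1:
            return f"lookalike of {known}"
    return "not in allow-list"


def scan(processes: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, path, verdict) for every process worth a second look."""
    findings = []
    for name, path in processes:
        verdict = classify(name, path)
        if verdict.startswith(("lookalike", "known name")):
            findings.append((name, path, verdict))
    return findings


# Constructed sample process list: two lookalikes from the thread, one
# legitimate name in a user-writable directory, and two clean entries.
SAMPLE_PROCESSES = [
    ("rundll32.exe", r"C:\Windows\System32\rundll32.exe"),
    ("rundil32.exe", r"C:\Users\demo\AppData\Roaming\Microsoft\rundil32.exe"),
    ("jushed.exe", r"C:\Users\demo\AppData\Roaming\Microsoft\jushed.exe"),
    ("svchost.exe", r"C:\Users\demo\AppData\Local\Temp\svchost.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for name, path, verdict in scan(SAMPLE_PROCESSES):
        print(f"{name:14} {verdict:45} {path}")
```

The directory check matters as much as the name check: the thread's files sat under %APPDATA%\Microsoft, and a genuine rundll32.exe or svchost.exe started from a profile directory deserves the same attention as a misspelled one.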

Posted

jushed.exe is to do with Java, I believe.


Posted

You are infected: run full scan with: http://www.malwarebytes.org/


Posted

[quote name='Semtex' timestamp='1365266682' post='595620928']
You are infected: run full scan with: http://www.malwarebytes.org/
[/quote]
If you would read my post, the virus is currently inactive.

Oh, also to add: I have Malwarebytes set up on my system. I could not access their website directly; luckily I saw a software posting about it recently here on Neowin :) and got it through here. The site can't be accessed directly and the setup won't start at all.

[quote name='matt4444' timestamp='1365266635' post='595620924']
jushed.exe is to do with Java, I believe.
[/quote]
That's jusched.exe. The icon is different too; both jushed.exe and rundil32.exe have some weird black circle with a logo. Not too sure, as the files are forcefully hidden and since I've removed all access to them, I cannot see the icons atm.

Posted

jushed.exe is Java update scheduler, rundil32.exe a trojan :|

Edit: I've misread, sorry, both are malware.

Posted

Both "programs" are malware. You might have a rootkit considering which ones they're imitating.


Posted

[quote name='Davo' timestamp='1365266864' post='595620938']
Both "programs" are malware. You might have a rootkit considering which ones they're imitating.
[/quote]
UEFI, Secure Boot, Windows 8. Haven't heard any complaints there. Also, since I disabled the exes, I have not encountered any weird behavior anymore and am constantly keeping an eye on my processes.

People, please stop reading the title and first paragraph only. I'm more wondering wth it does, 'cause it's been running on my system close to a week without me noticing **** (and blaming Google).

And also if someone might encounter it and look through the forums, the solution is in the first post.


Posted

Mmmmkkkk....


Posted

[url="http://www.auditmypc.com/jushed.asp"]http://www.auditmypc.com/jushed.asp[/url]
[quote]If you find a program called jushed.exe on your computer, your computer may have been infected with a worm that goes by the name of gaobot.ee.[/quote]
[url="http://www.cloudantivirus.com/en/threat-information/antivirus/Gaobot.EE/44605/"]http://www.cloudantivirus.com/en/threat-information/antivirus/Gaobot.EE/44605/[/url]
[quote][i]Gaobot.EE[/i] is a worm with backdoor characteristics, that only affects Windows 2003/XP/2000/NT computers.[/quote]
I'm sure I could find the other too. You might try some of the other antiviruses to take care of it (Bitdefender and Panda rank very highly on detection, as well as some others.)


Posted

Wow, those file names look pretty close to legit ones, lol. Sneaky ****ers.
I thought that was the Java Update Scheduler at first too. (although some may consider that malware, lol)


Posted

[quote name='LUTZIFER' timestamp='1365335949' post='595622198']
(although some may consider that malware, lol)
[/quote]
how could anyone not? :D


Posted

[quote name='Shadowzz' timestamp='1365266924' post='595620942']
... it's been running on my system close to a week without me noticing ...
[/quote]

Did you try using [b]System Restore[/b] ... ?

System Restore is a recovery feature in Windows 8 that allows you to restore your computer to a previous state. This is useful if your computer starts to function poorly or crashes and you cannot determine what the cause is. To resolve these types of issues, you can use System Restore to restore your computer back to a previous state that was saved before your problems started occurring. This will allow your computer to start operating correctly again.

http://www.bleepingcomputer.com/tutorials/windows-8-system-restore-guide/


Posted

[quote name='LUTZIFER' timestamp='1365335949' post='595622198']
Wow, those file names look pretty close to legit ones, lol. Sneaky ****ers.
I thought that was the Java Update Scheduler at first too. (although some may consider that malware, lol)
[/quote]

After reading just the topic, that was instantly what I thought also. Was going to ask if those were typos!

Could also try Malwarebytes' new anti-rootkit tool [url="http://www.malwarebytes.org/products/mbar/"]http://www.malwareby.../products/mbar/[/url]

I second that recommendation for Panda AV and would also suggest SuperAntiSpyware, [url="http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE"]http://www.superanti...ANTISPYWAREFREE[/url] or [url="http://superantispyware.com/"]http://superantispyware.com/[/url]. The first link is directly to the download page. The second link is their home page. Make sure to get the free version and then disable the SAS process in Administrative Tools.


Posted

[quote name='Deranged' timestamp='1365335118' post='595622186']
[url="http://www.auditmypc.com/jushed.asp"]http://www.auditmypc.com/jushed.asp[/url]

[url="http://www.cloudantivirus.com/en/threat-information/antivirus/Gaobot.EE/44605/"]http://www.cloudantivirus.com/en/threat-information/antivirus/Gaobot.EE/44605/[/url]

I'm sure I could find the other too. You might try some of the other antiviruses to take care of it (Bitdefender and Panda rank very highly on detection, as well as some others.)
[/quote]
Thanks, I could find little info googling it.
But I'm on Windows 8, so I guess it isn't limited to older OSes.
UAC enabled, Windows Defender enabled (no exclusions).

Malwarebytes found one of the 2, jushed.exe, it failed to recognize rundil32.exe though.


Posted

[quote name='Hum' timestamp='1365338130' post='595622238']


Did you try using [b]System Restore[/b] ... ?

System Restore is a recovery feature in Windows 8 that allows you to restore your computer to a previous state. This is useful if your computer starts to function poorly or crashes and you cannot determine what the cause is. To resolve these types of issues, you can use System Restore to restore your computer back to a previous state that was saved before your problems started occurring. This will allow your computer to start operating correctly again.

http://www.bleepingcomputer.com/tutorials/windows-8-system-restore-guide/
[/quote]
Thanks for the suggestion. But the virus is inactive now. One exe still remains, hidden and closed down in my %APPDATA%/Microsoft folder. But it cannot do any harm at this point. I've kept a close eye on my system, checking everything regularly.
I do not touch the file. I need to make a USB boot/live disk and remove it, but as it's inactive, I still haven't gotten to it yet. The file has no rights, nothing has access to it. All registry entries removed (just a few auto start-up ones); it got into Task Scheduler too, gone there. And it hasn't returned as of this moment.
Plus I installed Windows 8 from Windows 7 by mounting the ISO :) My DVD drive is IDE and my motherboard has no IDE slot :p So I'd rather not kill/flash Windows 8. (I do still have Windows 7 on my 2nd drive though, which I could add back to the boot menu and boot into if required.)

[quote name='cork1958' timestamp='1365338162' post='595622240']


After reading just the topic, that was instantly what I thought also. Was going to ask if those were typos!

Could also try Malwarebytes new anti rootkit tool [url="http://www.malwarebytes.org/products/mbar/"]http://www.malwareby.../products/mbar/[/url]

I second that recommendation for Panda AV and also would suggest SuperAntiSpyware, [url="http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE"]http://www.superanti...ANTISPYWAREFREE[/url] or [url="http://superantispyware.com/"]http://superantispyware.com/[/url] The first link is directly to the download page. The second link is their home page. Make sure to get the free version and then disable the SAS process in administrative tools.
[/quote]
I've tried Malwarebytes; it found jushed.exe, but not rundil32.exe.

I'll make some time tomorrow or Saturday and either boot into safe mode or set up a Debian live CD on my USB stick and get the exes. (Malwarebytes still requires a reboot for cleanup, hehe.)
I want to upload them to the online virus checker; I am wondering which one detects them. Since it got through Windows 8's security without anything stopping it, while according to the link posted above... it seems to have been designed for OSes released over a decade ago.

I am certain this has been a drive-by download. It is only in the last 2 weeks that it has entered my system. And besides a PDF, the recent TV shows and basically pictures of cats, nothing has been downloaded to my system.
I use IE10, Palemoon and Iron all mixed up. Generally I use IE10, but at this moment I also have Palemoon and Iron for a few websites (they still seem to spew out IE6-8 specific code). So I can't say which one it has been. My personal guess would be Iron (I use Iron a lot for porn, hehe).

PS: I see a 2nd post made isn't automatically merged for some reason :p


Posted

[quote name='Shadowzz' timestamp='1365737848' post='595632386']
But I'm on Windows 8, I guess it isn't limited to older OS'.
[/quote]
No, but it could be ineffective in Windows 8. Just because it runs doesn't mean it does what it was trying to do.

But I'm not an expert on any particular virus so take that as you wish.


Posted

Some info about the rundil32.exe (if you haven't found any) - [url="http://www.bleepingcomputer.com/startups/rundIl32.exe-12980.html"]http://www.bleepingcomputer.com/startups/rundIl32.exe-12980.html[/url]
