ShadowMajestic Posted April 6, 2013

Okay. So a few days ago, I started noticing that on some Google searches, my browser would _vanish_. Both IE, Chrome (Iron), Firefox (both Mozilla's and Pale Moon) and Opera had this. I thought it naturally was Google. Until yesterday a front page item about antivirus... it got me thinking and looking. Guess what I found: 2 unkillable processes (Windows 8 really has far too many default processes). Windows Defender did not recognize it, neither did Trend Micro. And somehow I doubt others can find it yet either. But my main question is, has anyone encountered this POS? Do you know what it does? What it's for? The little info I could find is just generic malware stuff: backdoor, Trojan, remote attacker, blabla.

I am not sure how I've gotten this thing on my system; my guess goes out to a drive-by in a browser. I use Firefox, Iron and IE all mixed through each other through the days, so I can't say which one. But on neither browser do I have Java or something enabled. IE comes clean; the only 3rd party plugin is LogMeIn. Firefox's only addon is a little addon I've been developing myself. Pale Moon: iMacros/Firebug/ReloadEvery/Stylish and my own little addon. Iron is OOTB, have not added anything. Other than TV shows, I haven't been pirating anything in recent weeks/months.

If anyone has this thing on your system, right-click the exe's in Task Manager, open file properties, remove all rights for everyone, add "Everyone" and set it to deny all. Reboot, remove registry and startup entries. Currently it lies dormant in %APPDATA%/Microsoft/ as I don't have a Linux Live USB lying around to delete it, and under Windows I'd rather leave it "sandboxed" and not touch it.
matt4444 Posted April 6, 2013

jushed.exe is to do with Java, I believe.
Semtex Posted April 6, 2013

You are infected: run a full scan with: http://www.malwarebytes.org/
ShadowMajestic (Author) Posted April 6, 2013

> You are infected: run full scan with: http://www.malwarebytes.org/

If you would read my post, the virus is currently inactive. Oh, also to add, I have Malwarebytes set up on my system. I could not access their website directly; luckily I saw a software posting about it recently here on Neowin :) and got it through here. The site can't be accessed directly and the setup won't start at all.

> jushed.exe is to do with Java, I believe.

That's jusched.exe. The icon is different too; both jushed.exe and rundil32.exe have some weird black circle with a logo. Not too sure, as the files are forcefully hidden and since I've removed all access to it, I cannot see the icons atm.
darth_vader Posted April 6, 2013

jushed.exe is Java update scheduler, rundil32.exe a trojan :|

Edit: I've misread, sorry, both are malware.
Davo Posted April 6, 2013

Both "programs" are malware. You might have a rootkit considering which ones they're imitating.
ShadowMajestic (Author) Posted April 6, 2013

> Both "programs" are malware. You might have a rootkit considering which ones they're imitating.

UEFI, Secure Boot, Windows 8. Haven't heard any complaints there. Also, since I disabled the exe's, I have not encountered any weird behavior anymore and am constantly keeping an eye on my processes.

People, please stop reading the title and first paragraph only. I'm more wondering wth it does, because it's been running on my system close to a week without me noticing **** (and blaming Google). And also, if someone might encounter it and look through the forums, the solution is in the first post.
Davo Posted April 6, 2013

Mmmmkkkk....
spaceelf Posted April 7, 2013

http://www.auditmypc.com/jushed.asp

> If you find a program called jushed.exe on your computer, your computer may have been infected with a worm that goes by the name of gaobot.ee.

http://www.cloudantivirus.com/en/threat-information/antivirus/Gaobot.EE/44605/

> Gaobot.EE is a worm with backdoor characteristics, that only affects Windows 2003/XP/2000/NT computers.

I'm sure I could find the other too. You might try some of the other antiviruses to take care of it (Bitdefender and Panda rank very highly on detection, as well as some others.)
LUTZIFER Posted April 7, 2013

Wow, those file names look pretty close to legit ones, lol. Sneaky ****ers. I thought that was the Java Update Scheduler at first too. (although some may consider that malware, lol)
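The two names in this thread (rundil32.exe for rundll32.exe, jushed.exe for jusched.exe) only differ from the real binaries by a swapped or dropped letter, and the copies sat under %APPDATA%. The following is an added example, not code from the thread, that flags both tells over a constructed process listing: a confusable or one-edit near-match of a known system name, and a system-named image running outside a trusted program directory. The reference list KNOWN_GOOD, the trusted directories and the sample rows are assumptions made for the example.

```python
"""Flag processes whose image name imitates a legitimate Windows/Java binary,
or whose image runs from a user-writable location. Constructed example."""
import difflib

# Assumed reference list: the legitimate names the thread's lookalikes copy.
KNOWN_GOOD = {"rundll32.exe", "jusched.exe", "svchost.exe", "explorer.exe"}
# Assumed trusted locations for those binaries (compared with forward slashes).
TRUSTED_DIRS = ("c:/windows/system32/", "c:/program files/", "c:/program files (x86)/")
# Characters routinely swapped to survive a quick glance at Task Manager.
CONFUSABLES = str.maketrans({"l": "1", "i": "1", "|": "1", "o": "0"})

def normalise(name):
    """Lower-case the name and collapse visually confusable characters."""
    return name.lower().translate(CONFUSABLES)

def lookalike_of(image):
    """Return the legitimate name that `image` imitates, or None if clean."""
    image = image.lower()
    if image in KNOWN_GOOD:
        return None
    for good in sorted(KNOWN_GOOD):
        # Identical once confusables collapse (rundil32 -> rund1132 == rundll32),
        # or one character dropped/changed (jushed vs jusched, ratio ~0.95).
        if normalise(image) == normalise(good):
            return good
        if difflib.SequenceMatcher(None, image, good).ratio() >= 0.9:
            return good
    return None

def suspicious(image, path):
    """Return a finding string for one process row, or None if nothing stands out."""
    target = lookalike_of(image)
    findings = []
    if target:
        findings.append(f"name imitates {target}")
    # Only system-named images (real or imitated) are expected in trusted dirs.
    expected_system = image.lower() in KNOWN_GOOD or target is not None
    if expected_system and not path.lower().replace("\\", "/").startswith(TRUSTED_DIRS):
        findings.append("runs outside a trusted program directory")
    return "; ".join(findings) or None

# Constructed sample listing in the shape of (image name, full path); not real data.
SAMPLE_PROCESSES = [
    ("rundll32.exe", r"C:\Windows\System32\rundll32.exe"),
    ("jusched.exe", r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"),
    ("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe"),
    ("rundil32.exe", r"C:\Users\alice\AppData\Roaming\Microsoft\rundil32.exe"),
    ("jushed.exe", r"C:\Users\alice\AppData\Roaming\Microsoft\jushed.exe"),
]

def scan(rows):
    """Return {image: finding} for every row that looks suspicious."""
    out = {}
    for image, path in rows:
        finding = suspicious(image, path)
        if finding:
            out[image] = finding
    return out
```

The path check deliberately ignores ordinary user-profile installs such as Chrome so the result is only the two lookalikes.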
spaceelf Posted April 7, 2013

> (although some may consider that malware, lol)

How could anyone not? :D
Hum Posted April 7, 2013

> ... it's been running on my system close to a week without me noticing ...

Did you try using System Restore ... ?

> System Restore is a recovery feature in Windows 8 that allows you to restore your computer to a previous state. This is useful if your computer starts to function poorly or crashes and you cannot determine what the cause is. To resolve these types of issues, you can use System Restore to restore your computer back to a previous state that was saved before your problems started occurring. This will allow your computer to start operating correctly again.

http://www.bleepingcomputer.com/tutorials/windows-8-system-restore-guide/
cork1958 Posted April 7, 2013

> Wow, those file names look pretty close to legit ones, lol. Sneaky ****ers. I thought that was the Java Update Scheduler at first too. (although some may consider that malware, lol)

After reading just the topic, that was instantly what I thought also. Was going to ask if those were typos!

Could also try Malwarebytes' new anti-rootkit tool: http://www.malwareby.../products/mbar/

I second that recommendation for Panda AV and also would suggest SuperAntiSpyware: http://www.superanti...ANTISPYWAREFREE or http://superantispyware.com/

The first link is directly to the download page. The second link is their home page. Make sure to get the free version and then disable the SAS process in Administrative Tools.
ShadowMajestic (Author) Posted April 12, 2013

> http://www.auditmypc.com/jushed.asp
> http://www.cloudantivirus.com/en/threat-information/antivirus/Gaobot.EE/44605/
> I'm sure I could find the other too. You might try some of the other antiviruses to take care of it (Bitdefender and Panda rank very highly on detection, as well as some others.)

Thanks, I could find little info googling it. But I'm on Windows 8, so I guess it isn't limited to older OSes. UAC enabled, Windows Defender enabled (no excludes). Malwarebytes found one of the 2, jushed.exe; it failed to recognize rundil32.exe though.
ShadowMajestic (Author) Posted April 12, 2013

> Did you try using System Restore ... ?
> System Restore is a recovery feature in Windows 8 that allows you to restore your computer to a previous state. This is useful if your computer starts to function poorly or crashes and you cannot determine what the cause is. To resolve these types of issues, you can use System Restore to restore your computer back to a previous state that was saved before your problems started occurring. This will allow your computer to start operating correctly again.
> http://www.bleepingcomputer.com/tutorials/windows-8-system-restore-guide/

Thanks for the suggestion. But the virus is inactive now. One exe still remains, hidden and closed down in my %APPDATA%/Microsoft folder. But it cannot do any harm at this point. I've kept a close eye on my system, checking everything regularly. I do not touch the file; I need to make a USB boot/live disk and remove it, but as it's inactive, I still haven't gotten to it yet. The file has no rights; nothing has access to it. All registry entries removed (just a few auto start-up ones), it got into Task Scheduler too, gone there. And it hasn't returned as of this moment.

Plus I installed Windows 8 from Windows 7 by mounting the ISO :) My DVD drive is IDE and my motherboard has no IDE slot :p So I'd rather not kill/flash Windows 8. (I do still have Windows 7 on my 2nd drive though, which I could add back to the boot menu and boot into if required).

> After reading just the topic, that was instantly what I thought also. Was going to ask if those were typos! Could also try Malwarebytes new anti rootkit tool http://www.malwareby.../products/mbar/ I second that recommendation for Panda AV and also would suggest SuperAntiSpyware, http://www.superanti...ANTISPYWAREFREE or http://superantispyware.com/ The first link is directly to the download page. The second link is their home page. Make sure to get the free version and then disable the SAS process in administrative tools.

I've tried Malwarebytes; it found jushed.exe, but not rundil32.exe. I'll make some time tomorrow or Saturday and either boot into safe mode or set up a Debian live CD on my USB stick and get the exe's. (Malwarebytes still requires a reboot for cleanup, hehe). I want to upload them to the online virus checker; I am wondering which one detects them. Since it got through Windows 8's security without anything stopping it, while according to the link posted above... it seems to have been designed for OSes released over a decade ago.

I am certain this has been a drive-by download. It is only in the last 2 weeks it has entered my system. And besides a PDF, the recent TV shows and basically pictures of cats, nothing has been downloaded to my system. I use IE10, Pale Moon and Iron all mixed up. Generally I use IE10, but at this moment I also have Pale Moon and Iron for a few websites (they still seem to spew out IE6-8 specific code). So I can't say which one it has been. My personal guess would be Iron (I use Iron a lot for porn, hehe).

PS: I see a 2nd post made isn't automatically merged for some reason :p
spaceelf Posted April 12, 2013

> But I'm on Windows 8, I guess it isn't limited to older OS'.

No, but it could be ineffective in Windows 8. Just because it runs doesn't mean it does what it was trying to do. But I'm not an expert on any particular virus, so take that as you wish.
Raze Posted April 12, 2013

Some info about the rundil32.exe (if you haven't found any): http://www.bleepingcomputer.com/startups/rundIl32.exe-12980.html