Sunday, 17 July 2011

Remove Jucheck.exe Trojan (Uninstall Guide)

Jucheck.exe is the Java update verification process which notifies users about new updates available for the Java software installed on your computer. Unfortunately, it's not uncommon for malicious software authors to use well known and legit file names to confuse users and in some cases to avoid detection. We previously wrote about a Trojan horse masquerading as msiexec.exe. There's also an IRC backdoor Trojan which uses another legitimate file name jusched.exe to trick users into running malicious code on their computers. So, how do you determine whether it's a virus or a legitimate application?

First of all, you should verify that the file is digitally signed and verified by the distributor of software. Jucheck.exe should be digitally signed by Sun Microsystems, Inc., but if the publisher is Unknown then it's probably some kind of malware.

Secondly, you should verify the file location. Legitimate Java software updater runs from C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe. This part \jre1.6.0_01\ may vary depending on the version of the Java software installed on your computer. Malicious software usually runs from Windows temporary folder (%Temp%) or Windows system folder (%Windir%). If the jucheck.exe runs from C:\Users\AppData\Local\Temp\jucheck.exe folder or from C:\Windows\jucheck.exe then you shouldn't allow it to run.

Finally, you can upload the suspicious file to VirusTotal, Jotti or VirScan to determine whether it's malicious or not. If the file is infected, you should get similar results:

If you got the User Account Control (UAC) message about jucheck.exe from Unknown publisher asking you to make changes to your computer, please click No and scan your computer with legitimate anti-malware software.

Download recommended anti-malware software and run a full system scan to remove this Trojan from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you need help removing the jucheck.exe malware, please a comment below. Good luck and be safe online!

No comments:

Post a Comment