Trojan that's outsmarted avast and AVG



Coidzor
2010-04-24, 04:09 PM
There's a jucheck.exe from an unknown publisher in the system32 folder on my g/f's PC. It keeps getting caught by Windows asking for permission to change the hard drive. The option to deny it from doing so is being taken, but still, annoying and bad. Avast and AVG aren't picking up on it, and they're as recent as last night for AVG and... two weeks ago for Avast. So I'm guessing it's not a virus but some kind of spyware.

I haven't used Windows myself for 2 and a half editions. I left XP in its early, still-having-people-complaining-about-it days after my high school desktop crashed and fried the motherboard. So I've been on a Mac since then, so I'm *ahem* a bit rusty.

A simple Google search has led to idiots going on about how it's the Java update utility yet forgetting that it's not appearing in the appropriate location and doesn't have the appropriate credentials to be part of Java, so there's been no actual information on what to do to get rid of it other than disabling internet, manually finding it in system32, disabling the process, and deleting the entry in the dllcache before it can start up the process again.

However, since this is the only piece of information that even seems like it could be put to use in the sea of nonsense I found it in, I figured I should run it by some other eyes.

And a better forum to run this sort of stuff by would be nice if any of you have one to recommend.
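The two things the post above wants to establish, where the file actually lives and whether it carries Java's publisher signature, can be checked without guessing. The following is an added example, not code from this thread or from any of the tools mentioned in it. It assumes the genuine updater lives under "Common Files\Java\Java Update" and is Authenticode-signed by Sun Microsystems or Oracle, and that no legitimate copy belongs under the Windows directory; it is read-only and written in PowerShell 2.0 syntax so it runs on a Windows 7 box of the period from an elevated prompt.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell prompt on
# Windows 7 (PowerShell 2.0 syntax). Read-only: it locates and inspects, it deletes nothing.
# Assumptions: the genuine updater lives under "Common Files\Java\Java Update" and is
# Authenticode-signed by Sun Microsystems / Oracle; a copy under the Windows directory is not expected.

$name = 'jucheck.exe'

# 1. Any running instance and the path it was launched from (what Task Manager's
#    "Properties" shows; paths of other users' processes are only visible when elevated).
$running = Get-Process -Name 'jucheck' -ErrorAction SilentlyContinue | Select-Object Id, Path
if ($running) { "Running:"; $running | Format-Table -AutoSize }

# 2. Every copy on disk. Recursing System32 also covers a dllcache subfolder if one exists.
$roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
           $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$copies = $roots | ForEach-Object {
    Get-ChildItem -Path $_ -Filter $name -Recurse -Force -ErrorAction SilentlyContinue
}

# 3. Signature and hash for each copy. Status 'Valid' plus a Sun/Oracle signer is what the
#    real updater shows; NotSigned / HashMismatch, a different signer, or any copy under
#    %SystemRoot% is marked Suspect.
$sha1 = [Security.Cryptography.SHA1]::Create()
$copies | ForEach-Object {
    $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
    $hash   = ([BitConverter]::ToString($sha1.ComputeHash([IO.File]::ReadAllBytes($_.FullName)))) -replace '-'
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    New-Object PSObject -Property @{
        Path      = $_.FullName
        Size      = $_.Length
        Modified  = $_.LastWriteTime
        SigStatus = $sig.Status
        Signer    = $signer
        SHA1      = $hash
        Suspect   = ($sig.Status -ne 'Valid') -or
                    ($signer -notmatch 'Sun Microsystems|Oracle') -or
                    ($_.FullName -like "$env:SystemRoot\*")
    }
} | Format-List Path, Size, Modified, SigStatus, Signer, SHA1, Suspect
```

A copy that reports Valid with a Sun/Oracle subject under Common Files\Java is the real updater and can be left alone (or the Java auto-update simply disabled). A copy under System32 that is NotSigned is the thing the post describes; the SHA1 it prints can be submitted to a multi-engine file scanning service to see what other vendors call it before removing it.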

Player_Zero
2010-04-24, 04:16 PM
Try Spybot: Search and Destroy.

End any suspicious processes, googling the name of said processes afterwards. Chances are you'll find one of them on a malware database. One of those ones that tells you what the malware does and how to remove it.

Jack Squat
2010-04-24, 06:18 PM
On a quick google, I saw that jucheck has an extremely high chance of being dangerous (94%) if in the System32 folder. Disable Java updates and remove it (I'm assuming you saw the eHow article by your post) and see how that works.

Yarram
2010-04-24, 08:21 PM
Reinstall your operating system, except instead of reinstalling your operating system, put Linux on it instead.

Solved. :smallsmile:

Syka
2010-04-24, 08:28 PM
I once had a virus that McAfee AND Spybot could find. But as soon as it would get caught, it would cause my computer to shut down. Quite annoying, but easily solved by cutting it off, aka safe mode (I was then able to remove it). If it can't be removed in safe mode or with any spyware finder you can get (I use Malwarebytes now), then the best bet is to just restore the computer back to factory settings.


Good luck. These things suck.

Brewdude
2010-04-24, 09:00 PM
The best free anti-virus stuffs for hijacking:

Dr Web's CureIt. Try this first. The site downloads a randomly named antivirus program that you should run while in safe mode.

RKill is good to get control back of your system.
MBAM is usually good for most stuff.
SuperAntiSpyware.
ZoneAlarm to get control of your network presence.
HijackThis is good to find out what's questionable in your registry, but go to www.bleepingcomputer.com or other sites like it (found on the HijackThis site) for assistance in using their tools, which include the way overpowerful ComboFix, which, while it will most likely find the problem, will also kill all your restores, so use it as a last resort, preferably only AFTER posting on the assistance site.

13_CBS
2010-04-24, 09:12 PM
Coidzor: what windows edition is your girlfriend's PC? If it's Vista or Windows 7, I may have a solution:

Download Killbox.exe at http://killbox.net/, install it, and open it up.

The next time the virus activates, open up Task Manager. If the virus appears on the Applications tab, right click on it and click on "go to process". You'll be switched over to the "Processes" tab with the virus process highlighted.

Right click on the virus process and click on "Properties". The properties menu will show you EXACTLY where the virus is. Copy the virus' file location (C:\Wherever the file is) and paste it into the address box in Killbox (the big white box right under "Full Path of File to Delete"). Then, at the end of the file location, type in the name of the virus ("jucheck.exe").

Click on the big red button to the far right of the address box ("Delete File").


This seemed to have worked quite well for me in deleting rogue antivirus programs, at least.

Coidzor
2010-04-25, 12:25 AM
It's windows 7, because she bought it... IS a Dell... this spring break... so... uh... 3-4 weeks ago.

She won't let me just reformat the bugger due to not wanting to reinstall WoW.

As it is, it's either snuck off, or deleting it after shutting off the process worked.

Two reboots since and it hasn't popped up again. But I'm going to double check the ehow stuff...

Now we've just got to deal with Spybot thinking we're not running it on the admin profile when there's only the one profile and it's the admin profile. :smallfurious:

Well, that and she somehow got a toolbar popup, even in PROTECTED MODE of IE...

Of some shopperreports website. Don't go there, as I believe they'll take that as approving their ToS and trying to hijack your browser.

MCerberus
2010-04-25, 01:23 AM
Just checking on something in this situation, have you run msconfig to find its registry entry and then remove it? Some viruses are programmed to weasel out of standard methods of deletion. This is the method used by most AVs to "quarantine", and some viruses mask themselves against these programs or hijack them.

At the very least it'll be a registry error you're fixing.

Coidzor
2010-04-25, 02:08 AM
I knew there was something I forgot to do.

Actually, I've never run msconfig or messed with registries before. How would one go about it?

bluewind95
2010-04-25, 09:33 AM
Now we've just got to deal with Spybot thinking we're not running it on the admin profile when there's only the one profile and it's the admin profile. :smallfurious:



Actually, you're supposed to run it in admin mode, not just in the admin profile. Right-click on the program icon, click on "Run as Administrator". That should do the trick.

MCerberus
2010-04-25, 10:12 AM
I knew there was something I forgot to do.

Actually, I've never run msconfig or messed with registries before. How would one go about it?

In the bottom left corner of the start menu there's a search bar/kind of cmd. Just type in msconfig and regedit respectively. Most trojans show up, of course, as a startup application, but check the non-microsoft services as well.
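The msconfig Startup and Services tabs are a view over a handful of registry keys, the Startup folders and the service list, so the same check can be scripted and the output kept. The following is an added example, not code from this thread or from msconfig itself. It assumes the standard Run/RunOnce key paths and Startup folder locations listed in it, runs read-only from an elevated PowerShell 2.0 prompt on Windows 7, and flags any autostart entry whose executable is missing, unsigned, or not signed by Microsoft (the equivalent of ticking "Hide all Microsoft services"). The flag is a prompt to look at the entry, not a verdict.

```powershell
# Added example, not code from the thread. Read-only dump of the autostart locations that
# msconfig's Startup and Services tabs are built from, plus the per-user and all-users
# Startup folders. Run elevated on Windows 7 (PowerShell 2.0 syntax). Nothing is removed.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Pull the executable out of a command line: "C:\dir with spaces\x.exe" /arg, C:\x.exe /arg,
# a bare rundll32.exe ... (resolved against System32), or a Startup-folder .lnk shortcut.
function Get-ExePath([string]$cmd) {
    if (-not $cmd) { return $null }
    if ($cmd -like '*.lnk') {
        $cmd = (New-Object -ComObject WScript.Shell).CreateShortcut($cmd).TargetPath
    }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    $exe = $null
    if ($cmd -match '^\s*"([^"]+)"')        { $exe = $matches[1] }
    elseif ($cmd -match '^\s*(.+?\.exe)\b')  { $exe = $matches[1] }
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path "$env:SystemRoot\System32" $exe
    }
    return $exe
}

function Describe-Entry([string]$source, [string]$name, [string]$cmd) {
    $exe = Get-ExePath $cmd
    $status = 'Missing'; $signer = '<none>'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    New-Object PSObject -Property @{
        Source = $source; Name = $name; Command = $cmd; Exe = $exe
        SigStatus = $status; Signer = $signer
        Flag = ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    }
}

$entries = @()

# Run / RunOnce values: what the msconfig Startup tab lists
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                $entries += Describe-Entry $key $p.Name $p.Value
            }
        }
    }
}

# Startup folders: .lnk shortcuts or executables dropped directly
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $entries += Describe-Entry 'StartupFolder' $_.Name $_.FullName
        }
    }
}

# Services: the msconfig Services tab. Flag mimics "Hide all Microsoft services".
Get-WmiObject -Class Win32_Service | ForEach-Object {
    $entries += Describe-Entry 'Service' $_.Name $_.PathName
}

$entries | Where-Object { $_.Flag } | Sort-Object Source, Name |
    Format-Table Source, Name, SigStatus, Signer, Exe -AutoSize -Wrap
```

One caveat before acting on the output: many Windows 7 system binaries are catalog-signed rather than carrying an embedded signature, and PowerShell 2.0's Get-AuthenticodeSignature does not consult catalogs, so svchost.exe and friends can show NotSigned here. Confirm those with Sysinternals sigcheck, which does check catalogs, before treating them as suspicious. A Run value that points at a missing file or an unsigned binary in a user-writable directory is the kind of entry worth chasing; once confirmed, remove it with Remove-ItemProperty on the key and value name the table prints rather than editing the key by hand. Sysinternals Autoruns covers far more locations than this script (Winlogon, drivers, scheduled tasks, browser helper objects such as the toolbar mentioned earlier in the thread) and is the tool to reach for if this comes up empty.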

Thajocoth
2010-04-25, 12:18 PM
...So I'm guessing it's not a virus but some kind of spyware...

Spyware is a type of virus. If it is this type of virus, Spybot should catch it.

fknm
2010-04-25, 12:33 PM
Spyware is a type of virus.
Incorrect. A virus is a program that spreads itself across multiple computers. A piece of spyware is a program that watches what a computer is doing.

Thajocoth
2010-04-25, 05:43 PM
Incorrect. A virus is a program that spreads itself across multiple computers. A piece of spyware is a program that watches what a computer is doing.

Spyware does both. It gets into the computer the same ways as any other virus, is never wanted, and can be just as malicious. It merely has an additional qualifier: It watches.

So somehow slowing down someone's computer with something they don't know about is perfectly alright, as long as you use that time for looking at what's going on and possibly sending the information somewhere... I really don't see how so many people (mostly the antivirus app devs) apparently consider that to be true.

fknm
2010-04-25, 11:33 PM
No, spyware doesn't necessarily use the same vectors that a virus does. Frequently, it's installed with the user's permission because they didn't fully read an EULA, or it's just dropped from a drive-by download from a site (which is not how a virus functions).

Oh, and I never said that spyware was "fine"; I said it wasn't a virus. Not every type of bad program is a virus. Hence why the term "malware" was created, as a handy catch-all term for every type of unwanted software.

http://en.wikipedia.org/wiki/Computer_virus