Your computer is infected with malicious software? Do you have popups on your PC?
If so, search this blog for removal instructions or find computer threats by category.

Sunday, July 17, 2011

Remove Jucheck.exe Trojan (Uninstall Guide)

Tell your friends:
Jucheck.exe is the Java update verification process which notifies users about new updates available for the Java software installed on your computer. Unfortunately, it's not uncommon for malicious software authors to use well known and legit file names to confuse users and in some cases to avoid detection. We previously wrote about a Trojan horse masquerading as msiexec.exe. There's also an IRC backdoor Trojan which uses another legitimate file name jusched.exe to trick users into running malicious code on their computers. So, how do you determine whether it's a virus or a legitimate application?

First of all, you should verify that the file is digitally signed and verified by the distributor of software. Jucheck.exe should be digitally signed by Sun Microsystems, Inc., but if the publisher is Unknown then it's probably some kind of malware.

Secondly, you should verify the file location. Legitimate Java software updater runs from C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe. This part \jre1.6.0_01\ may vary depending on the version of the Java software installed on your computer. Malicious software usually runs from Windows temporary folder (%Temp%) or Windows system folder (%Windir%). If the jucheck.exe runs from C:\Users\AppData\Local\Temp\jucheck.exe folder or from C:\Windows\jucheck.exe then you shouldn't allow it to run.

Finally, you can upload the suspicious file to VirusTotal, Jotti or VirScan to determine whether it's malicious or not. If the file is infected, you should get similar results:

If you got the User Account Control (UAC) message about jucheck.exe from Unknown publisher asking you to make changes to your computer, please click No and scan your computer with legitimate anti-malware software.

Download recommended anti-malware software and run a full system scan to remove this Trojan from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

If you need help removing the jucheck.exe malware, please a comment below. Good luck and be safe online!


Anonymous said...

So I had this on my computer, and I accidently clicked yes to the UAC. I removed the program from appdata/temp, I ran a couple of virus scans including MalwareBytes and avast. How do I know if I actually removed and or undid any damage?

When I clicked yes, it ran for a sec and then stopped, I am assuming that it installed some malware... But I don't know what malware.

Anonymous said...

Trying to use the VirusTotal and VirScan pages above, I cannot find my jucheck.exe file to upload to it. However, when I browse my System32 folder normally, it appears.

I have not yet accepted jucheck.exe into my computer, and it continues to ask to be approved. I wish this threat to be removed, but not quite sure how.

Neither of the Malware scans above are detecting this file. Neither are my normal anti-virus programs. What does this mean?

Anonymous said...

i was having this problem and it was a relatively easy fix. after turning on the hidden folders, i opened malwarebytes and under the more tools tab there was fileASSASSIN. i used this and went to (C:\users\username\AppData\Local\Temp)
and selected the juscheck.exe and clicked open, which opens the file in fileASSASSIN and completely removes it from your computer. i havent had the popup ever since.

Anonymous said...

malwarebyte's fileASSASSIN worked great for me. thanks so much for the recommendation.

if you can't find the appdata folder, manually type in C:\Users\username\AppData\

then click local, then temp, then jucheck.

(make sure you are doing this in malwarebyte's fileASSASSIN and not just exploring the folder in windows)

Anonymous said...

I can not find a folder called appdata. Could it be somewhere else?

Anonymous said...

The prompt to allow this keeps coming up no matter how many times I say not to allow it to run. How do I get rid of it???

Cat said...

I went through the process mentioned above and used the FileASSASSIN, and removed it from my comp. I did have to do the manual searching but I did find it and got rid of it. The problem is this was a week ago, and for some reason it's back again. When I click don't allow it just pops rite back up again, and this time I went through the process again, but i can't find it at all this time. Anyone else know what I have to do to make it stop?

Anonymous said...

Switch to linux or get a Mac!!

TPfeifle said...

To anyone who is seeing the UAC popup, but your anti-malware software is not detecting malware: Did you read the UAC popup to verify that the publisher was unknown? The "article" specifically states that if it's signed by Sun Microsystems, you're safe. Seems to me that if you're trying more than one scan and coming up with nothing, that there is nothing.

To the anonymous troll that said to switch to Linux or get a Mac: NO computer is impervious to viruses and other malware. The only reason you don't hear of Linux or Mac systems being hit is because hackers think about market-share... the vast majority of computers are Windows-based... so... write your malware to attack Windows computers. Duh.

Linux and Mac computers can be attacked by malware, as well... it's just less common. Why else would anti-malware software exist for both types of operating systems.

Get an education and stop believing hype.

bgarlock said...

Hi, as soon as a wacko troll on FB (known to be a programmer) started tormenting me, I got several email attempts to dump a virus, which I deleted. I blocked this nutcake & soon after got a notice to update Java with jucheck.exe. It "looked" OK, but the Sun Microsystems certificate expired almost a year ago -- surely Sun keeps up their digital certificates? Anyway, this is the path -- do you think it's OK?:

C:\Program Files\Common Files\Java\Java Update\jucheck.exe - auto"

My McAfee antivrus scan didn't detect a problem but I will keep hitting "no" on the invitation to update 'til I hear from you.

...BTW, I haven't been able to *find* the file despite many searches, & thus don't know how to delete it or upload it to the Spyware program you mentioned.

Thank you for being there for the rest of us!

bgarlock said...

ps - I finally found it on my computer! fyi, this file was "last modified" almost a year ago - does that seem reasonable for a current Java update?

And its 496 kb - is that a typical size for a valid jucheck.exe?

Thanks again!

Richard Thomson said...

I recently got hit by some malware similar to this one. Instead of jucheck.exe, it was named java.exe and no matter how many times I said "No", it just popped up the dialog again. When this dialog pops up, your entire desktop is frozen so you can't go to Task Manager or anything else. Your only choice is to click the "Change when these notifications appear" to get your desktop back, then run msconfig and disable the malware startup option and reboot. I had to scrub the entries in the registry for startup, the "Startup" folder under the menu structure for my account and the registry entry that says "launch this program whenever you launch cmd.exe" Tenacious little bugger! Scrubbing all of those out of my machine, I then went to delete the file. They had diddled the permissions such that I couldn't just delete it; first I had to give my user account full control in order to delete the file. I finally got it all removed, but I can see how any less technically inclined user (I'm a software developer) would just give in and click "Yes"