Found a trojan downloader on my system

Discussion in 'malware problems & news' started by danebe, Feb 8, 2008.

Thread Status:
Not open for further replies.
  1. danebe

    danebe Registered Member

    Joined:
    Feb 8, 2008
    Posts:
    3
    Hi,

    My PC has been running kind of slow for the last couple of days, and when I opened NOD32 Control Center today I got this message:

    probably a variant of Win32/Genetik trojan found in operating memory. System memory infection originated from file C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe.


    Here's an example of threats found and that I deleted:

    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe - probably a variant of Win32/Genetik trojan

    It mentioned that these files could be deleted, which I did.
    I hope this is what I had to do and that I did not damage my pc even more.

    Can someone help me with this please? What to do with the trojan downloader that I can't delete while running the scan?

    Thanks,
    Sylvie
     
    Last edited: Feb 8, 2008
  2. ASpace

    ASpace Guest

    @ Sylvie


    Hello! You'd better have posted in ESET's section.

    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

    While it is possible for the above to be fake ones, in my opinion this is a false positive detection. Make sure your ESET software is up-to-date and perform a full scan.

    Running slow doesn't always mean you are infected.
     
  3. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126
    run SAS it'll find it...
     
  4. danebe

    danebe Registered Member

    Joined:
    Feb 8, 2008
    Posts:
    3
    I ran Spybot.

    Then I ran NOD32 again and it is no longer there.

    I deleted all the files that NOD32 indicated I could delete the first time I did the scan.

    I'll bring my pc to a friend who is way more knowledgeable than I and he will see if it has been deleted or not.

    Thanks for your help,
    Sylvie
     
    Last edited: Feb 9, 2008
  5. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Another person who got that trojan used Combofix and SAS to remove the infection. Also they updated their Java program since trojans tend to attack outdated Java versions. You can go to any tech support forum to ask for help in reading your system log reports to be sure that the system is clean.
     
  6. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    In my humble opinion this is likely to have been a false detection. These aren't unusual with most security programs from time to time. Any time the detection has the words "generic" or "heuristic" included is a bit of a clue; it means that the scanner thinks the program exhibits behaviour similar to the flagged item. That means it's quite possibly malware, or malware-like, but not necessarily.
    In this case, jusched is the auto updater for Java (which I've found does nothing, really, except slightly slow the system startup, since it puts itself in the start list.)
    So you are better off checking your Java updates manually.
    I think the current version is 1.6.040.
    If you just "google" "verify java" and click on the first sun java entry that matches the search term, you'll be taken to the sun java page that can check this for you.
     
  7. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    It is a special-purpose utility for removing some malware samples and it can repair registry issues too. But if it hasn't got some sample in the database, it doesn't remove it. It generates a logfile. It includes information which is important for others using this utility (only advanced users can use it ;) ).


    danebe: Maybe there can be an infector.
     
  8. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    always use Dr.Web's CureIt, to cure your computer ;)
     
  9. danebe

    danebe Registered Member

    Joined:
    Feb 8, 2008
    Posts:
    3
    Thanks everyone for your replies.

    My friend told me that NOD32 had been corrupted so we removed it and installed AVG and ran a full scan as well as Ad-Aware and both came back normal with no threats found. They had NOD32 installed on every PC at his work place and he downloaded it from there on my PC last year...my version was up-to-date.

    I wonder if I should keep AVG or install Norton Internet Security 2008 that I just bought.

    My PC works just fine now.

    I did check Java and it is up-to-date.

    What do you mean when you talk about a false positive detection?

    I am not computer literate and I forgot to ask my friend about that.

    Sylvie
     
  10. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    False positive means a false detection (when an AV detects a legitimate file, e.g. a system file, as malware).
     
  11. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Also check that there are no old Java versions left behind. If the old version is still present (and the old version isn't removed by installing the new) any vulnerability the old version has can still be there.

    If the computer runs well with AVG, and you like it, that's good. If it also runs well with Norton, and you've paid for it, it seems a shame to waste the purchase price. Up to you.
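A defender-side way to settle the two points raised in Tarq57's posts above (is a "generic"/heuristic hit on jusched.exe or isuspm.exe a false positive, and are old JREs still installed): check whether the flagged files carry a valid publisher signature and list every JRE the registry knows about. This is an added PowerShell example, not code from the thread; the file paths are the ones quoted in the thread, and the registry layout under HKLM:\SOFTWARE\JavaSoft is assumed to be the standard one.

```powershell
# Added example (not from the thread). Paths are the two files NOD32 flagged.
$flagged = @(
    'C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe',
    'C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe'
)

foreach ($path in $flagged) {
    if (-not (Test-Path $path)) {
        Write-Output "$path : not present (already deleted or never installed)"
        continue
    }
    # A valid Authenticode signature from the expected publisher (Sun for the Java
    # updater, the InstallShield vendor for isuspm.exe) points to a false positive;
    # an unsigned or tampered binary at that path deserves a closer look.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Output ("{0}`n  signature: {1}`n  signer:    {2}`n  sha256:    {3}" -f
        $path, $sig.Status, $sig.SignerCertificate.Subject, $hash)
}

# Leftover JRE installs keep their old vulnerabilities. Each installed version
# registers a subkey here (assumed standard JavaSoft layout); anything that is
# not CurrentVersion is a candidate for removal.
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jreKey) {
    $current = (Get-ItemProperty -Path $jreKey).CurrentVersion
    Get-ChildItem -Path $jreKey | ForEach-Object {
        $ver  = Split-Path -Path $_.Name -Leaf
        $home = (Get-ItemProperty -Path $_.PSPath).JavaHome
        $mark = if ($ver -eq $current) { 'current' } else { 'old - consider removing' }
        Write-Output ("JRE {0,-10} {1}  [{2}]" -f $ver, $home, $mark)
    }
} else {
    Write-Output 'No JRE registry key found'
}
```

Run it from an elevated PowerShell session; a signature status of Valid with the expected signer, plus a current-version JRE, is the evidence the thread was looking for before deleting anything.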
     