Jutched.exe/worm/Trojan
Symantec: W32.Yimfoca.B
Don't mistake it for Jusched.exe. That one is a process launched for the updating Java on your machine. Jutched.exe is a worm and a very dangerous one. It was able to run on almost all the platforms of Windows except the new Windows 7 due to the several changes brought in Seven's file system allocation. Like all the other worms, this one also creates multiple copies of itself in the target system. Apart from this, the worm also modifies several registry entries that allow it to launch during every startup. It was also seen injecting itself into several windows processes. It attempts to open up a port and connect to a specific address from which it downloads malware to the temporary folder. This malware is being executed thus causing further more damage to the target system. It adds itself to the list of applications authorized by the Windows Firewall so that it does not get blocked while connecting to the ports. Whenever the user signs into a Messenger, it automatically sends a link of itself to all the contacts present in the address book of the user. This way, it spreads itself through all the messengers including GTalk, Yahoo, Skype, MSN and ICQ. Not only that, it adds a directory along with a copy of itself into any removable disk detected by it. An autorun.inf is added along with these so that the worm gets launched once the disk is opened in another computer. Since the worm also comprises the qualities of a Trojan, it can be very dangerous to the computer and hence must be removed as early as possible. Follow the instructions below to remove this worm.
Manual instructions to remove jutched.exe:
Posts that might help you here:
Enabling Safe Mode booting, Enabling the Registry , Enable Hidden files and folders option and Enabling the Command Prompt.
Don't mistake it for Jusched.exe. That one is a process launched for the updating Java on your machine. Jutched.exe is a worm and a very dangerous one. It was able to run on almost all the platforms of Windows except the new Windows 7 due to the several changes brought in Seven's file system allocation. Like all the other worms, this one also creates multiple copies of itself in the target system. Apart from this, the worm also modifies several registry entries that allow it to launch during every startup. It was also seen injecting itself into several windows processes. It attempts to open up a port and connect to a specific address from which it downloads malware to the temporary folder. This malware is being executed thus causing further more damage to the target system. It adds itself to the list of applications authorized by the Windows Firewall so that it does not get blocked while connecting to the ports. Whenever the user signs into a Messenger, it automatically sends a link of itself to all the contacts present in the address book of the user. This way, it spreads itself through all the messengers including GTalk, Yahoo, Skype, MSN and ICQ. Not only that, it adds a directory along with a copy of itself into any removable disk detected by it. An autorun.inf is added along with these so that the worm gets launched once the disk is opened in another computer. Since the worm also comprises the qualities of a Trojan, it can be very dangerous to the computer and hence must be removed as early as possible. Follow the instructions below to remove this worm.
Manual instructions to remove jutched.exe:
- Before you begin, restart your system in the Safe Mode. Click here if you're having trouble booting in the Safe Mode.
- The copies created by the worm are mostly hidden. So you'll need Command Prompt to delete them. Go to Start --> Run and type
cmdfor the Command Prompt to open. The default location would beC:\Documents and Settings\Usernamein XP. Use the commandcd "Application Data"to change the directory. Now when you typedir /w/ain the Command Line, you'll find a directory that looks similar toHEX-5823-6893-6818. Go to this directory using the cd command and typedel jutched.exeto delete the exe file of the worm. Vista users type thecdcommand to go toC:\Users\Public\HEX-5823-6893-6818\folder and delete the worm using the same commands. Also type%temp%in your Run to open the temporary folder and delete all the files including the hidden ones. By doing so, you're also deleting the files that might have been downloaded by the worm. - Now that the exe of the virus has been deleted, its time to undo the changes done to the registry. Type
regeditin the Run box. This would open the Registry Editor. Navigate to the following locations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Delete the entry
"Java Update Manager" = "C:\Documents and Settings\Administrator\Application Data\HEX-5823-6893-6818\jutched.exe"
Also go to
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Delete the value
"C:\Documents and Settings\Administrator\Application Data\HEX-5823-6893-6818\jutched.exe" = "C:\Documents and Settings\Administrator\Application Data\HEX-5823-6893-6818\jutched.exe:*:Enabled:Java Update Manager" - The worm injects itself into several windows processes. Due to this, we'll have to search for all the entries in the registry. To do so, press
Ctrl + F
when the registry is active. In the find box, typejutched.exefollowed by return. Whenever an entry consisting of this word appears, open the entry and remove the pathC:\Documents and Settings\Administrator\Application Data\HEX-5823-6893-6818\jutched.exefrom it. This would prevent the launching of the worm along with the processes. - Check if any removable disks are inserted and delete any suspicious files using instructions specified here. You may also use an anti-virus to scan the disk or format the disk directly if you don't have any useful information on it.
- Congratulations! You've successfully deleted the worm.
Posts that might help you here:
Enabling Safe Mode booting, Enabling the Registry , Enable Hidden files and folders option and Enabling the Command Prompt.