"Trojan Detected, Abort Connection?"

[kitsune_baka]

I was browsing Google, I navigated to this website.
w-w-w.mcurtin.com/archives/2006/04/

Suddenly Avast pops up with a message about having detected a Trojan.
It gives me the option of "Abort Connection" which I take, my computer
is instantly shut down and restarted, which freaked me the hell out.

Things seem to have booted okay, I'm running a full scan right now,
it said it found a Trojan in "Juched.exe" which I attempted to repair,
and something else with an A00075 or some other filename in the
System Restore files. Crap like this is very annoying, usually there
are warnings on sites in Google that say "Warning, this site may
potentially harm your computer" but there was none for the above.

G:\System Volume Information\_restore{0135656E-23D8-43AB-95CE-33F149AE1374}\RP163\A0040385.exe
And it also seems to have infected 1964_099.exe, which is an N64 Emulator....

I don't know what "hijack this is" so I will just write everything out here:
C:Program Files\Java\jre1.6.0_01\bin\jucheck.exe - Infection: Win32 Trojan-gen
C: System Volume Information\....\A0040384.exe - Infection: Win32 Trojan-gen
G: Emulation\1964\1964_099.exe - Infection: Win32 Neptunia-NH [trj]
G System Volume Information\....\A0040385.exe - Infection: Win32 Neptunia-NH [trj]

[FreewheelinFrank]

The page is indeed dangerous:

DANGEROUS: LinkScanner Online has found
[link to known exploit site]
Detail:    Exploit: Link To Known Exploit Site
    

This page contains a link to a known exploit site. This link may or may not be active. It may or may not require you to click it to be infected. Some pages with such links automatically download the malicious code without any action on your part. Because of this we automatically block access to such pages.

Please remove the link! We don't want anyone not protected clicking on it!!

The other infections I think are unrelated to the visit to this page. WebShield probably protected you from any exploits on the page.

Please send this file to VirusTotal for analysis:

C:Program Files\Java\jre1.6.0_01\bin\jucheck.exe

The following seems to be a Nintendo emulator. The download from Sourceforge is clean (but a different version number). There are several download sites offering 1964_099.exe, and several different scanners at VirusTotal report the file as infected. If you are using an emulator, make sure you get the file from a reliable source.

http://sourceforge.net/projects/schibo/

G: Emulation\1964\1964_099.exe

Antivirus    Version    Last Update    Result
AhnLab-V3    -    -    -
AntiVir    -    -    -
Authentium    -    -    W32/Malware!1b63
Avast    -    -    Win32:Neptunia-NH
AVG    -    -    -
BitDefender    -    -    Trojan.Generic.79287
CAT-QuickHeal    -    -    -
ClamAV    -    -    -
DrWeb    -    -    -
eSafe    -    -    Suspicious File
eTrust-Vet    -    -    -
Ewido    -    -    -
F-Prot    -    -    W32/Malware!1b63
F-Secure    -    -    -
Fortinet    -    -    -
GData    -    -    -
Ikarus    -    -    -
Kaspersky    -    -    -
McAfee    -    -    -
Microsoft    -    -    -
NOD32v2    -    -    -
Norman    -    -    -
Panda    -    -    -
Prevx1    -    -    System Back Door
Rising    -    -    -
Sophos    -    -    -
Sunbelt    -    -    -
Symantec    -    -    Backdoor.Trojan
TheHacker    -    -    -
VBA32    -    -    -
VirusBuster    -    -    -
Webwasher-Gateway    -    -    BlockReason.0

[kitsune_baka]

When I did the full system scan, I chose to "repair" jucheck.exe
and it said the repairing was sucessful, should I still send the file
to that thingie anyway? And I spaced the link out, hope thats ok.

I also did a boot time scan after the regular scan and turned
up some corrupted/fragmented Thumbs.db files which I deleted.
(I turned off System Restore before peforming the Boot scan)

Did a Safe Mode scan after that, turned up zero infected files.
Then ran Ad Aware (the defs are out of date and Lavasoft has
stopped providing updates for it) and then ran Search & Destroy.

[FreewheelinFrank]

When I did the full system scan, I chose to "repair" jucheck.exe
and it said the repairing was sucessful, should I still send the file
to that thingie anyway? And I spaced the link out, hope thats ok.

I  wonder whether it was a real infection or a false-positive? Thanks for making the link unclicakble.

You can get the new version of Ad-Aware here:

http://www.lavasoftusa.com/products/ad_aware_free.php

[kitsune_baka]

I don't know, all I know is when I went to that website
I immediately got the pop up in Avast saying that it
encountered a virus and to "Abort Connection" after
clicking abort, my machine restarted which scared
me into thinking this was something that was going
to seriously screw up my computer permanently...

My Adaware version is 1.061r Personal,
my defs are from 2007, and when I go
to update them it says "none available"

I'd read that LavaSoft discontinued support
and made the software a Buy Only product.

[FreewheelinFrank]

I don't know, all I know is when I went to that website
I immediately got the pop up in Avast saying that it
encountered a virus and to "Abort Connection" after
clicking abort, my machine restarted which scared
me into thinking this was something that was going
to seriously screw up my computer permanently...

avast! protected you from any exploit: the subsequent detections were coincidental.

For peace of mind, scan your computer for out-of-date and insecure software and update where necessary. This will protect you from the sort of exploits malicious sites use to infect a computer.

http://secunia.com/software_inspector/

My Adaware version is 1.061r Personal,
my defs are from 2007, and when I go
to update them it says "none available"

I'd read that LavaSoft discontinued support
and made the software a Buy Only product.

That's not true. There is a free version of Ad-Aware 2008.

[kitsune_baka]

Okay, cuz that was the main thing keeping using my old version.
I'll go download the new one and install it then run a scan. ^^

[Lisandro]

Okay, cuz that was the main thing keeping using my old version.
I'll go download the new one and install it then run a scan. ^^

Just to comment, there are better and more reliable antispyware scanners than Adaware nowadays.
avast itself has this protection. You can try SuperAntispyware, SpywareTerminator or Malwarebytes Antimalware.

[DavidR]

<snip>
Things seem to have booted okay, I'm running a full scan right now,
it said it found a Trojan in "Juched.exe" which I attempted to repair,
<snip>
I don't know what "hijack this is" so I will just write everything out here:
C:Program Files\Java\jre1.6.0_01\bin\jucheck.exe - Infection: Win32 Trojan-gen
<snip>

If you use the forum search for jusched.exe you will find a similar issue, an out of date JAVA version where the jusched.exe update process is detected, whilst this might be a false positive, it indicates you have an old version of JAVA installed which could leave your system vulnerable.

Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 6 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html