
Jucheck.exe wild goose chase

While setting up a brand new Dell laptop with Windows 7 pre-installed, the UAC (User Account Control) dialogue box popped up asking whether I wanted to allow windows\system32\jucheck.exe to run. The publisher was shown as none.

A quick google from another machine threw up some very conflicting information:

jucheck.exe is a Java component which checks for updates, but several forums and ‘answers’ sites included posts that said that while a jucheck.exe file in ‘Program Files’ would be valid, any such file with that name in the windows\system32 directory was most certainly a trojan. If this was a trojan, the question remained as to how it could have appeared. The UAC dialogue appeared during the initial start up of Windows; no websites had yet been visited on this brand new machine, no email had yet been set up and the machine was behind a locked down Firebrick firewall. A portscan from shieldsup at grc.com confirmed no ports were open.

Equally, other posts, including this one from Microsoft, say that “Java components are installed and present in both Windows folder as well as Program Files”.

A file search showed four copies of jucheck.exe on the machine all with the same date (about two weeks ago, before the machine was even ordered). There were two in the Java Program files directories, one in the 32 bit directory and the other a 64 bit version, different file sizes, a third in windows\system32 (a copy identical to that in the Java 32 bit program files directory) and another in windows\sysWOW64 corresponding to the 64 bit version in the Java 64 bit program files directory. This mirrored precisely the situation in the above Microsoft post.

Additionally, when the Java update in the system tray asked to update, it ran the copy of jucheck.exe in the windows\system32 folder not the one in Program Files, adding weight to this copy being the legitimate one.

I downloaded and installed the Java update manually, and jucheck.exe stopped being run on startup. If this were a trojan then surely it would still be trying to run.

I decided to uninstall Java completely and found that it uninstalled all four files. This poses the question: if the two in the windows directory shouldn’t be there, why would Java’s own un-installer remove them?

I then downloaded and installed the latest version of Java (both 32 bit and 64 bit) and there is now only one copy of jucheck.exe on the machine, interestingly with a date of 18th Feb 2010, older than the four pre-existing versions, suggesting that all four of the others were trojans.

To be honest, I still don’t know whether this was a trojan or not. I’ll wait until Java tries to update itself again and see if any more files appear.
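The comparison made by eye in the post (several copies of jucheck.exe in different directories, publisher shown as none) can be done with file hashes and Authenticode status instead of dates and sizes. The script below is an added example, not part of the original post; it assumes PowerShell 4.0 or later, and the function name `Get-JucheckInventory` is made up for illustration.

```powershell
# Added example: inventory every copy of jucheck.exe, then compare hash and signature.
# Run from a 64-bit PowerShell session: a 32-bit process that opens System32
# is silently redirected to SysWOW64 and would report the same files twice.
function Get-JucheckInventory {
    param(
        # Search roots are the locations named in the post.
        [string[]]$Roots = @(
            "$env:windir\System32",
            "$env:windir\SysWOW64",
            "$env:ProgramFiles",
            "${env:ProgramFiles(x86)}"
        ),
        [string]$Name = 'jucheck.exe'
    )
    $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Filter $Name -Recurse -File -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Size      = $_.Length
            Modified  = $_.LastWriteTime
            Version   = $_.VersionInfo.FileVersion
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status   # e.g. Valid, NotSigned, HashMismatch
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$inventory = Get-JucheckInventory
$inventory | Format-Table Path, Size, Modified, SigStatus, Signer -AutoSize

# Copies that share a SHA256 are byte-identical, whatever directory they sit in.
$inventory | Group-Object SHA256 | ForEach-Object {
    [pscustomobject]@{
        SHA256 = $_.Name
        Copies = $_.Count
        Paths  = ($_.Group.Path -join '; ')
    }
} | Format-List
```

A `NotSigned` status corresponds to the "publisher: none" UAC prompt. Matching hashes show only that two copies are the same file, so the hash of each distinct copy still has to be compared against a copy taken from a fresh vendor download.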

  1. kh
    May 14th, 2010 at 16:51 | #1

    Wow, this is exactly what I am experiencing. I have a new Dell and it’s been giving me a message to install a Java update with an “unknown” publisher. Since that looked suspicious I didn’t install it and then googled the file to see what was up with the jucheck.exe file. What I read suggested it was all fine…others said if Java files are located in Windows/System32 it’s malicious (like you, I have files in both locations…windows and programs).

    I may try what you’ve done and uninstall / reinstall Java to see what happens. Did you have more files appear, or has your Java updated yet?

  2. May 14th, 2010 at 17:12 | #2

    I haven’t seen an update yet, so don’t know if any other files appear yet.

    I’m wondering whether this is part of the disk image that Dell use for new machines. I’ve seen other posts about new Dells showing this warning.

  3. kh
    May 14th, 2010 at 17:39 | #3

    Thanks for the update. Never thought of that (disk image) but that could be it.

    I have to call Dell support on another issue so I’ll ask them to see if they can explain it. I have a new Dell laptop on order so it will be nice to have an answer before it arrives.

    If I find out anything from Dell I’ll let you know.

  4. June 8th, 2010 at 04:50 | #4

    Entering your service tag for your computer should show Java listed as pre-installed on the Original System Configuration Tab:

    Usually you can search for the string “SUN-JRE” on components page to confirm if Java is pre-installed.

    It’s usually Java Version 6 update 18 that is pre-installed.
    As to why it’s not signed by Sun Microsystems Inc is a very curious question.

    Perhaps it is an OEM requirement or the verified signature was accidentally stripped from the binary during sysprep?
