Solved

join.me.exe - quarantined on a windows 2008 server and a windows 2003 server

Posted on 2012-12-26
Last Modified: 2013-11-22
Two of the servers I work with, located at separate schools, which have our Managed Antivirus running, have detected a file called join.me.exe and quarantined it. Here is the path of the file on one of the servers:

C:\users\administrator\appdata\local\apps\2.0\02D4YAAV.6BL\2Y6ZKXGR.0KX\join..tion_43a0dbe7f0f75062_0001.0000_9871fcdc8aa605d7\join.me.exe

Should I take any action to try and clean my system further, other than deleting this item out of quarantine? Has anyone seen this file get picked up as a Trojan.win32.generic!bt?

Any advice on further action, dealing with this infection?
Question by:redemption7
4 Comments
Assisted Solution by rmail (LVL 2), earned 250 total points
ID: 38721507
Remediation ideas:
1) Make sure your antivirus definitions are up to date.
2) Run a full scan on the suspect servers
3) Consider using another anti-virus or some anti-spyware for a second opinion, just make sure that you don't run the servers with two active antivirus products afterward. I scan my personal PCs with Malwarebytes (malwarebytes.org).

Prevention ideas:
1) Don't browse the internet as an administrator.

Accepted Solution by Leon Fester (LVL 26), earned 250 total points
ID: 38723034
You always want to clean quarantined files.
The name itself indicates that this is a malicious file.

Generally the setting in Windows Explorer is "Hide extensions for known file types".
So this file, when included in an email or seen in Explorer, will only show as "join.me" and the ".exe" is hidden, so people will click on the file.

If you cannot remove the file, then check if you can remove all permissions from this file.
This ensures that the file cannot be executed by anybody, including the system.

For more information on how to remove this trojan, I'd suggest that you view the manufacturer's website of the AV software you're using.

Some tips from Symantec:
http://www.symantec.com/business/support/index?page=content&id=TECH122466

Expert Comment by ThreeShield
ID: 38725617
I believe this is a false positive in a recent VMware vCenter Protect (Shavlik) antivirus pattern update.

Users who used the join.me service (same company as LogMeIn) show up in the quarantine with this file on December 22, 2012 (or a subsequent antivirus scan) regardless of download date. In all cases that we have tested, users downloaded the file directly from the Join.Me website. The parent directory contains other files from the same vendor.

This program is often used by vendors to provide remote support. It's a well-known product that doesn't deserve a "high risk" rating from VMware/Shavlik (although by definition it does provide interactive access to a remote machine, but only with the user's permission).

Author Closing Comment by redemption7
ID: 38740959
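The two answers above suggest opposite handling (clean it vs. treat it as a false positive); before choosing, a defender would verify the file's publisher signature and record its hash, and optionally deny execution while that is pending. The following PowerShell is an added example written for this page, not code from the thread or from LogMeIn; it assumes PowerShell 2.0 or later on the server, and the `$ExpectedPublisher` string, the ClickOnce path pattern and the function names are assumptions of the example, to be confirmed against the vendor's real certificate subject.

```powershell
# Added triage helper (not from the thread). Assumes PowerShell 2.0+ and that the vendor's
# code-signing certificate subject contains $ExpectedPublisher (an assumption: confirm the
# real subject string from the vendor before relying on the match).
function Test-QuarantinedBinary {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$ExpectedPublisher = 'LogMeIn'   # assumption, see above
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # ClickOnce deployments are installed under %LOCALAPPDATA%\Apps\2.0\<random>\<random>\,
    # which is the layout of the path in the question. Malware can live there too, so this
    # is only one signal, not a verdict.
    $isClickOnce = $Path -match '\\AppData\\Local\\Apps\\2\.0\\'

    # Authenticode: Status 'Valid' means the signature chains to a trusted root and the
    # file has not been modified since signing. Compare the signer, not just the status.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $publisherOk = ($sig.Status -eq 'Valid') -and
                   ($signer -match [regex]::Escape($ExpectedPublisher))

    # SHA-256 of the file, for comparison with the vendor's published hash or a second-opinion scan.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
        $sha256 = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $stream.Close() }

    New-Object PSObject -Property @{
        Path                = $Path
        ClickOncePath       = $isClickOnce
        SignatureStatus     = $sig.Status
        Signer              = $signer
        PublisherMatch      = $publisherOk
        Sha256              = $sha256
        LikelyFalsePositive = ($isClickOnce -and $publisherOk)
    }
}

# Containment from the accepted answer: deny execute to Everyone (which includes SYSTEM)
# until the verdict is in. A deny ACE wins over any inherited allow.
function Block-Execution {
    param([Parameter(Mandatory=$true)][string]$Path)
    icacls "$Path" /deny "Everyone:(X)" | Out-Null
}

# Usage (run as an administrator, with the path from the question):
# Test-QuarantinedBinary -Path '<path from the question>\join.me.exe' | Format-List
```

A result of SignatureStatus Valid with PublisherMatch True supports the false-positive explanation; anything else (NotSigned, HashMismatch, or a different signer) means the file should be treated as the accepted answer describes.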
Thank you.