Julychina?

[digitalxni]

Hey guys,

I have a weird problem that I think is somehow related to my printer connected to a server running Win 2k3. When I've turn on the printed and connected to the server I get an I/O Error 87 and a 'Windows Cannot Find Disk' error even though all my hard drives are there. There is also a small blank window that has 'julychina' in the titlebar. A google search tells me (only a couple of results) that this is a virus/spyware. I've also noticed a couple of rogue processes running: taskmgr.exe, svhist.exe and spool.exe. I've tried removing these with a couple of different anti-virus programs but no luck. Any ideas?

Thanks,

/xni

[essexboy]

Start off with MBAM and if the problem persists we will look deeper

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

[digitalxni]

Here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4140

Windows 5.2.3790 Service Pack 2
Internet Explorer 7.0.5730.13

24/05/2010 21:56:26
mbam-log-2010-05-24 (21-56-26).txt

Scan type: Quick scan
Objects scanned: 111289
Time elapsed: 3 minute(s), 10 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\spool.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\system32\taskmg.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\system32\svhist.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windowsdriver (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_WindowsDRIVER (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\spool.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taskmg.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svhist.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

All looks well I hope?

[essexboy]

Hmm looking at those it might be worth looking for some hangers on - have you noticed an improvement ?

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Check the box that says Scan All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post both logs

[digitalxni]

OK, just ran OTL. So basically everything seemed fine until this morning when I plugged in a usb drive to grab some stuff. I couldn't remove it from windows and then the svhist and taskmg processes started again. From having a quick scan at the logs I can see julysoft.exe and cnfmon.exe which according to google aren't very nice and aren't being picked up by MBAM.

Here are the logs.

[essexboy]

Sounds like your USB may be infected we will clear that first

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.

• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
[/list]

THEN

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

Code: [Select]

:OTL
[2010/05/24 21:42:56 | 000,000,094 | ---- | M] () -- C:\WINDOWS\System32\sys1.ini
[2010/05/24 21:05:18 | 000,051,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\sfi.dat
2010/05/11 10:15:29 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\julysoft.exe
[2010/05/07 21:40:13 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\cnfmon.exe

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

FINALLY

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[digitalxni]

Ok, here are the logs from OTL. First is the log that was created after running your fix (looks like it missed julysoft.exe) and the second is the custom scan after running the fix. I tried running combofix but it doesn't seem compatible with Server 2k3.

[essexboy]

Ooops forgot that CF doesn't run on 2k - but I have another programme that does

1. Please download The Avenger by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code: [Select]

Begin copying here:

Files to delete:
C:\WINDOWS\System32\julysoft.exe

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
  
• You can also click on this window and  press (Ctrl+V) to paste the contents of the clipboard.
  
• Click on Execute
  
• Answer "Yes" twice when prompted.
  

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

5. Please copy/paste the content of c:\avenger.txt into your reply

[digitalxni]

The Avenger doesn't like me either! It will only run on Win 2k, XP or Vista and I'm running Server 2003

[essexboy]

Server 2003 is later than 2k so it should work - OK let me investigate another tool to kill it

Meanwhile we will try OTL again

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

Code: [Select]

:Files
C:\WINDOWS\System32\julysoft.exe



• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

[digitalxni]

Looks like that fix worked:

Code: [Select]

========== FILES ==========
C:\WINDOWS\System32\julysoft.exe moved successfully.
 
OTL by OldTimer - Version 3.2.5.0 log created on 05272010_220409

Here is the log produced from a quick scan. Am I right in thinking that all this program has done is move the bad files and that the cleanup button will remove them permanantly?

[essexboy]

Yes it has put it in quarantine.  I rechecked the last result and noticed that OTL did not attempt to move it - so it may have been missed when you copied the script over

What problems do you have now ?