New Conficker Variant: PC contantly saying it needs DLL

Question

bdb4269 0 Light Poster

15 Years Ago

How can I stop this PC from thinking it needs an infected dll whenever ANYTHING is run?

Literally whenever you open any exe, it says that it can't run because of missing DLL, repeatedly, (like you click OK, and same message comes up again -- between 3-20 times) but then the app eventually opens most of the time. It's like somehow this msjmjh.dll got set as a requirement for all exe's or something.

msjmjh.dll is a randomly named DLL that is identified as Conficker/Downadup/Kido. A few days ago, it was only identified by 4 AV's ( http://www.virustotal.com/analisis/b135f673df4163e301e88a960e2a23d0 ), and now it's identified by 8 AV's. ( http://www.virustotal.com/analisis/c0dd9720c4b2bee7edce9df578745be9 )

The PC in question does not appear to be infected, in that it does not show symptoms of conficker (i.e. disables services etc) -- The only symptom, is that it seems to think it needs this dll to do anything, but the dll is not a real DLL file, google search returns nothing.

p.s. Here is a previous thread from before I was sure it was not a false positive.
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_24135283.html

windows-virus

3 Contributors
7 Replies
144 Views
3 Weeks Discussion Span
Latest Post 15 Years Ago Latest Post by EsoxLucius

jholland1964 650 Posting Expert

15 Years Ago

I would like to see all new scans please.
Update MBA-M and do a FULL System scan, allow it to REMOVE all found. Save the log.
REBOOT the computer.
Run the ESET Online Scanner and post the ScanLog with your post for assistance.

* You will need to use Internet Explorer to to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
REBOOT the computer
Run a Full System Scan with HJT and save the log. Exit HJT
Post back here with ALL three logs.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

bdb4269 0 Light Poster · Answer 1 · 2009-02-21T06:28:12+00:00

So I was actually away from the office on vacation until today (was hoping to get some idea's to try once I got back) -- I had not actually tried system restore yet, because the first thing I had noticed was AVG quarantined a file as Downadup/Conficker -- and I didn't think it could be that easy. Anyway -- for some reason, I felt I should at least give it a try, and it did actually work.

I'm still a bit confused as the whole thing was kind of weird. With windows thinking it needed the infected/randomly named dll file for everything. It's like AVG did catch the DLL file, but not whatever something did before that to make windows call the DLL whenever anything is opened.

Anyway -- the problems seems to be resolved. Thanks for all the input!!

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 2 · 2009-02-21T10:44:41+00:00

You should not assume the problem is solved. The computer thought it needed this infected file because the infected file "told it" it was needed. It probably was listed as an auto start, possibly a starting service, very possibly have disabled all of your security programs, though they can look to you like they are working. They may even SAY they are working. System Restore isn't going to fix damaged programs. It might return "some" of the system files back but if your security programs were damaged, it is very possible they are still damaged. You said every program you opened wanted this file...what does that tell you?

You said this is a business computer, though not what operating system you have but you are taking a BIG chance not completing the clean up steps listed. MS issued a security patch several months ago which could possibly have prevented this. But most people who installed the patch were home users, businesses didn't bother, as of mid January, according to the article HERE, it is possible that 1 in every 16 business computers have been infected by this.

I just worked for over ten days on a computer that was highly infected, and ONE of the infections was the Conficker Trojan. Every single security program on the computer was totally trashed and to begin with every single new one I tried was infected immediately. The owner HAD used System Restore to try to correct the fact that her security programs were no longer working and many of her other programs were requesting some strange .dll file in order to run. With her System Restore she did get the programs to stop requesting this file, but her the security programs were damaged.
It is your choice, but if it were my computer I would run the steps.

bdb4269 0 Light Poster · Answer 3 · 2009-02-22T01:26:13+00:00

The computer is (and was to begin with) up to date with patch's.

I did check to see, and the computer has never shown any symptoms of being infected with Conficker. (http://en.wikipedia.org/wiki/Conficker)

The only thing you suggest that I didn't already do, is run ESET online scan. But that is not going to do me much good since ESET (NOD32) is STILL not detecting any infection in the dll file in question. http://www.virustotal.com/analisis/82b28e236bbdee00cf9c847da52f407a (as you can see, still only 14/39 AV's flag the file)

AVG quarantined the DLL before it was even run, resulting in the the error message that the DLL was missing. How did it get set to run? I don't know. Why did AVG let it somehow get set to run, but then caught it before it ran. I don't know

I mean -- I appreciate the warning -- If you have something to suggest that I have not already done, and does not involve an AV brand that doesn't even detect the infected dll at all -- I would be happy to try it. More assurance is great. (I just don't want to waste time running an online scan, that doesn't even detect the infected dll yet. )

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 4 · 2009-02-22T01:57:52+00:00

The choice is yours. I gave you my best advice, which is always it is better to be safe than sorry. You feel this was incorrect and that is fine.
Other scans we recommend here if ESET isn't an option are
• Kaspersky Online Scanner

• Panda Active Scan

• Trend Micro HouseCall

• F-Secure Online Virus Scanner
Some of those onlines will clean some will not. ESET has been recommended most of the time because it will clean what it finds.
But it is your option.
Thanks for posting back.

bdb4269 0 Light Poster · Answer 5 · 2009-03-05T06:44:28+00:00

Just to update....

I did an online scan with Kaspersky**. Also did new scans with MBAM, HJT, and ComboFix, and everything is looking good.

**(last I checked ESET/NOD32 was still not detecting anything in the infected DLL according to virustotal - despite the fact I sent them samples (at samples at eset dot com) way back on 2/12 -- (which was before I even started this thread))

EsoxLucius 0 Newbie Poster · Answer 6 · 2009-03-12T16:17:34+00:00

Win32.Worm.Downadup.C is a new variant that seems to be even harder to trace and to stop. I found out about www.bdtools.net website, from bitdefender that is a site not yet on Downadup's blacklist.
Some info from site:

BitDefender Labs has detected a new and more aggressive Downadup version on Saturday, 07.02.2009. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.