Author Topic: please help !  (Read 25771 times)

carlwt2007

  • Guest
please help !
« on: April 09, 2010, 07:39:21 PM »
I keep running my avast and I keep getting warnings that I'm infected with a Sign of "Win32:DllMod [Wrm]".
I have put them in my virus chest and then deleted them but they keep coming back! There are so many files that this worm has infected that it's a nightmare! I can't even find any info on this worm on the net?

I hope someone can help?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: please help !
« Reply #1 on: April 09, 2010, 07:46:53 PM »
Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
after install click UPDATE and run quick scan, click on REMOVE SELECTED to quarantine anything found

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found come back and post the scan logs here

carlwt2007

  • Guest
Re: please help !
« Reply #2 on: April 09, 2010, 07:49:43 PM »
I've tried both super and mal, both don't find anything? Only avast finds it?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: please help !
« Reply #3 on: April 09, 2010, 07:59:17 PM »
Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en-uk
Dr.Web CureIt! http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/

If this does not work, then Essexboy is next.....

Follow this guide from Essexboy and post the logs here so he can have a look
http://forum.avast.com/index.php?topic=53253.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: please help !
« Reply #4 on: April 09, 2010, 08:49:13 PM »
I keep running my avast and I keep getting warnings that I'm infected with a Sign of "Win32:DllMod [Wrm]".
I have put them in my virus chest and then deleted them but they keep coming back! There are so many files that this worm has infected that it's a nightmare! I can't even find any info on this worm on the net?

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

carlwt2007

  • Guest
Re: please help !
« Reply #5 on: April 09, 2010, 09:23:41 PM »
3/22/2010 5:28:05 PM   SYSTEM   1168   Sign of "Win32:DllMod [Wrm]" has been found in "C:\windows\system32\DmkoVvtb.dll" file. 

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: please help !
« Reply #6 on: April 09, 2010, 09:30:46 PM »
Hi there, let's have a quick look at the system first and see what the problem areas are

Two programmes to run - if you could attach the logs it will make it easier on you

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav



  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: please help !
« Reply #7 on: April 09, 2010, 09:35:49 PM »
3/22/2010 5:28:05 PM   SYSTEM   1168   Sign of "Win32:DllMod [Wrm]" has been found in "C:\windows\system32\DmkoVvtb.dll" file. 

I was half expecting it to be in the drivers sub-folder of system32 as I suspect there may be a rootkit at work hiding the source of the restoration of the file after removal.

Is it always the same location and file name that comes back or just what appears to be a randomly generated file name (zero hits on google) in the system32 folder ?

Now essexboy is on the case, hopefully he will get to the bottom of this.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
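
The question asked in Reply #7 (does the same path come back each time, or does a new random-looking name appear in the same folder?) can be answered from the avast log itself. The following is an added example, not part of the thread and not written by any poster: it parses lines in the format posted in Reply #5. Only the first sample line comes from the thread, the others are constructed; the month/day/year date order is an assumption, and the thread does not say what the numeric field (1168) means.

```python
import re
from collections import defaultdict
from datetime import datetime
from ntpath import basename, dirname  # Windows path rules on any OS

# Matches the detection line format quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<num>\d+)\s+'  # num: meaning not stated in the thread
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$'
)

# First line is from the thread; the rest are constructed sample data.
SAMPLE_LOG = r'''
3/22/2010 5:28:05 PM   SYSTEM   1168   Sign of "Win32:DllMod [Wrm]" has been found in "C:\windows\system32\DmkoVvtb.dll" file.
3/23/2010 9:02:11 AM   SYSTEM   1168   Sign of "Win32:DllMod [Wrm]" has been found in "C:\windows\system32\DmkoVvtb.dll" file.
3/25/2010 7:45:40 PM   SYSTEM   1204   Sign of "Win32:DllMod [Wrm]" has been found in "C:\WINDOWS\System32\qXrTplaa.dll" file.
this line is not a detection and is skipped
'''

def parse(log_text):
    """Yield (timestamp, signature, path) for each detection line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Assumption: dates are month/day/year.
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            yield ts, m["sig"], m["path"]

def summarize(log_text):
    """Group detections by (signature, folder); Windows paths are case-insensitive."""
    groups = defaultdict(lambda: defaultdict(list))
    for ts, sig, path in parse(log_text):
        groups[(sig, dirname(path).lower())][basename(path).lower()].append(ts)
    report = {}
    for key, files in groups.items():
        report[key] = {
            "distinct_names": sorted(files),
            "hits": sum(len(v) for v in files.values()),
            "same_file_returns": any(len(v) > 1 for v in files.values()),
            "new_names_appear": len(files) > 1,
        }
    return report

if __name__ == "__main__":
    for (sig, folder), info in summarize(SAMPLE_LOG).items():
        print(sig, folder, info)
```

A file that returns under the same name after deletion and new names appearing in the same folder are both consistent with something else on the system re-creating the file, which is what the GMER and OTL logs requested in Reply #6 are meant to find.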

carlwt2007

  • Guest
Re: please help !
« Reply #8 on: April 09, 2010, 10:11:30 PM »
waiting on gmer to stop!

carlwt2007

  • Guest
Re: please help !
« Reply #9 on: April 09, 2010, 10:47:27 PM »
My computer shut itself down, now I have to do this all over again :'(

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: please help !
« Reply #10 on: April 09, 2010, 11:07:55 PM »
OK, skip GMER. We will revisit that later

carlwt2007

  • Guest
Re: please help !
« Reply #11 on: April 09, 2010, 11:52:20 PM »
Tried to post the otl and the extras but it said that it exceeds the 10000 amount of space!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: please help !
« Reply #12 on: April 09, 2010, 11:54:47 PM »
Could you attach them - select the additional options on the left hand side when you are composing a reply  - then browse to the OTL log and then post both as attachments

carlwt2007

  • Guest
Re: please help !
« Reply #13 on: April 09, 2010, 11:57:04 PM »
ok here they are!

carlwt2007

  • Guest
Re: please help !
« Reply #14 on: April 09, 2010, 11:57:41 PM »
ok here they are!