Please help!

I keep running my avast and I keep getting warnings that I'm infected with a Sign of "Win32:DllMod [Wrm]".
I have put them in my virus chest and then deleted them but they keep coming back! There are so many files that this worm has infected that it's a nightmare! I can't even find any info on this worm on the net?

I hope someone can help?

Check your computer for Malware with

Malwarebytes Antimalware http://filehippo.com/download_malwarebytes_anti_malware/
after install click UPDATE and run quick scan, click on REMOVE SELECTED to quarantine anything found

SUPERAntiSpyware http://filehippo.com/download_superantispyware/
Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found come back and post the scan logs here

I've tried both Super and Mal, both don't find anything? Only avast finds it?

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en-uk
Dr.Web CureIt! http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/

If this does not work, then Essexboy is next…

Follow this guide from Essexboy and post the logs here so he can have a look
http://forum.avast.com/index.php?topic=53253.0

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

3/22/2010 5:28:05 PM SYSTEM 1168 Sign of “Win32:DllMod [Wrm]” has been found in “C:\windows\system32\DmkoVvtb.dll” file.

Hi there, let's have a quick look at the system first and see what the problem areas are

Two programmes to run - if you could attach the logs it will make it easier on you

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)


[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*]Save the log where you can easily find it, such as your desktop.
Caution
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.

THEN

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

I was half expecting it to be in the drivers sub-folder of system32 as I suspect there may be a rootkit at work hiding the source of the restoration of the file after removal.

Is it always the same location and file name that comes back or just what appears to be a randomly generated file name (zero hits on google) in the system32 folder ?

Now essexboy is on the case, hopefully he will get to the bottom of this.

waiting on gmer to stop!

My computer shut itself down, now I have to do this all over again :cry:

OK, skip GMER. We will revisit that later

tried to post the otl and the extras but it said that it exceeds the 10000 amount of space!

Could you attach them - select the additional options on the left hand side when you are composing a reply - then browse to the OTL log and then post both as attachments

ok here they are!


OK I see it

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM\..\Run: [Qcekesi] C:\windows\asonoyivoqubub.DLL File not found
O20 - AppInit_DLLs: (aPWmNePKy.dll) - File not found

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
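
An added illustration, not part of the thread and not code from OTL or any poster: the four entries in the OTL fix script above are all autostart references that the tool reports as "File not found" or "No CLSID value found", and this sketch picks such leftovers out of a log and sorts them by load point. It only understands the line layout visible in this thread; `parse_line`, `triage` and the ExampleTray line are made up for the example.

```python
import re

# Constructed sample: the four entries from the OTL fix script in this thread,
# plus one made-up healthy Run entry for contrast.
SAMPLE = r"""O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM\..\Run: [Qcekesi] C:\windows\asonoyivoqubub.DLL File not found
O20 - AppInit_DLLs: (aPWmNePKy.dll) - File not found
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe (Example Corp)
"""

KINDS = {"O3": "toolbar", "O4": "run-key", "O20": "appinit-dll"}
# AppInit_DLLs first: a DLL named there is loaded into every process
# that loads user32.dll, so a dangling reference there matters most.
PRIORITY = {"appinit-dll": 0, "run-key": 1, "toolbar": 2}
ORPHAN_MARKERS = ("File not found", "No CLSID value found")
LINE_RE = re.compile(r"^(O\d+) - (.+?): (.*)$")
ENTRY_RE = re.compile(r"^[\[(](.*?)[\])]\s*(?:-\s*)?(.*)$")


def parse_line(line):
    """Split one OTL-style line into fields; return None if it is not an O-entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, location, rest = m.groups()
    marker = next((mk for mk in ORPHAN_MARKERS if mk in rest), None)
    entry = ENTRY_RE.match(rest)
    name, target = entry.groups() if entry else ("", rest)
    if marker:
        target = target.replace(marker, "")
    target = target.strip(" -.") or name  # AppInit lines carry only the DLL name
    return {"code": code, "kind": KINDS.get(code, "other"), "location": location,
            "name": name, "target": target, "orphaned": marker is not None}


def triage(log_text):
    """Return orphaned autostart entries, most invasive load point first."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    orphans = [e for e in entries if e["orphaned"]]
    return sorted(orphans, key=lambda e: PRIORITY.get(e["kind"], 3))


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f'{e["code"]:<4}{e["kind"]:<12}{e["location"]:<18}{e["target"]}')
```
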

here is the new otl scan

That looks better - just the combofix log now

here is the combofix log