Infected With Trojan 'lmok D', Please Help.



#16 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • Location: Redmond, Washington

Posted 19 September 2008 - 02:12 PM

Alright... Lmok D is a False Positive on the part of CA.

According to the database here:
http://www.systemlookup.com/lists.php?list...bfdfea60&s=

From your log:

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll

CA is seeing this and thinking it's the malware CLSID (The thing in brackets). But as this entry has the possibility of being legitimate, as it is on your system, CA should not flag it. But it is.

It's the program's fault. This malware is not on your system.

See if CA can remove the Netzip one by itself. I think this may be another false positive as well. (CA (Formerly Pest Patrol) is well known for detecting phantoms). The issue with that infection is that it can't install itself. You would have had to specifically install a program called Netzip. And it'd be detecting more than one registry entry.

Hope that's good news to you :thumbsup:

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

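As an added illustration of the false-positive mechanism Billy describes (this is not code from the thread, from CA, or from any scanner): a small Python triage script that parses HijackThis O2 lines and contrasts a CLSID-only match with one corroborated by the DLL's name and location. The watch-list label, the lookup table and the second sample entry are constructed assumptions; the BitComet line is the one quoted above.

```python
import re
from typing import Optional

# Constructed sample HijackThis log: the BitComet line is the one quoted in the thread;
# the second O2 entry is made up, reusing the same CLSID from an unexpected location.
SAMPLE_LOG = """\
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\\Program Files\\BitComet\\tools\\BitCometBHO_1.2.6.26.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\\Windows\\Temp\\bho.dll
O4 - HKLM\\..\\Run: [ctfmon] C:\\Windows\\System32\\ctfmon.exe
"""

# Assumed scanner signature: a bare CLSID with no file context (what the thread says CA matched on).
WATCHED_CLSIDS = {"39F7E362-828A-4B5A-BCAF-5B79BFDFEA60": "flagged as Lmok D by CA"}

# Assumed lookup table in the spirit of systemlookup.com: CLSID -> (legitimate owner, DLL name prefix).
KNOWN_LEGIT = {"39F7E362-828A-4B5A-BCAF-5B79BFDFEA60": ("BitComet ClickCapture", "BitCometBHO")}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

def parse_o2(line: str) -> Optional[dict]:
    """Split a HijackThis O2 (Browser Helper Object) line into name, CLSID and DLL path."""
    m = O2_RE.match(line.strip())
    return m.groupdict() if m else None

def clsid_only(log: str) -> list:
    """Naive rule: flag every BHO whose CLSID is on the watch list. This reproduces the false positive."""
    hits = []
    for line in log.splitlines():
        e = parse_o2(line)
        if e and e["clsid"].upper() in WATCHED_CLSIDS:
            hits.append(e["path"])
    return hits

def corroborated(log: str) -> list:
    """Flag a watched CLSID only when the DLL is not the one its legitimate owner ships
    from the usual install directory; a known-good CLSID/path pair is treated as benign."""
    hits = []
    for line in log.splitlines():
        e = parse_o2(line)
        if not e or e["clsid"].upper() not in WATCHED_CLSIDS:
            continue
        legit = KNOWN_LEGIT.get(e["clsid"].upper())
        dll = e["path"].rsplit("\\", 1)[-1]
        in_program_files = e["path"].lower().startswith("c:\\program files\\")
        if legit and dll.startswith(legit[1]) and in_program_files:
            continue  # the product's own BHO in its expected location: not a hit
        hits.append(e["path"])
    return hits
```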

#17 raymeister
  • Topic Starter
  • Members
  • Location: Asia

Posted 19 September 2008 - 02:19 PM

Alright man, definitely good news! Thanks Bill.. You've been a great help!

I removed both Netzip & Lmok using CA but when I boot up my computer all over again, these 2 popped up again in the CA scan. Let's say if these 2 are actually malicious, will removing them upon each & every boot up help?

Anyway, any recommendations on which Anti-Virus as well as Anti-Spyware programs to use?

#18 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • Location: Redmond, Washington

Posted 19 September 2008 - 02:41 PM

Hello, raymeister.

You're very welcome :D

Alright.. I did some more research on the other one and that looks to be a mess-up on CA as well.

That line looks like it can be legitimate, only sometimes messed with by malware. And if it really was that infection there'd be more than that listed there.

Let's get a third opinion on this system and then we'll discuss A/Vs and stuff :thumbsup:

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • Kaspersky's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#19 raymeister
  • Topic Starter
  • Members
  • Location: Asia

Posted 19 September 2008 - 09:02 PM

Hi Bill, as you instructed.


Saturday, September 20, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, September 19, 2008 18:46:59
Records in database: 1249356

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 89581
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 01:16:55

File name Threat name Threats count
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Users\user\Documents\My Completed Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.

I've deleted SmitfraudFix.exe, should I do the same for the other one?

Edited by raymeister, 19 September 2008 - 09:23 PM.


#20 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • Location: Redmond, Washington

Posted 19 September 2008 - 10:57 PM

That's an F/P on KAV's part. SFF is a common tool we use around here. But it's only designed to target specific infections. Not something that should be run on a regular basis.

From SmitFraudFix's documentation:

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


You look all clean to me :thumbsup:

You asked about AVs earlier.
I'd recommend tools already mentioned (spyware blaster) and the like, MbAM ( http://malwarebytes.org/mbam.php ), and a good anti-virus.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Two good paid for antivirus programs are NOD32 and Bitdefender

Hope that helps :)

Do you have any more questions?

Billy3

Edited by Billy O'Neal, 19 September 2008 - 10:58 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#21 raymeister
  • Topic Starter
  • Members
  • Location: Asia

Posted 20 September 2008 - 04:03 AM

Okay man.. now that I am clean, I shouldn't be troubling you anymore! :thumbsup:

Hopefully I won't have to come back here for help but even if I do, I know I have helpful and dedicated people like you to help me out. Once again, thanks for your help..

#22 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • Location: Redmond, Washington

Posted 21 September 2008 - 12:18 AM

Hello, raymeister.
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)