#1  10-08-2009, 12:45 AM  EDGE
Lsass.Blaster.Keylogger

So, as of last night I've been having a serious issue that I cannot figure out. I rebooted my PC to refresh everything and hopefully clear up a little screen lag I was noticing while playing a game. After the boot I noticed an icon on my desktop that I've never seen, downloaded, nor installed before. The icon is called PC Tools. When the boot is complete, the icon auto-runs and starts a 'scan' of my PC, finding roughly 39 infected files that are worms or rogues.

The program appears in my system tray and I cannot close it or get rid of it. It also hides all my desktop icons and desktop wallpaper. Every time I open a new program such as Google Chrome, Ventrilo, Mozilla Thunderbird or anything, I get a popup saying

"Chrome.exe is infected with a worm attempting to steal your credit card information. Click here to remove this infection."

Now, I have no clue where this program came from, nor do I know how it has appeared on my desktop. I managed to find the process that was running the program. It was something like 054877651568.exe. I terminated the process and the popups stopped, as well as the program. Still, each time I reboot the process restarts and I'm in the same spot.

I've searched for the worm on Google, but haven't found many resources to fix this issue. I have AVG 8.5 set to run a full system scan every morning at 5am and it has not picked up this infection; I've checked through the reports to see if I could find it. I also run CCleaner daily and I am currently running Spybot S&D to see if that will help remove the infection.

I'll see if I can get some screenshots to help.

If anyone has any information on how to fix this issue, please let me know.
#2  10-08-2009, 01:01 AM  Hellfighter
Try this: Malwarebytes' Anti-Malware
Site: http://www.malwarebytes.org/

Steve turned me on to it some time ago.

It found items where others had failed.

I use it to scan along with Spybot - Search & Destroy; if one fails, the other will pick it up.
#3  10-08-2009, 01:05 AM  MERMITE
"Pay us some money and we'll let you go" con

This was a popular con about 5 years ago. The con differs each time but the theme changes; this time it's PC Tools??? I wonder if they know???

The clue, Edge, is in the fact that there is very little on Google.
You should email Spybot (they did have great support once) and email the AVG guys,
as, judging by your Google attempts, this may be construed as a 'new', possibly East European, extortion attempt.
Or you may pay the asking price through your credit card, naturally, or wait 2 weeks for the crims to fall apart and one to undercut the other with an app.

You have only yourself to blame. AVG is free, or should be; you mentioned no firewall,
and I doubt you ever back up your Windows system32 dir.
See, there's a clue: search your Windows sys32 for date additions.

Good luck,
mermite
#4  10-08-2009, 02:07 AM  .Simon.
Reformat. That's what I usually do in times of trouble ;P
#5  10-08-2009, 07:16 AM  ~MOUSE~
Start Spybot S&D and select the "Tools" tab, then the "System Startup" option.
You should get a long list of the programs which run every time your computer starts up.

Find "PC Tools.exe" or "054877651568.exe" etc. and remove the tick next to its name.
Now it should not run when Windows starts.
The information should also tell you where the program is located.
#6  10-08-2009, 08:09 AM  Scott
Quote:
Originally Posted by EDGE (post #1, quoted in full above)
I thought it was impossible to get spyware if you use Firefox or Chrome.

Like Simon says, just reformat. That way you know for sure. However, if you really don't want to format, download http://www.malwarebytes.org/ . Steve mentioned it a while ago and it's a very good spyware tool.
#7  10-08-2009, 11:44 AM  EDGE
I tried downloading Malwarebytes, but each time I download it, I can't find the .exe to run the program. It installed in C:\Program Files\Malware Bytes with no .exe.

Yes, I do run a firewall; I'm not a complete dumbass. I've had my share of computer classes, so yes, I know what I am doing with computers. This issue has stumped me, so I came here to ask for help.
#8  10-08-2009, 01:16 PM  EDGE
OK, I've found and removed the trojan. I searched Microsoft and they've published a removal guide for this trojan.

For anyone having this same issue, here's the guide.



What is Lsas.Blaster Keylogger and how to remove it

Lsas.Blaster.Keyloger is a fake Windows alert which is secretly installed by a trojan. It is part of a rogue application: a rogue software application is designed to trick users into buying a fake product by using scare tactics. It will bombard you with pop-ups in order to try and scam you out of money. This infection can come in after a fake video codec installation that usually comes with malware.

Aliases: Lsas.Blaster.Keylogger
Infection Type: Trojan Horse
Risk Level: High Risk
System Affected: Windows Operating Systems

General Symptoms
Displays fake warning messages and "System Security Firewall Alert" popup alerts.
Flashing icons appear in your system tray (near your system clock).
Homepage hijacked to an obscure webpage.
"Internet Explorer is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using Internet Explorer to connect to remote host."

Manual Removal of Lsas.Blaster.Keyloger

Kill Spyware Processes
692527612.exe, 1313928688.exe, 1806188250.exe

Get rid of Files and Folders
C:\Documents and Settings\All Users\Application Data\1929146152\1313928688.exe
C:\Documents and Settings\All Users\Application Data\1372029626\1806188250.exe
C:\Documents and Settings\All Users\Application Data\870894309\692527612.exe

OR, for auto removal of Lsas.Blaster.Keylogger:
Download the Lsas.Blaster Keylogger removal tool (FREE)

Guide Source: http://darfuns.com/remove-trojan-lsa...ter-keylogger/
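As an added illustration of the pattern in the guide above (this is not code from the thread or from the guide's source), a small Python check that walks a list of startup entries, as msconfig or Spybot's System Startup tab would show them, and flags the indicators the thread describes: an all-digit .exe name, an all-digit parent folder, and a launch path under Application Data. The sample entries are constructed; the profile path used for the 054877651568.exe entry is an assumption, since the thread never states where that file lived.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the thread: the rogue ran as an all-digit .exe
# (054877651568.exe) and the removal guide lists files such as
# C:\Documents and Settings\All Users\Application Data\1929146152\1313928688.exe.
ALL_DIGITS_EXE = re.compile(r"^\d{6,}\.exe$", re.IGNORECASE)
ALL_DIGITS_DIR = re.compile(r"^\d{6,}$")

def executable_from_command(command: str) -> PureWindowsPath:
    """Extract the program path from a startup command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end != -1 else command[1:]
    else:
        # Unquoted paths with spaces are common in msconfig; stop at the first .exe.
        m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
        exe = m.group(1) if m else command.split(" ", 1)[0]
    return PureWindowsPath(exe)

def suspicious_reasons(command: str) -> list:
    """Return the indicators a startup command matches (empty list = nothing unusual)."""
    exe = executable_from_command(command)
    reasons = []
    if ALL_DIGITS_EXE.match(exe.name):
        reasons.append("all-digit executable name")
    if ALL_DIGITS_DIR.match(exe.parent.name):
        reasons.append("all-digit parent folder")
    # Weak signal on its own: some legitimate updaters also live under Application Data.
    if "application data" in str(exe.parent).lower():
        reasons.append("runs from an Application Data folder rather than Program Files")
    return reasons

def scan_startup(entries):
    """Return (name, command, reasons) for each entry matching at least one indicator."""
    return [(name, cmd, r) for name, cmd in entries if (r := suspicious_reasons(cmd))]

# Constructed sample of what msconfig or Spybot's System Startup list might show.
SAMPLE_STARTUP = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("AVG8_TRAY", r'"C:\Program Files\AVG\AVG8\avgtray.exe"'),
    ("1313928688", r"C:\Documents and Settings\All Users\Application Data\1929146152\1313928688.exe"),
    ("PC Tools", r'"C:\Documents and Settings\EDGE\Local Settings\Application Data\054877651568.exe" /startup'),  # assumed path
]

if __name__ == "__main__":
    for name, cmd, reasons in scan_startup(SAMPLE_STARTUP):
        print(f"[suspicious] {name}: {cmd}\n    " + "; ".join(reasons))
```

A hit only says the entry is worth looking at; confirm with the file's location and timestamp, as the guide does, before disabling it.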
#9  10-08-2009, 03:53 PM  Hellfighter
Myself, I used Malwarebytes' Anti-Malware today; it found "Rogue.Eorezo", which was an installer on the C drive.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Spybot - Search & Destroy was totally blind to it.

After reading all the trouble you had, I thought it was time to check my system out.
#10  10-08-2009, 06:38 PM  Chrispy
That's good to hear you've fixed it.

I think if something like that happened to me, the first thing I'd probably do is hit up msconfig (in Run) and see if any malicious startups are there. HijackThis would probably help with processes as well.
#11  10-08-2009, 08:35 PM  EDGE
Quote:
Originally Posted by Chrispy (post #10, quoted above)
Yeah, that's actually the first thing I did, but at the time I wasn't aware of what process was running, so I didn't mess with it.
#12  10-09-2009, 04:56 PM  Sam
Yeah, I was about to say use Malwarebytes too. My dad and I have tried using Panda and AVG and Spybot Search and Destroy, but nothing comes up and the PC is still infected, so we went to Malwarebytes and it found the junk right away.