#1
Lsass.Blaster.Keylogger
So, as of last night I've been having a serious issue that I cannot figure out. I rebooted my PC to refresh everything and hopefully clear up a little screen lag I was noticing while playing a game. After the boot I noticed an icon on my desktop that I've never seen, downloaded, nor installed before. The icon is called PC Tools. When the boot is complete, the icon auto-runs and starts a 'scan' of my PC, finding roughly 39 infected files that are worms or rogues.
The program appears in my system tray and I cannot close it or get rid of it. It also hides all my desktop icons and desktop wallpaper. Every time I open a new program such as Google Chrome, Ventrilo, Mozilla Thunderbird or anything, I get a popup saying "Chrome.exe is infected with a worm attempting to steal your credit card information. Click here to remove this infection." Now, I have no clue where this program came from, nor do I know how it has appeared on my desktop. I managed to find the process that was running the program. It was something like 054877651568.exe. I terminated the process and the popups stopped, as well as the program. Still, each time I reboot the process restarts and I'm in the same spot. I've searched for the worm on Google, but haven't found many resources to fix this issue. I have AVG 8.5 set to run a full system scan every morning at 5am and it has not picked up this infection; I've checked through the reports to see if I could find it. I also run CCleaner daily and I am currently running Spybot S&D to see if that will help remove the infection. I'll see if I can get some screenshots to help. If anyone has any information on how to fix this issue, please let me know.
#2
Try this: Malwarebytes' Anti-Malware.
Site: http://www.malwarebytes.org/. Steve turned me on to it some time ago. All go; it found items where others have failed. I use it to scan, along with Spybot - Search & Destroy; where one fails, the other will pick it up.
__________________
* altnews sources [getmo & others news] not found main FNN: realrawnews.com *Discord: Unknown77#7121 Playing now days: EA Games> swtor [star wars old republic]
#3
Pay us some money and we'll let you go... con
This was a popular con about 5 years ago. The con differs each time but the theme changes; this time it's PC Tools??? I wonder if they know??? The clue, Edge, is in the fact that there is very little on Google. You should email Spybot (they did have great support once) and email the AVG guys, as through your Google attempts this may be construed as a 'new', possibly East Euro, extortion attempt. Or you may pay the asking price through your credit card, naturally, or wait 2 weeks for the crims to fall apart and one undercut the other with an app. You have only yourself to blame; AVG is free, or should be, you mentioned no firewall, and I doubt you ever back up your Windows system32 dir. See, there's a clue: search your Windows sys32 for date additions. Good luck, mermite
#4
Reformat. That's what I usually do in times of trouble ;P
#5
Start Spybot S&D and select the "Tools" tab, then the "System Startup" option.
You should get a long list of the programs which run every time your computer starts up. Find "PC Tools.exe" or "054877651568.exe" etc. and remove the tick next to its name. Now it should not run when Windows starts. The information should also tell you where the program is located.
#6
Like Simon says, just reformat. That way you know for sure. However, if you really don't want to format, download http://www.malwarebytes.org/. Steve mentioned it a while ago and it's a very good spyware tool.
__________________
04' Dodge SRT-4, Mopar Stage 3, 406whp/436wtq
#7
I tried downloading Malwarebytes, but each time I download it, I can't find the .exe to run the program. It installed in C:\Program Files\Malware Bytes with no .exe.
Yes, I do run a firewall; I'm not a complete dumbass. I've had my share of computer classes, so yes, I know what I am doing with computers. This issue has stumped me, so I came here to ask for help.
#8
OK, I've found and removed the trojan. Searched Microsoft and they've published a removal guide for this trojan.
For anyone having this same issue, here's the guide.

What is Lsas.Blaster Keylogger and how to remove it

Lsas.Blaster.Keyloger is a fake Windows Alert which is secretly installed by a trojan. It is part of a rogue application: a rogue software application designed to trick users into buying a fake product by using scare tactics. It will bombard you with pop-ups in order to try and scam you out of money. This infection can come in after a fake video codec installation that usually comes with malware.

Aliases: Lsas.Blaster.Keylogger
Infection Type: Trojan Horse
Risk Level: High Risk
System Affected: Windows Operating Systems

General Symptoms
Displays fake warning messages and "System Security Firewall Alert" pop-up alerts.
Flashing icons appear in your system tray (near your system clock).
Homepage hijacked to an obscure webpage.
"Internet Explorer is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using Internet Explorer to connect to remote host."

Manual Removal of Lsas.Blaster.Keyloger

Kill Spyware Processes:
692527612.exe
1313928688.exe
1806188250.exe

Get rid of Files and Folders:
C:\Documents and Settings\All Users\Application Data\1929146152\1313928688.exe
C:\Documents and Settings\All Users\Application Data\1372029626\1806188250.exe
C:\Documents and Settings\All Users\Application Data\870894309\692527612.exe

OR, for auto removal of Lsas.Blaster.Keylogger, download the Lsas.Blaster Keylogger removal tool (FREE).

Guide Source: http://darfuns.com/remove-trojan-lsa...ter-keylogger/
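The rogue in this thread leaves a recognisable footprint: executables named with nothing but digits (054877651568.exe, 692527612.exe), dropped into a digit-named folder under All Users\Application Data and registered to restart at boot, which is why killing the process did not survive a reboot. The script below is an added example, not code from the thread or from any of the tools named in it; it applies that pattern to a constructed list of Run-key autorun entries and running processes (the sort of lists Spybot's System Startup tab or msconfig would show) and reports the matches. The sample entries, the heuristic for pulling an image path out of a command line, and the function names are all assumptions made for the example.

```python
"""Flag autorun entries and processes matching the rogue pattern from the thread:
a digits-only .exe, and/or a digits-only parent folder under 'Application Data'.
All sample data below is constructed for this example, modelled on the paths
the thread quotes; none of it was captured from a real machine."""
import ntpath
import re

# A filename such as 054877651568.exe or 692527612.exe: stem is digits only.
_NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

# Constructed sample autoruns: (value name, command line) as seen under ...\Run.
SAMPLE_AUTORUNS = [
    ("AVG8_TRAY", "C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"),
    ("1313928688", '"C:\\Documents and Settings\\All Users\\Application Data\\1929146152\\1313928688.exe"'),
    ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("054877651568", "C:\\Documents and Settings\\All Users\\Application Data\\870894309\\054877651568.exe /s"),
]

# Constructed sample process list: (pid, image path).
SAMPLE_PROCESSES = [
    (612, "C:\\WINDOWS\\system32\\lsass.exe"),
    (1880, "C:\\Documents and Settings\\All Users\\Application Data\\870894309\\692527612.exe"),
    (2044, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
]


def image_path_from_command(cmd: str) -> str:
    """Extract the executable path from a Run-key command line (heuristic).
    A quoted path is taken verbatim; an unquoted one is cut right after the
    first '.exe', so 'C:\\...\\foo.exe /s' yields the path without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd


def is_numeric_image(path: str) -> bool:
    """True when the file name is digits followed by .exe."""
    return bool(_NUMERIC_EXE.match(ntpath.basename(path)))


def in_numeric_appdata_dir(path: str) -> bool:
    """True when the parent folder is digits-only and sits directly under
    'Application Data', the drop location quoted in the removal guide."""
    parts = ntpath.dirname(path).split("\\")
    return len(parts) >= 2 and parts[-1].isdigit() and parts[-2].lower() == "application data"


def looks_rogue(path: str) -> bool:
    return is_numeric_image(path) or in_numeric_appdata_dir(path)


def suspicious_autoruns(entries):
    """Return (value name, image path) for every autorun whose image matches."""
    hits = []
    for name, cmd in entries:
        path = image_path_from_command(cmd)
        if looks_rogue(path):
            hits.append((name, path))
    return hits


def suspicious_processes(procs):
    """Return (pid, image path) for every running process whose image matches."""
    return [(pid, path) for pid, path in procs if looks_rogue(path)]


if __name__ == "__main__":
    for name, path in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"autorun  {name}: {path}")
    for pid, path in suspicious_processes(SAMPLE_PROCESSES):
        print(f"process  pid={pid}: {path}")
```

On a live box the same functions take the real Run-key values (from HKLM and HKCU) and a process list; a hit means untick the entry, end the process, and only then delete the file, since the rogue relaunches itself if the autorun is left in place.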
#9
Myself, I used Malwarebytes' Anti-Malware today. It found "Rogue.Eorezo"; it was an installer on the C drive.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
Spybot - Search & Destroy was totally blind to it. After reading all the trouble you had, I thought it was my time to check my system out.
__________________
* altnews sources [getmo & others news] not found main FNN: realrawnews.com *Discord: Unknown77#7121 Playing now days: EA Games> swtor [star wars old republic]
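The Malwarebytes log pasted above has a regular shape: a section header ending in "Infected:", then one line per finding of the form "location (Family.Name) -> action." Pasting that into a thread as one run-on line loses the structure, and the thing a responder wants to know first is whether anything was left as "No action taken". The parser below is an added example, not code from the post or from Malwarebytes; it reads that format into records, counts detections by family, and lists findings that were not quarantined. The sample log is constructed for the example from the lines the post quotes, plus one extra "No action taken." line (an assumption) so the unresolved check has something to return.

```python
"""Parse a Malwarebytes' Anti-Malware scan log of the form quoted in the thread.
SAMPLE_LOG is constructed for this example: the first three findings are the
ones the post shows, the last one is invented to exercise the unresolved check."""
import re
from collections import Counter

SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.

Files Infected:
C:\\Program Files\\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\All Users\\Application Data\\870894309\\692527612.exe (Rogue.Installer) -> No action taken.
"""

# "Registry Keys Infected:", "Files Infected:", "Folders Infected:", ...
_SECTION = re.compile(r"^(?P<kind>.+?) Infected:\s*$")
# "<location> (<Family.Name>) -> <action>."  The lazy location group still
# copes with parentheses inside the path (e.g. "Program Files (x86)") because
# the detection group must be followed by ") -> ".
_ITEM = re.compile(r"^(?P<location>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

RESOLVED = "Quarantined and deleted successfully"


def parse_mbam_log(text: str):
    """Return a list of dicts: section, location, detection, family, action."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = _SECTION.match(line)
        if sec:
            section = sec.group("kind")
            continue
        item = _ITEM.match(line)
        if item and section:
            detection = item.group("detection")
            findings.append({
                "section": section,
                "location": item.group("location"),
                "detection": detection,
                "family": detection.split(".")[0],   # "Adware", "Rogue", ...
                "action": item.group("action"),
            })
    return findings


def families(findings) -> Counter:
    """How many findings per detection family."""
    return Counter(f["family"] for f in findings)


def unresolved(findings):
    """Findings the scanner did not quarantine and delete; these need follow-up."""
    return [f for f in findings if f["action"] != RESOLVED]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(dict(families(found)))
    for f in unresolved(found):
        print(f"NOT RESOLVED [{f['section']}] {f['location']} ({f['detection']})")
```

The family count gives a one-line summary suitable for a reply ("2 Adware, 2 Rogue"), and anything in the unresolved list is what to re-scan or remove by hand after a reboot.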
#10
That's good to hear you've fixed it.
I think if something like that happened to me, the first thing I'd probably do is hit up msconfig (in Run) and see if any malicious startups are there. HijackThis would probably help with processes as well.
__________________
Intel Core Duo E7300 2.66GHz // SuperTalent DDR2 800 2GB // ASUS nVidia GeForce 8400GS 512MB // Western Digital 7200RPM 320GB SATA // LG GH-20LS 20X SATA DVD-RAM // Windows XP Pro 32-bit // Thermaltake XP550 NP 430W // Thermaltake SOPRANO SECC Black
#11
Yeah, that's actually the first thing I did, but at the time I wasn't aware of what the process was running, so I didn't mess with it.
#12
Yeah, I was about to say use Malwarebytes too. My dad and I have tried using Panda and AVG and Spybot Search and Destroy but nothing comes up, and the PC is still infected, so we went to Malwarebytes and it found the junk right away.