Lsas.Trojan-Spy.DOS.Keycopy
Lsas.Trojan-Spy.DOS.Keycopy is a bogus trojan name that appears in fake security alert pop-ups launched by the rogue spyware remover Malware Destructor 2009. No such infection exists on the system; the alert is generated by the rogue program itself. The Lsas.Trojan-Spy.DOS.Keycopy pop-up reads as follows:
"WINDOWS SECURITY ALERT!
Lsas.Trojan-Spy.DOS.Keycopy is suspected to have infected your PC.
This type of virus intercepts entered data and transmits it to a remote server.
Windows Internet Explorer 8
"C:\WINDOWS\ie8\spuninst
Data interception was detected while visiting a website: http://"
The purpose of this fake security alert is to scare you into purchasing Malware Destructor 2009 by making you think your system is infected with the bogus Lsas.Trojan-Spy.DOS.Keycopy trojan. Remove Malware Destructor 2009 as soon as possible.
File System Modifications
- The following files were created in the system:
| # | File Name |
|---|-----------|
| 1 | %Documents and Settings%\All Users\Application Data\345d567 |
| 2 | %Documents and Settings%\All Users\Application Data\345d567\384.mof |
| 3 | %Documents and Settings%\All Users\Application Data\345d567\MD345d.exe |
| 4 | %Documents and Settings%\All Users\Application Data\345d567\MdestrSys |
| 5 | %Documents and Settings%\All Users\Application Data\345d567\MDestrSys\vd952342.bd |
| 6 | %Documents and Settings%\All Users\Application Data\345d567\mozcrt19.dll |
| 7 | %Documents and Settings%\All Users\Application Data\345d567\sqlite3.dll |
| 8 | %Documents and Settings%\All Users\Application Data\MdestrSys |
| 9 | %Documents and Settings%\All Users\Application Data\MDestrSys\mdestr.cfg |
| 10 | %UserProfile%\Application Data\Malware Destructor 2009 |
| 11 | %UserProfile%\Application Data\Malware Destructor 2009\cookies.sqlite |
| 12 | %UserProfile%\Application Data\Malware Destructor 2009\Instructions.ini |
| 13 | %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Destructor 2009.lnk |
| 14 | %UserProfile%\Desktop\Malware Destructor 2009.lnk |
| 15 | %UserProfile%\Local Settings\Temp\del.bat |
| 16 | %UserProfile%\Recent\ANTIGEN.exe |
| 17 | %UserProfile%\Recent\ANTIGEN.sys |
| 18 | %UserProfile%\Recent\cb.drv |
| 19 | %UserProfile%\Recent\energy.exe |
| 20 | %UserProfile%\Recent\energy.tmp |
| 21 | %UserProfile%\Recent\FS.sys |
| 22 | %UserProfile%\Recent\FS.tmp |
| 23 | %UserProfile%\Recent\FW.dll |
| 24 | %UserProfile%\Recent\hymt.exe |
| 25 | %UserProfile%\Recent\kernel32.drv |
| 26 | %UserProfile%\Recent\PE.dll |
| 27 | %UserProfile%\Recent\PE.tmp |
| 28 | %UserProfile%\Recent\tempdoc.exe |
| 29 | %UserProfile%\Recent\tjd.tmp |
| 30 | %UserProfile%\Start Menu\Malware Destructor 2009.lnk |
| 31 | %UserProfile%\Start Menu\Programs\Malware Destructor 2009.lnk |
| 32 | %WINDOWS%\Temp\IMT7.xml |
| 33 | %WINDOWS%\Temp\IMT8.xml |
| 34 | %WINDOWS%\Temp\IMT9.xml |
Registry Modifications
- The following Registry Values were newly created:
HKEY..\..\..\..{Subkeys}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKEY..\..\..\..{RegistryKeys}
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\MD345d.DocHostUIHandler
Still don't know what happened to my PC. You guys are the bomb. Thanks for giving the malware scanner. I registered and it works like a charm. No more malware here!