
lsadst.exe?

Discussion in 'Malware and Virus Removal Archive' started by OWRACER, 2006/01/31.

  1. 2006/01/31
    OWRACER

    OWRACER Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    2
    Likes Received:
    0
    Anyone have any idea what this executable might be? It is suddenly coming up as the most active application on my firewall (McAfee via Comcast), but it won't make it available to me to disable it.

    As far as I know, none of my normal applications originates from this exe. I've googled the term "lsadst.exe" and searched for it at support.microsoft.com to no avail.

    I'm concerned that I've picked up some malware (or worse) that Spybot, Ad-Aware, etc. aren't picking up.

    Any ideas??

    Thanks much!
     
  2. 2006/01/31
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Looks likely :(

    Please read This thread, and post a HJT log in the Removing Spyware & Viruses forum.
     
    Arie,
    #2


  4. 2006/02/02
    HumBug

    HumBug Well-Known Member

    Joined:
    2002/06/20
    Messages:
    151
    Likes Received:
    0
    This is on a few of the virus websites.

    Found this information on this website
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_BREPIBOT.A

    This memory-resident backdoor arrives on a system as an attachment to a spammed email message. It may also arrive as a dropped or downloaded file from the Internet.

    It opens TCP port 8080 and connects to a specific Internet Relay Chat (IRC) server. It then joins an IRC channel, where it receives commands from a remote malicious user. It performs the said commands, thus effectively compromising system security and increasing the risk of further attacks on the affected machine.

    Upon execution, it drops a copy of itself using the file name LSADST.EXE in the Windows system folder.

    Moreover, it executes a legitimate system file named NETSH.EXE. The said routine allows it to configure the Windows firewall, thus creating an exception in blocking TCP port 8080, which this backdoor uses for its malicious routines.

    You can also browse these websites
    http://www.bleepingcomputer.com/startups/WindowsProtocolLog-14336.html

    and
    http://www.esecurityplanet.com/alerts/article.php/1031_3581896

    and
    http://www.pc-magazin.de/internet/cm/virenecke/show_sophos.php?id=2402
     
  5. 2006/02/02
    OWRACER

    OWRACER Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    2
    Likes Received:
    0
    Thanks HumBug!

    Since I couldn't find any earlier reference to the lsadst process on the internet, I went ahead and ended the process (via Task Manager) and then deleted the instance of the lsadst.exe file on my hard drive (disguised with a PDF icon) while in Safe Mode. I then downloaded a full copy of Spyware Doctor and it deleted a bunch of other ****. I need to go back and reverify my registry and then check into this port 8080 exception.

    This is a nasty one. Looks to be a keylogger stealing everything you input on the keyboard.
     
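The three indicators HumBug quoted from the Trend Micro write-up (LSADST.EXE dropped in the Windows system folder, TCP port 8080 opened, a firewall exception added through NETSH.EXE) and the "port 8080 exception" OWRACER still needs to check can be triaged in one pass. The script below is an added example, not code posted in this thread or taken from Trend Micro; it assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or later, run from an elevated session, and uses the NetSecurity cmdlets that replaced the XP SP2-era `netsh firewall` context the 2006 posters would have used (the legacy commands are noted in the comments). It reports by default and only changes anything when run with `-Remediate`; the "Quarantine" folder name is an assumption of the example.

```powershell
<#
  Added example (not from the thread): triage the BKDR_BREPIBOT.A indicators quoted above.
  Assumes Windows PowerShell 5.1, Windows 8/Server 2012 or later, elevated session.
  Without -Remediate it only reports what it finds.
#>
[CmdletBinding()]
param([switch]$Remediate)

$ErrorActionPreference = 'Stop'
$sysDir   = [Environment]::GetFolderPath('System')   # typically C:\Windows\System32
$dropName = 'lsadst.exe'                              # file name quoted in the advisory
$dropPath = Join-Path $sysDir $dropName
$port     = 8080                                      # TCP port the backdoor opens
$findings = @()

# 1. Dropped file in the system folder: record size and SHA-256 so the sample can be compared or submitted.
if (Test-Path -LiteralPath $dropPath) {
    $item = Get-Item -LiteralPath $dropPath
    $sha  = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File   : $dropPath  $($item.Length) bytes  SHA256=$sha"
}

# 2. Running copy, whatever path it was started from (Task Manager only shows the image name).
$procName = [IO.Path]::GetFileNameWithoutExtension($dropName)
$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings += "Process: PID $($p.Id) $($p.Path)"
}

# 3. Listener on TCP 8080 and the image that owns it.
$listen = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
foreach ($c in $listen) {
    $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Listen : $($c.LocalAddress):$($c.LocalPort) owned by PID $($c.OwningProcess) ($($owner.Path))"
}

# 4. Inbound allow rule for TCP 8080, which is what the NETSH.EXE call in the advisory creates.
#    XP SP2 equivalent:  netsh firewall show portopening
#    and to remove it:   netsh firewall delete portopening protocol=TCP port=8080
$rules = @(Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
           Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$port" } |
           Get-NetFirewallRule |
           Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
foreach ($r in $rules) {
    $findings += "FWRule : '$($r.DisplayName)' ($($r.Name)) allows inbound TCP $port"
}

if ($findings.Count -eq 0) {
    Write-Host "No BKDR_BREPIBOT.A indicators found."
    return
}
$findings | ForEach-Object { Write-Warning $_ }

if (-not $Remediate) {
    Write-Host "Re-run with -Remediate to stop the process, remove the firewall rule and quarantine the file."
    return
}

# Remediation order matters: stop the process before touching the file it has open.
foreach ($p in $procs) { Stop-Process -Id $p.Id -Force }
foreach ($r in $rules) { Remove-NetFirewallRule -Name $r.Name }
if (Test-Path -LiteralPath $dropPath) {
    # Quarantine folder is an assumption of this example; keep the sample rather than deleting it,
    # and rename it to .bin so it cannot be launched by a double-click.
    $quarantine = Join-Path $env:ProgramData 'Quarantine'
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    Move-Item -LiteralPath $dropPath -Destination (Join-Path $quarantine "$dropName.bin")
}
Write-Host "Remediated. Reboot and re-run without -Remediate to confirm nothing re-dropped the file."
```

Run it once without the switch from an elevated prompt and keep the output; the firewall-rule check is the step that answers OWRACER's remaining question, since a rule that survives the file's deletion is a sign the cleanup was done on the file only. A second run after a reboot is the cheap way to tell whether some other component (the "bunch of other" files Spyware Doctor removed) was re-dropping the executable.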
