Event ID - 2774

Port No2774
Service NameBackDoor-G2
RFC Doc0
ProtocolTCP
DescriptionThis server component of a backdoor malware, TROJ_Sub7. It drops a Petite compressed Win32API.EXE file in the Windows system directory and in another directory to a random name. It also creates a copy of Win32API.EXE to a different name and modifies the Windows registry so that it executes upon Windows startup.
Reference LinkBackDoor-G2
AttackSolution:

Click Start>Run, type Regedit then hit the Enter key.
In the left panel of the Registry Editor, click the plus sign (+)
left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion
RunServices
In the right panel of the Registry Editor, look for and delete this
registry value:
MicrosoftAPI = “C:\WINDOWS\SYSTEM\Win32API.exe”
In the left panel of the Registry Editor click the plus sign (+)
left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
Active Setup
Installed Components

In the right panel of the Registry Editor, look for and delete the
following value:
StubPath = “C:\WINDOWS\SYSTEM\Win32API.exe>”
In the left panel of the Registry Editor click the plus sign (+)
left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
Current Version
Explorer
User Shell Folders.
In the right panel of the Registry Editor, look for and delete the
following value:
Common Startup = “C:\WINDOWS\SYSTEM\containing Win32API.exe>”
In the left panel of the Registry Editor click the plus sign (+)
left of the following:
HKEY_LOCAL_MACHINE
Software
Microsoft
ENC
Right click ENC and then delete.
Restart your system.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.