Event ID - 7030

Port No7030
Service NameTrojanDropper
RFC Doc0
ProtocolTCP
DescriptionThis Trojan drops a copy of itself in the %Windows%\temp folder using the following file name:

51pywg´«Éñ.exe


(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

It then executes the said copy, which in turn drops several files on the affected machine, including the following malware: TROJ_LEGMIR.A
TROJ_LMIR.RK

This Trojan runs on Windows NT, 2000, and XP.
Reference LinkTrojanDropper
AttackSolution:

Removing Malware Entries from the Registry

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft
Windows>CurrentVersion>Setup
Locate and delete the subkey:
{4E70CB6D-E87A-46C2-847E-037E8C911386}

Restoring Registry Modifications

Still in the Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows NT>CurrentVersion>Winlogon
In the right panel, locate the entry:
Shell = "Explorer.exe scanregw.exe"
and change this to its default value:
Shell = "Explorer.exe"
Close Registry Editor.


NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions


Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.