ScoobyNet.com - Subaru Enthusiast Forum


Ballistic 25 March 2006 07:03 PM

Anyone know a fix for this?
 
My PC has become infected by a Trojan that repeatedly attempts to send out spam emails.
I first became aware of it when McAfee alerted me to potential worm activity.
Doing a virus scan with McAfee doesn't detect anything.
I've just done an on-line scan with Kaspersky and it detected 'Trojan-Proxy.win32.lager.ag' but isn't able to fix it. I've done a search for this trojan and drawn a blank. Does anyone here know of a fix? Please help!!

jpor 25 March 2006 07:18 PM


Originally Posted by Ballistic
My PC has become infected by a Trojan that repeatedly attempts to send out spam emails.
I first became aware of it when McAfee alerted me to potential worm activity.
Doing a virus scan with McAfee doesn't detect anything.
I've just done an on-line scan with Kaspersky and it detected 'Trojan-Proxy.win32.lager.ag' but isn't able to fix it. I've done a search for this trojan and drawn a blank. Does anyone here know of a fix? Please help!!

Try here: http://www.symantec.com/avcenter/sma...ools.list.html

Ballistic 25 March 2006 07:21 PM

jpor

That link doesn't list the trojan I appear to have.

jpor 25 March 2006 07:38 PM

This is the closest I could find for that one:

http://www.viruslist.com/en/viruses/...virusid=111699

Ballistic 27 March 2006 10:37 AM

Thanks jpor

andyr 27 March 2006 12:23 PM

Also here
http://www.pctools.com/anti-virus/en...Win32.Lager.r/
and
http://www.sophos.com/virusinfo/analyses/trojorsed.html

Info from the first that might be useful:
Once launched, the Trojan copies itself to the Windows system directory as "win32.exe"

%System%\win32.exe

It then registers this file in the system registry, ensuring that the Trojan file will be launched each time Windows is rebooted on the victim machine:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wupd" = "%System%\win32.exe"

The Trojan also creates a file called "zlbw.dll" in the Windows system directory:

%System%\zlbw.dll

The Trojan opens a random port on the victim machine and installs itself as a proxy-server. This enables a malicious remote user to work on the network via the victim machine.

The Trojan also establishes a connection to 217.159.***.176 and sends the remote malicious user information about the victim machine (IP address etc.)
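
A read-only check for the indicators quoted in the post above, added here as an example and not part of the original thread or the linked write-ups: it looks for the "wupd" Run value and the two dropped files and reports what it finds without changing anything. The SysWOW64 lookup is an assumption for 64-bit Windows, and the quoted description is for Lager.r, so other variants may use different names.

```powershell
# Added example: read-only triage for the indicators quoted above.
# Run it as the affected user (HKCU is per-user). Nothing is modified.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'wupd'                    # value name from the write-up
$fileNames = 'win32.exe', 'zlbw.dll'   # dropped files from the write-up

# %System% in the write-up is the Windows system directory. Assumption:
# on 64-bit Windows a 32-bit process is redirected to SysWOW64, so check both.
$dirs = @([Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')) |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container }

$findings = @()

# 1. Persistence: the named Run value, or any Run value launching win32.exe
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -eq $runValue -or $data -match '\\win32\.exe') {
            $findings += [pscustomobject]@{ Indicator = "Run value '$name'"; Detail = $data }
        }
    }
}

# 2. Dropped files, with creation time and signature status for context
foreach ($dir in $dirs) {
    foreach ($file in $fileNames) {
        $path = Join-Path $dir $file
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force   # -Force shows hidden/system files
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $findings += [pscustomobject]@{
                Indicator = "File $file"
                Detail    = '{0} (created {1:u}, signature {2})' -f $path, $item.CreationTimeUtc, $sig.Status
            }
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the listed indicators were found for this user.'
}
```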

Ballistic 27 March 2006 12:36 PM

Thanks for that information andyr

Not being an expert on these matters, is it suggesting I delete files win32.exe and zlbw.dll and/or block access to certain ports/addresses?

What concerns me the most is that a malicious user may be working from and storing files on my machine.

andyr 27 March 2006 01:48 PM

I've reached the limit of my knowledge there !
If you've a firewall then I guess you could block outgoing access to the 217.159.***.176 IPs - can't see any problem with that ?
Is it worth contacting McAfee directly to see if they can help you since you (hopefully) have bought and paid for anti-virus software ?
Always dangerous to delete any files if you don't know what you are doing : I had a homepage hijack problem a year or so ago and did exactly that : I ended up having to reinstall Win XP because of 1 file that I was suspicious of that I renamed out of the way !


All times are GMT +1.