Disable common Trojans and unauthorized remote control software


Http://center.hzau.edu.cn/service/support/20041231/344.htm

The Trojans and unauthorized remote control programs listed below usually get onto a machine because the administrator password was never set properly. Before anything else, check that the passwords of every account on the system are strong enough.
Password requirements:
1. At least 8 characters long;
2. No dictionary words and no Chinese pinyin (personal names included);
3. A mix of several of the following character classes:
o uppercase letters (A, B, C ... Z)
o lowercase letters (a, b, c ... z)
o digits (0, 1, 2 ... 9)
o punctuation (@, #, !, $, %, & ...)
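A small checker for the rules above, added here as an example (it is not from the source page). The wordlist is a constructed stand-in for a real dictionary plus pinyin name list, and the three-of-four character-class threshold is an assumption, since the page only says "multiple types"; the rest follows the list as written. The word check strips the password down to its alphabetic runs, so padding a name with digits and punctuation does not get it past the rule.

```python
import re
import string

# Constructed stand-in for a real dictionary plus pinyin name list (assumption:
# a deployment would load a full wordlist from disk instead of this short set).
WEAK_WORDS = {
    "password", "admin", "administrator", "welcome", "letmein", "qwerty",
    "zhangsan", "lisi", "wangwu", "beijing", "shanghai", "zhongguo",
}

CHAR_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}
MIN_LENGTH = 8
MIN_CLASSES = 3   # assumption: "multiple types" read as at least three of the four


def char_classes(password):
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in password)}


def contains_weak_word(password, wordlist=WEAK_WORDS):
    """True if any alphabetic run of the password is a wordlist entry, or a
    wordlist entry of four or more letters appears anywhere inside it, so
    'Admin123!' and 'zhangsan2004' are both rejected despite the padding."""
    lowered = password.lower()
    if any(run in wordlist for run in re.findall(r"[a-z]+", lowered)):
        return True
    return any(word in lowered for word in wordlist if len(word) >= 4)


def check_password(password):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(char_classes(password)) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if contains_weak_word(password):
        problems.append("contains a dictionary word or pinyin name")
    return problems


if __name__ == "__main__":
    for candidate in ("Admin123!", "zhangsan2004", "T7#qLm!9vX"):
        print(candidate, "->", check_password(candidate) or "OK")
```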
Note: the paths below depend on the Windows version; adjust them for your own system.
Windows 98: C:\Windows\System
Windows NT and Windows 2000: C:\winnt\system32
Windows XP: C:\Windows\system32
The drive letter also depends on where Windows was installed: if the system is on drive D, read "D:\Windows" wherever "C:\Windows" appears below.
Most Trojans let the attacker change the default listening port, so the port list below is only a starting point; what matters is the program that owns the port. A complete check-and-removal pass looks like this:
Example: removing the port 113 Trojan (Windows only):
This Trojan is controlled through an IRC chat channel.
1. Run netstat -an and check whether port 113 is listening on your system (on Windows XP, netstat -ano also shows the owning PID).
2. Run fport to see which program is listening on port 113. Typical fport output:
Pid   Process         Port  Proto Path
392   svchost      -> 113   TCP   C:\winnt\system32\vhos.exe
This shows that the Trojan listening on port 113 is vhos.exe in C:\winnt\system32. The process name looks like a system process; it is the path column that identifies the file.
3. Having identified the Trojan (the program listening on port 113), find the process in Task Manager and end it.
4. Choose Start > Run, type regedit to open the Registry Editor, search the registry for the program name you just found, and delete every value that references it.
5. Delete the Trojan file from the directory fport reported. The file set differs from Trojan to Trojan; compare the creation and modification times of the file you found with the other files in that directory to spot companion files dropped at the same time.
6. Restart the machine.
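The netstat-plus-fport pass above, as an added Python example that is not from the source page: it parses netstat -ano output, keeps only listening sockets, and flags ports from this page's table as well as well-known system binary names running from a directory they do not belong in. The netstat lines and the PID-to-path map below are constructed samples (the map is what fport, or on Windows XP wmic process get processid,executablepath, would give you); the port table is taken from the sections of this page. Note that the ESTABLISHED connection with local port 1029 is deliberately not flagged: client-side sockets use ephemeral ports that collide with the table.

```python
import ntpath
import subprocess
import sys

# Default ports from this page, keyed to what the page says listens there.
TROJAN_DEFAULT_PORTS = {
    113: "IRC-controlled Trojan (vhos.exe)", 707: "Nachi worm", 1029: "Lovgate backdoor",
    1999: "BackDoor", 2001: "Black Hole 2001", 2023: "Ripper", 2583: "WinCrash v2",
    4444: "MSBlast worm", 6267: "Guangwai Girl", 6670: "DeepThroat", 6771: "DeepThroat",
    6939: "Indoctrination", 6969: "Priority", 7306: "NetSpy", 7511: "Smart Genius",
    7626: "Glacier", 8011: "WAY 2.4", 9989: "iNi-Killer", 19191: "Blue Flame",
    20168: "Lovgate backdoor", 23444: "NetBull", 27374: "SubSeven", 30100: "NetSphere",
    31337: "BO2K", 45576: "SkSocks proxy", 50766: "Schwindler", 61466: "Telecommando",
}
# Legitimate remote-control software: a finding only if you did not install it.
REMOTE_CONTROL_PORTS = {3389: "Terminal Services", 4899: "Radmin",
                        5800: "VNC", 5900: "VNC", 6129: "DameWare"}
# Names Trojans borrow, and the directories the real binaries live in.
IMPERSONATED = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe"}
SYSTEM_DIRS = {"system32", "system", "winnt", "windows"}

# Constructed sample of `netstat -ano` output (Windows XP format, which adds the PID column).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1776
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING       1540
  TCP    192.168.1.5:1029       10.0.0.7:80            ESTABLISHED     2044
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed PID -> image path map, as fport (or wmic on XP) would report it.
SAMPLE_PID_PATHS = {
    392: r"C:\winnt\system32\vhos.exe",
    820: r"C:\winnt\system32\svchost.exe",
    1012: r"C:\winnt\system32\svchost.exe",
    1776: r"C:\winnt\fonts\explorer.exe",
    1540: r"C:\winnt\system32\Kernel32.exe",
    2044: r"C:\Program Files\Internet Explorer\iexplore.exe",
    4: "System",
}


def parse_netstat(text):
    """Turn netstat -ano output into rows; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        ip, _, port = parts[1].rpartition(":")     # rpartition copes with [::]:135
        if parts[0] == "TCP":
            if len(parts) < 5:
                continue
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        rows.append({"proto": parts[0], "ip": ip, "port": int(port), "state": state, "pid": int(pid)})
    return rows


def is_listener(row):
    return row["proto"] == "UDP" or row["state"] == "LISTENING"


def triage(rows, pid_paths):
    """(port, pid, path, reason) for every listening socket that deserves a look.
    Client-side connections are skipped: their ephemeral local ports collide
    with this table (1029, for instance), so only LISTENING sockets count."""
    findings = []
    for row in rows:
        if not is_listener(row):
            continue
        port, pid = row["port"], row["pid"]
        path = pid_paths.get(pid, "<unknown>")
        if port in TROJAN_DEFAULT_PORTS:
            findings.append((port, pid, path, "default port of " + TROJAN_DEFAULT_PORTS[port]))
        elif port in REMOTE_CONTROL_PORTS:
            findings.append((port, pid, path, REMOTE_CONTROL_PORTS[port] + " (legitimate only if you enabled it)"))
        name = ntpath.basename(path).lower()
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        if name in IMPERSONATED and parent not in SYSTEM_DIRS:
            findings.append((port, pid, path, "system binary name outside a system directory"))
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":   # live run on XP or later; pair it with a fport/wmic path map
        text = subprocess.check_output(["netstat", "-ano"]).decode("mbcs", "replace")
        paths = {}
    else:
        text, paths = SAMPLE_NETSTAT, SAMPLE_PID_PATHS
    for port, pid, path, reason in triage(parse_netstat(text), paths):
        print("%-6d pid %-5d %-45s %s" % (port, pid, path, reason))
```

On the sample this reports vhos.exe on 113, Terminal Services on 3389, the fonts\explorer.exe copy on 5900 (twice: VNC port and impersonated name), and Kernel32.exe on 7626; the real svchost.exe on 135 and the outbound browser connection are left alone.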
The ports listed below are only the defaults each Trojan opens; adapt the steps to what you actually find on the machine.
Close port 707:
An open port 707 suggests infection by the Nachi worm. Remove it as follows:
1. Stop the two services named "WINS Client" and "Network Connections Sharing".
2. Delete DLLHOST.EXE and SVCHOST.EXE from the C:\winnt\system32\wins\ directory (leave the real svchost.exe in C:\winnt\system32 alone).
3. Edit the registry and delete the two keys RpcTftpd and RpcPatch under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Close port 1999:
Port 1999 is the default port of the Trojan "BackDoor". Remove it as follows:
1. Use a process management tool to end the notpa.exe process.
2. Delete notpa.exe from the C:\Windows\ directory.
3. Edit the registry and delete the value containing C:\Windows\notpa.exe /o=yes under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Close port 2001:
Port 2001 is the default port of the Trojan "Black Hole 2001". Remove it as follows:
1. Use a process management tool to kill the windows.exe process.
2. Delete windows.exe and s_server.exe from the C:\winnt\system32 directory.
3. Edit the registry and delete the "Windows" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\.
4. Delete the winvxd key under HKEY_CLASSES_ROOT and under HKEY_LOCAL_MACHINE\Software\Classes.
5. Under HKEY_CLASSES_ROOT\txtfile\shell\open\command, change C:\winnt\system32\s_server.exe %1 back to C:\winnt\notepad.exe %1.
6. Do the same under HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command: change C:\winnt\system32\s_server.exe %1 back to C:\winnt\notepad.exe %1.
Close port 2023:
Port 2023 is the default port of the Trojan "Ripper". Remove it as follows:
1. Use a process management tool to end the sysrunt.exe process.
2. Delete sysrunt.exe from the C:\Windows directory.
3. Edit system.ini, change shell=explorer.exe sysrunt.exe to shell=explorer.exe, and save.
4. Restart the system.
Close port 2583:
Port 2583 is the default port of the Trojan "WinCrash v2". Remove it as follows:
1. Edit the registry and delete winmanager = "C:\Windows\server.exe" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\.
2. Edit win.ini, change run=C:\Windows\server.exe to run=, then save and exit.
3. After restarting the system, delete C:\Windows\system\server.exe.
Close port 3389:
Port 3389 is opened by Windows Terminal Services (Remote Desktop); it is not a Trojan. Check whether you enabled the service yourself. If you did not, disable it.
Windows 2000:
1. Windows 2000 Server: Start > Programs > Administrative Tools > Services; find the Terminal Services item, open its Properties, change Startup Type to Manual, and stop the service.
2. Windows 2000 Professional: Start > Settings > Control Panel > Administrative Tools > Services; find the Terminal Services item, open its Properties, change Startup Type to Manual, and stop the service.
Windows XP:
Right-click My Computer, choose Properties > Remote, and clear both the Remote Assistance and the Remote Desktop check boxes.
Close port 4444:
An open port 4444 may indicate infection by the MSBlast worm. Remove it as follows (and install the RPC/DCOM patch the worm exploits, MS03-026, otherwise the machine is reinfected as soon as it is back on the network):
1. Use a process management tool to end the msblast.exe process.
2. Edit the registry and delete the "windows auto update" = "msblast.exe" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
3. Delete msblast.exe from the C:\winnt\system32 directory.
Close port 4899:
Port 4899 is the listening port of the Remote Administrator (Radmin) server. It is not a Trojan, but it gives full remote control and anti-virus software generally does not flag it. Check whether you installed it yourself and still need it. If not, remove it:
1. Start > Run, type cmd (command on Windows 98), then cd C:\winnt\system32 (your system directory), type r_server.exe /stop and press Enter;
then type r_server /uninstall /silence.
2. Delete r_server.exe, admdll.dll and raddrv.dll from C:\winnt\system32 (the system directory).
Close ports 5800 and 5900:
Ports 5800 and 5900 are the default ports of the remote control software VNC, but some worms drop a modified VNC as their backdoor.
Check whether you installed VNC yourself and still need it. If not, remove it:
1. Use fport to find the program listening on ports 5800 and 5900 (often a renamed copy at C:\winnt\fonts\explorer.exe).
2. Kill the related process in Task Manager. Careful: one explorer.exe process is the real Windows shell, so check the path before killing; if you end the wrong one, start C:\winnt\explorer.exe again.
3. Delete the explorer.exe program in C:\winnt\fonts.
4. Delete the Explorer value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the registry.
5. Restart the machine.
Close port 6129:
Port 6129 is the listening port of the DameWare NT Utilities remote control server (DameWare Mini Remote Control). It is not a Trojan, but it gives full remote control and anti-virus software generally does not flag it. Check whether you installed it yourself and still need it. If not, remove it:
1. Start > Settings > Control Panel > Administrative Tools > Services. Right-click the DameWare Mini Remote Control item, open its Properties, change Startup Type to Disabled, and stop the service.
2. Go to C:\winnt\system32 (the system directory) and delete the DWRCS.exe program.
3. In the registry, delete the DWRCS key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.
Close port 6267:
Port 6267 is the default port of the Trojan "Guangwai Girl". Remove it as follows:
1. Boot into Safe Mode and delete diagfg.exe from C:\winnt\system32\.
2. The Trojan hijacks the .exe file association, so regedit.exe will not start normally: find regedit.exe in the C:\winnt directory and rename it to regedit.com.
3. Start > Run, type regedit.com to open the Registry Editor.
4. Set the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command back to "%1" %*
5. Delete the "diagnostic configuration" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
6. Rename regedit.com in C:\winnt back to regedit.exe.
Close ports 6670 and 6771:
These are the default ports of the Trojan "DeepThroat" v1.0 to v3.1. Remove it as follows:
1. Edit the registry and, under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, delete the 'System32' = C:\Windows\system32.exe value (v1.0) or the 'systemrule' = 'cmdray.exe' value (v2.0 to 3.0).
2. After restarting, delete C:\Windows\system32.exe (v1.0) or C:\Windows\system\groovray.exe (v2.0 to 3.0).
Close port 6939:
Port 6939 is the default port of the Trojan "Indoctrination". Remove it as follows:
1. Edit the registry and, under each of
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
delete every value of the form msgsrv16 = "msgserv16.exe".
2. After restarting, delete msgserv16.exe from the C:\Windows\system\ directory.
Close port 6969:
Port 6969 is the default port of the Trojan "Priority". Remove it as follows:
1. Edit the registry and delete the "pserver" = C:\Windows\system\pserver.exe value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
2. After restarting, delete pserver.exe from the C:\Windows\system\ directory.
Close port 7306:
Port 7306 is the default port of the Trojan "NetSpy" (Network Genie). Remove it as follows:
1. Use fport to see which program is listening on port 7306 and note its name and path.
2. If the program is netspy.exe, open a command prompt in that directory and run netspy.exe /remove to uninstall it.
3. If it has another name, end its process and then delete the program from that directory.
4. Edit the registry and delete the values referring to the program under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
Close port 7511:
Port 7511 is the default port of the Trojan "Smart Genius". Remove it as follows:
1. Use a process management tool to kill the mbbmanager.exe process.
2. Delete mbbmanager.exe and javase32.exe from C:\winnt (the system installation directory) and editor.exe from C:\winnt\system32.
3. Edit the registry and delete the "mainbroad backmanager" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
4. Under HKEY_CLASSES_ROOT\txtfile\shell\open\command, change C:\winnt\system32\editor.exe %1 back to C:\winnt\notepad.exe %1.
5. Under HKEY_LOCAL_MACHINE\Software\Classes\hlpfile\shell\open\command, change C:\winnt\javase32.exe %1 back to C:\winnt\winhlp32.exe %1.
Close port 7626:
Port 7626 is the default port of the Trojan "Glacier" (the port can be changed). Remove it as follows:
1. Boot into Safe Mode, edit the registry, and delete the value pointing at C:\winnt\system32\Kernel32.exe under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
2. Delete the value pointing at C:\Windows\system32\Kernel32.exe under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
3. Under HKEY_CLASSES_ROOT\txtfile\shell\open\command, change C:\winnt\system32\sysexplr.exe %1 back to C:\winnt\notepad.exe %1.
4. Delete kernel32.exe and sysexplr.exe from C:\Windows\system32\. (The genuine kernel32 is kernel32.dll in the same directory; do not delete it.)
Close port 8011:
Port 8011 is the default port of the Trojan "WAY 2.4". Remove it as follows:
1. Use a process management tool to kill the msgsvc.exe process.
2. Delete msgsvc.exe from the C:\Windows\system directory.
3. Edit the registry and delete the value C:\Windows\system\msgsvc.exe under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Close port 9989:
Port 9989 is the default port of the Trojan "iNi-Killer". Remove it as follows:
1. Edit the registry and delete the "C:\Windows\bad.exe" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\.
2. Restart the system and delete bad.exe from the C:\Windows directory.
Close port 19191:
Port 19191 is the default telnet port opened by the Trojan "Blue Flame". Remove it as follows:
1. Use a process management tool to end the tasksvc.exe process.
2. Delete tasksvc.exe, sysexpl.exe and bfhook.dll from the C:\Windows\system directory.
3. Edit the registry and delete the network services = C:\Windows\system\tasksvc.exe value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
4. Under HKEY_CLASSES_ROOT\txtfile\shell\open\command, change C:\Windows\system\sysexpl.exe "%1" back to C:\Windows\notepad.exe "%1".
5. Under HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command, change C:\Windows\system\sysexpl.exe "%1" back to C:\Windows\notepad.exe "%1".
Ports 1029 and 20168:
These two ports are the backdoor ports opened by the Lovgate worm. Note that 1029 also falls in the range Windows hands out to ordinary outbound connections, so only a LISTENING socket on 1029 is evidence; an ESTABLISHED connection with local port 1029 is not.
For details see the Lovgate worm description.
You can download the removal tool fixlw.exe.
Usage: download and run the program, restart the machine, then run it once more.
Close port 23444:
Port 23444 is the default port of the Trojan "NetBull" (Network Bull). Remove it as follows:
1. Boot into Safe Mode and delete checkdll.exe from C:\winnt\system32\.
2. Compare the size of the following files with the same files on a clean system of the same version; where the size differs, delete the file and copy the clean one back. Files to check:
notepad.exe, write.exe, regedit.exe, winmine.exe, winhelp.exe
3. Once the files are replaced with clean copies, open the Registry Editor and delete the "checkdll.exe" = "C:\winnt\system32\checkdll.exe" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
4. Delete the "checkdll.exe" = "C:\winnt\system32\checkdll.exe" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
5. Delete the "checkdll.exe" = "C:\winnt\system32\checkdll.exe" value under the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run key. Note that this Trojan binds itself to other applications: check whether the size of your other programs has changed, and if so uninstall and reinstall them.
Close port 27374:
Port 27374 is the default port of the Trojan "SubSeven" (Sub7). Remove it as follows:
1. Use fport to determine which program opened port 27374 and note its name and path.
2. Edit the registry and delete any value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run that contains the file name fport reported.
3. Delete any value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices that contains that file name.
4. Kill the process of that file. If it cannot be killed, go to Services and stop and disable the service associated with the program (its service name is the one you just saw under RunServices).
5. Edit win.ini and check whether a file name follows "run="; if so, remove it.
6. Edit system.ini and check whether anything follows "shell=explorer.exe"; if so, remove it.
7. Delete the file you found from the corresponding directory.
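The autostart and file-association checks that recur throughout this page (the Run/RunServices/RunOnce/RunServicesOnce values, win.ini run=, system.ini shell=, and the txtfile, hlpfile and exefile shell\open\command hijacks used by Black Hole 2001, Guangwai Girl, Smart Genius, Glacier and Blue Flame above, plus the SubSeven checklist just given), combined into one audit. This is an added example, not code from the source page. The registry snapshot, win.ini and system.ini text below are constructed samples modelled on the Glacier and Ripper sections; the read_key function is an assumed live-read helper that only works on Windows (it uses the standard winreg module), and the expected handler binaries are the stock ones the page restores.

```python
import ntpath
import re
import sys

RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]
# Handlers the page keeps restoring: the executable must be this, or, for
# exefile, the command must be exactly "%1" %*.
EXPECTED_HANDLERS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": None,
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": "notepad.exe",
    r"HKEY_CLASSES_ROOT\hlpfile\shell\open\command": "winhlp32.exe",
}

# Constructed snapshot modelled on the Glacier and Ripper sections above:
# key path -> {value name: data}; "" is the key's default value.
SAMPLE_SNAPSHOT = {
    RUN_KEYS[0]: {"SystemTray": "SysTray.Exe", "Kernel32": r"C:\winnt\system32\Kernel32.exe"},
    RUN_KEYS[1]: {"Kernel32": r"C:\winnt\system32\Kernel32.exe"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": {"": r"C:\winnt\system32\sysexplr.exe %1"},
    r"HKEY_CLASSES_ROOT\hlpfile\shell\open\command": {"": r"%SystemRoot%\System32\winhlp32.exe %1"},
}
SAMPLE_WIN_INI = "[windows]\nload=\nrun=\nNullPort=None\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe sysrunt.exe\n"


def first_token(command):
    """The executable part of a command line: a quoted path or the first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ""


def audit_run_keys(snapshot, suspect_names):
    """(key, value name, data) for autostart values that launch a suspect file name."""
    suspects = {s.lower() for s in suspect_names}
    hits = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if ntpath.basename(first_token(data)).lower() in suspects:
                hits.append((key, name, data))
    return hits


def audit_handlers(snapshot):
    """(key, command) for file-type handlers that no longer point at the stock program."""
    hits = []
    for key, expected in EXPECTED_HANDLERS.items():
        command = snapshot.get(key, {}).get("", "")
        if expected is None:
            ok = command.strip() == '"%1" %*'
        else:
            ok = ntpath.basename(first_token(command)).lower() == expected
        if not ok:
            hits.append((key, command))
    return hits


def audit_ini(win_ini, system_ini):
    """win.ini run= must be empty; system.ini shell= must be explorer.exe alone."""
    hits = []
    m = re.search(r"^\s*run\s*=(.*)$", win_ini, re.I | re.M)
    if m and m.group(1).strip():
        hits.append(("win.ini run=", m.group(1).strip()))
    m = re.search(r"^\s*shell\s*=(.*)$", system_ini, re.I | re.M)
    if m and m.group(1).strip().lower() != "explorer.exe":
        hits.append(("system.ini shell=", m.group(1).strip()))
    return hits


def read_key(path):
    """Read one live registry key into {value name: data} (Windows only; assumed helper)."""
    import winreg
    root_name, _, subkey = path.partition("\\")
    values = {}
    try:
        with winreg.OpenKey(getattr(winreg, root_name), subkey) as key:
            index = 0
            while True:
                name, data, _ = winreg.EnumValue(key, index)
                values[name] = str(data)
                index += 1
    except OSError:          # key missing, or EnumValue ran off the end
        pass
    return values


if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot = {k: read_key(k) for k in list(RUN_KEYS) + list(EXPECTED_HANDLERS)}
    else:
        snapshot = SAMPLE_SNAPSHOT
    for hit in (audit_run_keys(snapshot, ["kernel32.exe", "sysexplr.exe"])
                + audit_handlers(snapshot) + audit_ini(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI)):
        print(hit)
```

The handler check compares only the executable name, so both the C:\winnt\notepad.exe form used on this page and the %SystemRoot%\system32\NOTEPAD.EXE form found on a stock system pass; a hijack such as sysexplr.exe or editor.exe fails regardless of where it sits. On the sample it reports the two Kernel32 autostart values, the hijacked txtfile handler and the extra program appended to shell= in system.ini.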
Close port 30100:
Port 30100 is the default port of the Trojan "NetSphere". Remove it as follows:
1. Edit the registry and delete nssx = "C:\Windows\system\nssx.exe" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\.
2. Delete the nssx = "C:\Windows\system\nssx.exe" value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
3. Delete the nssx = "C:\Windows\system\nssx.exe" value under HKEY_USERS\<each user key>\Software\Microsoft\Windows\CurrentVersion\Run.
4. After restarting, delete nssx.exe from the C:\Windows\system\ directory.
Close port 31337:
Port 31337 is the default port of the Trojan "BO2K" (Back Orifice 2000). Remove it as follows:
1. Boot into Safe Mode.
2. Edit the registry and delete the value referencing umgr32.exe under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
3. Delete umgr32.exe from the \Windows\system directory.
4. Restart the machine.
Port 45576:
This is the control port of a proxy program. First make sure you did not install the proxy yourself (it relays other people's traffic through your machine and adds to your bandwidth use).
Remove the proxy:
1. Use fport to find where the proxy program is.
2. In Services, stop the service (usually named sksocks) and set it to Disabled.
3. Delete the program from its directory.
Close port 50766:
Port 50766 is the default port of the Trojan "Schwindler". Remove it as follows:
1. Edit the registry and delete the user.exe = "C:\Windows\user.exe" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\.
2. After restarting, delete user.exe from the C:\Windows\ directory.
Close port 61466:
Port 61466 is the default port of the Trojan "Telecommando". Remove it as follows:
1. Edit the registry and delete systemapp = "ODBC.EXE" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\.
2. Restart the machine and delete ODBC.EXE from the C:\Windows\system\ directory.
