Disable common trojans and unauthorized Control Software

If there are Trojans and unauthorized remote control software in the computer, other people will not only be able to get all your privacy information and account passwords, but also take control of the computer at any time, this article describes how to disable these two types of software.

It should be noted that the various Trojans and remote control software installed without authorization described in this article exist because the system is infiltrated due to incorrect administrator password settings. Therefore, check whether the passwords of all accounts in the system are safe enough.

Password setting requirements:

1. The password should be at least 8 characters long;

2. Do not include words in the dictionary or Chinese pinyin that does not include surnames;

3. it also contains multiple types of characters, such as uppercase letters (A, B, C ,.. z), lowercase letters (a, B, c .. z), number (0, 1, 2 ,... 9). punctuation marks (@,#,!, $, % ,&...).

Note: The related paths mentioned below may vary depending on your operating system version. Please make adjustments based on your own system.

Win98 system: c: Windows, c: Windowssystem
Winnt and Win2000 systems: c: Winnt, c: Winntsystem32
Winxp: c: Windows, c: Windowssystem32
 
The drive letter of the directory may vary depending on the system installation path. if the system is installed on drive D, change C: Windows to drive D: Windows.

Most Trojans can change the default service port. We should take appropriate measures based on the specific situation. A complete check and deletion process is shown in the following example:

For example, port 113 Trojan is cleared (only for Windows): This is a trojan program based on irc chat room control.

1. Run the netstat-an command to check whether port 113 is enabled on your system;

2. Use the fport command to check which program is listening to port 113;

For example, we can see the following results using fport:

Pid ProcessPort Proto Path
392 svchost-> 113 TCP
C: WinNTsystem32vhos.exe
 
We can ensure that the trojan program in the 113port is vhos.exe and the program is located in the c: Winntsystem32 directory.

3. After determining the trojan program name (the program listening to port 113), find the process in the task manager and end the process using the Manager.

4. In start-run, type regedit to run the registry administrator, find the program you just found in the registry, and delete all the related key values.

5. Delete the trojan in the directory where the trojan program is located. Depends on the trojan program, the file is also different, you can check the program generation and modification time to determine other programs related to listening to the Trojan program on port 113 ).

 
6. Restart the machine.

The ports listed below are only ports opened by default by the trojan program. perform the following operations based on the actual situation:

Close port 707:

This port is open, indicating that you may be infected with the nachi Worm. The worm can be cleared as follows:

1. Stop the two services named WinS Client and Network Connections Sharing;
2. Delete the DLLHOST. EXE and SVCHOST. EXE files in the c: WinntSYSTEM32WinS directory;
3. Edit the registry and delete the two key values RpcTftpd and RpcPatch in the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices item.
 
Close port 1999:

This port is the default service port of the Trojan program BackDoor. The method for clearing this trojan is as follows:

1、use the process management tool to end the notpa.exe process;
2. Delete the notpa.exe program in the c: Windows directory;
3. Edit the registry and delete the key value of c: Windowsotpa.exe/o = yes in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun entry.
 
Close port 2001:

This port is the default service port of Trojan program black hole 2001. The Trojan cleaning method is as follows:

1. First, use the process management software to kill the process windows.exe;
2. Delete the windows.exeand s_server.exe files under the c: winntsystem32directory;
3. Edit the registry and delete the Windows key value in the HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices item;
4. Delete Winvxd from HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINESoftwareCLASSES;
5. Modify c: Winntsystem32S_SERVER.EXE % 1 in the HKEY_CLASSES_ROOTxtfileshellopencommand item to C: WinNTNOTEPAD. EXE % 1;
6. Modify the c: Winntsystem32S_SERVER.EXE % 1 key value in the HKEY_LOCAL_MACHINESoftwareCLASSESxtfileshellopencommand item to C: WinNTNOTEPAD. EXE % 1.
 
Close port 2023:

This port is the default service port of the Trojan Ripper. The method for clearing this trojan is as follows:

1. Use the process management tool to prepare the sysrunt.exe process;
2. Delete the sysrunt.exe program file in the c: Windows directory;
3. Edit the system.ini file, change shell‑policer.exe sysrunt.exe to shell‑policer.exe, and save the file;
4. restart the system.
 
Close port 2583:

This port is the default service port of the Trojan program Wincrash v2. The Trojan cleaning method is as follows:

1. Edit the registry and delete the WinManager = "c: Windowsserver.exe" key value in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun item;
2. Edit the Win. ini file, change run = c: Windowsserver.exe to run =, and save and exit;
3. restart the system and delete C: Windowssystem SERVER. EXE.
 
Close port 3389:

Port 3389 is the port opened by the Remote Management Terminal of Windows. It is not a Trojan program. Check whether the service is open by yourself. If not, disable the service.

How to disable Win2000:

1. Win2000server

Choose Start> program> Administrative Tools> Services to find the Terminal Services Service item, select Properties to change the Startup Type to manual, and stop the service.

2. Win2000pro

Choose "start"> "Settings"> "Control Panel"> "Administrative Tools"> "Services", find the Terminal Services Service item, select the property Option, change the Startup Type to manual, and stop the service.

How to disable Winxp:

Right-click on my computer and select Properties --> remote, and remove the check box between remote assistance and Remote Desktop.

Close port 4444:

If your machine opens this port, it may indicate that you are infected with the msblast worm. The method to clear the worm is as follows:

1. Use the process management tool to complete the process of msblast.exe;
2. Edit the registry and delete the "Windows auto update" = "msblast.exe" key value in the HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun item;
3. Delete the msblast.exe file under the c: winntsystem32directory.
 
Close port 4899:

First, port 4899 is a port listened by the remote administrator server. It is not a Trojan program, but it has the remote control function. Generally, anti-virus software cannot detect it, determine whether the service is open by yourself and required. If not, disable it.

Close method:

1. Enter cmd in start --> Run (command below 98), then cd C: winntsystem32(your system installation directory], input r_server.exe/stop, and press Enter.

Then input r_server/uninstall/silence;

2. Delete the r_server.exe admdll. dll raddrv. dll files in the C: winntsystem32(system directory.
 
Port:

Port 5800,5900 is the default service port of the remote control software VNC, but the VNC will be used in some worms after modification. Check whether the VNC is open and required. If not, disable it.

Closing method:

1. First, use the fport command to determine the location of the program listening on ports 5800 and 5900 (usually c: Winntfontsexplorer.exe );
2. Kill related processes in the Task Manager (Note that one of them is normal for the system itself, please note! Run c: Winntexplorer.exe again if the kill fails );
3. Delete the assumer.exe program in C: winntfonts;
4. Delete the Explorer key value in the HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun entry of the Registry;
5. Restart the machine.
 
Close port 6129:

First, it indicates that port 6129 is a port that the remote control software (dameware nt utilities) server listens to. It is not a Trojan program but has the remote control function, generally, anti-virus software cannot detect it. Check whether the service is installed by yourself and is required. If not, disable it.

Close method:

1. Choose Start> Settings> Control Panel> Management Tools> services.
Right-click the DameWare Mini Remote Control item and choose Properties option. Change the start type to disabled, and then stop the service;
2. To c: Winntsystem32 (system directory), delete the dwrc. EXE program;
3. In the registry, delete the DWRCS key value in the HKEY_LOCAL_MACHINESYSTEMControlSet001Services item.