Cleaning up the port 113 trojan (applies to Windows only):
This is a trojan program controlled through an IRC chat room.
1. Use the netstat -an command to check whether port 113 is open on your system.
2. Use the fport command to check which program is listening on port 113.
Fport tool download
For example, we can see the following results using fport:
Pid   Process      Port  Proto  Path
392   svchost  ->  113   tcp    c:\WINNT\system32\vhos.exe
From this we can determine that the trojan program is vhos.exe and that it is located in C:\winnt\system32.
3. After determining the name of the trojan program (the program listening on port 113), find its process in Task Manager and end the process.
4. Choose Start --> Run and type regedit to open the Registry Editor. In the registry, search for the program you just found and delete all related key values.
5. Delete the trojan from the directory where it is located. (Trojans usually come with other programs, such as rscan.exe, psexec.exe, ipcpass.dic and ipcscan.txt; different trojans have different files. You can check the creation and modification times of the files to identify other programs related to the trojan listening on port 113.)
6. Restart the machine.
Close port 3389:
Port 3389 is the port opened by the Windows remote management terminal (Terminal Services). It is not a trojan program.
Determine whether you enabled the service yourself. If not, disable the service.
How to disable it on Win2000:
Win2000 Server: Start --> Programs --> Administrative Tools --> Services, locate the Terminal Services item, open its Properties, change the Startup type to Manual, and stop the service.
Win2000 Pro: Start --> Settings --> Control Panel --> Administrative Tools --> Services, locate the Terminal Services item, open its Properties, change the Startup type to Manual, and stop the service.
How to disable it on WinXP:
Right-click My Computer and select Properties --> Remote, then clear the check boxes for Remote Assistance and Remote Desktop.
Close port 4899:
Port 4899 is the port the Remote Administrator server listens on.
It can be regarded as a Trojan program, but it has remote control functions. Anti-virus software generally cannot detect it. First confirm whether you opened this service yourself and whether it is necessary. If not, disable it.
Close port 4899:
Choose Start --> Run and enter cmd (command on Windows 98 and earlier), then cd C:\winnt\system32 (your system directory).
Type r_server.exe /stop and press Enter.
Then type r_server /uninstall /silence
Go to C:\winnt\system32 (the system directory) and delete three files: r_server.exe, admdll.dll and radbrv.dll.
Ports 5800 and 5900:
1. First, use the fport command to determine the location of the program listening on ports 5800 and 5900 (usually c:\winnt\fonts\assumer.exe).
2. Kill the related processes in Task Manager. (Note that one of them is the system's own normal process, so be careful! If you kill the wrong one, you can run c:\winnt\explorer.exe again.)
3. Delete the assumer.exe program in C:\winnt\fonts.
4. Delete
Explorer.
5. Restart the machine.
Close port 6129:
Port 6129 is the port on which the server of a remote control program (DameWare NT Utilities) listens.
A Trojan program, but with remote control; it usually cannot be detected by anti-virus software. First determine whether you installed the service yourself and whether it is required. If not, disable it.
Close port 6129:
Choose Start --> Settings --> Control Panel --> Administrative Tools --> Services.
Right-click the DameWare Mini Remote Control item and select Properties.
Stop the service.
Go to c:\winnt\system32 (the system directory) and delete the dwrc.exe program.
In the registry, delete the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DWMRCS entry.
Port 1029 and port 20168:
These two ports are the backdoor ports opened by the Lovgate worm.
For more information about the worm, see Lovgate worm: http://it.rising.com.cn/newSite/Channels/anti_virus/Antivirus_Base/TopicExplorerPagePackage/lovgate.htm
You can download the removal tool here: http://it.rising.com.cn/service/technology/RS_LovGate_download.htm
Usage: download the program and run it directly. After it has run, restart the machine and run the program again.
Port 45576:
This is the control port of a piece of proxy software. First make sure that you did not install the proxy software yourself (proxy software brings additional traffic).
Disable the proxy software:
1. Use fport to find the location of the proxy software.
2. In Services, stop the service (usually SkSocks) and set it to Disabled.
3. Delete the program from the directory where it is located.
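
The netstat and fport steps above can be combined into one check over every port this page lists. The following is an added example, not part of the original page: it assumes the output of `netstat -ano` on an English-language Windows XP or later system (the -o switch adds the owning PID), and the sample output and the function name watched_listeners are constructed for illustration.

```python
import re

# Ports discussed on this page, with the program the page associates with each.
WATCHED_PORTS = {
    113: "IRC-controlled trojan",
    3389: "Terminal Services / Remote Desktop",
    4899: "Remote Administrator server (r_server.exe)",
    5800: "program from the 5800/5900 section",
    5900: "program from the 5800/5900 section",
    6129: "DameWare Mini Remote Control",
    1029: "Lovgate worm backdoor",
    20168: "Lovgate worm backdoor",
    45576: "proxy control port (usually SkSocks)",
}

# One TCP row of `netstat -ano`: local address, foreign address, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def watched_listeners(netstat_text, ports=WATCHED_PORTS):
    """Return sorted (port, pid, local_address, label) for LISTENING watched ports."""
    hits = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        # Only listeners count: a low ephemeral port such as 1029 can show up
        # as the local side of an ordinary outbound connection.
        if not m or m.group(3) != "LISTENING":
            continue
        local, pid = m.group(1), int(m.group(4))
        port = int(local.rpartition(":")[2])  # handles 0.0.0.0:113 and [::]:113
        if port in ports:
            hits.add((port, pid, local, ports[port]))
    return sorted(hits)

# Constructed sample output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.10:1029      203.0.113.7:6667       ESTABLISHED     392
  TCP    [::]:3389              [::]:0                 LISTENING       1044
  UDP    0.0.0.0:500            *:*                                    700
"""

if __name__ == "__main__":
    for port, pid, local, label in watched_listeners(SAMPLE):
        print(f"port {port:<6} pid {pid:<6} {local:<16} {label}")
```

Each PID it reports can then be matched to an image name and path in Task Manager or with fport, as in step 2 of the port 113 procedure.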