Http://Center.hzau.edu.cn/service/support/20041231/344.htm
Most of the Trojans and unauthorised remote-control software described below get onto a machine because the administrator password is weak or empty. Check that every account on the system has an adequate password. Password requirements:
1. At least 8 characters.
2. No dictionary words, including the Pinyin of personal names.
3. A mix of character types:
   o upper-case letters (A, B, C, ... Z)
   o lower-case letters (a, b, c, ...)
   o digits (0, 1, 2, ... 9)
   o special characters (@, #, !, $, %, & ...)

Note: the paths mentioned below differ with the operating system version; adjust them for your own system:
   Win98: C:\Windows and C:\Windows\System
   WinNT and Win2000: C:\Winnt and C:\Winnt\System32
   WinXP: C:\Windows and C:\Windows\System32
The drive letter also depends on where the system was installed: if Windows is on drive D, replace C:\Windows with D:\Windows. The ports listed below are only the default service ports of these programs and can be changed, so treat them as a starting point and take the appropriate action for the specific situation. A complete inspection and removal process looks like the following example.

Port 113, Trojan delivered over IRC (Windows systems only): this Trojan is based on IRC chat rooms.
1. Run netstat -an to determine whether port 113 is open (listening) on your system.
2. Map the port to the program that owns it (fport, used later in this notice, does this). Output such as
       113 TCP C:\WINNT\SYSTEM32\VHOS.EXE
   tells you that the program listening on port 113 is Vhos.exe and that it is located in C:\WinNT\System32.
3. Having identified the Trojan program (the one listening on port 113), find its process in Task Manager and end it.
4. Start -> Run, type regedit to open the Registry Editor, search for the program name you just found, and delete the related key values.
5. Delete the Trojan from the directory it lives in. (Trojans usually come with other programs, such as RSCAN.EXE, PSEXEC.EXE, IPCPass.dic and IPCSCAN.TXT; delete those associated with the program listening on port 113 as well.)
6. Restart the machine.
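The netstat-then-fport triage in the steps above, generalised to every port in this notice, as an added example that is not part of the original page. It parses `netstat -an` and fport output (the sample text embedded below is constructed, not captured from a real machine), cross-references each listening TCP port with the port table from this notice, and reports the legitimate remote-control tools (3389, 4899, 5800/5900, 6129) as "verify" rather than as Trojans. The suspicious-directory heuristic is an assumption drawn from the cases here (VNC dropped as Fonts\EXPLORER.EXE, Nachi in System32\Wins), not a rule stated by the notice.

```python
import re

# Port table transcribed from this notice. "verify" marks legitimate remote-
# administration tools (Terminal Services, Radmin, VNC, DameWare) that must be
# confirmed with the machine's owner, not deleted blindly.
KNOWN_PORTS = {
    113: ("IRC-based Trojan (VHOS.EXE)", "trojan"),
    707: ("Nachi worm", "worm"),
    1029: ("Lovgate worm backdoor", "worm"),
    1999: ("BackDoor (NOTPA.EXE)", "trojan"),
    2001: ("Black Hole 2001", "trojan"),
    2023: ("Ripper", "trojan"),
    2583: ("WinCrash V2", "trojan"),
    3389: ("Windows Terminal Services", "verify"),
    4444: ("MSBlast worm", "worm"),
    4899: ("Remote Administrator (Radmin)", "verify"),
    5800: ("VNC", "verify"),
    5900: ("VNC", "verify"),
    6129: ("DameWare NT Utilities", "verify"),
    6267: ("Trojan (Diagfg.exe)", "trojan"),
    6670: ("DeepThroat v1.0-3.1", "trojan"),
    6771: ("DeepThroat v1.0-3.1", "trojan"),
    6939: ("Indoctrination", "trojan"),
    6969: ("Priority", "trojan"),
    7306: ("Network Wizard (Netspy)", "trojan"),
    7511: ("Smart Gene", "trojan"),
    7626: ("Trojan (Kernel32.exe / SYSEXPLR.EXE)", "trojan"),
    8011: ("Way 2.4", "trojan"),
    9989: ("iNi-Killer", "trojan"),
    19191: ("Blue Flame", "trojan"),
    20168: ("Lovgate worm backdoor", "worm"),
    23444: ("Network Bull", "trojan"),
    27374: ("Sub7", "trojan"),
}

# Assumed heuristic drawn from the cases in this notice: a listener whose binary
# lives in the Fonts directory (the dropped VNC) or in System32\Wins (Nachi) is
# suspect whatever its port number.
SUSPICIOUS_DIRS = ("\\fonts\\", "\\wins\\")

# "  TCP    0.0.0.0:113    0.0.0.0:0    LISTENING"
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)
# "812   vhos    ->  113   TCP   C:\WINNT\SYSTEM32\VHOS.EXE"
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(\S.*?)\s*$", re.I)


def listening_tcp_ports(netstat_text):
    """TCP ports in LISTENING state from `netstat -an` output."""
    return {int(m.group(1)) for m in map(NETSTAT_LISTEN.match, netstat_text.splitlines()) if m}


def fport_owners(fport_text):
    """Map (proto, port) -> (pid, path) from fport output."""
    owners = {}
    for line in fport_text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            pid, _name, port, proto, path = m.groups()
            owners[(proto.upper(), int(port))] = (int(pid), path)
    return owners


def triage(netstat_text, fport_text):
    """Cross-reference every listening TCP port with the table and the path heuristic."""
    owners = fport_owners(fport_text)
    findings = []
    for port in sorted(listening_tcp_ports(netstat_text)):
        pid, path = owners.get(("TCP", port), (None, None))
        odd_path = bool(path) and any(d in path.lower() for d in SUSPICIOUS_DIRS)
        if port in KNOWN_PORTS:
            name, kind = KNOWN_PORTS[port]
        elif odd_path:
            name, kind = "unlisted port, binary in an unusual directory", "inspect"
        else:
            continue  # not in the table and nothing odd about the owner: leave it
        findings.append({"port": port, "name": name, "kind": kind,
                         "pid": pid, "path": path, "suspicious_path": odd_path})
    return findings


# Constructed sample output (not captured from a real machine).
NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
FPORT_SAMPLE = r"""
FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
812   vhos           ->  113   TCP   C:\WINNT\SYSTEM32\VHOS.EXE
420   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
420   svchost        ->  3389  TCP   C:\WINNT\system32\svchost.exe
1104  EXPLORER       ->  5900  TCP   C:\WINNT\FONTS\EXPLORER.EXE
1156  svchost        ->  6000  TCP   C:\WINNT\system32\wins\SVCHOST.EXE
"""

if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, FPORT_SAMPLE):
        print("{port:>5} {kind:<8} {name:<40} pid={pid} {path}".format(**f))
```

Run it against saved output of netstat -an and fport from the machine being checked. Port 135 is not reported because it is neither in the table nor owned by a binary in an odd place; port 6000 is reported only because its owner sits in System32\Wins.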
The ports listed below are only opened by the corresponding Trojan or tool; take the appropriate action according to the specific situation.

Port 707: if this port is open you may be infected with the Nachi worm. Removal:
1. Stop the services named "WINS Client" and "Network Connections Sharing".
2. Delete dllhost.exe and svchost.exe from C:\WinNT\System32\Wins\.
3. Edit the registry and delete the two keys named RpcTftpd and RpcPatch under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

Port 1999: default service port of the Trojan BackDoor. Removal:
1. Use a process management tool to end the NOTPA.EXE process.
2. Delete the NOTPA.EXE program.
3. Edit the registry and delete the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run whose data is c:\windows\notpa.exe /o=yes.

Port 2001: default service port of the Trojan Black Hole 2001. Removal:
1. Use process management software to kill the process Windows.exe.
2. Delete Windows.exe and S_Server.exe from C:\Winnt\System32.
3. Edit the registry and delete the value named Windows under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
4. Delete the Winvxd items under HKEY_CLASSES_ROOT and under HKEY_LOCAL_MACHINE\Software\CLASSES.
5. In HKEY_CLASSES_ROOT\txtfile\shell\open\command, change c:\winnt\system32\s_server.exe %1 to C:\Winnt\NotePad.exe %1.
6. In HKEY_LOCAL_MACHINE\Software\Classes\TxtFile\shell\open\command, change c:\winnt\system32\s_server.exe %1 to c:\winnt\notepad.exe %1.

Port 2023: default service port of the Trojan Ripper. Removal:
1. Use a process management tool to end the SysRunt.exe process.
2. Delete the sysRunt.exe program file from C:\Windows.
3. Edit System.ini, change shell=Explorer.exe sysrunt.exe to shell=Explorer.exe and save.
4. Restart the system.

Port 2583: default service port of the Trojan WinCrash V2. Removal:
1. Edit the registry and delete the value winManager="C:\Windows\server.exe" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
2. Edit win.ini, change run=C:\Windows\server.exe to run= and save.
3. Delete C:\Windows\System\Server.exe and restart the system.

Port 3389: this is the port opened by the Windows remote administration terminal (Terminal Services). It is not a Trojan. Determine whether you need the service; if not, turn it off.
Win2000:
1. Win2000 Server: Start -> Programs -> Administrative Tools -> Services. Find the Terminal Services item, open Properties, change the startup type to Manual and stop the service.
2. Win2000 Professional: Start -> Settings -> Control Panel -> Administrative Tools -> Services. Find the Terminal Services item, open Properties, change the startup type to Manual and stop the service.
WinXP: right-click My Computer -> Properties -> Remote tab, and clear the Remote Desktop checkbox that allows users to connect remotely.

Port 4444: if this port is open you may be infected with the MSBlast worm. Removal:
1. Use a process management tool to end the msblast.exe process.
2. Edit the registry and delete the value "windows auto update"="msblast.exe" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Port 4899: this is the server listening port of the remote-control software Remote Administrator (Radmin). It is not a Trojan, but it provides remote control and anti-virus software usually does not detect it. Confirm whether the service is installed and whether it is required; if not, remove it:
1. Start -> Run, enter cmd (command on Win98), then cd C:\WinNT\System32 (your system directory), enter r_server.exe /stop and press Enter, then run r_server /uninstall /silence.
2. In C:\WinNT\System32 (the system directory) delete the three files R_Server.exe, Admdll.dll and Raddrv.dll.

Port 5800, 5900: these are the default service ports of the remote-control software VNC, but some worms install a modified VNC. Confirm whether VNC is installed and whether it is required. If not, remove it:
1. Use fport to determine which program is listening on 5800 and 5900 (usually C:\WinNT\Fonts\EXPLORER.EXE).
2. Kill the related process in Task Manager. Take care: one explorer.exe is the legitimate shell. If you kill the wrong one, run C:\WinNT\EXPLORER.EXE again.
3. Delete the program C:\Winnt\Fonts\Explorer.exe.
4. Delete the EXPLORER value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
5. Restart the machine.

Port 6129: this is the server listening port of the remote-control software DameWare NT Utilities. It is not a Trojan, but it provides remote control and anti-virus software usually does not detect it. Confirm whether the service is installed and whether it is required; if not, remove it:
1. Start -> Settings -> Control Panel -> Administrative Tools -> Services. Find the DameWare Mini Remote Control item, right-click it, choose Properties, change the startup type to Disabled and stop the service.
2. Delete DWRCS.exe from C:\WinNT\System32 (the system directory).
3. Delete the DWRCS key under HKEY_LOCAL_MACHINE\System\ControlSet001\Services in the registry.

Port 6267: default service port of a Trojan. Removal:
1. Start in Safe Mode and delete Diagfg.exe from C:\WinNT\System32.
2. Find regedit.exe in C:\Winnt and rename it to regedit.com (a .com copy still runs if the .exe file association has been tampered with).
3. Start -> Run, enter regedit.com to open the Registry Editor.
4. Delete the value named Diagnostic Configuration.
5. Rename C:\WinNT\regedit.com back to regedit.exe.

Port 6670, 6771: default service ports of the Trojan DeepThroat v1.0 - 3.1. Removal:
1. Edit the registry and delete the value 'System32'=C:\Windows\system32.exe (version 1.0) or 'SystemTray'='SYSTRAY.exe' (versions 2.0 - 3.0).
2. Restart the machine, then delete C:\Windows\system32.exe (version 1.0) or C:\Windows\system\systray.exe (versions 2.0 - 3.0).

Port 6939: default service port of the Trojan Indoctrination. Removal:
1. Edit the registry and delete the value Msgsrv16="msgserv16.exe" from all four of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, \RunServices, \RunOnce and \RunServicesOnce.
2. Restart the machine, then delete msgserv16.exe from C:\Windows\system\.

Port 6969: default service port of the Trojan Priority. Removal:
1. Edit the registry and delete the value "PServer"=C:\Windows\system\pserver.exe under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.
2. Delete pserver.exe from C:\Windows\system\ and restart the system.

Port 7306: default service port of the Trojan Network Wizard (Netspy). Removal:
1. Use fport to see which program is listening on port 7306; note the program name and path.
2. If the program is Netspy.exe, run Netspy.exe /REMOVE from the command line to remove the Trojan.
3. If it has another name, end the process first, then delete the program from its directory.
4. Edit the registry and delete the values related to the program under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunServices.

Port 7511: default connection port of the Trojan Smart Gene. Removal:
1. Use a process management tool to kill the MbbManager.exe process.
2. Delete MbbManager.exe and Explore32.exe from C:\WinNT (the system installation directory), and delete editor.exe (registered in step 4 as C:\Winnt\System32\Editor.exe).
3. Edit the registry and delete the value named MainBroad BackManager under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, whose data is C:\WinNT\MBBManager.exe.
4. In HKEY_CLASSES_ROOT\txtfile\shell\open\command, change C:\Winnt\System32\Editor.exe %1 to C:\Winnt\NotePad.exe %1.
5. In HKEY_LOCAL_MACHINE\Software\Classes\hlpfile\shell\open\command, change C:\Winnt\Explore32.exe %1 to C:\Winnt\winhlp32.exe %1.

Port 7626: default open port of a Trojan (this port can be changed). Removal:
1. Start the machine in Safe Mode, edit the registry and delete the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run whose data is C:\Winnt\system32\Kernel32.exe.
2. Delete the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices whose data is C:\Windows\system32\Kernel32.exe.
3. Change HKEY_CLASSES_ROOT\txtfile\shell\open\command back to C:\WinNT\NOTEPAD.EXE %1.
4. Delete the files Kernel32.exe and SYSEXPLR.EXE from C:\Windows\System32.

Port 8011: default service port of the Trojan Way 2.4. Removal:
1. Use a process management tool to kill the msgsvc.exe process.
2. Delete msgsvc.exe from C:\Windows\system.
3. Edit the registry and delete the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run whose data is C:\Windows\system\msgsvc.exe.

Port 9989: default service port of the Trojan iNi-Killer. Removal:
1. Edit the registry and delete the value Expedition="c:\Windows\bad.exe" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
2. Delete the program file Bad.exe from C:\Windows and restart the system.

Port 19191: default Telnet port of the Trojan Blue Flame. Removal:
1. Use a process management tool to end Tasksvc.exe.
2. Delete Tasksvc.exe, SysExpl.exe and BFhook.dll.
3. Edit the registry and delete the value Network Services=C:\Windows\system\tasksvc.exe under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
4. In HKEY_CLASSES_ROOT\txtfile\shell\open\command, change C:\Windows\System\SYSEXPL.EXE "%1" to c:\windows\notepad.exe "%1".
5. In HKEY_LOCAL_MACHINE\Software\Classes\TxtFile\shell\open\command, change C:\Windows\System\SYSEXPL.EXE "%1" to C:\Windows\NotePad.exe "%1".

Port 1029 and 20168: these two ports are the backdoor ports opened by the Lovgate worm. For information on the worm, see the Lovgate worm notice. You can download the dedicated removal tool fixlgate.exe; after downloading, run it directly, restart the machine, and then run it again.

Port 23444: default service port of the Trojan Network Bull. Removal:
1. Enter Safe Mode and delete checkdll.exe from C:\WinNT\System32\.
2. Compare the size of the following files with the same files on a clean system; if a size differs, delete the file and copy the clean one back. Files to check: notepad.exe, write.exe, regedit.exe, winmine.exe, winhelp.exe.
3. After replacing the files, open the Registry Editor and delete "Checkdll.exe"="c:\winnt\system32\checkdll.exe" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
4. Delete "CheckDll.exe"="C:\WinNT\SYSTEM32\CheckDll.exe" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
5. Delete "Checkdll.exe"="c:\winnt\system32\checkdll.exe" under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run.
Note: this Trojan may also be bundled into other applications. Check whether the size of your installed software differs from the original; if it does, uninstall and reinstall it.

Port 27374: default service port of the Trojan Sub7. Removal:
1. Use fport to determine which program opened the port; note the program name and path.
2. Edit the registry and delete the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that contains the file name fport showed you.
3. Delete the value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices that contains that file name.
4. Kill the process of that file. If it cannot be killed, stop it as a service (the service name is the one seen under RunServices).
5. Edit win.ini and check the file name after run=; if it is there, delete it.
6. Edit System.ini and check whether anything follows shell=explorer.exe; if so, delete it.
7. Delete the file you found from its directory.
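The persistence points the removal steps keep returning to (the Run, RunServices, RunOnce and RunServicesOnce keys, the run= line in win.ini, the shell= line in system.ini, and the txtfile/hlpfile open-command handlers that several of these Trojans hijack) can be checked in one pass, as in this added example, which is not part of the original notice. It parses a regedit export (.reg text) plus win.ini and system.ini and flags autorun entries whose executable name appears in this notice, association handlers that no longer point at notepad.exe or winhlp32.exe, anything on the win.ini run= or load= lines (load= is an addition beyond the notice's wording), and anything appended to shell=Explorer.exe. The sample inputs are constructed, not from a real machine. DeepThroat's systray.exe is deliberately left out of the name table because a legitimate Win9x program has the same name; that case must be judged by path.

```python
import re

# Registry autorun locations that the removal steps in this notice visit.
AUTORUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservicesonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_users\.default\software\microsoft\windows\currentversion\run",
)
# File-association handlers the listed Trojans replace, and what each should name.
ASSOCIATIONS = {
    r"hkey_classes_root\txtfile\shell\open\command": "notepad.exe",
    r"hkey_local_machine\software\classes\txtfile\shell\open\command": "notepad.exe",
    r"hkey_local_machine\software\classes\hlpfile\shell\open\command": "winhlp32.exe",
}
# Executable names taken from this notice's removal steps (lower-case). systray.exe
# is omitted: a legitimate Win9x program shares the name, so judge it by path.
TROJAN_FILES = {
    "vhos.exe", "notpa.exe", "windows.exe", "s_server.exe", "sysrunt.exe",
    "server.exe", "msblast.exe", "diagfg.exe", "system32.exe", "msgserv16.exe",
    "pserver.exe", "netspy.exe", "mbbmanager.exe", "explore32.exe", "editor.exe",
    "kernel32.exe", "sysexplr.exe", "msgsvc.exe", "bad.exe", "tasksvc.exe",
    "sysexpl.exe", "checkdll.exe",
}

SECTION = re.compile(r"^\[(.+)\]\s*$")                       # [HKEY_...\Run]
VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')      # "name"=data or @=data


def parse_reg(text):
    """Parse a regedit export into {key (lower-case): {value name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE.match(line.strip())
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            data = m.group(2).strip()
            if len(data) >= 2 and data[0] == data[-1] == '"':   # quoted REG_SZ: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def exe_basename(command):
    """Lower-case basename of the executable in a command line such as C:\\x\\y.exe %1."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(None, 1)[0] if command else ""
    return exe.rsplit("\\", 1)[-1].lower()


def ini_value(text, section, key):
    """Value of key in [section] of an .ini file, or '' if absent."""
    inside = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            inside = s[1:-1].lower() == section.lower()
        elif inside and "=" in s:
            k, v = s.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return ""


def check_persistence(reg_text, win_ini, system_ini):
    """Findings as (where, key, name, data) over the persistence points in this notice."""
    reg = parse_reg(reg_text)
    findings = []
    for key in AUTORUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if exe_basename(data) in TROJAN_FILES:
                findings.append(("autorun", key, name, data))
    for key, expected in ASSOCIATIONS.items():
        data = reg.get(key, {}).get("@")
        if data is not None and exe_basename(data) != expected:
            findings.append(("association", key, "@", data))
    for name in ("run", "load"):            # win.ini [windows] run= and load= should be empty
        data = ini_value(win_ini, "windows", name)
        if data:
            findings.append(("win.ini", "[windows]", name, data))
    shell = ini_value(system_ini, "boot", "shell")
    if shell and shell.lower() != "explorer.exe":   # anything appended to the shell line is foreign
        findings.append(("system.ini", "[boot]", "shell", shell))
    return findings


# Constructed sample inputs (not from a real machine).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"MainBroad BackManager"="C:\\WINNT\\MBBManager.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Network Services"="C:\\Windows\\system\\tasksvc.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINNT\\System32\\Editor.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command]
@="C:\\WINNT\\winhlp32.exe %1"
"""
WIN_INI_SAMPLE = r"""[windows]
load=
run=C:\Windows\server.exe
"""
SYSTEM_INI_SAMPLE = r"""[boot]
shell=Explorer.exe sysrunt.exe
"""

if __name__ == "__main__":
    for where, key, name, data in check_persistence(REG_SAMPLE, WIN_INI_SAMPLE, SYSTEM_INI_SAMPLE):
        print(f"{where:<12} {key} {name} = {data}")
```

Export the keys with regedit (File -> Export) and feed the .reg text together with the two .ini files. A name match is only a pointer: confirm the path and file before deleting, since the notice's own VNC case shows a Trojan can carry a legitimate name (explorer.exe) in the wrong directory, which this check does not catch on its own.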