Removing the Trojan on port 113 (Windows systems only):
This is a Trojan that is controlled through an IRC chat room.
1. First use the netstat -an command to determine whether port 113 is open on your system.
2. Use the fport command to see which program is listening on port 113.
FPORT Tools Download
For example, we see the following results with fport:
PID Process Port Proto Path
392 SVCHOST -> 113 TCP C:\WINNT\SYSTEM32\VHOS.exe
From this we can determine that the Trojan listening on port 113 is Vhos.exe and that the program is located in C:\winnt\system32.
3. After identifying the Trojan program (the program listening on port 113), find its process in Task Manager and use Task Manager to end the process.
4. Type regedit in Start -> Run to open the Registry Editor, search the registry for the program you just found, and remove the related key values.
5. Delete the Trojan from the directory where it is located. (Trojans usually come with other programs as well, such as Rscan.exe, psexec.exe, ipcpass.dic, ipcscan.txt, etc. The files differ from Trojan to Trojan; by looking at when the program was created and modified you can identify the other programs that belong to the Trojan listening on port 113.)
6. Restart the machine.
Closing port 3389:
First, port 3389 is the port opened by the Windows remote management terminal. It is not a Trojan; please first determine whether the service was opened by you. If it was not, turn the service off.
Closing it on Win2000:
Win2000 Server: Start -> Programs -> Administrative Tools -> Services, find the Terminal Services service item, select Properties, change the startup type to Manual, and stop the service.
Win2000 Pro: Start -> Settings -> Control Panel -> Administrative Tools -> Services, find the Terminal Services service item, select Properties, change the startup type to Manual, and stop the service.
Closing it on WinXP:
Right-click My Computer -> Remote, and remove the check marks from the remote options.
Closing port 4899:
First, port 4899 is the port that the server component of a remote control program (Remote Administrator) listens on. It cannot be counted as a Trojan, but it does provide remote control, and anti-virus software usually does not detect it. Please first determine whether you opened the service yourself and whether it is necessary. If not, close it.
To close port 4899:
Type cmd in Start -> Run (command on Windows 98 and earlier), then cd C:\WinNT\System32 (your system installation directory), type r_server.exe /stop and press Enter.
Then enter r_server /uninstall /silence
Go to C:\WinNT\System32 (the system directory) and delete the three files R_Server.exe, Admdll.dll and Radbrv.dll.
Ports 5800 and 5900:
1. First use the fport command to determine which program is listening on ports 5800 and 5900 (usually C:\WinNT\FONTS\Explorer.exe).
2. Kill the relevant process in Task Manager (note that one of the Explorer.exe processes is the normal one, so be careful! If you kill the wrong one, you can re-run C:\Winnt\Explorer.exe).
3. Delete the Explorer.exe program in C:\WinNT\Fonts.
4. Delete the Explorer item under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
5. Restart the machine.
Closing port 6129:
First, port 6129 is the port that the server component of a remote control program (DameWare NT Utilities) listens on. It is not a Trojan, but it does provide remote control, and ordinary anti-virus software does not detect it. Please first determine whether you installed the service yourself and whether it is necessary. If not, close it.
To turn off port 6129:
Select Start -> Settings -> Control Panel -> Administrative Tools -> Services.
Find the DameWare Mini Remote Control item, right-click it and select Properties, change the startup type to Disabled, and stop the service.
Delete the DWRCS.exe program in C:\WinNT\System32 (the system directory).
Remove the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DWMRCS entry from the registry.
Ports 1029 and 20168:
These two ports are the backdoor ports opened by the Lovgate worm.
For information about the worm, see:
http://it.rising.com.cn/newsite/channels/anti_virus/antivirus_base/TopicExplorerPagePackage/Lovgate.htm
You can download a dedicated removal tool:
http://it.rising.com.cn/service/technology/rs_lovgate_download.htm
How to use: after downloading, run it directly; when it has finished, restart the machine and run it again.
Port 45576:
This is the control port of a piece of proxy software. Please make sure the proxy software was not installed by you (proxy software brings additional traffic to your machine).
To turn off the proxy software:
1. Use fport to find the location of the proxy software.
2. Find its service (usually SKSOCKS) in Services and stop it.
3. Delete the program from the directory where it is located.
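
Each procedure above starts by checking whether a port is listening. The following Python sketch is an added example, not part of the original page: it generalizes that first step by parsing saved netstat -an output (or netstat -ano, which adds a PID column) and reporting listeners on the ports this page lists. The names WATCHED, ROW and find_listeners and the sample output are constructed for illustration.

```python
import re

# Ports and descriptions are the ones this page lists. "remove" marks what the
# page calls a Trojan or backdoor; "confirm" marks software the page says to
# keep only if you installed it yourself and need it.
WATCHED = {
    113: ("IRC-controlled Trojan", "remove"),
    1029: ("Lovgate worm backdoor", "remove"),
    20168: ("Lovgate worm backdoor", "remove"),
    5800: ("program usually found at Fonts\\Explorer.exe", "remove"),
    5900: ("program usually found at Fonts\\Explorer.exe", "remove"),
    3389: ("Windows Terminal Services", "confirm"),
    4899: ("Remote Administrator server", "confirm"),
    6129: ("DameWare Mini Remote Control", "confirm"),
    45576: ("proxy software control port", "confirm"),
}

# Matches TCP listener rows; the PID column exists only with -o, so it is
# optional. Works for IPv4 (0.0.0.0:113) and bracketed IPv6 ([::]:3389).
ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?\s*$")

def find_listeners(netstat_text):
    """Return sorted (port, pid_or_None, description, action) for watched ports."""
    hits = set()  # a set collapses the IPv4 and IPv6 rows of one listener
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP row, or a connection that is not a listener
        port = int(m.group(1))
        if port in WATCHED:
            pid = int(m.group(2)) if m.group(2) else None
            hits.add((port, pid) + WATCHED[port])
    return sorted(hits, key=lambda h: (h[0], h[1] or 0))

# Constructed sample output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       392
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    [::]:3389              [::]:0                 LISTENING       1044
  TCP    192.168.1.5:1029       203.0.113.9:80         ESTABLISHED     2210
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    for port, pid, what, action in find_listeners(SAMPLE):
        print(f"port {port} pid {pid}: {what} -> {action}")
```

A "confirm" result is not a detection: it only tells you to check whether that service is one you installed and need, as the sections above describe.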