
Closing Ports Opened by Trojans


Name: ernie99
Date: June 15, 2008 at 03:33:22 Pacific
OS: XP SP3
CPU/Ram: 2.6GHz / 3 GB
Product: Various
Comment:

Hi everyone, I occasionally get a virus/trojan horse infection on my Windows XP workstation. After removing these viruses using various antivirus applications such as HijackThis, Avast Antivirus and Spybot S & D, I run netstat -an from the command prompt. I notice that there are ports open that the virus must have set, but I don't know how to close them. For example: port 1053 (The Thief), port 32000 (BDDT), port 3456 (Fear, Force, Terror trojan). How can I close these ports?


Response Number 1
Name: Jennifer SUMN
Date: June 15, 2008 at 05:30:53 Pacific
Reply:

Did you Google? I found this:

http://students.stritch.edu/jmdean/...

Life's more painless for the brainless.


Response Number 2
Name: ernie99
Date: June 15, 2008 at 13:37:15 Pacific
Reply:

Thanks for your reply. The website you have listed tells me how to close ports 137, 138, 139 & 445. It also lists ports commonly used by Windows XP and by viruses/trojans. This is useful information, but it doesn't explain how to close the open ports that I have.

My workstation is "listening on"

TCP

port 17 Skun
port 19 Skun
port 445 Nimda
port 1028 DataSpy Network X, Dosh, Gibbon, KiLo, KWM, Litmus, Paltalk, SubSARI
port 1033 Dosh, KWM, Little Witch, Net Advance
port 1053 The Thief
port 1170 Psyber Stream Server, Voice
port 4449 Oracle
port 1034 KWM
port 1043 Dosh
port 32000 BDDT

and is "established" on

TCP

port 1029 Clandestine, KWM, Litmus, SubSARI
port 1034 KWM
port 1043 Dosh
port 32000 BDDT

I also have

UDP

port 1025 (UDP) - KiLo, Optix Pro, Ptakks, Real 2000, Remote Anything, Remote Explorer Y2K, Remote Storm, Yajing
port 1026 (UDP) - Remote Explorer 2000
port 1032 (UDP) - Akosch4
port 3456 Fear, Force, Terror trojan
port 137 (UDP) - Bugbear, Msinit, Opaserv, Qaz

How can I close these? Does the fact that they're open in the first place mean that I still have an infection on my workstation?


Response Number 3
Name: btk1w1
Date: June 15, 2008 at 21:18:17 Pacific
Reply:

Heya Ernie,

When you run netstat, are those the details (the ones in the above post) that appear in the cmd prompt window?! Or have you listed the open ports and what might be using those ports?

Every port on a PC has a legitimate purpose, and the fact that they might be open doesn't necessarily mean those ports are being used by malware.

I would run an online scan to check for malware just in case.

Click here to go to Kaspersky Online Scanner

Please be patient with the online scan as they can take a while to complete.

1. Click on "Kaspersky Online Scanner".
2. You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
3. The program will launch and then begin downloading the latest definition files.
4. Once the files have been downloaded, click on "NEXT".
5. Now click on "Scan Settings".
6. In the scan settings, make sure that the following are selected:
7. Scan using the following Anti-Virus database:
   Extended (if available, otherwise Standard)
8. Scan Options:
   Scan Archives
   Scan Mail Bases
9. Click OK.
10. Under "Select a target to scan", select "My Computer".

The program will start and scan your system.

The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected.

Upon completion, click on the "Save as Text" button.
Save the file to your desktop.

If you have any trouble reading the log or find there are entries you are unsure of feel free to post the log back here.

Also, to control communications between a PC and the internet a firewall is the best defence... do you have one installed (besides the XP one)?


Response Number 4
Name: ernie99
Date: June 16, 2008 at 16:52:10 Pacific
Reply:

Hi, thanks for your reply. In the post above I have listed the ports and what might be using the ports (not what is appearing in my command prompt window). Having Googled many of the port numbers, I can't find any legitimate applications that use these ports; all the hits I get are related to trojans that exploit these port numbers.

Thanks for the Kaspersky Link it picked up two viruses that Avast Anti-virus and Spybot S & D did not. They were Win32.Ejik.bp and Win32.RAdmin.30. I have removed these viruses and scans are coming up clean.

My firewall setup is as follows: I have a basic network layer firewall included with my router. This router does not have any open ports that correspond to the open ports showing on my workstation (with the exception of 1 or 2 port numbers that I know are legitimate).

On my workstation I use the Windows XP firewall. In the "exceptions" for this firewall I can't see any applications that look suspect. However, this is what appears in my command prompt window when I run netstat -an (sorry, the formatting is not great). Should I be worried about these open ports?

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:7 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9 0.0.0.0:0 LISTENING
TCP 0.0.0.0:13 0.0.0.0:0 LISTENING
TCP 0.0.0.0:17 0.0.0.0:0 LISTENING
TCP 0.0.0.0:19 0.0.0.0:0 LISTENING
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1053 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1170 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2103 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2105 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2107 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1042 127.0.0.1:27015 ESTABLISHED
TCP 127.0.0.1:1097 127.0.0.1:1098 ESTABLISHED
TCP 127.0.0.1:1098 127.0.0.1:1097 ESTABLISHED
TCP 127.0.0.1:1099 127.0.0.1:1100 ESTABLISHED
TCP 127.0.0.1:1100 127.0.0.1:1099 ESTABLISHED
TCP 127.0.0.1:1103 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1105 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1107 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1108 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1111 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1117 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1119 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1120 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1125 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:1127 127.0.0.1:12080 ESTABLISHED
TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12080 127.0.0.1:1103 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1105 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1107 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1108 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1111 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1117 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1119 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1120 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1125 ESTABLISHED
TCP 127.0.0.1:12080 127.0.0.1:1127 ESTABLISHED
TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 127.0.0.1:1042 ESTABLISHED
TCP 192.168.1.2:139 0.0.0.0:0 LISTENING
TCP 192.168.1.2:1104 219.88.186.72:80 ESTABLISHED
TCP 192.168.1.2:1106 219.88.186.72:80 ESTABLISHED
TCP 192.168.1.2:1109 219.88.186.65:80 ESTABLISHED
TCP 192.168.1.2:1110 219.88.186.65:80 ESTABLISHED
TCP 192.168.1.2:1112 219.88.186.67:80 ESTABLISHED
TCP 192.168.1.2:1118 219.88.186.64:80 ESTABLISHED
TCP 192.168.1.2:1121 74.125.19.147:80 CLOSE_WAIT
TCP 192.168.1.2:1122 74.125.19.147:80 CLOSE_WAIT
TCP 192.168.1.2:1126 74.125.19.99:80 CLOSE_WAIT
TCP 192.168.1.2:1128 66.102.1.93:80 CLOSE_WAIT
TCP 192.168.1.2:1137 72.5.124.55:80 ESTABLISHED
TCP 192.168.1.2:1138 219.88.186.81:80 ESTABLISHED
UDP 0.0.0.0:7 *:*
UDP 0.0.0.0:9 *:*
UDP 0.0.0.0:13 *:*
UDP 0.0.0.0:17 *:*
UDP 0.0.0.0:19 *:*
UDP 0.0.0.0:161 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:1027 *:*
UDP 0.0.0.0:1029 *:*
UDP 0.0.0.0:1434 *:*
UDP 0.0.0.0:3456 *:*
UDP 0.0.0.0:3527 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1066 *:*
UDP 127.0.0.1:1082 *:*
UDP 127.0.0.1:1094 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.1.2:123 *:*
UDP 192.168.1.2:137 *:*
UDP 192.168.1.2:138 *:*
UDP 192.168.1.2:1900 *:*

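As an added example (not code from this thread or from anyone posting in it): a small Python parser for the netstat -an listing posted above that groups the LISTENING sockets by their bind address, because a socket bound to 127.0.0.1 cannot be reached from the network at all, while one bound to 0.0.0.0 is reachable on every interface and is the kind worth checking against the firewall exceptions. SAMPLE_NETSTAT, parse_netstat, exposure and triage are names chosen here, and the sample lines are constructed in the shape of the posted output.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "netstat -an" output posted above
# (column spacing was lost in the post; the pattern accepts either form).
SAMPLE_NETSTAT = """\
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1053 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1103 127.0.0.1:12080 ESTABLISHED
TCP 192.168.1.2:139 0.0.0.0:0 LISTENING
TCP 192.168.1.2:1104 219.88.186.72:80 ESTABLISHED
UDP 0.0.0.0:3456 *:*
UDP 127.0.0.1:1900 *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """One dict per socket line: proto, local ip/port, remote endpoint, state."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Active Connections", the column header, blank lines
        proto, ip, port, remote, state = m.groups()
        # Windows prints no state for UDP; an unconnected UDP socket is a listener.
        rows.append({"proto": proto, "ip": ip, "port": int(port),
                     "remote": remote, "state": state or "LISTENING"})
    return rows

def exposure(ip):
    """Who can reach a bound socket, judged from its local bind address."""
    if ip == "127.0.0.1":
        return "loopback-only"   # only processes on this machine
    if ip == "0.0.0.0":
        return "all-interfaces"  # every NIC, including the LAN/Internet side
    return "one-interface"       # a specific NIC address, e.g. 192.168.1.2

def triage(text):
    """Listening sockets grouped by exposure, as {exposure: [(proto, port)]}.
    ESTABLISHED / CLOSE_WAIT rows are connections, not listeners, and are skipped."""
    groups = defaultdict(set)
    for r in parse_netstat(text):
        if r["state"] == "LISTENING":
            groups[exposure(r["ip"])].add((r["proto"], r["port"]))
    return {k: sorted(v) for k, v in groups.items()}
```

On XP, netstat -ano prints the owning process ID as an extra trailing column, which this pattern does not consume; matching each all-interfaces listener to its process is the step that separates a known service from something unexpected.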

Response Number 5
Name: btk1w1
Date: June 16, 2008 at 17:17:22 Pacific
Reply:

Below is a link to a free utility that allows you to scan your systems open ports and analyse what is using them.

I'm not sure how SP3 will affect its scanning ability, but it might be worth a shot. The bottom link (their homepage) has a small command to run to increase the functionality.

http://www.snapfiles.com/opinions/S...

http://www.foundstone.com/us/resour...

Response Number 6
Name: najitech
Date: June 18, 2008 at 04:59:06 Pacific
Reply:

For a diagnosis of your PC's open ports, you might want to try the following link:

www.grc.com

Click on the button that says Common Ports.

1 Corinthians 15:3-4
