hitbyaparkedcar

asked on

Closing Ports And Editing The Regestry

Hi, I am wondering how you can close ports on Windows 2000 Pro. Some low-life high school b*****d hacked into my computer and installed a trojan into port 5001. It is called Sockets de Troie. I made an alias on AIM and acted like a fellow hacker to get information from him. He said that I have to delete a bunch of stuff out of the registry to get rid of it. I went into other questions and it said go to the registry blah blah blah then go to Windows > Current Version > Run something. I don't have that Run ____. I have 2 firewalls, ZoneAlarm and my dad's company one. I also have Symantec AntiVirus, and a bunch of other scanners. I also have a Linksys router and a wireless card installed on my computer, if that has any importance with my question. My email is matt@comprotech.com. I would have put this on a higher point value but I only have 80. Please help.
Goldwing

Port 5001

port: 5001 - Sockets de Troie, Blazer 5

Pest Name: Blazer 5
Category: RAT.
A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine, and a "server" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
 
This tool should be able to find and remove the trojan
http://www.snake-basket.de/tfak/TFAK5.zip

Good luck

ASKER

Oh, and also it sometimes says this when I try to download something... "Access to the specified device, path, or file is denied." What does that mean?
Like when I tried to download your thing.
I'm pretty sure that port is also a legitimate port... not necessarily a virus.  Are you sure you were hacked, and are you sure you have a virus?  Just because SARC security check said that you have a trojan doesn't mean you do... it just means that port is open, and it might also be a legitimate program.  For instance Yahoo chat uses port 5001.  Here is a Microsoft example of an application provided by them that uses port 5001:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/ipv4_only_server_code_2.asp

It's worth checking to see if you have a virus before anything rash is done.  Do any of your scanners pick up a trojan?
...."Access to the specified device, path, or file is denied." What does that mean?

Sounds like a rights problem, are you in the local administrator group on the PC?
OK, Goldwing, my dad is the administrator (or however you spell it). I am not. But I know how to access my router's web page thing and I know the password. Now Flash, I scanned my ports with 3 different port scanners and they all came up with "Port 5001 infected with Sockets de Troie". I used Anti Trojan 5.5 and a local port scanner (cheap thing off of downloads.com but it works) and something else. Another thing that happened is when I shut down my computer a thing came up saying IEXPLORER.exe is not responding. I have never heard of that file but I HAVE heard of explorer.exe. To Goldwing, how would I fix it? My dad's email is tom@comprotech.com; email him saying it was something his son Matt asked you to do. Wow... I just thought of this problem also. I read another question and it told me to open netstat -an to check for foreign addresses or something like that, but when I did it shut down right away. Then I did netstat and it lasted a while, went through my dad's server thing... comprotech.com (then a bunch of different numbers) but it also came up with one called hal-023e.blue.aol. What is that? Is that AIM? But then after that it shut down the box. I am confused. I am thinking of reformatting my computer but I have a lot of things on here that I don't want to lose and I don't feel like burning them onto a disk. Please help. (I got way too many problems.)
Whoops, I posted it twice... sorry guys.
Okay, you need to take a step back here for a second, hitbyaparkedcar...

First of all, a port scanner CANNOT tell you if you have a virus or not.  It can compare a list of ports that are known to be used by trojans to the ports on your computer.  Pretty much ANY port scanner that finds an open port and finds it in a database of known ports will tell you the same thing.  Unfortunately, these port scanners cannot identify whether or not a virus caused by a trojan actually exists on your machine.  You must either have conclusive evidence that the open port will respond as a trojan does, or run a virus scanner and get a positive on a virus.

Iexplorer.exe is Internet Explorer, and is most obviously a legitimate part of Windows.

Hal-023e.blue.aol.com is NOT an IP assigned to a user on AOL.  It is part of the AOL domain, and should not be suspect in this case.  Instant Messenger uses login.oscar.aol.com or oscar.aol.com.

You must not cloud your prognosis of the situation with a predetermined cause.  If you know that a virus is the cause of your problems, then by all means, you should clean it off with a virus program and/or reformat your %systemroot% partition or your hard drive.  However if you are curious as to what is going on, then I suggest you run some conclusive tests to determine the cause.

If you have any questions regarding a result of a test please feel free to post them.  I will be monitoring this topic and will be sure to answer any questions you have.  I'm sure that others will be monitoring this topic as well, and so I'm sure a second opinion will be posted soon after mine.
OK, thanks a lot. I have Symantec AntiVirus and I scanned my computer about 100 times with it and no viruses came up. I also downloaded Spybot Search & Destroy and that found about 426 bad files in the registry, including spyware and such. But... sometimes when I download something it says Access to specific device, path, or (something else) denied. What does that mean and how do I stop it from doing that?
As Goldwing has mentioned, this is probably a user rights issue, or a security permissions issue.  However please note that although you are Administrator, Windows XP will still prevent you from accessing the "System Volume Information" directory which exists off of the root of any NTFS formatted partition.  This behavior is normal, and although you can grant yourself permission to either "Act as part of the operating system" (in group policy), or actually change permissions and allow Administrators to access this directory, I strongly suggest you do not do this, as there is very little potential for good to come out of it.  Not very much you can do in this directory.  It contains your system restore files as well as some others.

When you ran Symantec anti-virus, were you using the latest definitions?

I reviewed your original post again for more clues (and quite honestly to review what it is exactly you are asking).  If your question was regarding registry entries, please note that there are a few run points in the Windows Registry.  The most common are at these locations:

I use abbreviations here for the root keys; for example HKLM means HKEY_LOCAL_MACHINE, and HKCU means HKEY_CURRENT_USER.

Programs run at Winlogon's desktop context switch (in layman's terms, the stuff that runs as you see your desktop):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Programs that run only ONE time (your next reboot) at winlogon's desktop context switch:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Call to your windows shell (explorer.exe):

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
For this one, only the key "Shell" is of interest, and it should contain only the REG_SZ value "Explorer.exe" by itself.  If there is something after it, it's being run by Explorer, and is a VERY abnormal thing for a legitimate program to do.

Check your startup folder in your Start menu; this will also call programs once the shell is invoked (explorer.exe).

There are other less common ways of getting programs to run (for instance similar keys in HKCU), however they are less likely to be interesting.

If you have any questions regarding any of this, what keys appear dangerous, what keys are legitimate, don't hesitate to ask.

Also, as you might be able to tell, I'm a little lost regarding what the question/problem we are attempting to troubleshoot is.  If you can phrase your problem in the form of a question I will hopefully be able to assist you further.

Good luck with the registry.  As Microsoft, and anyone who is proficient in the Windows registry will tell you, BACK UP YOUR REGISTRY before making any modifications, and be extremely careful as to what you change in the registry.  If you are unsure, do not make the change, and ask first.
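The checks the post above describes (list what is under the HKLM and HKCU Run/RunOnce keys, and confirm that the Winlogon "Shell" value is exactly "Explorer.exe" with nothing after it) can be done offline against a registry export instead of by hand in regedit, which also fits the "back up first" advice. The script below is an added example, not code from the thread or from any of the tools named in it. It parses a `.reg` file in the format regedit produces and assumes only REG_SZ values; the sample export, including the `badapp.exe` paths and the "AvTray"/"FwTray" names, is constructed for the example.

```python
import re

# Constructed sample in "regedit /e" (.reg) export format. It is NOT an export
# from the thread's machine; badapp.exe and the program names are made up to
# show what a suspicious entry looks like next to ordinary ones.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvTray"="C:\\Program Files\\ExampleAV\\avtray.exe"
"badapp"="C:\\WINNT\\system32\\badapp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINNT\\system32\\badapp.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"FwTray"="C:\\Program Files\\ExampleFW\\fwtray.exe"
'''

# The autostart locations named in the post (HKLM Run/RunOnce, the Winlogon
# Shell value) plus the HKCU Run key it mentions in passing.
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# A REG_SZ line in a .reg file looks like "name"="data"; backslash-backslash
# and backslash-quote are the escapes inside the quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: drop the escaping backslash, keep the escaped char.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:  # non-string values (hex:, dword:) are ignored in this example
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_autostarts(keys):
    """List every Run/RunOnce entry and flag a Winlogon Shell that is not exactly Explorer.exe."""
    # Registry key and value names are case-insensitive, so compare lowercased.
    by_path = {path.lower(): values for path, values in keys.items()}
    findings = []
    for path in RUN_KEYS:
        for name, command in by_path.get(path.lower(), {}).items():
            findings.append(("run-entry", path, name, command))
    winlogon = {n.lower(): d for n, d in by_path.get(WINLOGON_KEY.lower(), {}).items()}
    shell = winlogon.get("shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("shell-tampered", WINLOGON_KEY, "Shell", shell))
    return findings


if __name__ == "__main__":
    for kind, path, name, data in audit_autostarts(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{kind:15} {path}\\{name} = {data}")
```

To use it on a real box, export the three keys from regedit (File > Export, or `regedit /e out.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` once per key) and feed the file contents to `parse_reg_export`. Every "run-entry" still has to be judged by hand against what the program is; only the "shell-tampered" finding is abnormal on its own, for the reason the post gives.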
I have noticed from the other page where you are putting posts that you are also having a problem with netstat.  Please note that you should run netstat from the command prompt, not the run dialog.  If you go to start->run then type in netstat, it will fly by and not be very helpful.  However if you go to start->run, then type in cmd and hit enter, and THEN type in "netstat -na", you will see the output or be able to use the scrollback buffer.  

One more thing, I haven't been on this board for very long, but I don't think it's cool to post questions in other people's topics.  Just a heads up.
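Two points in this thread go together: Flash828's earlier warning that a port scanner matching port 5001 against a list of "known trojan ports" proves nothing by itself, and the instruction just above to run `netstat -na` from a cmd window so the output can actually be read. The parser below is an added example, not code from the thread; it reads saved `netstat -na` text (run `netstat -na > c:\netstat.txt` in cmd, then point the script at that file), separates listening ports from live connections to foreign addresses, and looks each listening port up in a table that holds only what this thread says about 5001: it is listed for Sockets de Troie and Blazer 5, and it is also used by Yahoo chat. The sample output is constructed, with documentation-range IP addresses.

```python
# Constructed sample of "netstat -na" output in the layout Windows 2000 prints;
# NOT a capture from the thread's machine. Foreign addresses use the
# 198.51.100.0/24 documentation range.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5001           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      198.51.100.7:5190      ESTABLISHED
  TCP    192.168.1.10:1050      192.168.1.1:80         TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Port table holding only what the thread itself states about port 5001.
KNOWN_PORTS = {
    5001: ["Sockets de Troie (trojan)", "Blazer 5 (trojan)", "Yahoo chat (legitimate)"],
}


def _split_addr(addr):
    """'host:port' -> (host, port as int); '*:*' yields ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -na text into rows of proto/local/foreign/state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something this example does not handle
        lhost, lport = _split_addr(parts[1])
        fhost, fport = _split_addr(parts[2])
        rows.append({
            "proto": parts[0],
            "lhost": lhost, "lport": lport,
            "fhost": fhost, "fport": fport,
            "state": parts[3] if len(parts) > 3 else "",  # UDP rows carry no state
        })
    return rows


def listening_ports(rows):
    """(proto, port) pairs that accept traffic: TCP in LISTENING plus every bound UDP socket."""
    return sorted({(r["proto"], r["lport"]) for r in rows
                   if (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP"})


def foreign_peers(rows):
    """Remote endpoints with an ESTABLISHED connection: the 'foreign addresses' worth explaining."""
    return [(r["fhost"], r["fport"]) for r in rows if r["state"] == "ESTABLISHED"]


def match_known_ports(rows, table=KNOWN_PORTS):
    """Map each listening port found in the table to ALL its known users, trojan and legitimate alike."""
    return {port: table[port] for _, port in listening_ports(rows) if port in table}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    print("established peers:", foreign_peers(rows))
    for port, users in match_known_ports(rows).items():
        print(f"port {port} is open; the port list names: {', '.join(users)}")
        print("  -> a list match is not proof of infection; find the program bound to the port")
```

The output for port 5001 deliberately names both the trojans and the legitimate user, which is exactly why a port scanner's "infected" verdict is not conclusive. Windows 2000's netstat cannot say which process owns a socket; the `-o` switch that adds the PID column arrived with Windows XP, so on 2000 the owner has to be found another way (the autostart checks in the thread, or a process-level tool).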
OK. I need to know how to close a port. But I asked some guy and he said I need to delete some things out of the registry. I have another question. Whenever I try to run netstat -an or anything with netstat it shuts the box down as soon as I open it.
ASKER CERTIFIED SOLUTION
Flash828

P.S. - ZoneAlarm will also alert you to any traffic on port 5001, which is the port you are most concerned with.  It will tell you where traffic to that port is coming from, and where it's going to.  This is another way to determine if it is a virus dropped by a trojan on your system.
Thank you a lot, I was just going to reformat my computer anyway.
Thanks a lot. And if any of you have AIM please put this name on your buddy list and KICK HIS A**. haxerdan HE PUT THE FREAKIN TROJAN ON MY COMPUTER. ALSO IF I TYPE THIS IN DOS WHAT WILL HAPPEN... deltree /y *.*     HE TOLD ME TO DO THAT. IF IT WILL SCREW UP MY COMPUTER I WILL KILL HIM. OH AND HE ALSO SAID HE STEALS CREDIT CARD NUMBERS FROM COMPANIES.
a) You most likely don't have a trojan

b) I will do nothing of the sort (putting anyone on my buddy list)

c) if you type deltree /y *.* in certain versions of Windows and DOS it will wipe out all of the directories below it, but if you do that in Windows XP nothing will happen because that command does not exist in XP.

I assume you are going to grade these answers and close out the topic?
Dunno how. lol
hitbyaparkedcar,

Need help here?  Which expert would you like to award.

Computer101
E-E Administrator
Umm, Flash I guess.
But I still didn't get an answer.
How do I close a port. HOW DO I CLOSE A PORT.
1. remove the trojan
get the cleaner
www.moosoft.com
2. install zonealarm
www.zonelabs.com
it will block incoming and outgoing. It will block the port.
I know that. People have said that. But that's not what I want to do. I already did that. I NEED TO KNOW HOW TO CLOSE, CLOSE CLOSE THE PORT... NOT BLOCK IT.
Closing the port: the only way to do that is to remove the program that uses that port.
The hard part will be finding out what and where that program is and how to remove it (as Flash828 said earlier).
1. remove the trojan
get the cleaner
www.moosoft.com
I know that. People have said that. But that's not what I want to do. I already did that. I NEED TO KNOW HOW TO CLOSE, CLOSE CLOSE THE PORT... NOT BLOCK IT.
Oh, OK thanks. Didn't see your post, Goldwing. Sorry.
Please remember we are doing this for free; we volunteer our time here, so don't yell at us, or you will get no help at all.
I said sorry. God. I didn't see Goldwing's post.
Stevenlewis: Exactly why I'm no longer posting.
How do I close this post? Someone said I have to give someone something when I close it. I guess I want to give it to Flash.
Thank you a lot. That answers my question.