Solved

Closing Ports And Editing The Registry

Posted on 2003-03-11
2,230 Views
Last Modified: 2013-12-04
Hi, I am wondering how you can close ports on Windows 2000 Pro. Some low-life high school b*****d hacked into my computer and installed a trojan on port 5001. It is called Sockets de Troie. I made an alias on AIM and acted like a fellow hacker to get information from him. He said that I have to delete a bunch of stuff out of the registry to get rid of it. I went into other questions and it said go to the registry blah blah blah then go to Windows > Current Version > Run something. I don't have that Run ____. I have 2 firewalls, ZoneAlarm and my dad's company one. I also have Symantec AntiVirus, and a bunch of other scanners. I also have a Linksys router and a wireless card installed on my computer if that has any importance with my question. My email is matt@comprotech.com. I would have put this on a higher point value but I only have 80. Please help.
Question by:hitbyaparkedcar
34 Comments
 
LVL 7

Expert Comment

by:Goldwing
ID: 8115365
Port 5001

port: 5001 - Sockets de Troie, Blazer 5

Pest Name: Blazer 5
Category: RAT.
A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine and a "server" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
 
This tool should be able to find and remove the trojan:
http://www.snake-basket.de/tfak/TFAK5.zip

Good luck
0
 

Author Comment

by:hitbyaparkedcar
ID: 8115738
Oh, and also it sometimes says this when I try to download something: "Access to the specified device, path, or file is denied." What does that mean?
0
 

Author Comment

by:hitbyaparkedcar
ID: 8115753
Like when I tried to download your thing.
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8115815
I'm pretty sure that port is also a legitimate port... not necessarily a virus.  Are you sure you were hacked, and are you sure you have a virus?  Just because SARC security check said that you have a trojan doesn't mean you do.. it just means that port is open, and it might also be a legitimate program.  For instance Yahoo chat uses port 5001.  Here is a Microsoft example of an application provided by them that uses port 5001:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/ipv4_only_server_code_2.asp

It's worth checking to see if you have a virus before anything rash is done.  Do any of your scanners pick up a trojan?
0
 
LVL 7

Expert Comment

by:Goldwing
ID: 8115902
"Access to the specified device, path, or file is denied." What does that mean?

Sounds like a rights problem, are you in the local administrator group on the PC?
0
 

Author Comment

by:hitbyaparkedcar
ID: 8116716
OK, Goldwing, my dad is the administrator (or however you spell it). I am not. But I know how to access my router's web page thing and I know the password. Now Flash, I scanned my ports with 3 different port scanners and they all came up with "Port 5001 infected with Sockets de Troie". I used Anti Trojan 5.5 and Local Port Scanner (cheap thing off of downloads.com but it works) and something else. Another thing that happened is when I shut down my computer a thing came up saying IEXPLORER.exe is not responding. I have never heard of that file but I HAVE heard of explorer.exe. To Goldwing, how would I fix it? My dad's email is tom@comprotech.com, email him saying it was something his son Matt asked you to do. Wow... I just thought of this problem also. I read another question and it told me to open netstat -an to check for foreign addresses or something like that but when I did it shut down right away. Then I did netstat and it lasted a while, went through my dad's server thing... comprotech.com (then a bunch of different numbers) but it also came up with one called hal-023e.blue.aol. What is that? Is that AIM? But then after that it shut down the box. I am confused. I am thinking of reformatting my computer but I have a lot of things on here that I don't want to lose and I don't feel like burning them onto a disk. Please help. (I got way too many problems.)
0
 

Author Comment

by:hitbyaparkedcar
ID: 8116719
OK, Goldwing, my dad is the administrator (or however you spell it). I am not. But I know how to access my router's web page thing and I know the password. Now Flash, I scanned my ports with 3 different port scanners and they all came up with "Port 5001 infected with Sockets de Troie". I used Anti Trojan 5.5 and Local Port Scanner (cheap thing off of downloads.com but it works) and something else. Another thing that happened is when I shut down my computer a thing came up saying IEXPLORER.exe is not responding. I have never heard of that file but I HAVE heard of explorer.exe. To Goldwing, how would I fix it? My dad's email is tom@comprotech.com, email him saying it was something his son Matt asked you to do. Wow... I just thought of this problem also. I read another question and it told me to open netstat -an to check for foreign addresses or something like that but when I did it shut down right away. Then I did netstat and it lasted a while, went through my dad's server thing... comprotech.com (then a bunch of different numbers) but it also came up with one called hal-023e.blue.aol. What is that? Is that AIM? But then after that it shut down the box. I am confused. I am thinking of reformatting my computer but I have a lot of things on here that I don't want to lose and I don't feel like burning them onto a disk. Please help. (I got way too many problems.)
0
 

Author Comment

by:hitbyaparkedcar
ID: 8116722
Whoops, I posted it twice... sorry guys.
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8117863
Okay, you need to take a step back here for a second hitbyaparkedcar...

First of all, a port scanner CANNOT tell you if you have a virus or not.  It can compare a list of ports that are known to be used by trojans to the ports on your computer.  Pretty much ANY port scanner that finds an open port and finds it in a database of known ports will tell you the same thing.  Unfortunately, these port scanners cannot identify whether or not a virus caused by a trojan actually exists on your machine.  You must either have conclusive evidence that the open port will respond as a trojan does, or run a virus scanner and get a positive on a virus.

Iexplorer.exe is Internet Explorer, and is most obviously a legitimate part of Windows.  

Hal-023e.blue.aol.com is NOT an IP assigned to a user on AOL.  It is part of the AOL domain, and should not be suspect in this case.  Instant Messenger uses login.oscar.aol.com or oscar.aol.com.

You must not cloud your prognosis of the situation with a predetermined cause.  If you know that a virus is the cause of your problems, then by all means, you should clean it off with a virus program and/or reformat your %systemroot% partition or your hard drive.  However if you are curious as to what is going on, then I suggest you run some conclusive tests to determine the cause.

If you have any questions regarding a result of a test please feel free to post them.  I will be monitoring this topic and will be sure to answer any questions you have.  I'm sure that others will be monitoring this topic as well, and so I'm sure a second opinion will be posted soon after mine.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8118901
OK, thanks a lot. I have Symantec AntiVirus and I scanned my computer about 100 times with it and no viruses came up. I also downloaded Spybot Search and Destroy and that found about 426 bad files in the registry, including spyware and such. But... sometimes when I download something it says Access to specific device, path, or (something else) denied. What does that mean and how do I stop it from doing that?
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8122236
As Goldwing has mentioned, this is probably a user rights issue, or a security permissions issue.  However please note that although you are Administrator, Windows XP will still prevent you from accessing the "System Volume Information" directory which exists off of the root of any NTFS formatted partition.  This behavior is normal, and although you can grant yourself permission to either "Act as part of the operating system" (in group policy), or actually change permissions and allow Administrators to access this directory, I strongly suggest you do not do this, as there is very little potential for good to come out of it.  Not very much you can do in this directory.  It contains your system restore files as well as some others.

When you ran Symantec anti-virus, were you using the latest definitions?

I reviewed your original post again for more clues (and quite honestly to review what it is exactly you are asking).  If your question was regarding registry entries, please note that there are a few run points in the Windows Registry.  The most common are at these locations:

I use abbreviations here for the root keys, for example HKLM means HKEY_LOCAL_MACHINE, and HKCU means HKEY_CURRENT_USER.

Programs run at Winlogon's desktop context switch (in layman's terms, the stuff that runs as you see your desktop):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Programs that run only ONE time (your next reboot) at Winlogon's desktop context switch:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Call to your Windows shell (explorer.exe):

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon
For this one, only the value "Shell" is of interest, and it should contain only the REG_SZ value "Explorer.exe" by itself.  If there is something after it, it's being run by explorer, and is a VERY abnormal thing for a legitimate program to do.

Check your startup folder in your start menu; this will also call programs once the shell is invoked (explorer.exe).

There are other less common ways of getting programs to run (for instance similar keys in HKCU), however they are less likely to be interesting.

If you have any questions regarding any of this, what keys appear dangerous, what keys are legitimate, don't hesitate to ask.

Also, as you might be able to tell, I'm a little lost regarding what the question/problem we are attempting to troubleshoot is.  If you can phrase your problem in the form of a question I will hopefully be able to assist you further.

Good luck with the registry.  As Microsoft, and anyone who is proficient in the Windows registry will tell you, BACK UP YOUR REGISTRY before making any modifications, and be extremely careful as to what you change in the registry.  If you are unsure, do not make the change, and ask first.
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8122684
I have noticed from the other page where you are putting posts that you are also having a problem with netstat.  Please note that you should run netstat from the command prompt, not the Run dialog.  If you go to Start->Run then type in netstat, it will fly by and not be very helpful.  However if you go to Start->Run, then type in cmd and hit Enter, and THEN type in "netstat -na", you will see the output or be able to use the scrollback buffer.  

One more thing, I haven't been on this board for very long, but I don't think it's cool to post questions in other people's topics.  Just a heads up.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8122700
OK. I need to know how to close a port. But I asked some guy and he said I need to delete some things out of the registry. I have another question. Whenever I try to run netstat -an or anything with netstat it shuts the box down as soon as I open it.
0
 
LVL 3

Accepted Solution

by:
Flash828 earned 320 total points
ID: 8122806
Regarding shutting down a port, this is not something that is done through the registry unless a certain application that is being run from the registry is opening the port.  So while the guy you asked is partially right in that you can stop programs from loading in the registry and as a side effect stop a port from responding, that's not technically accurate.  A port is a logical concept, much like a channel on a TV.  The channels exist on your TV regardless of whether there is anything being broadcast on them.  For instance, you can turn on channel 2, and there will be an image, but channel 103 may not have an image.  Either way channel 103 exists on your TV (bear with me on this.. I know if you have digital cable then probably there are 300 channels which means that 103 probably does have an image... but you get the drift).

In order to stop a port from responding, you have to disable the program that is listening on that port.  Otherwise, you can install a firewall and tell the firewall to not allow traffic on that "logical" port.  For example if you had an FTP server on your computer, but wanted a firewall to block it without shutting down the FTP server (for whatever reason), then you tell the firewall to block port 21.

Some Windows services listen on ports on your computer.  These ports can be closed by shutting down the service in the Services MMC snap-in (accessible directly by going to Start->Run, then typing in services.msc).  Please note however that some services are required for Windows to function as you expect.  In addition, some services depend on other services to be running in order to function properly.  Basically this means that unless you are certain you do not need it, then don't disable it.

I think the best idea for you is to get a firewall such as ZoneAlarm, and set rules which block all incoming connections on all ports you want to block.

Regarding your netstat issue, please read my previous post.  Are you running netstat from the command prompt or from the Start->Run dialog?
0
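Flash828's two points above (the registry run points in the earlier post, and the accepted answer's point that a port is closed by stopping the program listening on it, while a firewall only blocks it) combined into one check, as an added example that is not code from the thread. It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer, where Get-NetTCPConnection exists (Windows 2000 itself has neither), and uses port 5001 from the question as the default.

```powershell
# Added example (not from the thread): map a listening TCP port to the
# process that owns it, then check the autostart locations Flash828 lists
# for anything that would relaunch it. Assumes Windows PowerShell 5.1+ on
# Windows 8 / Server 2012 or later (Get-NetTCPConnection lives in NetTCPIP).
param(
    [int]$Port = 5001   # the port from the question; change as needed
)

# 1. Who is listening? The equivalent of "netstat -ano" filtered to LISTEN.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP/$Port - there is no port to close."
    return
}
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $exe  = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
    Write-Output ("TCP/{0} is held by PID {1} ({2}) at {3}" -f $Port, $conn.OwningProcess, $proc.ProcessName, $exe)
}

# 2. Would that program come back at logon? Dump the Run/RunOnce keys for the
#    machine and the current user (the HKCU variants Flash828 calls less common).
$autostart = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autostart) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        Write-Output ("{0}\{1} = {2}" -f $key, $p.Name, $p.Value)
    }
}

# 3. Winlogon's Shell value should be exactly "explorer.exe"; anything appended
#    to it is started by the shell. The real key name is "Windows NT" with a space.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    Write-Output "WARNING: Winlogon Shell is '$shell' (expected 'explorer.exe')"
} else {
    Write-Output "Winlogon Shell is normal: '$shell'"
}
```

The script only reads; actually closing the port means stopping or uninstalling the program it names (or the service in services.msc) and, after backing up the key, removing its autostart entry, whereas a ZoneAlarm rule only blocks the port.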
 
LVL 3

Expert Comment

by:Flash828
ID: 8122822
P.S. - ZoneAlarm will also alert you to any traffic on port 5001, which is the port you are most concerned with.  It will tell you where traffic to that port is coming from, and where it's going to.  This is another way to determine if it is a virus dropped by a trojan on your system.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8122920
Thank you a lot, I was just going to reformat my computer anyway.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8123212
Thanks a lot. And if any of you have AIM please put this name on your buddy list and KICK HIS A**. haxerdan HE PUT THE FREAKIN TROJAN ON MY COMPUTER. ALSO IF I TYPE THIS IN DOS WHAT WILL HAPPEN... deltree /y *.*     HE TOLD ME TO DO THAT. IF IT WILL SCREW UP MY COMPUTER I WILL KILL HIM. OH AND HE ALSO SAID HE STEALS CREDIT CARD NUMBERS FROM COMPANIES.
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8123631
a) You most likely don't have a trojan

b) I will do nothing of the sort (putting anyone on my buddy list)

c) If you type deltree /y *.* in certain versions of Windows and DOS it will wipe out all of the directories below it, but if you do that in Windows XP nothing will happen because that command does not exist in XP.

I assume you are going to grade these answers and close out the topic?
0
 

Author Comment

by:hitbyaparkedcar
ID: 8124279
Dunno how. lol
0
 
LVL 1

Expert Comment

by:Computer101
ID: 8125066
hitbyaparkedcar,

Need help here?  Which expert would you like to award.

Computer101
E-E Administrator
0
 

Author Comment

by:hitbyaparkedcar
ID: 8125152
Umm, Flash I guess.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8125157
But I still didn't get an answer.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8125160
How do I close a port? HOW DO I CLOSE A PORT?
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 8125214
1. Remove the trojan
Get The Cleaner
www.moosoft.com
2. Install ZoneAlarm
www.zonelabs.com
It will block incoming and outgoing. It will block the port.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8127331
I know that. People have said that. But that's not what I want to do. I already did that. I NEED TO KNOW HOW TO CLOSE, CLOSE, CLOSE THE PORT... NOT BLOCK IT
0
 
LVL 7

Expert Comment

by:Goldwing
ID: 8127783
Closing the port: the only way to do that is to remove the program that uses that port.
The hard part will be finding out what and where that program is and how to remove it.. (as Flash828 said earlier).
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 8128701
1. Remove the trojan
Get The Cleaner
www.moosoft.com
0
 

Author Comment

by:hitbyaparkedcar
ID: 8131053
I know that. People have said that. But that's not what I want to do. I already did that. I NEED TO KNOW HOW TO CLOSE, CLOSE, CLOSE THE PORT... NOT BLOCK IT
0
 

Author Comment

by:hitbyaparkedcar
ID: 8131622
Oh, OK thanks. Didn't see your post, Goldwing. Sorry.
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 8132233
Please remember we are doing this for free, we volunteer our time here, so don't yell at us, or you will get no help at all.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8132597
I said sorry. God. I didn't see Goldwing's post.
0
 
LVL 3

Expert Comment

by:Flash828
ID: 8133065
Stevenlewis: Exactly why I'm no longer posting.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8133334
How do I close this post? Someone said I have to give someone something when I close it. I guess I want to give it to Flash.
0
 

Author Comment

by:hitbyaparkedcar
ID: 8133364
Thank you a lot. That answers my question.
0
