Urgent Help Please...



3rd gen noob
10-25-2003, 03:57 PM
ok, please help me
i have possible trojans

this is the report from anti trojan:

"Port 1047 open. Possible trojans. GateCrasher.b , GateCrasher.c
Port 5000 open. Possible trojans. Sockets de Troie, Blazer 5"

now, i'm pretty sure port 5000 is nothing, however, i'm unsure about port 1047

when i do a netstat -a, i get this:

Active Connections

Proto Local Address Foreign Address State
TCP a:epmap a:0 LISTENING
TCP a:microsoft-ds a:0 LISTENING
TCP a:1025 a:0 LISTENING
TCP a:1026 a:0 LISTENING
TCP a:1030 a:0 LISTENING
TCP a:1032 a:0 LISTENING
TCP a:1047 a:0 LISTENING
TCP a:3280 a:0 LISTENING
TCP a:5000 a:0 LISTENING
TCP a:40019 a:0 LISTENING
TCP a:1030 216.239.59.99:http ESTABLISHED
TCP a:1032 216.239.59.99:http ESTABLISHED
TCP a:1046 a:0 LISTENING
TCP a:1046 localhost:1047 ESTABLISHED
TCP a:1047 localhost:1046 ESTABLISHED
UDP a:microsoft-ds *: *
UDP a:isakmp *: *
UDP a:1034 *: *
UDP a:1054 *: *
UDP a:ntp *: *
UDP a:1900 *: *
UDP a:ntp *: *
UDP a:1900 *: *
UDP a:2051 *: *

can anyone help, please

when i run anti trojan, no trojan files are found in registry or files...

thanks in advance

nostalgia
10-25-2003, 04:14 PM
Can it be that Anti-Trojan is warning you that an open port 1047 is vulnerable to Gatecrasher.b and .c instead of you being already infected with a trojan???


edit: taken from Anti-Trojan site info about port 5000 http://www.anti-trojan.net/en/faq50006.aspx

http://www.anti-trojan.net/en/trojportlist.aspx there is a list of known trojans and the ports they normally prefer to use. As you can see, 1047 is the port Gatecrasher would use, so it doesn't mean you have this Trojan but it means that this port is open and so Gatecrasher could (if you had it) use this port. I assume you ran Anti-Trojan and Gatecrasher wasn't found?
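The distinction made in the post above (a port-list match says a port is open, not which program opened it) can be checked against the netstat output from the first post. The following is an added example, not part of the original thread; the function names are hypothetical, and the sample rows are a subset copied from that output.

```python
import re

# Port hints exactly as reported by the scanner in the first post.
PORT_HINTS = {1047: "GateCrasher.b, GateCrasher.c",
              5000: "Sockets de Troie, Blazer 5"}

# Subset of the `netstat -a` rows quoted in the first post.
SAMPLE = """\
TCP a:1030 a:0 LISTENING
TCP a:1047 a:0 LISTENING
TCP a:5000 a:0 LISTENING
TCP a:40019 a:0 LISTENING
TCP a:1030 216.239.59.99:http ESTABLISHED
TCP a:1046 a:0 LISTENING
TCP a:1046 localhost:1047 ESTABLISHED
TCP a:1047 localhost:1046 ESTABLISHED
"""

LOCAL_NAMES = {"a", "localhost", "127.0.0.1"}  # "a" is the poster's hostname

def parse(text):
    """Return (local_port, remote_host, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\S+)\s+(\S+):(\S+)\s+(\w+)", line)
        if m:
            rows.append(m.groups())
    return rows

def triage(text):
    """Classify each numeric listening port by who is connected to it."""
    rows = parse(text)
    listening = {int(lp) for lp, _, _, st in rows
                 if st == "LISTENING" and lp.isdigit()}
    established = [(lp, rh) for lp, rh, _, st in rows if st == "ESTABLISHED"]
    report = {}
    for port in sorted(listening):
        peers = [rh for lp, rh in established if lp == str(port)]
        if peers and all(rh in LOCAL_NAMES for rh in peers):
            kind = "loopback-only"    # both ends are on this machine
        elif peers:
            kind = "remote-peer"      # talking to another host
        else:
            kind = "listening-idle"   # open, nothing connected
        report[port] = (kind, PORT_HINTS.get(port))
    return report

if __name__ == "__main__":
    for port, (kind, hint) in triage(SAMPLE).items():
        print(port, kind, "port-list match: " + hint if hint else "")
```

Whatever the classification, a port stays unattributed until it is tied to a process; on Windows XP, `netstat -ano` adds the owning PID to each row.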

exeus
10-25-2003, 04:20 PM
port 5000 used to be a trojan port..... by that being open i'm guessing you have xp... port 40019 <--- has me a bit worried cos it is so high...1047 could be anything like icq for instance
you need to shut everything down that is on the net, web browser, everything, wait a few minutes, then do a netstat....

3rd gen noob
10-25-2003, 07:04 PM
well, i've just formatted there
after the format, i only installed necessary drivers and nod32
i updated nod32 and it then found 11 infected files (brought up svchost.exe and dllhost.exe)
wtf is going on here?

leonidas
10-25-2003, 09:05 PM
> Originally posted by 3rd gen noob@25 October 2003 - 20:04
> well, i've just formatted there
> after the format, i only installed necessary drivers and nod32
> i updated nod32 and it then found 11 infected files (brought up svchost.exe and dllhost.exe)
> wtf is going on here?

"svchost.exe" isn't a virus, it's just your clock which tries to synchronize with the internet time from a site I don't remember.

Kunal
10-25-2003, 09:22 PM
dllhost.exe is win32.nachia i think, it's a virus anyways, associated with the blaster type viruses

ZaZu
10-25-2003, 10:05 PM
Do you have a firewall?
it sounds like you need one
get ZoneAlarm here (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=pdb_za1)

exeus
10-26-2003, 12:03 PM
> Originally posted by leonidas@26 October 2003 - 06:05
> > Originally posted by 3rd gen noob@25 October 2003 - 20:04
> > well, i've just formatted there
> > after the format, i only installed necessary drivers and nod32
> > i updated nod32 and it then found 11 infected files (brought up svchost.exe and dllhost.exe)
> > wtf is going on here?
>
> "svchost.exe" isn't a virus, it's just your clock which tries to synchronize with the internet time from a site I don't remember.

svchost.exe <--- plenty of worm/viri use that as a name....

EDIT: i'm 95% sure this is what you had....tells you all about it (http://www.pchell.com/virus/welchia.shtml)

leonidas
10-26-2003, 12:23 PM
> Originally posted by exeus@26 October 2003 - 13:03
> > Originally posted by leonidas@26 October 2003 - 06:05
> > > Originally posted by 3rd gen noob@25 October 2003 - 20:04
> > > well, i've just formatted there
> > > after the format, i only installed necessary drivers and nod32
> > > i updated nod32 and it then found 11 infected files (brought up svchost.exe and dllhost.exe)
> > > wtf is going on here?
> >
> > "svchost.exe" isn't a virus, it's just your clock which tries to synchronize with the internet time from a site I don't remember.
>
> svchost.exe <--- plenty of worm/viri use that as a name....
>
> EDIT: i'm 95% sure this is what you had....tells you all about it (http://www.pchell.com/virus/welchia.shtml)

I'm sorry, I didn't know that.
So that would explain why I've got 4 processes of it running on windows task manager :huh: Thanks for the information. ;)
But damn I have NAV Corp 2003, NPF 2003, Spybot, Adaware & Anti-trojan!
Why the hell don't they work!??!?! :angry:

exeus
10-26-2003, 12:33 PM
> Originally posted by leonidas@26 October 2003 - 21:23
> > Originally posted by exeus@26 October 2003 - 13:03
> > > Originally posted by leonidas@26 October 2003 - 06:05
> > > > Originally posted by 3rd gen noob@25 October 2003 - 20:04
> > > > well, i've just formatted there
> > > > after the format, i only installed necessary drivers and nod32
> > > > i updated nod32 and it then found 11 infected files (brought up svchost.exe and dllhost.exe)
> > > > wtf is going on here?
> > >
> > > "svchost.exe" isn't a virus, it's just your clock which tries to synchronize with the internet time from a site I don't remember.
> >
> > svchost.exe <--- plenty of worm/viri use that as a name....
> >
> > EDIT: i'm 95% sure this is what you had....tells you all about it (http://www.pchell.com/virus/welchia.shtml)
>
> I'm sorry, I didn't know that.
> So that would explain why I've got 4 processes of it running on windows task manager :huh:
>
> Thanks for the information. :)

no, multiple instances of that running is normal (i s'pose that is why some programmers take advantage of that when writing malicious code)

a bit of info here if u are wondering what they are (http://support.microsoft.com/?kbid=314056)

EDIT: don't use "run" like it says at ms, start the command prompt yourself