Full Version: firewall TCPview issue
Kaspersky Lab Forum > English User Forum > Protection for Home Users > Kaspersky Internet Security & Anti-Virus for Windows
con2rol
hi
i have been told that checking for a listening value in a connection made by the computer is a good way of spotting trojans.. so i ran microsoft TCPview and found the following "listening" even though i had kis 7 firewall only allowing the bare minimum...

avp.exe:904 mypcname:110 mypcname:0 listening
alg.exe:220 mypcname:1028 mypcname:0 listening
system:4 mypcname:netbios-ssn mypcname:0 listening
system:4 mypcname:microsoft-ds mypcname:0 listening
svchost.exe:1464 mypcname:epmap mypcname:0 listening
iexplore.exe:528 mypcname:33233 mypcname:0 listening

what does this mean, what should i do to these listening connections

i terminated the one named svchost.exe:1464 epmap and the computer showed a warning that the RPC has been unexpectedly terminated and that windows is shutting down, and a count down began that ended by a restart.. when it opened again i noticed that the appearance of my desktop has changed, it got stretched out so that some files that were on the desktop are not reachable, i tried in the properties > settings to center it but no, and i also noticed that the resolutions available have shrunk.. before i could choose between 3 different screen resolutions, now its only two..

please help

thanks

Lucian Bara
hello
i think avp.exe is listening on port 1110 not 110.
as for the others. alg is application layer gateway. can be disabled if you go to start>run>Services.msc and disable it. it's only needed for internet connection sharing.
system, system - netbios. if you don't use file sharing in the network you can disable it with this tool: http://www.firewallleaktester.com/wwdc.htm
svchost is also "Normal" on a non tweaked pc.

only thing strange is iexplore.exe, normally it shouldn't be listening. Did you start it yourself?

p2u
QUOTE(Lucian Bara @ 27.11.2007 10:54)
can be disabled if you go to start>run>Services.msc and disable it.

From my experience I know that many users confuse 'Stop the service' with actually disabling it.
Disable means - setting the Startup Type to 'Disabled'. It might not stop right away, and often it doesn't help to click the 'Stop the service' link. If you want to make sure, you should reboot the computer. Application Layer Gateway should only be disabled if the OS is XP SP2 or 'better'...

Paul
con2rol
when i found the iexplore.exe listening i terminated it..... what does it mean that it was listening, did it pose any danger..

about the others.... is it safe to leave them running or is there a risk of a malicious act..

if i disabled them (alg and netbios) can i enable them again if they conflict with any prog.

how to know if something is listening and it's a trojan...

thanks for clearing
Lucian Bara
listening means it's listening if something from the outside wants something with it (to put it in a basic manner). it's normal for some programs to be in a listening state, but internet explorer should have no reason to. can you post a combofix log: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

for the others, safe is a relative term. it's not really safe because there's always a chance they can be exploited by someone. normally there should be no conflict when leaving them disabled.

QUOTE
how to know if something is listening and it's a trojan...

that's art, but you can start by googling different terms, like applications (with full paths) and ports
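An added example, not code from the thread or from either poster, of the triage Lucian describes: it parses TCPview-style listening rows like the ones con2rol posted and flags anything outside a baseline of expected listeners. The baseline is an assumption constructed for a stock XP machine running KIS 7; the sample rows are the ones from the first post.

```python
import re
from typing import List, Optional, Tuple
# Service names TCPview prints instead of numeric ports.
SERVICE_PORTS = {"epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445}

# Constructed baseline (an assumption, not from the thread): listeners a stock
# XP box running KIS 7 is expected to have. None = any port (dynamic-port services).
BASELINE = {"system": {139, 445}, "svchost.exe": {135}, "alg.exe": None, "avp.exe": None}

LINE_RE = re.compile(
    r"^(?P<image>\S+?):(?P<pid>\d+)\s+\S+?:(?P<port>[\w-]+)\s+\S+\s+listening$", re.I)

def parse_line(line: str) -> Optional[Tuple[str, int, int]]:
    """Parse 'image:pid local:port remote:port listening' -> (image, pid, port)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("port").lower()
    port = int(raw) if raw.isdigit() else SERVICE_PORTS.get(raw, -1)  # -1: unknown name
    return m.group("image").lower(), int(m.group("pid")), port

def triage(lines: List[str]) -> List[Tuple[str, int, int, str]]:
    """Attach a verdict to every LISTENING row by comparing it with BASELINE."""
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a listening row (or garbled): skip
        image, pid, port = parsed
        allowed = BASELINE.get(image)
        if image not in BASELINE:
            verdict = "UNEXPECTED"  # e.g. a browser has no business listening
        elif allowed is None or port in allowed:
            verdict = "expected"
        else:
            verdict = "UNEXPECTED-PORT"  # known image on a port it should not own
        results.append((image, pid, port, verdict))
    return results

# Sample rows copied from con2rol's post above (colon in the iexplore row restored).
SAMPLE = """\
avp.exe:904 mypcname:110 mypcname:0 listening
alg.exe:220 mypcname:1028 mypcname:0 listening
system:4 mypcname:netbios-ssn mypcname:0 listening
system:4 mypcname:microsoft-ds mypcname:0 listening
svchost.exe:1464 mypcname:epmap mypcname:0 listening
iexplore.exe:528 mypcname:33233 mypcname:0 listening
""".splitlines()
for image, pid, port, verdict in triage(SAMPLE):
    print(f"{verdict:15} {image}:{pid} port {port}")
```

Only the iexplore.exe row is flagged; a known image on a port outside its baseline set gets "UNEXPECTED-PORT", and rows that are not in LISTENING state are ignored.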
con2rol
i ran services.msc and found an item called (remote procedure call) and when i double clicked it the sub windows can not be changed, i.e. i can't start/stop or disable it, and when i click on the tab "log on" i find that it has been set to

log on as
this account: NT AUTHORITY\NetworkService
password: ********
confirm password: *******

BUT I HAVE NEVER SET A PASSWORD FOR THIS COMPUTER

is this normal or is this a hacker in control of my system

when i terminated the svchost.exe:1464 mypcname:epmap mypcname:0 listening it said that the RPC has been terminated and that windows will shut down in ... and started counting down until it shut

thats why i wanted to see RPC in the services..

thanks
Lucian Bara
leave it as it is. it's a normal service and required for windows to function, that's why it can't be disabled. and when you killed that svchost you also killed the service... you can see the result.
con2rol
i checked the link u posted in the first reply and found that the port numbers that are on the information page about the prog... are all ticked "block" in KIS 7 firewall including netbios..

but when i run the tcpview it shows that netbios is listening even though its ports are blocked in kis firewall..

does this mean i dont have to disable it since no ingoing or outgoing traffic can bypass the rules in kis

thanks

i have another inquiry, i am not sure if this is the appropriate forum to post it on,... here it is
when i run netstat or ping from the run command... the window appears for a couple of seconds and disappears before i can read anything on it.... why is that? ... is this because of kasper running? if not then what could it be?

thanks a lot, ur help is immensely appreciated

Lucian Bara
you can't close ports using kis, you can only block traffic on the ports using kis. disabling netbios however, is the best alternative.

regarding netstat, it runs in a command window and does not wait for input, you need to run it from cmd. it seems you don't exactly know what is what, so my suggestion is to read more before trying to "kill" processes that are in a listening state and so on.
p2u
QUOTE(con2rol @ 27.11.2007 17:50)
but when i run the tcpview it shows that netbios is listening even though its ports are blocked in kis firewall..

does this mean i dont have to disable it since no ingoing or outgoing traffic can bypass the rules in kis

If you do not engage in file sharing I would advise you to disable NetBIOS anyway.
QUOTE
i have another inquiry, i am not sure if this is the appropriate forum to post it on,... here it is
when i run netstat or ping from the run command... the window appears for a couple of seconds and disappears before i can read anything on it.... why is that? ... is this because of kasper running? if not then what could it be?
thanks a lot, ur help is immensely appreciated

Do you use command.com (16 bit) or cmd.exe (32 bit)?
You should use cmd. Start - Run. Type cmd and hit Enter. In the black window you type ping forum.kaspersky.com for example and hit Enter. The command window should stay there until you close it.
If it still closes by itself, please enter cmd /k set>C:\info.txt into the [Start -] 'Run' box.
You will find a document with the name of info.txt in the root of disc C. Of course, you can change the disc name to D or E or wherever the system is installed. Please post the output.

Paul
con2rol
thanks i ran it from cmd and it worked

how about the system:4 microsoft-ds that was listening

can i disable netbios from services.msc or do i have to install a prog for that

again ur help is IMMENSELY appreciated...

p2u
QUOTE(con2rol @ 27.11.2007 18:26)
how about the system:4 microsoft-ds that was listening
can i disable netbios from services.msc or do i have to install a prog for that
again ur help is IMMENSELY appreciated...

Un-check 'File Sharing' and 'Microsoft Client' in the Internet Connection settings ('Properties' button). NetBIOS can also be disabled manually in the Internet Connections settings. Highlight TCP/IP, choose Properties and open the 'WINS' Tab. You should disable NetBIOS and un-check LMHosts Lookup. Afterwards, use this tool. All parameters should be green.
http://www.firewallleaktester.com/tools/wwdc.exe


Paul
con2rol
QUOTE(p2u @ 27.11.2007 19:32)
Un-check 'File Sharing' and 'Microsoft Client' in the Internet Connection settings ('Properties' button). NetBIOS can also be disabled manually in the Internet Connections settings. Highlight TCP/IP, choose Properties and open the 'WINS' Tab. You should disable NetBIOS and un-check LMHosts Lookup. Afterwards, use this tool. All parameters should be green.
http://www.firewallleaktester.com/tools/wwdc.exe
Paul

i did what u said and then ran tcpview again and found the following listening

1- svchost.exe:1476 name:epmap name:0

2- system:4 name:microsoft-ds name:0

3- avp.exe:744 name:1110 name:0

4- alg.exe:224 name:1025 name:0

from what i understand

1- leave it listening, this is normal

2- i still dont know what this is for and if it should be listening

3- thats kasper, leave it listening

4- this is for internet connection sharing.... i do share the internet connection but i dont share files or anything with these computers, so should i leave it listening... if so what are the dangers of leaving it listening

con2rol
i ran the tool you posted in the link... i had 2 ports not closed

the rpc locator 445 and the dcom rpc 135 port

how to close them, there is an option in the prog to disable them but i would like to do it manually

how to stop microsoft-ds from listening

thanks
p2u
QUOTE(con2rol @ 27.11.2007 18:57)
i did what u said and then ran tcpview again and found the following listening

1- svchost.exe:1476 name:epmap name:0

You certainly did not disable Application Layer Gateway service. If you share the Internet connection, leave everything as is. Just disable alg.exe
Listening = waiting for and accepting Incoming traffic (traffic you did not ask for).

Paul
con2rol
i got confused... this is how i get it.. please correct me if i am wrong

alg.exe is the application layer gateway, the one that i should keep... represented by

alg.exe:224 name:1025 name:0 listening

----------------------------------------------------------

the following which uses the port 135
svchost.exe:1476 name:epmap

is better off not leaving it listening.... but i dont know how


thanks

p2u
QUOTE(con2rol @ 28.11.2007 00:58)
i got confused... this is how i get it.. please correct me if i am wrong

alg.exe is the application layer gateway, the one that i should keep... represented by

alg.exe:224 name:1025 name:0 listening

----------------------------------------------------------

the following which uses the port 135
svchost.exe:1476 name:epmap

is better off not leaving it listening.... but i dont know how
thanks

In post 2 and 3, Lucian and I told you you should DISABLE alg.exe.
You can't close the port it opens without shutting down the service. If it is on 1025 now, and you close 1025 with Kaspersky, the service will be there on the next port. SHUT DOWN the service. Control Panel (class view) - Administrative Tools - Services. Look for Application Layer Gateway. Double-click on the name and choose 'Startup Type' = Disabled. Apply. OK. RESTART your computer.

Paul
con2rol
QUOTE(p2u @ 28.11.2007 09:28)
In post 2 and 3, Lucian and I told you you should DISABLE alg.exe.
You can't close the port it opens without shutting down the service. If it is on 1025 now, and you close 1025 with Kaspersky, the service will be there on the next port. SHUT DOWN the service. Control Panel (class view) - Administrative Tools - Services. Look for Application Layer Gateway. Double-click on the name and choose 'Startup Type' = Disabled. Apply. OK. RESTART your computer.

Paul

but i share the internet connection with other pcs..... do i still close alg.

and the svchost :epmap is not on port 1025, its on 135 ..... how to disable it and close the port

thanks.. please bear with me, i am a computer newbie