Disable NetBios?

Okay, all is fine (I hope) but when I ran WWDC (firewall leak testing), I got a message that NetBios would be disabled after next reboot. I’ve rebooted twice and still get the same message. Also, I still have open ports:
UDP (9 ports open)
TCP (9 ports open)

Are any of these normal??? And how do I disable NetBios/any hazardous ports?

I have XP Pro SP2, Comodo Firewall, Firefox, IE, Avast Antivirus.

Sorry if any of this sounds stupid, I am new to personal firewalls.

Hi Kc7brown :)

That’s a lot of open ports! Let’s look at some of them.

137, 138 and 139 are for NetBios
500 is for SSDP Discovery services
1900 is for Universal Plug and Play

Looks like you use a p2p/torrent client?

Quite a few of these ports may be unnecessary, depending upon your configuration.

Perhaps you would like to provide us with some more details about your hardware configuration and installed software?

Toggie

Toggie, via WWDC I have:

I have previously run Shareaza & Limewire, but am not running those anymore.

Would you mind posting a screen shot of your Network Monitor and Application Monitor rules, please? If you’re not sure how: Screenshot-posting for beginners. It will help a lot.

Also, do you have a router that supports UPnP?

Okay, give me a few to set this up and post for you. (:WIN)


http://img267.imageshack.us/img267/3238/20070429220901vz8.th.png

If this is not what you are looking for (a screen capture of my desktop with my cat on it) ;D let me know. I also downloaded another (Network Probe) to try it.

Toggie I’m not sure what you meant by “network monitor”, I have Network Probe running.

I apologize for my ignorance, but I didn’t know what a port was until Friday!

Hey kc7brown :) That’s a great cat. You should see mine 88)

I should have explained myself better. What I need you to do is this:

Open CFP, if you’re on the Summary screen, select the security tab at the top of the screen. The security screen will show you several tabs along the left hand side:

Tasks
Application Monitor
Component Monitor
Network Monitor
Advanced

Open Application Monitor to full screen and take a screen shot, as described in the post earlier. Then do the same for Network Monitor.

Toggie

Hey Toggie! After I sent that I figured out what you meant but you were already offline. Thought that would just ■■■■■ you up! ;D
I got the screen shots, and from Google searching found out how to close 137,138,139. My computer I bought from a friend who did have it hooked to a 4 computer network (his cyber cafe closed). I still have 1900, 1034, 1900, 1027, 4500, 1030, 500 (udp) and 12143, 12119, 12110, 12080, 12025, 5225 (tcp) open - I managed to close 5 ports?


http://img164.imageshack.us/img164/9806/appmonitorzz3.th.png


http://img164.imageshack.us/img164/6127/networkshotxk3.th.png

Thanks for the screen shots. I see nothing major :)

Next task is to download

TCPView for Windows v2.4

It will give us more information regarding the applications using the ports.

Toggie

Got TCPView up and running, mainly showing Avast, MsnMsgr, Firefox. Oh yeah, I keep having to delete OSA.exe from my task manager - today it started loading and running. I rarely use Word or anything like that. It’s deleted from TM right now, but if I reboot it will most likely start again.

After closing 137,138,139 I have seen a significant improvement in internet speed! :BNC

So what do I do next with TCP View?

If the ports you outlined above are in use, they should be seen in TCPView.

What we are looking for, are clues to which processes have the ports open.

It would be helpful if you would also open a command prompt and run the following command.

tasklist /SVC

This will show a list of running processes. You can do the same thing with Process Explorer

Process Explorer for Windows v10.21

Do you use a router?

Toggie

This is from this morning with Avast, Internet (Comodo forum, Myspace, Yahoo Mail) running.

I have BellSouth High Speed DSL Ultra, ethernet.

:1612 UDP brown-9f80bcf3e:1029 *:*
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:2955 207.138.126.158:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:2960 207.138.126.158:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:2961 207.138.126.158:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e:3057 localhost:12080 TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3039 no-dns-yet.inetc.co.uk:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3042 216.178.38.139:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3046 a72-246-25-139.deploy.akamaitechnologies.com:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3051 a72-246-25-139.deploy.akamaitechnologies.com:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3052 a72-246-25-139.deploy.akamaitechnologies.com:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3054 207.138.126.159:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3062 216.246.87.18:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3068 207.138.126.159:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e:3059 localhost:12080 TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e:3060 localhost:12080 TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e:3061 localhost:12080 TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e:3078 localhost:12080 TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3072 207.138.126.159:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3074 207.138.126.159:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3075 207.138.126.159:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3076 207.138.126.159:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3095 216.246.87.9:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e.launchmodem.com:3104 216.246.87.33:http TIME_WAIT
[System Process]:0 TCP brown-9f80bcf3e:12080 localhost:3020 TIME_WAIT
alg.exe:2320 TCP brown-9f80bcf3e:1026 brown-9f80bcf3e:0 LISTENING
ashMaiSv.exe:1720 TCP brown-9f80bcf3e:12025 brown-9f80bcf3e:0 LISTENING
ashMaiSv.exe:1720 TCP brown-9f80bcf3e:12110 brown-9f80bcf3e:0 LISTENING
ashMaiSv.exe:1720 TCP brown-9f80bcf3e:12119 brown-9f80bcf3e:0 LISTENING
ashMaiSv.exe:1720 TCP brown-9f80bcf3e:12143 brown-9f80bcf3e:0 LISTENING
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3145 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3128 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3121 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3115 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3140 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3108 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3096 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3136 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3124 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3088 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 brown-9f80bcf3e:0 LISTENING
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:2970 l1.ycs.vip.a2s.yahoo.com:http LAST_ACK
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3112 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3102 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3118 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3090 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3083 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3138 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3086 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3134 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3092 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3101 216.246.87.57:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3107 216.246.87.57:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3110 a72-246-25-139.deploy.akamaitechnologies.com:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3111 216.246.87.50:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3114 216.246.87.58:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3117 216.246.87.32:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3120 216.246.87.33:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3123 216.246.87.32:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3125 216.246.87.58:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3127 216.246.87.18:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3129 216.246.87.59:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3133 216.246.87.57:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3135 216.246.87.26:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3137 216.246.87.26:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3139 216.246.87.11:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3141 216.246.87.9:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3142 216.246.87.9:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3143 216.246.87.17:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3144 216.246.87.11:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3146 216.246.87.48:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3147 216.246.87.27:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3148 216.246.87.11:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3149 216.246.87.33:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e.launchmodem.com:3150 a72-246-25-139.deploy.akamaitechnologies.com:http ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3085 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3126 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3079 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3131 ESTABLISHED
ashWebSv.exe:1520 TCP brown-9f80bcf3e:12080 localhost:3105 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:2391 localhost:2392 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:2392 localhost:2391 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:2393 localhost:2394 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:2394 localhost:2393 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3079 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3083 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3085 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3086 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3088 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3090 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3092 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3096 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3102 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3105 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3108 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3112 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3115 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3118 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3121 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3124 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3126 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3128 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3131 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3134 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3136 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3138 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3140 localhost:12080 ESTABLISHED
firefox.exe:3660 TCP brown-9f80bcf3e:3145 localhost:12080 ESTABLISHED
lsass.exe:548 UDP brown-9f80bcf3e:isakmp *:*
lsass.exe:548 UDP brown-9f80bcf3e:4500 *:*
msnmsgr.exe:2744 UDP brown-9f80bcf3e:1586 *:*
msnmsgr.exe:2744 UDP brown-9f80bcf3e.launchmodem.com:discard *:*
svchost.exe:808 UDP brown-9f80bcf3e:1027 *:*
svchost.exe:848 UDP brown-9f80bcf3e:1900 *:*
svchost.exe:848 UDP brown-9f80bcf3e.launchmodem.com:1900 *:*
Tcpview.exe:3276 UDP brown-9f80bcf3e:3151 *:*

Process Explorer


http://img293.imageshack.us/img293/2708/processexplzb1.th.png

Thanks for the info. Let’s see where we are.

I noticed you removed the port list from your first post, so I’ll deal with those I remember.

Port 135 - TCP - RPC (Remote Procedure Call)
Port 137 - TCP/UDP - NETBIOS Name Service
Port 138 - UDP - NETBIOS Datagram Service
Port 139 - TCP - NETBIOS Session Service
Port 445 - TCP - NetBT (CIFS)
Port 500 - UDP - IPSec (used for VPN communications)
Port 1900 - UDP - SSDP/UPnP

All of these services may be disabled, however, before you do this you must consider your requirements.

Do you use a VPN (Virtual Private Network)? If you do then you will require IPSec/ISAKMP (Internet Security Association and Key Management Protocol).

If your Router supports UPnP (Universal Plug and Play) for automatically opening/closing ports you will need SSDP (Simple Service Discovery Protocol) and UPnP.

Communications between Microsoft based client/server computers on a LAN typically involves NetBIOS (137, 138, 139, 445) and Remote Procedure Calls (135). If you don’t require this kind of communication, these ports may be restricted or disabled.

It seems you have already disabled some of the ports discussed above, the others I can take you through, should you wish to proceed.

Toggie

Okay open: UDP 1900, 9, 1900, 1722, 1029, 4500, 1027, 500
TCP 12143, 12119, 12110, 12080, 12025, 1026

Removed them on my way to work, as I knew it would be quite awhile before I could log on and don’t want too much info floating around (don’t know if anyone could even use it). And I’ve started unplugging my modem unless I am actually using the computer. I remember a few weeks ago the modem lights blinking like crazy for like 10 minutes when I had not touched the computer for hours.

I am a home only computer, no network/virtual/wireless of any kind. If UPNP is when you plug new hardware in and Windows finds the drivers, I’d like to keep that. I don’t do any online gaming, just bill paying, googling, myspace, and occasional IMs with known friends ONLY. I already learned the hard way about chat rooms! (:AGY)

:1612 UDP 127.0.0.1:1029 *:*
alg.exe:2320 TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
ashMaiSv.exe:1720 TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING
ashMaiSv.exe:1720 TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING
ashMaiSv.exe:1720 TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING
ashMaiSv.exe:1720 TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING
ashWebSv.exe:1520 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
firefox.exe:412 TCP 127.0.0.1:1799 127.0.0.1:1801 ESTABLISHED
firefox.exe:412 TCP 127.0.0.1:1801 127.0.0.1:1799 ESTABLISHED
firefox.exe:412 TCP 127.0.0.1:1802 127.0.0.1:1803 ESTABLISHED
firefox.exe:412 TCP 127.0.0.1:1803 127.0.0.1:1802 ESTABLISHED
lsass.exe:548 UDP 0.0.0.0:500 *:*
lsass.exe:548 UDP 0.0.0.0:4500 *:*
msnmsgr.exe:1896 TCP 192.168.1.97:1727 207.46.106.81:1863 ESTABLISHED
msnmsgr.exe:1896 UDP 127.0.0.1:1722 *:*
msnmsgr.exe:1896 UDP 192.168.1.97:9 *:*
svchost.exe:808 UDP 0.0.0.0:1027 *:*
svchost.exe:848 UDP 127.0.0.1:1900 *:*
svchost.exe:848 UDP 192.168.1.97:1900 *:*

Hope this helps you, I don’t even know if I need to close any more, I guess only if they are ports susceptible to compromise by trojans/viruses. I have had ALOT less problems after just closing the NetBios. And I think I have learned more about ports and processes in the past 7 days than I ever dreamed existed!

Thanks SOOOOO much if I haven’t told you so already. (:CLP)

Ok, let’s try and work our way through this. The following instructions outline what CAN be done, they are by no means mandatory.

I remember a few weeks ago the modem lights blinking like crazy for like 10 minutes when I had not touched the computer for hours.

If you were disconnected from the Internet when this occurred, I would be quite worried. It COULD indicate the presence of a Dialer trojan. These can be very nasty, causing extremely high telephone bills.

As I say, if you were disconnected, you must check for the presence of a Dialer using a few good Anti-Spyware/Anti-Virus programs. I’ll provide suggestions if needed.

I am a home only computer, no network/virtual/wireless of any kind. If UPNP is when you plug new hardware in and Windows finds the drivers, I'd like to keep that.

Disabling the UPnP service won’t affect your PC’s ability to detect new hardware. It may, however, be needed to work in conjunction with your router. You need to check the documentation for that device, to see if it’s needed.

and occasional IMs with known friends ONLY.

You seem to have several messenger applications installed, although I notice that Yahoo and MSNMessenger are ‘blocked’ in your Application Monitor rules. If you don’t use/want them, it may be better to uninstall them.

:1612 UDP 127.0.0.1:1029 *:*

It’s difficult to speculate about the nature of this entry. It may warrant further investigation to determine the owner of the process.

Open a ‘Command Prompt’ and type netstat -aon - press [return]

The right most column is called PID, which stands for Process ID. Find the entry for ‘:1612 UDP 127.0.0.1:1029 *:*’ and make a note of the PID.

In the same ‘Command Prompt’ type tasklist /SVC - press [return]

Find the PID that corresponds to the above and see if it has a process name. We can go from there.

Ok, let’s think about which services to disable. By doing this we can eliminate some open ports. To do this we need to open the Windows Services Console.

Start/Run - Type services.msc - press [return]

This will open a new window and provide access to the various services used by Windows. There are quite a few, but we are only interested in a few.

alg.exe:2320 TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING

Alg.exe is the Application Layer Gateway service. This is used in conjunction with ICS/ICF (Internet Connection Sharing/Internet Connection Firewall). If you don’t have a home network you have no need for ICS and hence, no need for this service to be running.

Bring the Services Console to the front and read down the list until you find Application Layer Gateway Service, it should be close to the top. Right click on the service and select ‘Properties’. Under ‘Service status’ click ‘Stop’. When the service has stopped, select ‘Disabled’ from the drop-down box in ‘Startup type’. Finally click ‘OK’.

ashMaiSv.exe:1720 TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING
ashMaiSv.exe:1720 TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING
ashMaiSv.exe:1720 TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING
ashMaiSv.exe:1720 TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING
ashWebSv.exe:1520 TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING

ashWebSv.exe is part of Avast AV (Avast Web Shield). These are normal.

firefox.exe:412 TCP 127.0.0.1:1799 127.0.0.1:1801 ESTABLISHED
firefox.exe:412 TCP 127.0.0.1:1801 127.0.0.1:1799 ESTABLISHED
firefox.exe:412 TCP 127.0.0.1:1802 127.0.0.1:1803 ESTABLISHED
firefox.exe:412 TCP 127.0.0.1:1803 127.0.0.1:1802 ESTABLISHED

Obviously firefox :)

lsass.exe:548 UDP 0.0.0.0:500 *:*
lsass.exe:548 UDP 0.0.0.0:4500 *:*

Lsass.exe (Local Security Authority Service) is an important part of security operations in Windows, however, the ports opened above are only necessary if you use a VPN (Virtual Private Network). If you don’t, you may disable the IPSEC (Internet Protocol Security) service.

In the Services Console, scroll down until you find IPSEC Services and repeat the procedure outlined above.

msnmsgr.exe:1896 TCP 192.168.1.97:1727 207.46.106.81:1863 ESTABLISHED
msnmsgr.exe:1896 UDP 127.0.0.1:1722 *:*
msnmsgr.exe:1896 UDP 192.168.1.97:9 *:*

Msnmsgr.exe is the main executable for MSN Messenger. I’m curious about why it seems to be connected, when it’s been ‘Blocked’ in your Application Monitor rules. As I said earlier, if you don’t use it, uninstall it. It is possible to remove messenger completely from XP. Let me know if you want to do that.

svchost.exe:808 UDP 0.0.0.0:1027 *:*
svchost.exe:848 UDP 127.0.0.1:1900 *:*
svchost.exe:848 UDP 192.168.1.97:1900 *:*

Svchost.exe is responsible for a great many things under XP, you can find out more by using tasklist /SVC in a ‘Command Prompt’. In this case, however, we can, if you wish, close port 1900.

In the Services Console scroll down until you find SSDP Discovery Service and repeat the steps outlined above. Then do the same for Universal Plug and Play Device Host.

Remember to check your router documentation first.

Those steps should close a few more ports.

Finally, I noticed in your Network Monitor rules that you have two entries for NIST below a Block rule. It would be better to move the Block rule to the bottom.

Hope this helps you, I don't even know if I need to close any more, I guess only if they are ports susceptible to compromise by Trojans/viruses. I have had ALOT less problems after just closing the NetBios. And I think I have learned more about ports and processes in the past 7 days than I ever dreamed existed!

It’s always better to turn off services, and thus, close ports that we don’t need or use.

Thanks SOOOOO much if I haven't told you so already. Clapping

You’re welcome. I hope the aforementioned instructions help.

Toggie
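
The PID lookup described above (netstat -aon, then tasklist /SVC) can be done in one pass. The following Python sketch is an added example, not part of the original posts: it joins the two outputs by PID and separates loopback-only sockets from those bound to a network-facing address. The sample text is constructed from the addresses, ports and PIDs in the thread; the service names are illustrative.

```python
import re

# Constructed sample in `netstat -aon` layout; addresses, ports and PIDs are
# taken from the TCPView listing posted in the thread.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       2320
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.97:1727      207.46.106.81:1863     ESTABLISHED     1896
  UDP    0.0.0.0:500            *:*                                    548
  UDP    0.0.0.0:4500           *:*                                    548
  UDP    0.0.0.0:1027           *:*                                    808
  UDP    127.0.0.1:1029         *:*                                    1612
  UDP    127.0.0.1:1900         *:*                                    848
  UDP    192.168.1.97:1900      *:*                                    848
"""

# Constructed sample in `tasklist /SVC` layout; the service names are
# illustrative. PID 1612 is left out on purpose, as in the thread.
TASKLIST = """\
Image Name                   PID Services
========================= ====== ========================================
lsass.exe                    548 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  808 Dnscache
svchost.exe                  848 LmHosts, SSDPSRV
ashWebSv.exe                1520 avast! Web Scanner
msnmsgr.exe                 1896 N/A
alg.exe                     2320 ALG
"""

def parse_tasklist(text):
    """Return {pid: (image, services)} from `tasklist /SVC` output."""
    owners = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line)
        if m:
            owners[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return owners

def parse_netstat(text):
    """Yield (proto, host, port, state, pid) for each socket row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        host, port = f[1].rsplit(":", 1)
        state = f[3] if len(f) == 5 else ""  # UDP rows have no State column
        yield f[0], host, int(port), state, int(f[-1])

def scope(host):
    """Say who can reach a socket bound to this local address."""
    if host.startswith("127."):
        return "loopback"          # only programs on this PC
    if host == "0.0.0.0":
        return "all-interfaces"    # every adapter on the PC
    return "single-interface"      # one adapter address

def audit(netstat_text, tasklist_text):
    """Join TCP listeners and UDP sockets to their owning process by PID."""
    owners = parse_tasklist(tasklist_text)
    rows = []
    for proto, host, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue               # a connection in progress, not an open port
        image, services = owners.get(pid, ("UNKNOWN", ""))
        rows.append({"proto": proto, "port": port, "pid": pid, "image": image,
                     "services": services, "scope": scope(host)})
    return rows

def network_reachable(rows):
    """Keep only sockets that are not bound to loopback."""
    return [r for r in rows if r["scope"] != "loopback"]
```

Rows whose image comes back as UNKNOWN are the ones to chase further in Process Explorer; loopback rows such as the Avast proxy ports are not reachable from outside the PC.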

Thanks again! I’ll start with the answers: when the modem lights were flashing, I used to just leave my browser up/running and go to bed! Now I disconnect by actually pulling the power cord to the modem. NO lights AT ALL!

Westell 6100 is NOT UPNP compliant, I just checked online. I will uninstall Y! Messenger, that is where my problems started (chat rooms).

Below are enclosing three screenshots, as the process wasn’t showing on the RPC? It’s like it’s there on TCPView, but not on Command Prompt:


http://img260.imageshack.us/img260/984/rpcunavailableqc8.th.png


http://img260.imageshack.us/img260/5326/nonexistcommandrp9.th.png


http://img260.imageshack.us/img260/5531/nonexistct8.th.png

I could not find/did not understand the NIST part of it. Didn’t see it/not sure where to look - I have DOS and code running around in my head!!! (:NRD)
I closed the ports under services, and will make sure everything runs correctly. (R) (S)

Hi kc7brown

Below are enclosing three screenshots, as the process wasn't showing on the RPC? It's like it's there on TCPView, but not on Command Prompt:

The PID for this ‘unknown’ process in the screen shots is 2236 (check the screen shots attached), but we still don’t know what the owner process is.

Would you mind trying again? netstat -ano, find the PID, then either tasklist /SVC or use Process Explorer to try and trace the owner.

I could not find/did not understand the NIST part of it. Didn't see it/not sure where to look - I have DOS and code running around in my head!!!

Apologies, I didn’t explain myself very well. In your Network Monitor rules you have two listed at the bottom. Both are for allowing Windows to synchronise its clock with an Internet source.

In Network Monitor, rules are processed from the top down, so if a Block rule appears above an Allow rule, it may cause problems. In your rules there is a Block above these two. Just move the block rule to the bottom. There are move up and move down controls at the top of the NM screen.

Toggie
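
Top-down rule processing, as an added example that is not part of the original posts: a first-match evaluator plus a check for rules that an earlier rule makes unreachable. The rule tuple format, the 192.0.2.x time-server addresses and the port-80 rule are assumptions for illustration, not Comodo's rule format or the poster's actual rules.

```python
ANY = None  # wildcard for a rule field

# Hypothetical rule model: (action, protocol, destination, destination port).
# Constructed rule set: a block-all sitting above two time-sync (NTP, UDP 123)
# allow rules, which is the ordering problem described in the post above.
BEFORE = [
    ("allow", "TCP", ANY, 80),
    ("block", ANY, ANY, ANY),
    ("allow", "UDP", "192.0.2.10", 123),
    ("allow", "UDP", "192.0.2.11", 123),
]


def covers(earlier, later):
    """True if everything `later` matches is also matched by `earlier`."""
    return all(e is ANY or e == l for e, l in zip(earlier[1:], later[1:]))


def decide(rules, packet):
    """Walk the list top-down; the first matching rule decides.

    `packet` is (protocol, destination, destination port).
    """
    for rule in rules:
        if covers(rule, ("",) + packet):
            return rule[0]
    return "no-match"


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


def move_to_bottom(rules, index):
    """Return a new list with the rule at `index` moved to the end."""
    return rules[:index] + rules[index + 1:] + [rules[index]]


AFTER = move_to_bottom(BEFORE, 1)  # block-all now last

if __name__ == "__main__":
    ntp = ("UDP", "192.0.2.10", 123)
    print("before:", decide(BEFORE, ntp), "shadowed rules:", shadowed(BEFORE))
    print("after: ", decide(AFTER, ntp), "shadowed rules:", shadowed(AFTER))
```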


I took care of the “nist” block issue and moved the block to the bottom.

On the unidentified 2236 process: on netstat it still shows as: UDP

127.0.0.1:1046 .

On the other (there are now 2) unidentified 2236 process: on netstat there is another: TCP

192.168.1.97:1049 192.168.1.254:80 ESTABLISHED

When I run tasklist ERROR: The RPC server is unavailable.