Status
Not open for further replies.
1 - 7 of 7 Posts

·
Registered
Joined
·
35 Posts
Discussion Starter · #1 ·
Hi. I seem to have two open ports, at least that's what Symantec Security Check keeps telling me. I've googled all over the place, followed the advice & still the check sees a port that should not be visible from the net.

What I've done is to turn off the PC's file and printer sharing; in the TCP/IP filtering box I've changed the settings from 'permit all' to 'permit only' & then left the boxes empty, i.e. no ports. In the Windows registry I've changed the EnableDCOM value to N.

I've set ZoneAlarm as high as I could & blocked all incoming & specifically I've blocked the UDP ports. When it asked which ports to block I entered 135 & also the same for outgoing ports.

How do I close or stealth my open ports, specifically 135? Pleeeaasse Help.

Thanks

Edit: Typo

2nd Edit: Wrong forum. Sorry. I'm running Windows XP (Home).
 

·
Registered
Joined
·
5,945 Posts
Apparently, there is a legitimate process which uses port 135, the RPC (Remote Procedure Call) Locator, but it shouldn't automatically be enabled.

To check if it is, see this quote from an MS KB article I found:

"How do I tell if the Locator service is enabled?
The status of the "Remote Procedure Call (RPC) Locator" service and how it is started (automatically or manually) can be viewed in the Control Panel. For Windows 2000 and Windows XP, use Control Panel | Administrative Tools | Services, and on Windows NT 4.0, use Control Panel | Services."

If it's enabled, disable it and then run the Symantec scan again and see if 135 is still open.

If it is, that could be bad news, so you might want to try an anti-trojan program and/or move this to the Security Forum and consider running a HijackThis scan: http://www.thespykiller.co.uk/ .
 

·
Registered
Joined
·
35 Posts
Discussion Starter · #4 ·
Just been there. There's an RPC call, which is started and set to auto (which is greyed out). Start, Stop, Pause & Resume are also greyed out so I can't touch them.

RPC call manager says manual but doesn't appear to be active, nevertheless I've disabled it. So it now says disabled.
 

·
Registered
Joined
·
128 Posts
[just some more info on this]

The GRC advice is good.

There is also good advice on the site for closing ports 137, 138, and 139, sometimes left open in Windows by NetBIOS:
http://www.grc.com/su-bondage.htm

Here is GRC's description of port 135:
http://grc.com/port_135.htm

It's the DCOM port.

Microsoft's DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN's UNIX use of port 111. The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.

Also linked from there:
http://accs-net.com/smallfish/dcom.htm

Networks and Workgroups may use DCOM to access resources on secure corporate networks. Home users usually don't need to have DCOM active. It all depends on what applications users choose to use. Each user must investigate their own systems to determine if DCOM is being used for what they consider a legitimate purpose or necessary function.

Windows Media Encoder is just one of the apps that will activate DCOM. "Live Update" type applications that come pre-installed by many computer manufacturers (Compaq, HP, Dell, etc) usually require DCOM. @Home users may have it activated when installing their Internet access software. Users who have installed ISP-specific software (Earthlink's, for example), may also have this installed. (I can't say this too many times: Do not install ISP software. Use Dialup Networking and the browser you already have instead. If your ISP requires you use their software, get another ISP if possible.)

The existence of DCOM first becomes obvious to many users after installing a firewall like Zone Alarm since DCOM will attempt to access the Internet if it's enabled.

Here's Microsoft's article on DCOM and port 135, including how to enable and disable it:
http://support.microsoft.com/kb/q158508/

Steve Gibson at GRC has also created a simple utility called DCOMbobulator to turn off DCOM if you want to do it that way:
http://grc.com/dcom/

HOWEVER, Zone Alarm should be able to close or stealth a port regardless of whether your software is trying to use it. If you have specifically told it not to allow access to 135 and 135 is still open, that could be a sign of a problem.

Yes, definitely run a trojan scan and a virus scan, and run some anti-adware applications. You might post a HijackThis log somewhere if that doesn't help. (Note that you should do this even if you turn off 135 with DCOMbobulator, because that will not remove a trojan from your computer.)

free trojan scanners:
http://www.emsisoft.com/en/
http://www.ewido.net/en/

free trial:
http://www.trojanhunter.com/
http://tds.diamondcs.com.au/
http://www.moosoft.com/
http://www.agnitum.com/products/tauscan/

other:
http://www.nsclean.com/boclean.html

Antivirus and antispyware scanners are easy to find. Or you could try an online scanner.

Try this for a slow but thorough scan:
http://support.f-secure.com/enu/home/ols.shtml

Other good ones (somewhat faster):
http://www.pandasoftware.com/activescan/activescan.asp
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan/licence.php

To download a self-contained scanner (no install required but won't fix problems):
http://www.mwti.net/antivirus/mwav.asp

free antivirus:
http://www.free-av.com/
http://free.grisoft.com/
http://www.avast.com/

Good commercial AV include PC-Cillin, NOD32, and lots of others. Antispyware to try include Ad-Aware, Spybot, Microsoft Antispyware, SpySubtract, Spy Sweeper, CounterSpy, Spyware Doctor, ZeroSpyware and Bazooka.

If you can't get ZA to close or stealth the port, you might also contact Zone Labs:
http://www.zonelabs.com/store/content/home.jsp
 

·
Registered
Joined
·
35 Posts
Discussion Starter · #7 ·
hl5 said:
"Here's Microsoft's article on DCOM and port 135, including how to enable and disable it:
http://support.microsoft.com/kb/q158508/"

Thanks. I've done what it says on that report, i.e. changing the EnableDCOM value to N.

hl5 said:
"HOWEVER, Zone Alarm should be able to close or stealth a port regardless of whether your software is trying to use it. If you have specifically told it not to allow access to 135 and 135 is still open, that could be a sign of a problem."

Well, in the ZoneAlarm settings I've blocked both incoming & outgoing UDP & TCP ports, but when it asks which port number I've put 135 for both TCP & UDP. Does that seem OK?

Ta for the links though. I'm gonna go through them & see what I can find out.
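
A local check to read alongside the external scan discussed in this thread, added here as an example (not code from any poster): it parses `netstat -ano` output and reports which of the ports named above (135, 137-139) have a listener, on which bind address, and under which PID. The sample output and the function names `watched_listeners` and `exposure` are constructed for illustration.

```python
import re

# Ports named in the thread: 135 (RPC endpoint mapper / DCOM), 137-139 (NetBIOS).
WATCHED = {135, 137, 138, 139}

# Constructed sample of `netstat -ano` output on Windows XP (not taken from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       192.168.1.20:1033      ESTABLISHED     4
  UDP    0.0.0.0:135            *:*                                    948
  UDP    192.168.1.10:137       *:*                                    4
  UDP    192.168.1.10:138       *:*                                    4
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def exposure(addr):
    """Classify a bind address by who can reach it before any firewall is applied."""
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback-only"
    if addr in ("0.0.0.0", "[::]"):
        return "all-interfaces"
    return "single-interface"

def watched_listeners(netstat_text, ports=WATCHED):
    """Return sorted (proto, port, exposure, pid) for listeners on watched ports."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, addr, port, _foreign, state, pid = m.groups()
        # TCP rows carry a state; UDP is connectionless, so its rows have none.
        if proto == "TCP" and state != "LISTENING":
            continue
        if int(port) in ports:
            found.append((proto, int(port), exposure(addr), int(pid)))
    return sorted(found)

if __name__ == "__main__":
    for proto, port, scope, pid in watched_listeners(SAMPLE):
        print(f"{proto}/{port:<4} {scope:<17} PID {pid}")
```

A listener bound to all interfaces is reachable from the network unless a firewall or router filters it, so the local listener list and the external scan result need to be read together.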
 