NetBios connecting

When I run TCP Inspector, it shows Netbios (135) connected. I've checked and verified that Netbios is still disabled (or looks like it should be) in TCP properties. I also downloaded the Noshare utility from GRC which is supposed to disable Netbios. Still, Netbios is connecting.

Does this indicate something bad on my system? I'm on a standalone computer - no network, dialup access, no IIS installed either.

How do I completely disable Netbios? Is there any way to tell who it's connecting to?

 

Hi Taba & Welcome,

You can download TDS3 from here: http://tds.diamondcs.com.au/
On that same page you will find a link to the latest Radius file, Install TDS3 then place the radius file in the TDS3 folder (you will be asked to verify this)
Reboot and in scan control enable all the scans. Select all logical drives and start the scan, this is an in depth scan and will take a while, so get yourself a nice drink.

Whilst at the DiamondCS website download the trial version of Port Explorer,
http://www.diamondcs.com.au/portexplorer/
this will enable to trace your port 135 actions. Note Port Exploerer does not get on with McAfee's firewall

Pleas report your findings - Pilli

 

Hi taba, for further information check out: http://www.ntsvcfg.de/ntsvcfg_eng.html for more information on netbios and the ports stuff and: http://www.greatis.com/regrun3appdatabase.htm for more information what's running on your machine,
http://www.grc.com/default.htm then go to "Your three Musketeers". There's lots of information on the Gibsons research page.

paulson

 

Thanks, Philli,

I installed and updated TDS-3 yesterday and ran *all* tests, including all drives. It did take a long time but didn't find anything on the drives. I found the NetBios connection listed in TCP inspector.

I'll update again and re-run all tests just to be sure, and also check the Port Explorer. Do I need to be online while doing the drive scan?

 

Thanks for the links, Paulson. Looks like great info - I'll check it out in a bit. I'm familiar with the GRC site - I use some of his utilities on every system I check or use. Very helpful. I'm surprised that his NetBios disabler didn't really disable NetBios.

Now on to another round of testing...

 

Hi again Taba, Being on line should make no difference, though I would stop any Anti Virus resident programs as they can get in the way

Pilli

 

The GRC stuff is quite good, no question. But it only disables DCOM, the messenger and upnp. This is a "one for all" solution. Every user could and should use these tools. If your machine is a standalone (you said so) and never connected to a network surrounding there's some more options to protect it. When doing this you can (or better, you will) loose the ability to share stuff or interact with other machines in a network 'cause all doors are really closed. (and can't be opened, except you're changing the settings). You can't do this in most office and home network surroundings.
paulson

 

OK, I ran the full scan again with all options. Here's the scandump. I also installed Port Explorer - I'm posting the results but it's probably going to be messy to read. Let me know if there's something else that would be helpful.

Thanks for any help in figuring out why NetBios won't close, and if there's anything else going on here.


Scan Control Dumped @ 17:55:28 27-07-04
NTFS Alternate Data Stream: ADS Hidden Stream Detected: 368 bytes
File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c3ec04c61fc1.tif:xj1phwzh5qcwungrn45kt3kice

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 368 bytes
File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c3ec12e71538.tif:xj1phwzh5qcwungrn45kt3kice

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 368 bytes
File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c3f72c8091db.tif:xj1phwzh5qcwungrn45kt3kice

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 324 bytes
File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c4024c113ac2.tif:xj1phwzh5qcwungrn45kt3kice

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 368 bytes
File: c:\documents and settings\all users\application data\microsoft\windows nt\msfax\inbox\401c420aaad73c0.tif:xj1phwzh5qcwungrn45kt3kice


Port Explorer results (the 207.69.... is my ISP)
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDR | LOCAL PORT | REMOTE ADDR | REMOTE PORT | PORT STATUS | SENT | RECVD |
------------------------------------------------------------------------------------------------------------------
| SYSTEM | --- | 4 | TCP | 0.0.0.0 | 1027 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| ccapp.exe | 18:06 27/07/2004 | 388 | TCP | 127.0.0.1 | 1028 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| lsass.exe | 18:05 27/07/2004 | 664 | UDP | 0.0.0.0 | 500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:05 27/07/2004 | 824 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:05 27/07/2004 | 880 | TCP | 0.0.0.0 | 1025 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:09 27/07/2004 | 880 | UDP | XX.XXX.X.XX | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:09 27/07/2004 | 880 | UDP | 127.0.0.1 | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1029 | 207.69.188.186 | 53 | LISTENING | 15/572 | 11/2174 |
| svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1031 | 207.69.188.186 | 53 | LISTENING | 5/219 | 4/674 |
| svchost.exe | 18:09 27/07/2004 | 944 | UDP | 0.0.0.0 | 1032 | 207.69.188.185 | 53 | LISTENING | 1/45 | 1/221 |
| vsmon.exe | 18:05 27/07/2004 | 1508 | TCP | 0.0.0.0 | 1026 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| iexplore.exe | 18:11 27/07/2004 | 2080 | UDP | 127.0.0.1 | 1036 | 127.0.0.1 | 1036 | LISTENING | 361/361 | 361/361 |

 

Sorry, Paulson, but I'm not quite sure what you are recommending here. Are you saying not to use these 3 GRC utilities to disable DCOM, messenger, and upnp? If there are better options for a completely standalone pc, I'm interested. This pc will never be used in a networked environment at home or office.

 

You can try this wormdoor cleaner:

 

Thanks, Gerardwil! That did the trick and 135 is now really closed. Also closed 445 as well.


So is there anything else I should be checking given the logs above? Anyone?

 

Hi taba, Those hidden streams look like they may be associated with your FAX processor as these are images of a kind, 368 bytes is probably OK.
GKweb's little utility "WWDC" is a great little tool
Also try these XP-Antispy: http://www.xp-antispy.org/index.php...itory&Itemid=26
And finally Safe XP: http://www.majorgeeks.com/download4070.html

HTH Pilli

 

Hi, I didn't want to make things more complicated. What I tried to say was: Use the GRC utilities, they are very good tools. After they did their work, you machine is more secure than before and you are able to use all of them networking functions windows gave to you. But if you're working on a standalone you can improve security and lower the risks by going further. F.e. you can release network services from your dial up adaptors and so on...

The prog in gerardwil's post looks good, will check it out. Did TDS shows all ports closed and not in use (Network --> Local Host Scanner) after running the wormdoor cleaner on your machine? Or was it an online scan that showed the ports closed?

paulson

 

Hi paulson, GK's WWDC does similar things to Steve's tools but in an all in one utility with a user friendly interface and loads of help on his website.

 

Yep, agree with Pilli there, it's all-in-one utility is great.

I've been beefing up security on my daughter's PC [new browser, email] etc. and I had done port scans and always Stealthed/Closed, depending on the site so no worries there.

I read this thread and thought I'd try TCP Inspector in TDS and lo and behold it said the UnP&P Port 5000 was open. Huh? So I did a Trojan Port check also, and said 5000 open.... whoa..

I immediately did scans at 3 sites, GRC, PC FLank, Blackcode and all reported fine. I had already DISABLED UnP&P in Services, I had already set FW rules up, but was still concerned with TCP Inspector's findings.... so dl'd gkweb's WWDC app, applied all the settings, and I am now convinced it's locked tighter than a fish's, you know what.

TAS

 

Thanks for clarifying, Paulson. I've been using GRC tools and tips for years (to disable upnp, dcom, tcp 135, unnecessary tcpip bindings, etc) and so was surprised when I discovered they didn't work completely on this pc. Online scans (GRC, PCFlank, Hackerwhacker) showed 135 and 445 closed, yet TDS showed both open. Hence the need to use the wormdoor cleaner which did really close them down based on new TDS-3 scans.

Now I'm trying to figure out why a few ports are showing in use in Local Host Scanner. I emailed support rather than posting here because I'm getting a bit paranoid about posting info about potential security issues.


Philli - thx for the feedback on the hidden data streams and for the links.