port 1032

Discussion in 'ESET Smart Security' started by hamid_virtual, Mar 1, 2009.

Thread Status:
Not open for further replies.
  1. hamid_virtual

    hamid_virtual Registered Member

    Joined:
    Feb 27, 2009
    Posts:
    23
    Hi

    I have installed Win XP SP3 and Smart Security firewall (Nod32).

    When I am connecting to the internet, the firewall wants to get permission for:

    Svchost.exe
    inbound
    port : 1032


    On other computers Svchost.exe just asked for outbound, but on this computer it wants to get an inbound connection also.

    Why does this computer want an inbound port? I have installed the same program on my laptop; the laptop just got outbound permission and never asked for inbound.

    My motherboard is Gigabyte. I have already found the Trojan virus on my motherboard CD, but I didn't use the CD because of this virus; I have just downloaded the driver.


    That's why I am afraid: can the ROM of this motherboard have any Trojan or virus? (It's a new motherboard, I bought it yesterday.)

    My hard disk is also new and I installed only XP and the Nod32 Smart Security firewall.


    Please help me with this issue.
     
    Last edited: Mar 1, 2009
  2. ASpace

    ASpace Guest

    The information you have provided is too little to be precise.
    One would need information about the installed programs, running processes and active network connections. Additionally, the network/subnet you are connected to.

    I am not sure if you can mention all this here in the forum, so you'd better contact ESET Technical Support. Just open ESS, go to Help -> Contact customer care (recommended) and follow the instructions.
     
  3. hamid_virtual

    hamid_virtual Registered Member

    Just svchost.exe has been connected to the network!

    The port changes after each reboot: 1032, 1033, 1034 ...

    and the port wants to connect (inbound) to Svchost.exe
     
  4. ASpace

    ASpace Guest

    I think the situation needs further checking - something that cannot be done here in the forum with the amount of information you provide. That is why I think you should provide ESET Customer Care dept. more information and they'll help you.

    A port doesn't want to connect. A computer establishes a connection to another computer from a port to another port. You have a remote computer that tries to connect to your computer's svchost.exe on incoming port 1032 (and others). If you aren't sure about the connection, block it (at least temporarily).
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    All incoming packets from the www should be blocked by your firewall SW.

    Check your FW log to see the source IP, resolve the site and report back please.

    I doubt you have a trojan / parasite, BUT to be safe run some scans from top-of-the-list AVs. See attached port report.
     


  6. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Can you tell me the IP from where the UDP traffic comes? The use of port 1032 can have various reasons:

    - ICQ Traffic
    - Communication of the BackDoor-AWW (look for that: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "mssys" = %WinDir%\mssys.exe')
    - BBN IAD, but normally used by Windows 2000, don't know for XP3.

    So again, please check the remote IP/address and give feedback.

    For now, just block this traffic.
     
  7. hamid_virtual

    hamid_virtual Registered Member

    Hi

    That's my router (ADSL modem) IP address.




     
  8. hamid_virtual

    hamid_virtual Registered Member

    I have 2 entries in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

    1 - Default -- > value not set
    2 - egui --> C:\prgram files\eset\eset smart security\egui.exe"/hide wait service

    I didn't install any program.
    I did Fdisk my HDD / installed Windows / installed Smart Security.

    I have some other computers on the same network with the same programs, but I don't have this problem with them.
     
  9. Tommy

    Tommy Registered Member

    Try disabling the Universal Plug and Play Device.
    By the way, is your Router password protected? :)
     
    Last edited: Mar 1, 2009
  10. hamid_virtual

    hamid_virtual Registered Member

    Yes, that's a secure connection.
    If I don't allow the port, I can't receive anything via internet because of SVChost.exe

    I have some other computers on this router, but I don't have any problem with them.
     
  11. Tommy

    Tommy Registered Member

    Ah, a network with other PCs attached ;)

    Well, if you don't have Oracle running, which uses this port for IPv4 traffic, it looks like a 'Port-based network access control' to provide a means of authenticating and authorizing devices attached to a LAN.
    Your router probably sends back an "Access-Accept" info. If you disable this port you won't be able to connect to the Internet.

    Please keep in mind that I am guessing here. What OS do the other attached PCs have?
    Perhaps Stem also has an opinion.
     
  12. hamid_virtual

    hamid_virtual Registered Member

    The other computers are using the same XP version.
    If I shut down the other computers :) still the same problem.

    There is something between my computer and the router;
    I am worried about a trojan / virus.

    I have installed Windows Vista :)) I got the same problem but with other ports: 49153 - 49154 - 49155


    If I cannot do anything, I have to buy another motherboard :((
    I started having this problem when I changed my motherboard, hard disk and CPU.

    Maybe my motherboard has a trojan in ROM (I bought it 2 days ago).


     
  13. Tommy

    Tommy Registered Member

    I think it is a 'Port-based network access control' which is not dangerous.
     
  14. hamid_virtual

    hamid_virtual Registered Member

    "Port-based network access control"?

    Wireless card or LAN card?
    I removed my wireless and connected to the internet by LAN; still the same problem.

    The system asked me to open another port: 1115 :D

    Just to know, how can I check (scan) my ROM for a virus/Trojan?

    I can't trust the ROM when I found the virus in the motherboard driver :)



     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello,

    As Tommy already put forward:

    Have you disabled the SSDP Discovery service (UPnP) in the router and the PC?
    Inbound UDP to svchost on the lower ports (XP) is typical of that service.

    - Stem
     
  16. hamid_virtual

    hamid_virtual Registered Member


    Hi, I could check only "SSDP"; I don't know how to check UPnP.

    SSDP in my Computer is : Enable - Manually

    Thanks
     
    Last edited: Mar 1, 2009
  17. Stem

    Stem Firewall Expert

    In XP:-

    To disable UPnP

    Go to Start; select "Run",

    type in "services.msc" then OK,

    In the Windows services window, find the SSDP service

    Double left click that service, which will bring up the options

    First press "Stop", then change the startup type to Disabled.


    - Stem
     
  18. Stem

    Stem Firewall Expert

    You made an edit as I was posting.

    You will need to disable SSDP, and possibly make a reboot to remove the addition of extra network config that is created after SSDP is established.

    You probably installed and set up Windows while connected to the router, which will then fully set up SSDP; then after adding a firewall the comms are blocked and connections can be lost.


    - Stem
     
  19. hamid_virtual

    hamid_virtual Registered Member

    Thank you,
    but still the same problem.
    I think that's some connection between my device and the router.

    I have removed my wireless and I did set up a LAN driver.

    The port has changed:

    Generic Host Process for Win32 Services
    Publisher : Microsoft
    remote computer : 207.46.232.187
    port : 123 ( ntp)


    and

    Generic Host Process for Win32 Services
    Publisher : Microsoft
    remote computer : 192.168.1.1 ( My router ip address )
    port : 1317 ( sometimes another port )



    Shall I give them access when the publisher is Microsoft?





     
  20. Stem

    Stem Firewall Expert

    That is the "Windows Time" service. You can also disable that if required in the Windows services.

    Not sure from the info what that is; I know the port is named "vrts-ipcserver" and some applications that use that.

    Do you have a tunnel (VPN) option in the router that is enabled?


    - Stem
     
  21. hamid_virtual

    hamid_virtual Registered Member

    Someone came here (from the ISP) and he fixed my router settings;
    I think they didn't make any VPN settings.

    On my computer also I didn't make any VPN connection.


    --->>> I am using another laptop on this network (wireless connection). I have already connected the laptop by LAN to the router :) then I got the inbound alarm :D
    On the laptop I didn't have any inbound alarm, but when I used LAN I got the same error.


     
  22. Stem

    Stem Firewall Expert

    You should first go into the router and check the settings. Disable any setting such as remote admin (unless you use that?). Disable UPnP and check any settings for group management.
    If you still have unknown packets being dropped/logged, then you will need to run a sniffer (such as Wireshark), then post the log so I can see what stream, if any, those packets may belong to.


    - Stem
     
  23. hamid_virtual

    hamid_virtual Registered Member

    Thank you for the help!
    I don't have the router's password now;
    I'll check it, then I'll inform you.

    Thank you


     
  24. Stem

    Stem Firewall Expert

    Yes,

    Before you start sniffing with Wireshark, close down your browsers, then start Wireshark, let it run and capture any packets. Check your firewall log for the blocked packets; when you see a few packets blocked by the firewall, stop the sniffer and check to see if the sniffer has captured any packets. If yes, then save the sniffer log and attach it to your post. Also post a screenshot of the firewall log that shows the blocked packets.

    - Stem
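
Added example (not part of the thread, and not code from ESET or any poster): a Python triage of UDP payloads taken from a capture like the one requested above, checking whether an inbound datagram to svchost.exe is SSDP/UPnP traffic from the router, as Stem suggested earlier. The function names and sample datagrams are constructed for illustration; 192.168.1.1 is the router address given in the thread.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

def parse_ssdp(payload: bytes):
    """Return (kind, headers) if payload looks like SSDP, else None."""
    try:
        lines = payload.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    start = lines[0].upper()
    if start.startswith("HTTP/1.1 200"):
        kind = "response"          # unicast answer to an M-SEARCH
    elif start.startswith("NOTIFY * HTTP/1.1"):
        kind = "notify"            # multicast advertisement
    elif start.startswith("M-SEARCH * HTTP/1.1"):
        kind = "search"            # discovery query
    else:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    # Responses and searches name a search target (ST), advertisements a type (NT).
    required = {"response": "ST", "notify": "NT", "search": "ST"}[kind]
    return (kind, headers) if required in headers else None

def triage(src_ip: str, payload: bytes, gateway: str) -> str:
    """Classify one inbound UDP datagram the firewall prompted on or blocked."""
    parsed = parse_ssdp(payload)
    if parsed is None:
        return "not-ssdp"                      # needs a closer look in the capture
    kind, headers = parsed
    if not ip_address(src_ip).is_private:
        return "ssdp-from-internet"            # discovery traffic should stay on the LAN
    loc_host = urlsplit(headers.get("LOCATION", "")).hostname
    if loc_host and loc_host != src_ip:
        return "ssdp-location-mismatch"        # description URL points at another host
    return f"ssdp-{kind}-from-gateway" if src_ip == gateway else f"ssdp-{kind}-from-lan"

# Constructed sample datagrams (not taken from the poster's capture).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                   b"ST: upnp:rootdevice\r\nUSN: uuid:example::upnp:rootdevice\r\n"
                   b"LOCATION: http://192.168.1.1:80/desc.xml\r\n\r\n")
SAMPLE_OTHER = b"\x00\x01binary-not-ssdp"

if __name__ == "__main__":
    print(triage("192.168.1.1", SAMPLE_RESPONSE, "192.168.1.1"))
    print(triage("192.168.1.1", SAMPLE_OTHER, "192.168.1.1"))
```

An SSDP search reply is sent unicast to whatever source port the PC's query used, which is why such traffic appears as inbound UDP to svchost.exe on a port that varies.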
     
  25. hamid_virtual

    hamid_virtual Registered Member

    Sorry, I didn't understand very well.

    1 - Should I close my Nod32 firewall and use the Wireshark firewall? Or should I use both of them?

    2 - You told me to send a firewall log; does it mean the Nod32 log?

    3 - There are some versions of Wireshark; would you please let me know which one I should download?

    Windows installer
    windows U3
    windows portableAPPs
    OS x inter
    OS x ppC
    Secure Code



     