W98SE, Port Explorer v1.800 I have had a problem with netstat reporting: Prot. Local Remote State TCP 0.0.0.0:1025 0.0.0.0:0 Listening I had suspected that my firewall was causing this because when I am offline and close the program, the port number gets closed too. Then if I reopen it the local port number changes to the next highest and is listening. I have contacted Zone Alarm in the past over this and they stated the firewall does not listen on any ports and that I must be infected with a trojan/virus or something . I have tried a full NAV in the safe mode and Pest Patrol, but nothing has been found. I fully uninstall ZAP, cleaned the registry of it and reinstalled it only to have the same thing happen. Trying to resolve this I have tried Port Explorer, TDS-3 and Wormguard3, seriously thinking to buy the $99 suite if it solved this mystery I have been working on for over a month now. The results are posted below. If under this trail period you can help me get this suite to tell me why port 1025 is listening, then I will still consider buying it even though the TDS-3 posed such a loss of time for me due to the bad 07-12-04 update. Seeing TrojanDropper.ÿÿÿÿÿÿÿÿÿ all over the place after ZAP tech support told me I was infected really had me up for hours seeing several files on the 40GB hard drive eaten up with it . I came to the board to see if there was a way to salvage any of the files only to find out it was done by a bad update. With the new update nothing was found. Of course WormGuard is just a protection item, but it has a crash problem I will have to search it's board over. I haven't been able to connect at my highest speed in quite a while and twice today with it on I have gotten on at my faster speed thus I hope this is due to it and not just a fluke . Port Explorer states in red that my Zone Alarm Pro "VSMON.EXE" is causing it to be listening and from reading the board this is normal for it to appear in red. 13/07/2004 07:57:49am OPEN Other 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-521123 13/07/2004 07:57:50am OPEN TCP 0.0.0.0:0 0.0.0.0:0 Success 0 C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-521123 13/07/2004 07:57:50am LISTEN TCP 0.0.0.0:1370 0.0.0.0:0 Success C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE:-521123 vsmon says it has a total of 2 sockets which I guess is what the Statistics TCP calls the Passive Open Connections of 2. The TCP Stats also said Active Open Connections where 25 which I need to know what this means. I hadn't at that point opened any programs on the net, thus if this doesn't reflect the number of times DNS where sent on port 53 by ZAP to log incomming attempts I need to know this. I used Socket Spy to see what vsmon was up to and it was mainly doing udp's to port 53 (DNS server). Then it was I guess adding privacy settings to pages I saved since I really don't know how to read this stuff. Zonealarm says their program doesn't leave a port listening, but does say it will add privacy settings to pages you save and I am sure does the DNS to add locations to its report. Is there a way to print out the Socket Spy log or save it to view it later or have someone else to view it to see if anything is off My firewall has been taking a lot more hits than it ever has in the past and some from the same IP address's it seems. As far as I can tell and from all I have read I guess ZAP's vsmon.exe has been altered to allow a trojan to cause this port to listening since ZAP says it shouldn't be. So how do I go about finding out if a trojan is causing this Or prove vsmon.exe is really doing this and tech support didn't tell me the truth. PE looks like a great program but it will definately take more than a month to get the hang of it . But if this problem can be solved in that time, I definately hope it get the suite or at least get it.