Strange "Look at the Newb" Port Problem

tetzy

New Member
Thanks for reading this post, guys. As I stated in the subject, I'm new to Vista (Premium Edition, 64-bit with SP1) and I'm stumped.

I'd been having some ISP slowdowns lately and in the process of troubleshooting, I discovered I have an open port - specifically, port 623 (ASF-RMCP - the "ASF Remote Management and Control Protocol" described elsewhere as "Aux Bus Shunt").

I've run through my processes and killed (unchecked) all of the exceptions listed with Windows Firewall but I can't close this port.

Now, according to one site, this port can be utilized by the RTB666 trojan, but I've scanned my system and it isn't present.

I'm using the Windows Firewall, Windows Defender setup, I have "Network File and Folder Sharing" disabled and don't have a router.

Is there a way that I can close that port manually? I've looked through the "Windows Firewall Settings" dialog and it only allows me to *add* an open port, not close a hole...that is, unless I'm missing something.

Any help?
 


A port is "listening" because a process has actively bound to that port and is waiting for client connections. For example, a web server process would (by default) bind to TCP port 80, an FTP server to port 21, and so on.

Deactivating a port, for lack of a better word, can be accomplished either by stopping or killing the process that's bound to it, or by filtering (cutting off) the port at the firewall level.

In any situation where you're not sure why a port is listening, the main concern is to identify the actual process. If it's obfuscated or hiding in any way, that reinforces the notion that malware may be involved, in which case it becomes doubly important to find it and to root it out, as opposed to merely blocking it via the firewall. The blocking may not be complete or successful.

Try to find that port listed in the output of NETSTAT -NAO from a CMD prompt. If you see it in the list, there will be a "process ID" (PID) which you can then match against the output of the TASKLIST command to see the process name. (NETSTAT -NAB does it in one step but I personally find it excruciatingly slow.)

Once you know which process is bound to the port, you're in a better position to decide whether you installed it and whether its actions are legit, or whether it's time to panic and reach for the virus scanner.
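The PID-matching step described in the reply above, as an added example that is not part of the original thread: it joins saved output of `netstat -nao` and `tasklist /fo csv /nh` to show which process owns each listening port. The sample output, addresses and PIDs are constructed for illustration; only the port number and the LMS.exe name come from this thread.

```python
import csv
import io

# Constructed sample of `netstat -nao` output (addresses and PIDs are made up).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:623            0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.10:49200     203.0.113.5:443        ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       868
  UDP    0.0.0.0:500            *:*                                    1020
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''\
"svchost.exe","868","Services","0","6,912 K"
"svchost.exe","1020","Services","0","12,004 K"
"LMS.exe","1764","Services","0","3,548 K"
'''

def parse_listeners(netstat_text):
    """Return (proto, port, pid) for listening TCP sockets and bound UDP sockets."""
    found = []
    for line in netstat_text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # headers and blank lines
        # UDP rows have no State column, so the PID is always the last field.
        if f[0] == "TCP" and (len(f) < 5 or f[3] != "LISTENING"):
            continue
        port = int(f[1].rsplit(":", 1)[1])  # rsplit copes with [::]:135
        found.append((f[0], port, int(f[-1])))
    return found

def parse_tasklist(csv_text):
    """Map PID -> image name from CSV-format tasklist output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(csv_text)) if row}

def owners(netstat_text, tasklist_text):
    names = parse_tasklist(tasklist_text)
    # A PID missing from the task list is reported rather than dropped.
    return sorted({(proto, port, pid, names.get(pid, "<no such process>"))
                   for proto, port, pid in parse_listeners(netstat_text)})

if __name__ == "__main__":
    for proto, port, pid, name in owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto:4} {port:>5}  PID {pid:<6} {name}")
```

To use it on a real machine, redirect the two commands to text files from an elevated CMD prompt and pass their contents to `owners()` in place of the samples.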
 


Try to find that port listed in the output of NETSTAT -NAO from a CMD prompt. If you see it in the list, there will be a "process ID" (PID) which you can then match against the output of the TASKLIST command to see the process name. (NETSTAT -NAB does it in one step but I personally find it excruciatingly slow.)

You, sir, are sage & wise beyond your years!

I've followed your instructions and found that port 623 was being held open by "LMS.exe" <--- the "Local Manageability Service", Part of Intel's "remote PC assist technology" (mind the parenthesis, their terminology, not mine!) installed with my mobo's driver set.

From what I've gathered from the cryptic explanation in the EULA, this is an auto update scheme of some sort. After disabling its auto startup, renaming and moving the file, the port's now closed and my PC's none the worse without it...so far.

Again, thank you for your reply.

Darr
 


It would not be easy for me to be wise beyond my years, unfortunately ;)

I'm glad to hear you found what you needed.
 
