Port 445 traffic

taoh780

Junior Member
Jul 8, 2004
This morning my ISP shut off my DSL circuit because one of the computers behind my network has been port scanning.

After using NAV to get rid of detectable viruses with the latest def and deleting everything that showed up with ad-aware, there was still unwanted network activity coming from the computer.

The traffic seems to be on port 445 of the destination computers. It is outgoing on ports in the 3000 range. I put the computer behind a Netgear broadband router and blocked ports 400-65535 but there is still traffic on those ports.

Has anyone come across such a problem? I have no idea how else to figure out what it is so that I can fix the problem.

The computer is a Sony laptop running Windows XP Home. If you need any more details about the computer, let me know.
 

n0cmonkey

Elite Member
Jun 10, 2001
Pretty sure 445 is getting hit pretty hard right now. If your machine is still scanning, you didn't get everything. Format and try again. ;)
 

KB

Diamond Member
Nov 8, 1999
Formatting would be the safest method. You could use some tools to see what process is performing the scan. Sysinternals has a utility, TCPView (http://www.sysinternals.com/ntw2k/source/tcpview.shtml), which shows which process has what port open. You could also install ZoneAlarm or Kerio Personal Firewall and it will prompt you to allow each process through the firewall. You can then identify which process is trying to scan.
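
The port-to-process mapping described in the post above can also be read from the output of `netstat -ano`. The following is an added example, not part of the original thread: it parses a constructed sample of that output and flags any PID that is contacting many distinct hosts on port 445. The sample addresses, PIDs and the `min_targets` threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.5:3011       203.0.113.10:445       SYN_SENT        1184
  TCP    192.168.0.5:3012       203.0.113.11:445       SYN_SENT        1184
  TCP    192.168.0.5:3013       203.0.113.12:445       SYN_SENT        1184
  TCP    192.168.0.5:3014       198.51.100.21:445      ESTABLISHED     1184
  TCP    192.168.0.5:3015       198.51.100.22:445      SYN_SENT        1184
  TCP    192.168.0.5:2950       198.51.100.7:80        ESTABLISHED     620
  TCP    192.168.0.5:2960       192.168.0.2:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

def outbound_by_pid(netstat_text, port=445):
    """Map PID -> {remote host: state} for TCP connections to `port`."""
    result = defaultdict(dict)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns: proto, local, foreign, state, pid.
        # Headers and UDP rows (no state column) are skipped.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, _local, foreign, state, pid = fields
        host, _, rport = foreign.rpartition(":")
        if state == "LISTENING" or not rport.isdigit() or int(rport) != port:
            continue
        result[int(pid)][host] = state
    return dict(result)

def suspect_pids(netstat_text, port=445, min_targets=4):
    """PIDs contacting at least `min_targets` distinct hosts on `port`."""
    flagged = {}
    for pid, hosts in outbound_by_pid(netstat_text, port).items():
        if len(hosts) >= min_targets:
            # Many half-open (SYN_SENT) connections are typical of scanning.
            half_open = sum(1 for s in hosts.values() if s == "SYN_SENT")
            flagged[pid] = {"targets": sorted(hosts), "syn_sent": half_open}
    return flagged

if __name__ == "__main__":
    for pid, info in suspect_pids(SAMPLE).items():
        print(pid, len(info["targets"]), "targets,", info["syn_sent"], "half-open")
```

A flagged PID can then be matched to an image name in Task Manager (with the PID column enabled) or in TCPView.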
 

Ryoga

Senior member
Jun 6, 2004
Port 445 is used for SMB over TCP, or for NetBIOS. That suggests there's some virus activity going on, because of exploits with NetBIOS.

I suggest ensuring that your Windows PCs are all up-to-date, and running up-to-date antivirus scanners, including online scanners such as Trend Micro's Housecall and Panda's ActiveScan.

Blocking ports 400+ is not going to do anything more than just blocking 445 would.