Why is my PC scanning ports?

Author	All Replies
Crookfingerjake @comcast.net	Why is my PC scanning ports? Recently while using the wireless network on my campus, I got an e-mail from our network security admin. He told me that my laptop was scanning ports on the network and if it continued he would disable my access. I've never installed a port scanner on my laptop and the most recent updates for Spybot S&D, Ad-Aware, and Bit Defender found nothing other than advertiser cookies on my system. I'm running Windows Vista Home Premium from a completely stripped down Dell Inspiron E1705. I'm curious if there are any inherent windows processes that will do this, or any popular programs like winamp, itunes, etc that might do this. Any help appreciated. My current HiijackThis log: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 11:04:57 AM, on 4/8/2008 Platform: Windows Vista (WinNT 6.00.1904) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskeng.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\I8kfanGUI\I8kfanGUI.exe C:\Windows\system32\wbem\unsecapp.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\HijackThis\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://home.myborgata.net/dana-na/auth/url_default/welcome.cgi R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 2562 bytes
	to forum · permalink · 2008-04-08 11:17:55 ·
yock The Internet Is For Porn Premium,MVM join:2000-11-21 Fairfield, OH	The HJT log doesn't show anything troubling. I'd like to know what this admin thinks you were scanning, how he knows it was you, and how he was able to associate those scans with you and your e-mail address.
	to forum · permalink · · 2008-04-08 13:17:47 ·
docrice join:2008-03-31 Fremont, CA	reply to Crookfingerjake Vista itself may send out some traffic (such as the occasional Teredo lookup to Microsoft's servers if you have IPv6 enabled in your stack), etc.. That said, even if you have those anti-(misc) apps on your machine, those rely on signatures. Lots of stuff out there that doesn't get picked up by these apps. Sniff the traffic on your interface and see what happens. Alternately, if your campus has an open network, it might be possible that while your machine is idling, someone spoofed your MAC address and is performing port scans "on your behalf," so to speak. You could also use something more simple like TCPView to see which apps are opening and closing connections locally on your machine.
	to forum · permalink · · 2008-04-08 13:23:52 ·
nwrickert Premium,MVM join:2004-09-04 Geneva, IL	reply to Crookfingerjake Vista seems to attempt to build a description of the network to which you are connected. If the campus IDS is set to a hair trigger, perhaps it detects that.
	to forum · permalink · · 2008-04-08 13:56:22 ·
Crookfingerjake @comcast.net	reply to Crookfingerjake Thanks for the responses, I'm going to look into TCPView. What programs do you all suggest to best monitor my PC's network activity?
	to forum · permalink · 2008-04-08 23:44:41 ·
docrice join:2008-03-31 Fremont, CA	Wireshark. Quite frankly one of the best free tools out there. »www.wireshark.org/download.html
	to forum · permalink · · 2008-04-09 00:08:46 ·
tdumaine join:2004-03-14 Federal Way, WA	reply to Crookfingerjake My bet is in my network places its automatically looking for network shares and the admin is picking up on that. Why they would have those ports open and not blocked at the router, i dunno
	to forum · permalink · · 2008-05-04 21:58:09 ·


Tuesday, 20-May 14:29:03	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact 8th year online! © 1999-2008 dslreports.com. page compression OFF