Capture ID of packet generating application


TerryH

Hello,
I recently found (using Zone Alarm) that some program is
sending outgoing packets to port 139 on random IP addresses
in the 139.xxx.xxx.xxx range. These packets are generated
at ten-minute intervals, although system scheduler shows
nothing and Norton Antivirus detects nothing.
What I would like is to locate the program which is doing
this, and eliminate it. Is it possible to set the event logs
in W2K Pro, latest patches and SP, to capture the
application's program ID for any program which tries to
generate a port 139 outgoing packet?
Mine is a two computer network, just shared connections
through a router to cable modem, so there are very few
packets being sent.
Thanks,
Terry.
 
You could try auditing of process tracking on your computer and then try to
match processes in the log to the times that ZA detects the attempt, but I
thought ZA would tell what the application name is unless it is reporting a
generic system process. Beware that auditing of process tracking can be
tedious.

In addition to antivirus, you need to run a spyware checker at regular
intervals these days such as SpyBot or AdAware. I would also suggest trying
TCPView from Sysinternals to see if you can track the port usage back to
the folder or executable that originated it. Traffic to port 139 on a
network computer would not be unusual, but not to internet addresses.
-- Steve

http://mvps.org/winhelp2002/unwanted.htm --- info about parasites.
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
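
The timestamp matching suggested in the reply above, as an added example that is not part of the original thread: it ranks executables by how many firewall alerts were preceded by a launch of that executable in the process tracking audit log. The records, paths, times and the `rank_candidates` helper are constructed for illustration; 592 and 593 are the Windows 2000 Security log event IDs for process creation and process exit.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
PROCESS_CREATED = 592  # Security log event ID for process creation on Windows 2000

# Constructed sample records (time, event ID, image path); not real log output.
AUDIT = [
    ("2004-03-01 09:12:40", 592, r"C:\WINNT\explorer.exe"),
    ("2004-03-01 09:59:57", 592, r"C:\WINNT\system32\sample_helper.exe"),
    ("2004-03-01 10:00:30", 593, r"C:\WINNT\system32\sample_helper.exe"),
    ("2004-03-01 10:04:10", 592, r"C:\WINNT\notepad.exe"),
    ("2004-03-01 10:09:58", 592, r"C:\WINNT\system32\sample_helper.exe"),
    ("2004-03-01 10:19:56", 592, r"C:\WINNT\system32\sample_helper.exe"),
    ("2004-03-01 10:19:59", 592, r"C:\WINNT\system32\cmd.exe"),
]
# Constructed firewall alert times for the outbound port 139 attempts.
ALERTS = ["2004-03-01 10:00:01", "2004-03-01 10:10:02", "2004-03-01 10:20:00"]


def rank_candidates(audit, alerts, window_seconds=10):
    """Count, per image, how many alerts were preceded by a launch of that
    image within window_seconds. Returns [(image, hits)], most hits first."""
    window = timedelta(seconds=window_seconds)
    launches = [(datetime.strptime(t, FMT), image.lower())
                for t, event_id, image in audit if event_id == PROCESS_CREATED]
    hits = Counter()
    for alert in alerts:
        when = datetime.strptime(alert, FMT)
        # A set, so several launches of one image before one alert count once.
        seen = {image for started, image in launches
                if timedelta(0) <= when - started <= window}
        hits.update(seen)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for image, count in rank_candidates(AUDIT, ALERTS):
        print(f"{count}/{len(ALERTS)} alerts  {image}")
```

This only surfaces programs that are started shortly before each attempt; a process that stays resident and sends on its own timer produces no launch event to match, which is where watching the connection's owning process in TCPView helps.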
 