Wireshark-users: Re: [Wireshark-users] Unexplained Netbios Traffic
From: "Jon Ziminsky" <ziminskyj@xxxxxxxxx>
Date: Thu, 2 Oct 2008 10:35:56 -0600

Thanks for the reg key... But I want to try and find out what is causing the problem instead of simply covering it up.

I have a little more information on what is going on, but I am still in the dark as to what is causing it.

The traffic is being generated by services.exe and is actually going out over random ports, yet Wireshark as well as TCPDump are seeing it as port 137... Here is what PortReporter is showing:

08/10/2,9:10:11,UDP,2155,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:10:18,UDP,2159,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:10:50,UDP,2168,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:11:20,UDP,2173,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:11:47,UDP,2178,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:11:52,UDP,2180,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:12:11,UDP,2188,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:12:17,UDP,2190,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:12:37,UDP,2191,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:12:42,UDP,2192,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>

The 0.0.0.0 address is not obfuscated, that is what is showing in the log...

TCPView shows the port open and close very rapidly.

ProcExplorer doesn't reveal anything deeper than the PID 252 belonging to services.exe.

I tried running rootkitrevealer, and get an error when installing it. I ran Spybot (1.6) with the newest sigs, and it came back clean.

I am at a complete loss at this point. I think I will need to wipe and reload to make myself feel better.
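A way to reconcile the two views described above, as an added example that is not part of the original post or thread: a UDP datagram carries both a source and a destination port, so Port Reporter's log shows the ephemeral local port a process bound (2155, 2159, ...) while a Wireshark or tcpdump filter on port 137 matches the destination port of a NetBIOS Name Service query. Matching the capture's UDP source port against the Port Reporter log attributes each query to a PID, and decoding the first-level-encoded name in the query shows which NetBIOS name is being looked up. The Port Reporter lines, the capture entries and the NBNS payloads below are constructed for illustration; the names queried are not from the original post.

```python
"""Tie Port Reporter entries to NBNS queries seen on the wire (constructed sample data)."""
import struct

# Constructed Port Reporter lines in the layout the post shows:
# date,time,proto,local port,local IP,remote IP,remote port,PID,process,user
PR_LOG = r"""08/10/2,9:10:11,UDP,2155,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:10:18,UDP,2159,0.0.0.0,*,*,252,services.exe,<NT AUTHORITY\SYSTEM>
08/10/2,9:10:20,TCP,3389,0.0.0.0,*,*,1024,svchost.exe,<NT AUTHORITY\NETWORK SERVICE>
"""


def parse_port_reporter(text):
    """Parse Port Reporter CSV lines into dicts; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 10:
            continue
        records.append({"time": fields[1], "proto": fields[2], "port": int(fields[3]),
                        "pid": int(fields[7]), "process": fields[8], "user": fields[9]})
    return records


def decode_nbns_name(encoded):
    """Undo NetBIOS first-level encoding (RFC 1001 14.1): 32 chars 'A'..'P', two per byte.
    Returns (name, suffix); byte 16 is the service suffix (0x00 workstation, 0x20 server, ...)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    # Names are padded with spaces; the '*' wildcard (NBSTAT) is padded with NULs.
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def decode_nbns_query(payload):
    """Parse the UDP payload of an NBNS query: 12-byte header plus one question (RFC 1002)."""
    if len(payload) < 50:
        raise ValueError("payload too short for an NBNS question")
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if qdcount < 1 or payload[12] != 32 or payload[45] != 0:
        raise ValueError("no well-formed question section")
    name, suffix = decode_nbns_name(payload[13:45].decode("latin-1"))
    qtype, _qclass = struct.unpack(">HH", payload[46:50])
    return {"txid": txid, "flags": flags, "name": name, "suffix": suffix,
            "qtype": {0x20: "NB", 0x21: "NBSTAT"}.get(qtype, hex(qtype))}


def nbns_query(txid, name, suffix, qtype):
    """Build a constructed NBNS query payload for the sample capture below."""
    padded = name.encode("ascii").ljust(15, b" ") + bytes([suffix])
    encoded = "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0xF)) for b in padded)
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)  # query, RD + broadcast
    return header + b"\x20" + encoded.encode("ascii") + b"\x00" + struct.pack(">HH", qtype, 1)


# Hand-built wildcard NBSTAT query: '*' (0x2A -> "CK") followed by 15 NULs ("AA" each).
WILDCARD_NBSTAT = (b"\x82\x28\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00"
                   + b"\x20" + b"CK" + b"A" * 30 + b"\x00" + b"\x00\x21\x00\x01")

# Constructed capture summary: (udp source port, udp destination port, payload).
CAPTURE = [
    (2155, 137, nbns_query(0x1234, "EXAMPLE-HOST", 0x20, 0x20)),
    (2159, 137, WILDCARD_NBSTAT),
    (3389, 445, b"not an nbns datagram"),
]


def correlate(capture, records):
    """Attribute each NBNS query (destination port 137) to the PID that held its source port."""
    by_port = {(r["proto"], r["port"]): r for r in records}
    hits = []
    for src, dst, payload in capture:
        if dst != 137:
            continue
        try:
            q = decode_nbns_query(payload)
        except ValueError:
            continue
        owner = by_port.get(("UDP", src))
        hits.append({"src_port": src, "pid": owner["pid"] if owner else None,
                     "process": owner["process"] if owner else None,
                     "name": q["name"], "suffix": q["suffix"], "qtype": q["qtype"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(CAPTURE, parse_port_reporter(PR_LOG)):
        print(hit)
```

The match is on port number alone, which is enough for a short window like the one in the log; over a longer capture ephemeral ports are reused, so join on the Port Reporter timestamp as well before trusting an attribution. The decoded name and suffix are what to look at next: a `<1B>` or `<1D>` suffix points at browser elections, `<20>` at a server lookup, and the `*` NBSTAT form at an adapter status request.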