Computer is broadcasting on port 139 at startup - Virus?

1

Maybe this isn't the right forum to ask this question, but here it goes. Whenever I boot my Vista machine, right after login there has been an extended delay until the actual desktop appears. I also noted recently that my other machines on the same network... their antivirus firewall is reporting that there is a broadcast of TCP traffic on port 139.

I've scanned my machine up and down for viruses, but haven't been able to find any. Could anybody think of something non-malicious that could be causing this? Is this a particularly well hidden rootkit?

Brett

Posted 2010-02-24T20:25:52.133

Reputation: 876

Answers

1

It might be worthwhile to install Wireshark on another machine on your network and see what the packets are. As @marcusw and @Phoshi have noted, it could be Windows sharing, or it could be a virus, so it seems worth investigating the two possibilities.

What is your antivirus situation? Have you given Rootkit Revealer a try?

As for boot times, it might be worth opening up Event Viewer and looking in the System log and seeing if there are any obvious gaps between messages. Since you're on Vista, I believe there is some decent tracing of startup issues available, as per this article. If you go into its image gallery, the author walks you through investigating some programs that are slowing down the boot process. Unfortunately I don't have access to a Vista or 7 computer at the moment to confirm.

dsolimano

Posted 2010-02-24T20:25:52.133

Reputation: 2 778
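
Added example, not part of the answer above: one way to read the capture it suggests is to list, per machine, which peers it tried to open TCP 139 sessions to and which of them replied. The input layout, the `tshark` export in the comment, the addresses and the `fanout_threshold` cut-off are all assumptions made for this sketch.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of this (assumed) export from a saved capture:
#   tshark -r capture.pcap -T fields -E separator=, -e frame.time_relative \
#     -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
# All addresses and timings below are made up for illustration.
SAMPLE = """\
0.10,192.168.1.10,192.168.1.20,49160,139,0x0002
0.11,192.168.1.20,192.168.1.10,139,49160,0x0012
0.12,192.168.1.10,192.168.1.21,49161,139,0x0002
0.13,192.168.1.10,192.168.1.22,49162,139,0x0002
0.14,192.168.1.10,192.168.1.23,49163,139,0x0002
0.15,192.168.1.10,192.168.1.20,49164,445,0x0002
5.00,192.168.1.20,192.168.1.30,50000,139,0x0002
5.01,192.168.1.30,192.168.1.20,139,50000,0x0012
"""

SYN, ACK = 0x02, 0x10


def summarize_port139(text, port=139, fanout_threshold=3):
    """Per client: peers it sent a SYN to on `port`, and which replied SYN/ACK.

    fanout_threshold is an assumed cut-off for "contacting many peers", not a
    standard value; set it from how many machines really share files.
    """
    tried = defaultdict(set)
    answered = defaultdict(set)
    for row in csv.reader(io.StringIO(text)):
        try:
            _, src, dst, sport, dport, flags = row
            sport, dport, flags = int(sport), int(dport), int(flags, 16)
        except ValueError:  # wrong column count, or non-TCP row with empty fields
            continue
        if flags & SYN and not flags & ACK and dport == port:
            tried[src].add(dst)        # client opening a session
        elif flags & SYN and flags & ACK and sport == port:
            answered[dst].add(src)     # server's reply, addressed to the client
    return {
        client: {
            "tried": sorted(peers),
            "answered": sorted(answered[client] & peers),
            "fanout": len(peers) >= fanout_threshold,
        }
        for client, peers in tried.items()
    }
```

A client whose `tried` list includes hosts it has no shares on, with few entries in `answered`, is the one to inspect packet by packet in Wireshark.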

0

A quick Google of the port mentioned turns up that it is used by the system for Windows File and Printer sharing. Try that first next time?

Oh, and I can't really help with the long boot times; Windows gives you no diagnostic information to go on and no system logs to look at, so you are about stuck unless your system crashes and happens to flash an error message (which you somehow manage to read before it goes away), which Google may be able to identify for you.

marcusw

Posted 2010-02-24T20:25:52.133

Reputation: 1 678

1 If I were writing a virus I'd use a port that wouldn't immediately arouse suspicion - don't be so quick to call it safe. – Phoshi – 2010-02-24T20:43:38.593

1 That should not be possible because of Windows binding to that port on startup.

If you really want to be sure, you can check with Wireshark and see if the packets are really the expected ones. – marcusw – 2010-02-24T21:10:15.760

Aye, but it's not exactly unheard of for a virus to patch itself into normally clean system files, unfortunately. – Phoshi – 2010-02-24T21:31:21.367

@marcusw: Of course I know what the port is. However, many viruses have been known to proliferate through Windows file sharing, which is why it caused alarm; one could see it as the virus trying to spread itself to other computers. Also, just because Windows file sharing is bound to port 139, that doesn't mean it can't transmit to other devices on that port (it doesn't use 139 as the source port). – Brett – 2010-02-25T16:24:48.233

Well, I am neither a virus writer, security expert, person who has read the related RFC pages, or otherwise qualified individual, so you can tweak my advice all you want :) Just trying to help out, though I will stick to my point about error messages. – marcusw – 2010-02-25T17:32:33.437