I have a domain lockout issue and in troubleshooting, I found through netstat that my machine is pummeling the domain controllers on ports 445 and 139. It is creating thousands of user ports to do this: today it started at port 54000ish and within a couple of hours was up to 60000.

netstat -ob identifies the process as PID 4.

In my research so far, I keep hearing that a virus is the likely cause. I have Trend Micro and Windows Defender running; a full scan by Windows Defender identified nothing amiss.

Are there any other causes besides a virus that I could look into?

I was able to stop it by blocking the outbound ports in windows firewall, but obviously this is not ideal.

Anything I can do short of reinstalling the OS?

GoalBased
  • What is 'a domain lockout issue'? What are 'user ports'? Do you know what ephemeral ports are? – BlueCompute Oct 29 '14 at 13:59
  • A netstat -o should give you the ProcessID of the process creating the outbound connection. (-b can also give you the name of the executable if it's not a system process.) Then you can hopefully use the Task Manager to find out what that process is. – Lars Lind Nilsson Oct 29 '14 at 14:44
  • @LarsLindNilsson I forgot to mention that I originally ran netstat -b. I have updated the question. The process is "unknown". – GoalBased Oct 29 '14 at 14:52
  • @GoalBased Then try with the -o to get the ProcessID. The "unknown" from -b can indicate that it's a system process. On my computer, I have some connections that are "unknown" but have process ID = 4. And in Task Manager I can see that process ID 4 is the System. – Lars Lind Nilsson Oct 29 '14 at 15:07
  • @LarsLindNilsson They are indeed process ID 4. I will update the question again. – GoalBased Oct 29 '14 at 15:10

1 Answer

The offending service turned out to be Windows Media Player Network Sharing (wmpnetwk.exe). I don't recall using media player on this machine, so I'm not sure how that service got activated.

netstat -bo was reporting "Can not obtain ownership information" for the process name and PID 4 (which in Task Manager shows "NT Kernel & System").

Here's how I identified the culprit:

I checked the box in Windows Task Manager to "Show processes from all users." Then I went to the "Services" tab and started stopping services, starting with the highest PIDs first, and checking netstat -bo a few times after each one until I no longer saw the "Can not obtain ownership information" process connecting to the domain controllers on the microsoft-ds and nb-ssn ports.

GoalBased
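The stop-a-service-and-recheck-netstat loop above is easier to judge with numbers than by eyeballing netstat output. The following PowerShell is an added example, not code from the question or answer: it parses `netstat -ano`, summarises outbound connections to ports 445 and 139 per domain controller and owning PID (PID 4 resolves to System), and reports the local-port span so the ephemeral-port churn is measurable before and after each service is stopped. It assumes Windows PowerShell 3 or later (for `-in`, `Get-CimInstance` and member enumeration); the function names are my own.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 3+.
function Get-SmbConnectionSummary {
    param([string[]]$NetstatLines = (netstat -ano))
    $rows = foreach ($line in $NetstatLines) {
        # TCP rows of netstat -ano: proto, local addr:port, remote addr:port, state, pid
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            $remotePort = [int]$Matches[4]
            if ($remotePort -in 445, 139) {          # microsoft-ds and nb-ssn
                [pscustomobject]@{
                    RemoteAddr = $Matches[3]
                    RemotePort = $remotePort
                    LocalPort  = [int]$Matches[2]
                    State      = $Matches[5]
                    OwningPid  = [int]$Matches[6]
                }
            }
        }
    }
    # One summary row per (domain controller, port, owning PID)
    $rows | Group-Object RemoteAddr, RemotePort, OwningPid | ForEach-Object {
        $first = $_.Group[0]
        $proc  = Get-Process -Id $first.OwningPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddr   = $first.RemoteAddr
            RemotePort   = $first.RemotePort
            OwningPid    = $first.OwningPid
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }  # PID 4 -> System
            Connections  = $_.Count
            # A wide, climbing local-port span is the ephemeral-port burn the question describes
            LocalPortMin = ($_.Group.LocalPort | Measure-Object -Minimum).Minimum
            LocalPortMax = ($_.Group.LocalPort | Measure-Object -Maximum).Maximum
        }
    }
}

# Running services sorted by PID, highest first: the candidate list the answer
# works through one service at a time (e.g. WMPNetworkSvc / wmpnetwk.exe).
function Get-RunningServiceCandidates {
    Get-CimInstance Win32_Service -Filter "State='Running'" |
        Sort-Object ProcessId -Descending |
        Select-Object ProcessId, Name, DisplayName, PathName
}

# Take a snapshot now; stop one candidate service, then run the first line again
# and compare the Connections and LocalPortMax columns to see whether the churn stopped.
Get-SmbConnectionSummary | Sort-Object Connections -Descending | Format-Table -AutoSize
Get-RunningServiceCandidates | Format-Table -AutoSize
```

Run from an elevated prompt so that `netstat -ano` and service enumeration return complete information; the culprit is the service whose stop makes the PID 4 rows disappear on the next snapshot.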