Port scanning?

Ilja Mäki

I have Windows XP Home Edition. I turned on its firewall and noticed that
according to the log file it creates my computer (the source IP address in
the log file is the one of my computer) seems to open TCP and UDP ports to
some IP addresses every few minutes though I (or any other one in the local
area network) am not using the internet. After a short while the ports are
closed according to the log file. The port numbers often appear to be
sequential. Is this normal? Or is my computer infected by some virus that is
doing some sort of port scanning? How can I get to know which application or
process is opening those ports? How can I stop that? I am using AVG virus
scanner Free Edition. It found a dialer virus in my system yesterday (which
I moved to Virus Vault and then deleted) but not anything that seems to be
causing this.

Thank you for any help!

Regards,
Illi
 
Kevin Boyle

Try installing Zone Alarm (it will offer better protection anyway). To
solve your problem, it will ask you each time a program goes to access the
internet and tell you what that program is, which should help you track down
your source.
 
Ilja Mäki

I am running both Zone Alarm and the XP firewall. Is that a good idea?

It seems that my IP address is a destination in the Zone Alarm log and a
source in the XP firewall log. The peer address is a source in Zone Alarm
and a destination in XP firewall, correspondingly. I did not realize that
relation between the logs because Zone Alarm seems to only write a line in
the log when a port is opened while XP firewall also logs the port closure
event. Why is it that way?

Zone Alarm tells me that the protocol used in those events is ICMP and Type
is Firewall. Is it normal that someone tries to ping my computer about once a
minute from different IP addresses? Should I be worried? So far Zone Alarm
has blocked those requests.

I cleared the Program Control list in Zone Alarm in order to initiate the
traffic control. After a couple of minutes a process named "Generic Host
Process for Win32 Services" tried to establish an outgoing connection to
some IP address at port 53. I denied that. As far as I know that process is
some basic process in Windows XP and I should allow it to establish network
connections in order to be able to use the network at all, am I right? But
why did it try to establish a connection when I did not do anything?

Anyway, now when I have disabled the network access of that process, the
only port opened and closed according to the XP firewall log file is UDP
port 137. I guess I should allow the network access for the generic host
process again in order to get tracking the port scanning effect I was
initially talking about.

Illi
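
An added example, not part of the original posts: one way to read the XP firewall log described above is to group outbound OPEN entries by destination, so the local source port (assigned by the OS, and typically just counting upward) is kept apart from the destination port that shows which service is being contacted. The field order, the sample lines (constructed, using documentation addresses), the function names and the `threshold` heuristic are assumptions.

```python
from collections import defaultdict

# Constructed sample in the pfirewall.log layout (field order is an assumption):
# date time action protocol src-ip dst-ip src-port dst-port size ... info
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-05-01 10:00:01 OPEN UDP 192.168.0.10 192.0.2.53 1031 53 - - - - - - - -
2004-05-01 10:00:02 OPEN UDP 192.168.0.10 192.0.2.53 1032 53 - - - - - - - -
2004-05-01 10:00:03 OPEN TCP 192.168.0.10 198.51.100.7 1033 80 - - - - - - - -
2004-05-01 10:01:05 CLOSE UDP 192.168.0.10 192.0.2.53 1031 53 - - - - - - - -
2004-05-01 10:02:00 OPEN UDP 192.168.0.10 192.168.0.255 137 137 - - - - - - - -
2004-05-01 10:03:00 DROP ICMP 203.0.113.9 192.168.0.10 - - 60 - - - - 8 0 -
"""

FIELDS = ["date", "time", "action", "protocol",
          "src_ip", "dst_ip", "src_port", "dst_port"]

def parse(text):
    """Yield one dict per entry, skipping '#' header lines and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def summarize_outbound(text, local_ip):
    """Map (protocol, dst_ip, dst_port) -> local source ports of OPEN events."""
    groups = defaultdict(list)
    for e in parse(text):
        if (e["action"] == "OPEN" and e["src_ip"] == local_ip
                and e["src_port"].isdigit() and e["dst_port"].isdigit()):
            key = (e["protocol"], e["dst_ip"], int(e["dst_port"]))
            groups[key].append(int(e["src_port"]))
    return dict(groups)

def scan_like(groups, threshold=10):
    """Destination IPs contacted on >= threshold distinct ports (heuristic)."""
    ports = defaultdict(set)
    for (_proto, dst_ip, dst_port) in groups:
        ports[dst_ip].add(dst_port)
    return sorted(ip for ip, p in ports.items() if len(p) >= threshold)

if __name__ == "__main__":
    g = summarize_outbound(SAMPLE_LOG, "192.168.0.10")
    for key, src_ports in sorted(g.items()):
        print(key, "local ports:", src_ports)
    print("scan-like destinations:", scan_like(g))
```

On the constructed sample, the sequential numbers (1031, 1032) appear only as local ports toward a single destination port 53, and no destination is flagged as scan-like.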
 
