Computer is sending broadcasts out on 137 and 138....

  1. #1

    This one has me rather confused/curious...

    I wiped my sister's computer and reinstalled XP Home. Before going online, I installed Sygate, AntiVir, Spyware Blaster, Safe XP, etc. The computer from which I took the Sygate install, along with all the rest of them, is clean. I adjusted the appropriate settings, disabled useless services, all the standard things one should do.

    Once I got online, I updated Win, but not with SP2. I have my doubts about it still.

    Sygate is recording broadcasts (to 255.255.255.255) from ports 137 and 138. Svchost is the culprit. I've added a rule to Sygate to block them, since I imagine my ISP doesn't want a bunch of NetBIOS crap being broadcast all over the place.

    I'm curious as to what is causing this. I've done a virus scan, nothing came up. I would think it's incredibly unlikely I picked up anything, since I didn't go online 'til I installed the proper security software and changed to safer settings.

    More importantly, of course, is how the hell do I turn this crap off?

  2. #2
    MrLinus
    You've actually answered the question as to what it is: a NetBIOS over TCP/IP broadcast. This, IIRC, is part of the Network Neighbourhood and the Master Browser concept that MS introduced with Win95 (legacy stuff). You should be able to turn it off with these steps.

    For info on Master Browser, etc., check out this link.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    It's "normal" behaviour for Windows.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Thanks for the replies and links.

    It seems that I am unable to turn off NetBIOS on my sister's machine. I went into the properties menu for TCP/IP and disabled it (I also uninstalled the other network crap that MS uses as a default, like client for MS networks, so that only TCP/IP is available).

    The broadcasts are still occurring. When I go back into the properties for TCP/IP on her machine, the option to allow NetBIOS is selected once again, even though I had disabled it a few seconds prior. Before anyone asks, I hit Ok, Apply, etc. for each successive screen 'til they were all dealt with.

    On my machine, I notice the same behavior, where the option to use NetBIOS is continuously reset, no matter how many times I tell MS not to use it. My machine does not issue out broadcasts, however. I have never noticed broadcasts on my machine, only on my sister's machine.

    Is there something in the registry that I need to edit? I know I have messed around with the reg on my comp, but that was a long time ago, and I've forgotten what I did. Maybe I changed a setting that needs to be changed on her computer as well, in order to stop the broadcasts.

    Thank you for any advice or info. This is a cool site, I've been reading lots on here.

  5. #5
    MrLinus
    Perhaps update with SP2? I have SP2 and it holds the settings well.... Do you have all the other hotfixes as well (not including SP2)?

  6. #6
    Stopping the Server service should stop it sending NetBIOS broadcasts. But this also means the machine isn't remotely accessible (using shares and/or admin tools) anymore.

  7. #7
    Please note: Any and all advice presented in this post is presented as is. I am in no way responsible if you should render your system disabled. I merely present this information as an effort to share knowledge I have accumulated from my own mishaps.

    To know what services are launching svchost.exe, take a look at your services list in the administrative tools (Start -> Settings -> Control Panel -> Administrative Tools -> Services). There will be a few things there that load that executable.


    1. Open Regedit (start -> run -> type in regedit -> Press Okay)
    2. Back up the registry (file -> Export Registry File -> Set the range to all -> Choose your save in directory -> give the file a name -> click okay)
    3. Take a look at the following Reg Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    4. Examine the values associated with Run. These are the items loading on boot. If you don't know what it is, then Google it. Once you know what it is, then either leave it or delete it. Either way, take note of the location of the exe 'cause you will be looking at the properties later on.
    5. Take a look at the following Reg Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    6. Repeat step 4.
    7. Take a look at the following Reg Key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    8. Repeat step 4.
    9. Take a look at the following Reg Key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    10. Repeat step 4.
    11. Take a look at the following Reg Key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    12. Repeat step 4.
    13. Close your registry editor and start finding those executables you just took note of.
    14. Once you locate the executables, examine the last modified times of them. If they are Windows executables and the times don't correspond with your default install times, then you will probably want to re-extract them from your Windows CD (Learn how to extract files), or the i386 files if you have them. If the files are not Windows files, but distributed by some other company, perhaps an uninstall and verification of the removal of their exe is in order. Take a look at their install files and see if they provide you with a files/time list.

    Hope this helps,

    The more you know, the less you understand!
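
The Run/RunOnce review in steps 3 to 12 of the post above can also be done offline against the export made in step 2. The following is an added example, not part of the original post: it assumes regedit's "Version 5.00" text format, the function names are this example's own, and the sample export is constructed.

```python
import re

# The four autorun keys from the steps above, lower-cased (exports spell HKLM's branch "SOFTWARE").
_CV = r"\software\microsoft\windows\currentversion" + "\\"
AUTORUN_KEYS = {h + _CV + k for h in ("hkey_local_machine", "hkey_current_user")
                for k in ("run", "runonce")}

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)      # .reg escapes: \\ -> \ and \" -> "

def decode_value(raw):
    """Decode REG_SZ ("...") or REG_EXPAND_SZ (hex(2): UTF-16LE bytes)."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return _unescape(raw[1:-1]) if raw.startswith('"') else raw

def exe_path(command):
    """Best-effort executable path: quoted first token, else up to .exe etc."""
    m = re.match(r'\s*"([^"]+)"', command) or re.match(
        r"\s*(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", command, re.I)
    return m.group(1) if m else command.strip()

def autoruns(reg_text):
    """Return (key, value name, command, executable) for each autorun entry."""
    text = re.sub(r"\\\r?\n", "", reg_text)  # join hex continuation lines
    found, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")           # remember the current key
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and key and key.lower() in AUTORUN_KEYS:
            command = decode_value(m.group(2))
            found.append((key, _unescape(m.group(1)), command, exe_path(command)))
    return found

# Constructed sample export (not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleFirewall"="\"C:\\Program Files\\ExampleFW\\fw.exe\" -tray"
"ExampleUpdater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,2e,00,\
  65,00,78,00,65,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"NotAutorun"="C:\\ignored.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ExampleSetup"="C:\\Program Files\\Example\\setup.exe /quiet"
'''
print(*autoruns(SAMPLE), sep="\n")
```

regedit writes Version 5.00 exports as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `autoruns`. The executable column is the list of files whose modified times step 14 asks you to check.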

  8. #8
    Please correct me if I'm wrong, but other than disabling NetBIOS from the network connection, you also have to go to the device manager, then click on the view tab and click on hidden. Then to "no plug and play devices", then go down to "netbios over TCP/IP". Disable it and then restart.
    And then NetBIOS is disabled completely, right?
