Your reply kind of looks like what I see.... The ports being scanned _tend_ to be "common" ports to scan for vulnerabilites.... I need to spend more time looking at the dumps but I get the impresssion they are using a port list to speed up the scan, (makes them look good, (quick scan), finds the huge holes, thus makes them money
Well given that the scans are Nessus and Nmap standard scans I'm not surprised that they are common ports. This isn't a unique scanning tool. Heck, GRC has more of a unique signature in his scans than these guys do. Also, their FAQ identifies that that Basic scan does 1500 ports and takes about 10 minutes (load of crap -- took a good hour on my setup).

I suspect that if the tcpdump logs I posted were analyzed they'd probably match one or both of those tools in patterns. To me, it strikes me as a scam to take advantage of those that don't understand and to further "FUD" with those that truly don't understand. Although I have to admit as to wonder which is worse: taking advantage of those who don't understand or being one of those unwilling to investigate and not understand.