Author Topic: Small problem with 2.3.3.33 Beta and UnPlug n' Pray [RESOLVED]  (Read 3725 times)

marc57

  • Guest
Hi everyone, here's a problem for ya that's kind of hard to explain, but I'll try.

First: running XP SP2 with all updates. CPF 2.3.3.33 Beta with default settings.

Whenever I do a cold boot or restart and then go to Start, Favorites and then choose ANY of my saved sites, I.E. loads, but says page could not be found. If I then reload the page, everything works fine. And from then on, if I exit I.E. and go to Start, Favorites, it works fine until the next boot or restart. Also, when this happens COMODO shows this in the log:


Comodo Firewall Logs
Date Created: 22:06:38 24-08-2006
Log Scope: Today

Date/Time: 2006-08-24 22:06:00
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (System:75.108.63.255:nbname(137))
Application: System
Parent: System
Protocol: UDP Out
Remote: 75.108.63.255:nbname(137)

End of The Report

Edit: this also happens if I click on the I.E. icon in the quick launch toolbar.

Any ideas??
« Last Edit: August 26, 2006, 01:28:24 PM by marc57 »

Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
Re: Small problem with 2.3.3.33 Beta
« Reply #1 on: August 24, 2006, 11:22:15 PM »
That is strange. Port 137 UDP (nbname) is the Netbios Name Service & it's used by Windows to find out information about networking stuff offered by a system (eg. System Name, File Shares, etc..).

Since, the CPF log indicates that it is an outbound attempt.. personally, that would concern me. To me it looks like CPF could be saving you here. It could be your system trying to announce itself (you would need file-sharing to be on for this to happen.. do you?) or it might be something less welcome.

Now, I'm not trying to alarm you.. However, certain worms are known to utilise this port & large volumes of outbound traffic could be an indication of a worm infection. But, I assume CPF would block all these. So, seeing any traffic volume might be difficult (for the moment I do not recommend turning off CPF to test this).

Some leading questions..

Are you running an active Anti-Virus program & are its definitions up-to-date?

Is the remote IP address mentioned in the log your ISP's?
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.
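The triage described in the reply above (outbound UDP 137 judged by volume), as an added example that is not part of the original thread or Comodo's own code. It parses the CPF log layout quoted in the first post and counts denied outbound nbname attempts per application and remote address; the function names and the `threshold` value are assumptions, and sample entries 2 and 3 are constructed.

```python
import re
from collections import Counter

# Field labels exactly as they appear in the CPF log entry in the first post.
LABELS = ["Date/Time", "Severity", "Reporter", "Description",
          "Application", "Parent", "Protocol", "Remote"]
FIELD_RE = re.compile(r"(%s)\s*:\s*" % "|".join(map(re.escape, LABELS)))
REMOTE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\w*\((\d+)\)")

def parse_entries(text):
    """Split a pasted log into {label: value} dicts (fields may be run together)."""
    entries = []
    for chunk in re.split(r"(?=Date/Time\s*:)", text):
        parts = FIELD_RE.split(chunk)  # [preamble, label, value, label, value, ...]
        fields = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
        if "Remote" in fields:
            entries.append(fields)
    return entries

def netbios_denials(entries):
    """Count denied outbound UDP/137 attempts per (application, remote IP)."""
    hits = Counter()
    for e in entries:
        m = REMOTE_RE.search(e["Remote"])
        if (m and m.group(2) == "137" and e.get("Protocol") == "UDP Out"
                and "Denied" in e.get("Description", "")):
            hits[(e.get("Application"), m.group(1))] += 1
    return hits

def triage(hits, threshold=20):
    """Label each source by volume; threshold is an assumed cut-off, not a CPF value."""
    return {k: "high-volume" if n >= threshold else "low-volume"
            for k, n in hits.items()}

# Entry 1 is the one from the post (run together as pasted); 2 and 3 are constructed.
SAMPLE = (
    "Log Scope: Today      Date/Time :2006-08-24 22:06:00Severity :Medium"
    "Reporter :Application MonitorDescription: Application Access Denied "
    "(System:75.108.63.255:nbname(137))Application: SystemParent: System"
    "Protocol: UDP OutRemote: 75.108.63.255:nbname(137)\n"
    "Date/Time: 2006-08-24 22:07:10\nSeverity: Medium\nReporter: Application "
    "Monitor\nDescription: Application Access Denied (System:75.108.63.255:"
    "nbname(137))\nApplication: System\nParent: System\nProtocol: UDP Out\n"
    "Remote: 75.108.63.255:nbname(137)\n"
    "Date/Time: 2006-08-24 22:09:30\nSeverity: Medium\nReporter: Application "
    "Monitor\nDescription: Application Access Denied (iexplore.exe:192.0.2.10:"
    "http(80))\nApplication: iexplore.exe\nParent: explorer.exe\n"
    "Protocol: TCP Out\nRemote: 192.0.2.10:http(80)\n"
)
```

Calling `triage(netbios_denials(parse_entries(SAMPLE)))` on the sample labels the System process's two blocked nbname attempts as low-volume, which matches a couple of blocks at boot rather than sustained traffic.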

marc57

  • Guest
Re: Small problem with 2.3.3.33 Beta
« Reply #2 on: August 24, 2006, 11:28:45 PM »
> That is strange. Port 137 UDP (nbname) is the Netbios Name Service & it's used by Windows to find out information about networking stuff offered by a system (eg. System Name, File Shares, etc..).
>
> Since, the CPF log indicates that it is an outbound attempt.. personally, that would concern me. To me it looks like CPF could be saving you here. It could be your system trying to announce itself (you would need file-sharing to be on for this to happen.. do you?) or it might be something less welcome.
>
> Now, I'm not trying to alarm you.. However, certain worms are known to utilise this port & large volumes of outbound traffic could be an indication of a worm infection. But, I assume CPF would block all these. So, seeing any traffic volume might be difficult (for the moment I do not recommend turning off CPF to test this).
>
> Some leading questions..
>
> Are you running an active Anti-Virus program & are its definitions up-to-date?
>
> Is the remote IP address mentioned in the log your ISP's?

Yes, I'm using Avast with all updates.

Yes, the remote IP address is mine.

I've run Avast and Ewido and everything looks clean.

I have file sharing turned off.

Thanks for the help.

Offline kail

Re: Small problem with 2.3.3.33 Beta
« Reply #3 on: August 24, 2006, 11:50:54 PM »
OK, that makes the possibility of a worm infection much less likely, if not zero.

So, the source & remote is you.. sorry, I'm stumped. I can't even guess what that could be. I would stick a traffic analyzer/packet sniffer on it to see what was actually in the outbound packet. But, that's just me.. way too nosy. This sort of thing.. isn't everybody's cup of tea.

Sorry I couldn't help further.

Anybody else?

marc57

  • Guest
Re: Small problem with 2.3.3.33 Beta
« Reply #4 on: August 25, 2006, 02:02:45 AM »
Thanks anyway kail.
« Last Edit: August 25, 2006, 02:04:59 AM by marc57 »

marc57

  • Guest
Re: Small problem with 2.3.3.33 Beta
« Reply #5 on: August 25, 2006, 06:41:05 PM »
Any other ideas?? (:SAD)

Offline TheFireKnight

  • Comodo Family Member
  • ***
  • Posts: 89
    • Custom-Built Extreme Performance PCs - Coming soon
Re: Small problem with 2.3.3.33 Beta
« Reply #6 on: August 25, 2006, 07:16:43 PM »
Have you considered that it could be a program with rootkit abilities?

Try using Autoruns (www.sysinternals.com) and disabling every startup program except the absolutely necessary.

Try running with an almost bare system (CPF, Avast, drivers) and see if the same still happens.

That's usually enough of a hint for me to suspect a rootkit.

Edward

marc57

  • Guest
Re: Small problem with 2.3.3.33 Beta
« Reply #7 on: August 25, 2006, 07:35:31 PM »
Thanks Edward, I'll give it a try.

marc57

  • Guest
Re: Small problem with 2.3.3.33 Beta
« Reply #8 on: August 26, 2006, 01:25:16 PM »
Ok, after MUCH testing I found the problem.  (:CLP)

This is caused by a program from GRC.com called UnPlug n' Pray. http://www.grc.com/UnPnP/UnPnP.htm

If I use this program to disable UPnP, it causes the problem stated in my first post. If I reverse the process, the problem goes away. I don't know why this happens. Does CPF use this service??
« Last Edit: August 26, 2006, 01:30:42 PM by marc57 »

Offline kail

Re: Small problem with 2.3.3.33 Beta and UnPlug n' Pray [RESOLVED]
« Reply #9 on: August 26, 2006, 04:00:30 PM »
Whilst CPF may well monitor UPnP's actions if it attempted to access the Internet, I do not believe that it uses any aspect of UPnP itself.

It does surprise me that GRC's disabling of MS' UPnP could cause some sort of external IP loopback on UDP 137. Reading GRC's site says that it only stops & disables 2 services (UPNPDH & SSDPDS) & neither of these services seem to use UDP 137. But, given your findings it is clear that there must be some sort of relationship there, even if it is an indirect/obscure one.

I'm still stumped on this one, if not more so now. LOL :D

Anyway, I'm glad you found what was causing it.

Offline SteveC

  • Comodo Family Member
  • ***
  • Posts: 89
Re: Small problem with 2.3.3.33 Beta and UnPlug n' Pray [RESOLVED]
« Reply #10 on: August 26, 2006, 04:22:04 PM »
I've used UnPlug n' Pray and disabled all other unnecessary services without any problems.

Maybe you need the service for a device that depends on it? I don't.
« Last Edit: August 26, 2006, 04:28:08 PM by SteveC »

marc57

  • Guest
Re: Small problem with 2.3.3.33 Beta and UnPlug n' Pray [RESOLVED]
« Reply #11 on: August 26, 2006, 07:13:42 PM »
Thanks everyone, I'm stumped too. The way I found out is I did a full format and install of Windows. I installed CPF and everything was fine. I then used UnPlug n' Pray and the problem started again. As soon as I reversed UnPlug n' Pray everything was fine again. As far as I know there's nothing on my system that needs UPnP. I connect through a surfboard cable modem (charter.net).

Thanks for trying to help everyone.

Offline kail

Re: Small problem with 2.3.3.33 Beta and UnPlug n' Pray [RESOLVED]
« Reply #12 on: August 26, 2006, 08:03:56 PM »
> Thanks everyone, I'm stumped too. The way I found out is I did a full format and install of Windows. I installed CPF and everything was fine. I then used UnPlug n' Pray and the problem started again. As soon as I reversed UnPlug n' Pray everything was fine again. As far as I know there's nothing on my system that needs UPnP. I connect through a surfboard cable modem (charter.net).

You used a freshly installed system on a previously formatted disk?!? Oh boy.. the stumping just gets worse on this one.

Thanks for the info marc57.

marc57

  • Guest
Re: Small problem with 2.3.3.33 Beta and UnPlug n' Pray [RESOLVED]
« Reply #13 on: August 26, 2006, 09:57:55 PM »
> You used a freshly installed system on a previously formatted disk?!? Oh boy.. the stumping just gets worse on this one.
>
> Thanks for the info marc57.

Hey kail

Not only a format, I used the data lifeguard tools that came with my HD to write zeros to the hard drive first THEN let windows do a full NTFS format as it was installing just to be sure since TheFireKnight had mentioned rootkits.

Offline kail

Re: Small problem with 2.3.3.33 Beta and UnPlug n' Pray [RESOLVED]
« Reply #14 on: August 26, 2006, 10:31:52 PM »
> Hey kail
>
> Not only a format, I used the data lifeguard tools that came with my HD to write zeros to the hard drive first THEN let windows do a full NTFS format as it was installing just to be sure since TheFireKnight had mentioned rootkits.

Hi marc57

Yes, I suspected the mention of rootkits is why you performed the format. Whilst, as it turned out, it probably wasn't necessary, I would have likely done the same thing in your position.

On the upside, if anybody encounters the same issue & searches the forum, then they will know what it is, what to do and what not to do. And this is thanks to your efforts. So, thanks for all the additional work you did & the feedback.

(:CLP)

 
