Small problem with 2.3.3.33 Beta and UnPlug n' Pray [RESOLVED]

Hi everyone, here’s a problem for ya that’s kind of hard to explain, but I’ll try.

First: running XP SP2 with all updates. CPF 2.3.3.33 Beta with default settings.

Whenever I do a cold boot or restart and then go to Start, Favorites and then choose ANY of my saved sites, I.E. loads, but says the page could not be found. If I then reload the page, everything works fine, and from then on if I exit I.E. and go to Start, Favorites it works fine until the next boot or restart. Also when this happens COMODO shows this in the log:

Comodo Firewall Logs
Date Created: 22:06:38 24-08-2006
Log Scope: Today
Date/Time: 2006-08-24 22:06:00
Severity: Medium
Reporter: Application Monitor
Description: Application Access Denied (System:75.108.63.255:nbname(137))
Application: System
Parent: System
Protocol: UDP Out
Remote: 75.108.63.255:nbname(137)
End of The Report

Edit: this also happens if I click on the I.E. icon in the quick launch toolbar.

Any ideas??

That is strange. Port 137 UDP (nbname) is the NetBIOS Name Service & it’s used by Windows to find out information about networking stuff offered by a system (e.g. System Name, File Shares, etc…).

Since the CPF log indicates that it is an outbound attempt… personally, that would concern me. To me it looks like CPF could be saving you here. It could be your system trying to announce itself (you would need file-sharing to be on for this to happen… do you?) or it might be something less welcome.

Now, I’m not trying to alarm you… However, certain worms are known to utilise this port & large volumes of outbound traffic could be an indication of a worm infection. But, I assume CPF would block all these. So, seeing any traffic volume might be difficult (for the moment I do not recommend turning off CPF to test this).

Some leading questions…

Are you running an active Anti-Virus program & are its definitions up-to-date?

Is the remote IP address mentioned in the log your ISP’s?
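As an added example (not from the thread, and not Comodo’s code), here is a small Python parser for the CPF application-monitor record quoted above, in the flattened one-line form the text export produces. It splits the record into fields and annotates the port-137 finding the way the reply explains it; the field order and the “.255 means subnet broadcast” heuristic (which assumes a /24 mask) are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the CPF 2.3 record quoted in the post, flattened the way the
# text export rendered it (the line breaks between fields were lost).
SAMPLE_RECORD = (
    "Date/Time :2006-08-24 22:06:00Severity :MediumReporter :Application Monitor"
    "Description: Application Access Denied (System:75.108.63.255:nbname(137))"
    "Application: SystemParent: SystemProtocol: UDP OutRemote: 75.108.63.255:nbname(137)"
)

# Field labels in the order they appear in the export; assumed stable for CPF 2.3 logs.
FIELDS = ["Date/Time", "Severity", "Reporter", "Description",
          "Application", "Parent", "Protocol", "Remote"]

# One regex for the whole record: each label, optional whitespace, a colon, then a lazy
# value that stops where the next label begins. Lazy matching is what keeps the word
# "Application" inside "Application Access Denied" from being taken as the next field.
_RECORD_RE = re.compile(
    "".join(rf"{re.escape(f)}\s*:\s*(?P<f{i}>.*?)" for i, f in enumerate(FIELDS)) + r"$",
    re.DOTALL,  # also accepts the one-field-per-line form
)
_REMOTE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<svc>[\w-]+)\((?P<port>\d+)\)$")


def parse_record(text: str) -> Dict[str, str]:
    """Split a CPF application-monitor record into its named fields."""
    m = _RECORD_RE.match(text.strip())
    if not m:
        raise ValueError("not a CPF application-monitor record")
    return {f: m.group(f"f{i}").strip() for i, f in enumerate(FIELDS)}


def assess(rec: Dict[str, str]) -> Dict[str, object]:
    """Explain what the blocked packet was, along the lines of the reply in this thread."""
    r = _REMOTE_RE.match(rec["Remote"])
    if not r:
        raise ValueError(f"unparsed Remote field: {rec['Remote']!r}")
    port = int(r.group("port"))
    notes: List[str] = []
    if rec["Protocol"] == "UDP Out" and port == 137:
        notes.append("outbound NetBIOS Name Service (NBNS) query/registration")
    if rec["Application"] == "System" and rec["Parent"] == "System":
        notes.append("sent by the kernel (NetBT driver), not by a user program")
    broadcast_like = r.group("ip").endswith(".255")  # heuristic: assumes a /24 subnet
    if broadcast_like:
        notes.append("destination ends in .255: looks like the local subnet broadcast")
    return {"ip": r.group("ip"), "service": r.group("svc"), "port": port,
            "broadcast_like": broadcast_like, "notes": notes}


if __name__ == "__main__":
    for line in assess(parse_record(SAMPLE_RECORD))["notes"]:
        print("-", line)
```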

Yes, I’m using Avast with all updates

Yes, the remote IP address is mine.

I’ve run Avast and Ewido and everything looks clean.

I have file sharing turned off.

Thanks for the help.

OK, that makes the possibility of a worm infection much less likely, if not zero.

So, the source & remote is you… sorry, I’m stumped. I can’t even guess what that could be. I would stick a traffic analyzer/packet sniffer on it to see what was actually in the outbound packet. But, that’s just me… way too nosey. This sort of thing… isn’t everybody’s cup of tea.

Sorry I couldn’t help further.

Anybody else?

Thanks anyway kail.

Any other ideas?? (:SAD)

Have you considered that it could be a program with rootkit abilities?

Try using Autoruns (www.sysinternals.com) and disabling every startup program except the absolutely necessary ones.

Try running with an almost bare system (CPF, Avast, drivers) and see if the same still happens.

That’s usually enough of a hint for me to suspect a rootkit.

Edward

Thanks Edward, I’ll give it a try.

Ok, after MUCH testing I found the problem. (:CLP)

This is caused by a program from GRC.com called UnPlug n’ Pray (GRC | UnPlug n' Pray - Disable the Dangerous UPnP Internet Server).

If I use this program to disable UPnP, it causes the problem stated in my first post. If I reverse the process, the problem goes away. I don’t know why this happens. Does CPF use this service??

Whilst CPF may well monitor UPnP’s actions if it attempted to access the Internet, I do not believe that it uses any aspect of UPnP itself.

It does surprise me that GRC’s disabling of MS’ UPnP could cause some sort of external IP loopback on UDP 137. Reading GRC’s site, it says that it only stops & disables 2 services (UPNPDH & SSDPDS) & neither of these services seems to use UDP 137. But, given your findings it is clear that there must be some sort of relationship there, even if it is an indirect/obscure one.

I’m still stumped on this one, if not more so now. LOL :smiley:

Anyway, I’m glad you found what was causing it.

I’ve used UnPlug n’ Pray and disabled all other unnecessary services without any problems.

Maybe you need the service for a device that depends on it? I don’t.

Thanks everyone, I’m stumped too. The way I found out is I did a full format and install of Windows. I installed CPF and everything was fine. I then used UnPlug n’ Pray and the problem started again.
As soon as I reversed UnPlug n’ Pray everything was fine again. As far as I know there’s nothing on my system that needs UPnP. I connect through a Surfboard cable modem (charter.net).

Thanks for trying to help everyone.

You used a freshly installed system on a previously formatted disk?!? Oh boy… the stumping just gets worse on this one.

Thanks for the info marc57.

Hey kail

Not only a format, I used the data lifeguard tools that came with my HD to write zeros to the hard drive first THEN let windows do a full NTFS format as it was installing just to be sure since TheFireKnight had mentioned rootkits.

Hi marc57

Yes, I suspected the mention of rootkits is why you performed the format. Whilst, as it turned out, it probably wasn’t necessary, I would have likely done the same thing in your position.

On the upside, if anybody encounters the same issue & searches the forum, then they will know what it is, what to do and what not to do. And this is thanks to your efforts. So, thanks for all the additional work you did & the feedback.

(:CLP)

Thanks kail,

The work was worth it if it helps someone else. Besides, CPF is a great firewall. It’s the only one that I feel secure with since Sygate was bought by Symantec. You can tell that the programmers put a lot of effort into making it, so it’s no problem for me to put a little work into it.

(B)