Re: Help pls. XP won't stop messaging.
From: AJ (i_inventREMOVETHIS_at_ANDTHIShotmail.com)
Date: 05/16/03
Date: Fri, 16 May 2003 18:27:50 +1000
Ok,
Here's the latest, and one thing really SURPRISED me, as you'll see.
I stopped and disabled Messenger, SSDP and UPnP. I installed a packet
capturer. I started capturing packets. The following is the first thing that
caught my attention:
DATA:
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:GetStatusInfoResponse xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewConnectionStatus>Connected</NewConnectionStatus>
<NewLastConnectionError>ERROR_NONE</NewLastConnectionError>
<NewUptime>162740</NewUptime>
</m:GetStatusInfoResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Just what IS this??!! I think I might know, but I don't want to pre-empt
other suggestions (or conspiracy theories? <g>). This seems to be the vast
majority of the traffic.
I noticed that each time a packet like the above came through, it was
immediately preceded by a packet with the following:
DATA:
HTTP/1.0 200 OK
Connection: close
Server: UPnP/1.0 UPnP-Device-Host/1.0
Content-length: 415
Content-Type: text/xml; charset="utf-8"
I typed in the url "http://schemas.xmlsoap.org/soap/envelope/" and found an
xml script that seems to have something to do with UPnP. Further, it seems
that the little gateway router was regularly sending the following 12
packets (sorry so long but they're all different):
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:uuid:upnp-InternetGatewayDevice-1_0-mydevicemacaddress
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-InternetGatewayDevice-1_0-mydevicemacaddress
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:urn:schemas-upnp-org:device:InternetGatewayDevice:1
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-InternetGatewayDevice-1_0-mydevicemacaddress::urn:schemas-upnp-org:device:InternetGatewayDevice:1
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:upnp:rootdevice
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-InternetGatewayDevice-1_0-mydevicemacaddress::upnp:rootdevice
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:uuid:upnp-WANDevice-1_0-mydevicemacaddress
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-WANDevice-1_0-mydevicemacaddress
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:urn:schemas-upnp-org:device:WANDevice:1
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-WANDevice-1_0-mydevicemacaddress::urn:schemas-upnp-org:device:WANDevice:1
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:uuid:upnp-WANConnectionDevice-1_0-mydevicemacaddress
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-WANConnectionDevice-1_0-mydevicemacaddress
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:uuid:upnp-WANConnectionDevice-1_0-mydevicemacaddress
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-WANConnectionDevice-1_0-mydevicemacaddress
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:urn:schemas-upnp-org:device:WANConnectionDevice:1
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-WANConnectionDevice-1_0-mydevicemacaddress::urn:schemas-upnp-org:device:WANConnectionDevice:1
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:urn:schemas-upnp-org:service:Layer3Forwarding:1
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-InternetGatewayDevice-1_0-mydevicemacaddress::urn:schemas-upnp-org:service:Layer3Forwarding:1
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-WANDevice-1_0-mydevicemacaddress::urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
DATA:
NOTIFY * HTTP/1.1
Host:239.255.255.250:1900
Cache-Control:max-age=60
Location:http://192.168.0.1:80/upnp/service/descrip.xml
NT:urn:schemas-upnp-org:service:WANIPConnection:1
NTS:ssdp:alive
Server:NT/5.0 UPnP/1.0
USN:uuid:upnp-WANConnectionDevice-1_0-mydevicemacaddress::urn:schemas-upnp-org:service:WANIPConnection:1
I opened up the web interface to the router and blocked the "xmlsoap" site,
and turned off UPnP support (I didn't realize that a cheap router would have
UPnP support!). I then turned it off and back on. The traffic stopped (but
not completely). I've tried it without the block and just with the UPnP
turned off, but I still got the traffic, so I went with both. Note, even
though UPnP was turned off on both the XP PC and the router, I still
received traffic from the "xmlsoap" website. That's why I stuck with the
block on that site.
Now, the only traffic that shows up in the capturing software is the
occasional burp from the NT PC. (I've had the laptop off during today. Won't
that be fun when I turn it back on?)
But I still get the 1.5 second pulse from the LAN icon in systray. It's
continuous, doesn't miss a beat and doesn't show up in the packet capture.
I'm happy now - not completely, but happier than two days ago.
Any thoughts?
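
An added example, not part of the original post: a small Python audit that parses SSDP NOTIFY advertisements like the ones captured above, groups them by description URL, and flags gateway control services that are still being announced. The function names, the SENSITIVE list and the sample datagrams (constructed from header values quoted in the post) are assumptions of this example.

```python
def notify(nt, usn):
    """Build one constructed datagram using the header layout quoted in the post."""
    return ("NOTIFY * HTTP/1.1\r\nHost:239.255.255.250:1900\r\n"
            "Cache-Control:max-age=60\r\n"
            "Location:http://192.168.0.1:80/upnp/service/descrip.xml\r\n"
            f"NT:{nt}\r\nNTS:ssdp:alive\r\nServer:NT/5.0 UPnP/1.0\r\nUSN:{usn}\r\n\r\n")

IGD = "uuid:upnp-InternetGatewayDevice-1_0-mydevicemacaddress"
WCD = "uuid:upnp-WANConnectionDevice-1_0-mydevicemacaddress"
L3F = "urn:schemas-upnp-org:service:Layer3Forwarding:1"
WIC = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Constructed sample input (values copied from the post; one repeat included).
SAMPLE = [notify("upnp:rootdevice", IGD + "::upnp:rootdevice"),
          notify(WCD, WCD), notify(WCD, WCD),
          notify(L3F, IGD + "::" + L3F), notify(WIC, WCD + "::" + WIC)]

# Assumption: service types treated as worth flagging because they expose
# gateway control actions (WANIPConnection carries the port-mapping actions).
SENSITIVE = {"WANIPConnection", "WANPPPConnection", "Layer3Forwarding"}

def parse_ssdp(datagram):
    """Return (start_line, headers); header names are lower-cased."""
    lines = datagram.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def summarize(datagrams):
    """Group ssdp:alive advertisements by description URL and flag services."""
    report = {}
    for raw in datagrams:
        start, h = parse_ssdp(raw)
        if not start.upper().startswith("NOTIFY ") or h.get("nts") != "ssdp:alive":
            continue
        entry = report.setdefault(h.get("location", "unknown"),
                                  {"types": set(), "flagged": set(), "max_age": None})
        entry["types"].add(h.get("nt", ""))
        parts = h.get("nt", "").split(":")
        if len(parts) >= 5 and parts[2] == "service" and parts[3] in SENSITIVE:
            entry["flagged"].add(parts[3])
        cache = h.get("cache-control", "")
        if cache.startswith("max-age=") and cache[8:].isdigit():
            entry["max_age"] = int(cache[8:])
    return report

if __name__ == "__main__":
    for url, info in summarize(SAMPLE).items():
        print(url, "flagged:", sorted(info["flagged"]), "max-age:", info["max_age"])
```

Run over a capture taken after UPnP has been switched off on the gateway, an empty report means the device has stopped announcing itself; any flagged entry means control services are still being advertised on the LAN.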