CPF is a busy little ■■■■■■ on my machine, which is good, I think, but one thing that is frustrating me is that CPF doesn’t tell me what program(s) (legit or not) is/are doing all of the violating. More specifically, CPF is logging a medium severity alert every 30-45 seconds with the same description each time: Outbound Policy Violation (Access Denied, ICMP = Port Unreachable). Stuff like that always piques my interest, especially when half of the destination IPs are not resolvable by WHOIS and the other half are so exotic:
218.164.12.118 - Taiwan
83.157.180.181 - France
60.16.84.62 - China
60.53.79.2 - Malaysia
222.164.239.27 - Singapore
Since CPF is blocking the access, I can’t use, for example, TCPView to see who’s attempting to communicate with these exotic destinations.
Multiple spyware scanning applications come up clean, including RootKitRevealer v1.71, so I am really stumped as to what is going on here. Any ideas on how to ferret out the violator(s)?
It is probably because CPF does not know the applications that are associated with these messages. Based on the message (ICMP = Port Unreachable) & the wide range of IPs involved I suspect that these are being generated because of some sort of P2P program (eMule, Torrent, etc…) or it could be some other form of network (instant messaging, etc…).
Thanks for the response, kail. I don’t have any IM clients installed (I’m one of those people who hates Windows Messenger so much I edited the registry to block it from ever loading). I do have a P2P client installed, uTorrent, but it is not running (though it does work fine when I do run it - green check mark and everything). Other applications currently running that I have eliminated as being the cause are Firefox 2.0.0.1, Thunderbird 1.5.0.9, avast! 4.7.892 and Intel Audio Studio 2.0. In short, whatever is “dialing out” is not obvious!
Foundstone has a whole bunch, including SuperScan, FPort, etc. Bound to be something there that can help you.
PortQuery will allow you to scan ports (range, specific, etc) to see what activity is going on.
SIW will show you what’s communicating (listening, active, even just “holding” a port), if you look under the Network section. You might be surprised by what you see…
You could also try Filemon or Process Monitor from SysInternals: http://www.gtopala.com/ to see what’s running. Hey, for that matter, What’s Running has a lot of Connections info in it as well. You can get it from MajorGeeks: Download What's Running - MajorGeeks
Thanks for chiming in, Little Mac. I’ve tried a few of the programs you recommended but I still haven’t been able to correlate an application with a particular CPF log entry. I believe this is so because CPF is, indeed, blocking access to these exotic IPs so there is nothing for, say, What’s Running to report. Just for completeness, here’s a sample entry from the exported CPF log:
Date/Time :2007-01-04 20:23:15
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.102
Destination: 201.15.157.25
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 8
Is it possible that I am being pinged and CPF is blocking the return response? I thought there was another network control rule specifically for that but at this point I’m basically scratching my head…
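As an added example (not from this thread or from Comodo), here is a small parser for exported entries in the layout quoted above, which tallies the outbound ICMP Port Unreachable records by remote address. The reason no process ever shows up for these is that an outbound ICMP Port Unreachable is generated by the IP stack itself in reply to a UDP datagram that arrived at a closed local port, so the addresses worth examining are the remote senders; the log content below is constructed and the field names are taken from the sample entry.

```python
from collections import Counter

# Constructed CPF export in the field layout quoted above; addresses are documentation ranges.
SAMPLE_LOG = """\
Date/Time :2007-01-04 20:23:15
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.102
Destination: 203.0.113.25
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 8
Date/Time :2007-01-04 20:23:52
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.102
Destination: 198.51.100.7
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 8
Date/Time :2007-01-04 20:24:30
Severity :Medium
Reporter :Network Monitor
Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
Protocol:ICMP Outgoing
Source: 192.168.1.102
Destination: 203.0.113.25
Message: PORT UNREACHABLE
Reason: Network Control Rule ID = 8
"""

def parse_cpf_export(text):
    """Split a CPF text export into dict records; every record starts at Date/Time."""
    records, current = [], None
    for line in text.splitlines():
        key, _, value = line.partition(':')   # Date/Time values contain ':' too
        key, value = key.strip(), value.strip()
        if key == 'Date/Time':
            current = {}
            records.append(current)
        if current is not None and value:
            current[key] = value
    return records

def unsolicited_udp_senders(records):
    """Count remote senders of UDP datagrams the stack answered with Port Unreachable."""
    return Counter(r['Destination'] for r in records if r.get('Protocol') == 'ICMP Outgoing'
                   and r.get('Message', '').upper() == 'PORT UNREACHABLE')
```

A remote address that keeps recurring in this tally is a peer still sending to a port that nothing on the host listens on any more, which is consistent with stale P2P peers rather than a local program dialing out.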
I doubt these are the result of pings, since CFP would, by default, have blocked the inbound ICMP Echo Request & the return should have been an ICMP Echo Return. If your IP address is static or you were at some point connected to the P2P network with the current IP, then these still could be from the P2P network (other P2P users who think you are still connected).
But, if you still suspect this is something else, then perhaps you should try HiJackThis to see if it can find anything.
Thanks for the follow-ups, kail and Rotty. Here’s the HiJack This log:
```
Logfile of HijackThis v1.99.1
Scan saved at 7:15:43 AM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
```
The only thing that really jumps out to me is the O21 entry, but none of the usual spyware scanning programs like AdAware have anything to say about it…
I suspect Microsoft may be the offender. I had a similar problem at work where we are on a network and after much analysis using HijackThis and running various malware removal tools I came to the conclusion that the outbound policy violation was something to do with Microsoft networking components.
Incidentally, if you have a file called WINotify.dll (note the spelling is different from Winotify.dll) on your PC I have found I get many fewer outbound policy violations if I disable it using the Startup section of Spybot.