- winlogon.exe and unknown network traffic
- Posted by johnxsun@gmail.com on November 11th, 2007
Hello,
I have a PC with Windows XP Home Edition/SP2. There are three user
accounts created and they can log in concurrently, only one of them is
admin user. When the admin user is logged in, everything is normal.
But when the second user is logged in, the second winlogon.exe process
starts generating a large amount of network traffic... I couldn't find out
why or how to stop it (I have checked the winlogon.exe file and found no
problem). Any idea?
Thanks,
John
- Posted by nass on November 11th, 2007
"johnxsun@gmail.com" wrote:
A profile corruption, perhaps; try to create another account and see if it
behaves. If it does, then a profile corruption is causing this issue.
If that is the case, you will need to copy the data from that profile to the
new one and delete the old one after making sure all is working fine (data
moved).
How to COPY data from a corrupted user profile to a new profile:
http://support.microsoft.com/kb/811151
- Posted by PA Bear on November 11th, 2007
Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315
Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.
Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware
When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**
If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.org/
johnxsun@gmail.com wrote:
- Posted by johnxsun@gmail.com on November 12th, 2007
On Nov 12, 5:45 am, nass <n...@discussions.microsoft.com> wrote:
Thanks for the help.
I have tried to make a new account and it also does the same
(generating the traffic)...
What I then found is that actually the first logged-in user is always
fine, but the second and the third are not. When the second and third
users log in, the winlogon.exe for each of them starts some TCP
traffic with some unknown web sites and it lasts forever.
BTW, I have done extensive cleanup using various anti-virus and
anti-spyware software...
I really need help on this one... is there some configuration I missed?
John
- Posted by johnxsun@gmail.com on November 12th, 2007
On Nov 12, 2:51 pm, johnx...@gmail.com wrote:
Here is the traffic log from firewall. It repeats itself forever...
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-11-11 21:58:59 CLOSE TCP 192.168.1.100 85.17.99.232 2514 80 - - - - - - - - -
2007-11-11 21:58:59 OPEN TCP 192.168.1.100 85.17.99.233 2524 80 - - - - - - - - -
2007-11-11 21:59:00 OPEN TCP 192.168.1.100 85.17.99.232 2525 80 - - - - - - - - -
2007-11-11 21:59:00 CLOSE TCP 192.168.1.100 85.17.99.232 2523 80 - - - - - - - - -
2007-11-11 21:59:01 CLOSE TCP 192.168.1.100 85.17.99.233 2524 80 - - - - - - - - -
2007-11-11 21:59:01 CLOSE TCP 192.168.1.100 85.17.175.232 2521 80 - - - - - - - - -
2007-11-11 21:59:01 CLOSE TCP 192.168.1.100 85.17.175.233 2509 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.175.233 2526 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.175.232 2527 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.99.233 2528 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.99.233 2529 80 - - - - - - - - -
2007-11-11 21:59:03 CLOSE TCP 192.168.1.100 85.17.99.233 2528 80 - - - - - - - - -
2007-11-11 21:59:03 OPEN TCP 192.168.1.100 85.17.175.232 2530 80 - - - - - - - - -
2007-11-11 21:59:03 CLOSE TCP 192.168.1.100 85.17.175.232 2527 80 - - - - - - - - -
2007-11-11 21:59:03 CLOSE UDP 192.168.1.100 70.48.150.42 1088 31981 - - - - - - - - -
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 280 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 298 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 352 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 344 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 274 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 316 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 348 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 294 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 346 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 340 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 272 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 315 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 345 - - - - - - - RECEIVE
2007-11-11 21:59:04 CLOSE TCP 192.168.1.100 85.17.99.232 2525 80 - - - - - - - - -
2007-11-11 21:59:04 OPEN TCP 192.168.1.100 85.17.99.232 2531 80 - - - - - - - - -
2007-11-11 21:59:04 CLOSE TCP 192.168.1.100 85.17.175.232 2520 80 - - - - - - - - -
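Added example, not from the thread: a small Python parser for the Windows Firewall log format posted above (the "#Fields:" header names each column). It re-joins records that a mail client wrapped across two lines and counts outbound OPEN events per destination, so a host the machine keeps reconnecting to, as in the log above, stands out. The sample records are constructed in the shape of the posted ones.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Windows Firewall log quoted above: a W3C-style
# "#Fields:" header, then one record per event. Long lines are wrapped, as in the post.
SAMPLE_LOG = """#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port
size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-11-11 21:58:59 OPEN TCP 192.168.1.100 85.17.99.233 2524 80 - - -
- - - - - -
2007-11-11 21:59:00 OPEN TCP 192.168.1.100 85.17.99.232 2525 80 - - -
- - - - - -
2007-11-11 21:59:01 CLOSE TCP 192.168.1.100 85.17.99.233 2524 80 - - -
- - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.99.233 2529 80 - - -
- - - - - -
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 280
- - - - - - - RECEIVE
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

def unwrap(text):
    """Re-join wrapped records: a line starting with neither a timestamp nor '#'
    continues the previous line (this also repairs a wrapped #Fields directive)."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if line and joined and not TIMESTAMP.match(line) and not line.startswith("#"):
            joined[-1] += " " + line
        elif line:
            joined.append(line)
    return joined

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the column names from #Fields."""
    fields = []
    for line in unwrap(text):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def outbound_opens(text, local_ip):
    """Count OPEN events per dst-ip:dst-port initiated by local_ip, skipping inbound
    RECEIVE records; a destination opened again and again is worth investigating."""
    counts = Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] == "OPEN" and rec["src-ip"] == local_ip and rec["path"] != "RECEIVE":
            counts[f"{rec['dst-ip']}:{rec['dst-port']}"] += 1
    return counts
```

Point it at the real pfirewall.log (normally %windir%\pfirewall.log on XP) to get the full per-destination tally; the Port Reporter tool mentioned below then ties each port to the owning process.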
- Posted by John John on November 12th, 2007
johnxsun@gmail.com wrote:
85.17.99.233 is a file sharing web site; just punch (copy) the IP
address into your web browser and hit enter and you will see what the web
site is. I'm not sure that you are actually connecting there, but based
on your log it appears to be where the traffic is going. Printer
software (like HP) sometimes automatically installs photo sharing
software and it could be that 85.17.99.233 is a selected file/photo
sharing site.
Being that someone at Microsoft decided that egress filtering/monitoring
was a stupid thing for a firewall to do, you will have to try another
method to figure out what is going on:
Availability and description of the Port Reporter tool
http://support.microsoft.com/?id=837243
John
- Posted by PA Bear on November 12th, 2007
johnxsun@gmail.com wrote:
<snip>
Post a link to your forum thread where you've posted your HijackThis log.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.org/