winlogon.exe and unknown network traffic

johnxsun

Hello,

I have a PC with Windows XP Home Edition/SP2. There are three user
accounts created and they can log in concurrently; only one of them is
an admin user. When the admin user is logged in, everything is normal.
But when the second user is logged in, the second winlogon.exe process
starts generating a large amount of network traffic... I couldn't find out
why or stop it (I have checked the winlogon.exe file and found no
problem). Any idea?

Thanks,

John
 
Guest

> Hello,
>
> I have a PC with Windows XP Home Edition/SP2. There are three user
> accounts created and they can log in concurrently; only one of them is
> an admin user. When the admin user is logged in, everything is normal.
> But when the second user is logged in, the second winlogon.exe process
> starts generating a large amount of network traffic... I couldn't find out
> why or stop it (I have checked the winlogon.exe file and found no
> problem). Any idea?
>
> Thanks,
>
> John

A profile corruption, perhaps; try to create another account and see if it
behaves. If it does, then a profile corruption is causing this issue.
If that is the case, you will need to copy the data from that profile to the
new one and delete the old one after making sure everything works fine (data
moved).

How to COPY data from a corrupted user profile to a new profile:
http://support.microsoft.com/kb/811151
 
PA Bear

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
johnxsun

> A profile corruption, perhaps; try to create another account and see if it
> behaves. If it does, then a profile corruption is causing this issue.
> If that is the case, you will need to copy the data from that profile to the
> new one and delete the old one after making sure everything works fine (data
> moved).
>
> How to COPY data from a corrupted user profile to a new profile:
> http://support.microsoft.com/kb/811151

Thanks for the help.

I have tried making a new account and it also does the same
(generating the traffic)...

What I then found is that the first logged-in user is actually always
fine, but the second and the third are not. When the second and third
users are logged in, the winlogon.exe for each of them starts some TCP
traffic with some unknown web sites, and it lasts forever.

BTW, I have done extensive cleanup using various anti-virus and anti-
spyware software...

I really need help on this one... is there some configuration I missed?

John
 
johnxsun

> Thanks for the help.
>
> I have tried making a new account and it also does the same
> (generating the traffic)...
>
> What I then found is that the first logged-in user is actually always
> fine, but the second and the third are not. When the second and third
> users are logged in, the winlogon.exe for each of them starts some TCP
> traffic with some unknown web sites, and it lasts forever.
>
> BTW, I have done extensive cleanup using various anti-virus and anti-
> spyware software...
>
> I really need help on this one... is there some configuration I missed?
>
> John

Here is the traffic log from the firewall. It repeats itself forever...

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-11-11 21:58:59 CLOSE TCP 192.168.1.100 85.17.99.232 2514 80 - - - - - - - - -
2007-11-11 21:58:59 OPEN TCP 192.168.1.100 85.17.99.233 2524 80 - - - - - - - - -
2007-11-11 21:59:00 OPEN TCP 192.168.1.100 85.17.99.232 2525 80 - - - - - - - - -
2007-11-11 21:59:00 CLOSE TCP 192.168.1.100 85.17.99.232 2523 80 - - - - - - - - -
2007-11-11 21:59:01 CLOSE TCP 192.168.1.100 85.17.99.233 2524 80 - - - - - - - - -
2007-11-11 21:59:01 CLOSE TCP 192.168.1.100 85.17.175.232 2521 80 - - - - - - - - -
2007-11-11 21:59:01 CLOSE TCP 192.168.1.100 85.17.175.233 2509 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.175.233 2526 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.175.232 2527 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.99.233 2528 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.99.233 2529 80 - - - - - - - - -
2007-11-11 21:59:03 CLOSE TCP 192.168.1.100 85.17.99.233 2528 80 - - - - - - - - -
2007-11-11 21:59:03 OPEN TCP 192.168.1.100 85.17.175.232 2530 80 - - - - - - - - -
2007-11-11 21:59:03 CLOSE TCP 192.168.1.100 85.17.175.232 2527 80 - - - - - - - - -
2007-11-11 21:59:03 CLOSE UDP 192.168.1.100 70.48.150.42 1088 31981 - - - - - - - - -
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 280 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 298 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 352 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 344 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 274 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 316 - - - - - - - RECEIVE
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 348 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 294 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 346 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 340 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 272 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 315 - - - - - - - RECEIVE
2007-11-11 21:59:04 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 345 - - - - - - - RECEIVE
2007-11-11 21:59:04 CLOSE TCP 192.168.1.100 85.17.99.232 2525 80 - - - - - - - - -
2007-11-11 21:59:04 OPEN TCP 192.168.1.100 85.17.99.232 2531 80 - - - - - - - - -
2007-11-11 21:59:04 CLOSE TCP 192.168.1.100 85.17.175.232 2520 80 - - - - - - - - -
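An added example, not code from the thread or from Microsoft: a small parser for the Windows Firewall log format posted above, plus a summary that counts how many fresh outbound TCP connections each destination keeps receiving. The parser is written against whatever `#Fields:` header the log declares, so it goes slightly beyond this log and also handles exports with a different column set; the sample records are constructed in the same layout as the thread's log.

```python
"""Summarise outbound connection churn in a Windows Firewall (pfirewall.log) export.
Added example, not code from the thread or from Microsoft; the parser reads whatever
'#Fields:' header the log declares, so it also handles exports with other column sets."""
from collections import Counter
from datetime import datetime

# Constructed sample in the same 17-column layout as the thread's log.
SAMPLE_LOG = """\
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-11-11 21:58:59 OPEN TCP 192.168.1.100 85.17.99.233 2524 80 - - - - - - - - -
2007-11-11 21:59:00 OPEN TCP 192.168.1.100 85.17.99.232 2525 80 - - - - - - - - -
2007-11-11 21:59:00 CLOSE TCP 192.168.1.100 85.17.99.232 2523 80 - - - - - - - - -
2007-11-11 21:59:02 OPEN TCP 192.168.1.100 85.17.99.233 2528 80 - - - - - - - - -
2007-11-11 21:59:03 DROP UDP 192.168.1.1 239.255.255.250 1900 1900 280 - - - - - - - RECEIVE
2007-11-11 21:59:04 OPEN TCP 192.168.1.100 85.17.99.232 2531 80 - - - - - - - - -
"""

def parse_pfirewall(text):
    """Yield one dict per record, keyed by the column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):            # W3C-style directive lines
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data record before #Fields header")
        values = line.split()
        values += ["-"] * (len(fields) - len(values))   # tolerate short rows
        yield dict(zip(fields, values))

def outbound_open_summary(text, local_ip):
    """Map (dst-ip, dst-port) -> (number of new outbound TCP OPENs, seconds first..last).
    Destinations that keep collecting fresh OPENs every second or two are the thread's
    'repeats itself forever' pattern; those are the ports to map to a process next."""
    counts, first, last = Counter(), {}, {}
    for rec in parse_pfirewall(text):
        if (rec["action"], rec["protocol"], rec["src-ip"]) != ("OPEN", "TCP", local_ip):
            continue
        key = (rec["dst-ip"], int(rec["dst-port"]))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        counts[key] += 1
        first.setdefault(key, ts)
        last[key] = ts
    return {k: (n, (last[k] - first[k]).total_seconds()) for k, n in counts.items()}
```

Run it against a real pfirewall.log by passing the file contents and the PC's own address; the hosts at the top of the summary are the ones to match against a process-to-port listing.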
 
John John

> Here is the traffic log from the firewall. It repeats itself forever...
>
> #Version: 1.5
> #Software: Microsoft Windows Firewall
> #Time Format: Local
> #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
>
> 2007-11-11 21:58:59 CLOSE TCP 192.168.1.100 85.17.99.232 2514 80 - - - - - - - - -
> 2007-11-11 21:58:59 OPEN TCP 192.168.1.100 85.17.99.233 2524 80 - - -

85.17.99.233 is a file sharing web site; just punch (copy) the IP
address into your web browser and hit enter and you will see what the web
site is. I'm not sure that you are actually connecting there, but based
on your log it appears to be where the traffic is going. Printer
software (like HP's) sometimes automatically installs photo sharing
software, and it could be that 85.17.99.233 is a selected file/photo
sharing site.

Being that someone at Microsoft decided that egress filtering/monitoring
was a stupid thing for a firewall to do, you will have to try another
method to figure out what is going on:

Availability and description of the Port Reporter tool
http://support.microsoft.com/?id=837243

John
 
PA Bear

> BTW, I have done extensive cleanup using various anti-virus and anti-
> spyware software...

Post a link to your forum thread where you've posted your HijackThis log.