winlogon.exe attempting to access photobucket.com

  • Thread starter Thread starter Bill Faulk
  • Start date Start date
B

Bill Faulk

My software firewall program log (zonealarm pro) is full of entries of
winlogon.exe attempting to create outgoing connections to photobucket.com.
The destination IP address changes as does the port. The connections are
blocked. The affected system is running Windows XP Home. The versions of AVG
and Zonealarm are current and all windows patches are current.

I ran a full system scan for virus' with AVG Anti-Virus and Spyware with
Zonealarm Pro and found nothing. I've always been careful and never had any
of my systems infected with either a virus or spyware. I don't use
photobucket myself but I've read ebay pages, livejournals, etc. that use it
of course. I checked with msconfig.exe and there isn't any startup program
or service I don't recognize. I haven't been without Zonealarm or AVG at
all.

Sometimes the port is the DNS port 53, i.e. 38.116.160.66:53 or
38.99.224.5:53, and sometimes it is port 80, i.e. 64.92.212.66:80 or
38.116.160.66:80 or 4.71.40.66:80, etc.

I used Agent Ransack to search for any instances of photobucket.com in any
file and found nothing other than my logs. Of course, there's probably an ip
address somewhere.

Before Jan 30th the addresses were akamai. On Jan 30 I had winlogon.exe
attempting hundreds of times to connect to addresses on akamai.net that had
the same class B as my ip address (the first two numbers in the ip address
match my own and are part of my ISP's assigned network block). Nothing
happened again until starting on Feb 7th when all of the addresses were
photobucket.com. Now it happens a couple of times a day, all to photobucket.

Does anyone have any idea what could be causing winlogon.exe to try to open
an outgoing connection to access photobucket.com?

Thanks!
PS: Please reply to the group rather than email (which won't work)
 
From: "Bill Faulk" <[email protected]>

| My software firewall program log (zonealarm pro) is full of entries of
| winlogon.exe attempting to create outgoing connections to photobucket.com.
| The destination IP address changes as does the port. The connections are
| blocked. The affected system is running Windows XP Home. The versions of AVG
| and Zonealarm are current and all windows patches are current.
|
| I ran a full system scan for virus' with AVG Anti-Virus and Spyware with
| Zonealarm Pro and found nothing. I've always been careful and never had any
| of my systems infected with either a virus or spyware. I don't use
| photobucket myself but I've read ebay pages, livejournals, etc. that use it
| of course. I checked with msconfig.exe and there isn't any startup program
| or service I don't recognize. I haven't been without Zonealarm or AVG at
| all.
|
| Sometimes the port is the DNS port 53, i.e. 38.116.160.66:53 or
| 38.99.224.5:53, and sometimes it is port 80, i.e. 64.92.212.66:80 or
| 38.116.160.66:80 or 4.71.40.66:80, etc.
|
| I used Agent Ransack to search for any instances of photobucket.com in any
| file and found nothing other than my logs. Of course, there's probably an ip
| address somewhere.
|
| Before Jan 30th the addresses were akamai. On Jan 30 I had winlogon.exe
| attempting hundreds of times to connect to addresses on akamai.net that had
| the same class B as my ip address (the first two numbers in the ip address
| match my own and are part of my ISP's assigned network block). Nothing
| happened again until starting on Feb 7th when all of the addresses were
| photobucket.com. Now it happens a couple of times a day, all to photobucket.
|
| Does anyone have any idea what could be causing winlogon.exe to try to open
| an outgoing connection to access photobucket.com?
|
| Thanks!
| PS: Please reply to the group rather than email (which won't work)
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Dave, no virus was found running all of the tests included in
MULTI_AV.EXE running in safe mode.
Click to expand...
Go through the malware removal steps listed at the link below. Obviously
you can skip the virus scanning since you've already done it. If
Ad-aware, Spybot, and Ewido show nothing (and please do the preparatory
work first unless you already did it before running Multi-AV), then run
HijackThis and post your log to one of the forums, links for which you
will also find at the site below. Please do not post the log here. In
addition to the main HJT scan, click on the Misc. Tools and create the
Startup list. You can post the Startup list here if you like, or offer
it to the experts at whatever HJT forum you choose.

http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke
 
Malke said:
Go through the malware removal steps listed at the link below. Obviously
you can skip the virus scanning since you've already done it. If
Ad-aware, Spybot, and Ewido show nothing (and please do the preparatory
work first unless you already did it before running Multi-AV), then run
HijackThis and post your log to one of the forums, links for which you
will also find at the site below. Please do not post the log here. In
addition to the main HJT scan, click on the Misc. Tools and create the
Startup list. You can post the Startup list here if you like, or offer
it to the experts at whatever HJT forum you choose.

http://www.elephantboycomputers.com/page2.html#Removing_Malware

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
Click to expand...

The various spyware scans found nothing but some tracking cookies. I'll try
HijackThis tonight.

I'm wondering if somehow the name servers I'm using at my ISP are resolving
to the right addresses in some cases or if this is coming from their routing
tables somehow. I don't know of any reason for attempting DNS connections to
various photobucket.com addresses when I haven't actually done anything yet
but log on to windows. There aren't any problems popping up on my system.
I'll change the DNS to my "mobile" dns and see if the attempts stop. If that
doesn't work I'll put nmap on the network to see what it's actually trying
to do. Thanks for the advice, I'll keep looking.

Bill
 
The problem is that you've some dll injected into your winlogon process.
That can be done using dll-injecting or as winlogon notification packages.
If it's winlogon notification package then you can remove it from system.
google for Winlogon Notification Packages. you need to delete some registry
entry and reboot OS and that's all.
 
Vladimir,

Thanks for the information. I checked the winlogon entries and they are just
the standard that I have on all of my Windows XP systems.
AtiExtEvent (for ATI
drivers),crypt32chain,cryptnet,cscdll,ScCertProp,Schedule,sclgntfy,SensLogn,termsrv,
and wlballoon.

Bill Faulk
 
Then some dll might be injected into winlogon.exe using "unofficial" way -
(DLL injection). Take Far (http://farmanager.com/) - open winlogon.exe and
list all dlls that are loaded into process.
 
Back
Top