
Thread: Winlogon.exe attempts to connect Doubleclick (but blocked)

  1. #1
    ems Guest

    Winlogon.exe attempts to connect Doubleclick (but blocked)

    Hi,

    After visiting "TheEconomist" web site, I began to get dozens of messages from ZASS about Winlogon.exe trying to perform outgoing connections to different IPs belonging to several Doubleclick sites in the UK. I identified the sites and put them in the blocked zone of the firewall and stopped the connections themselves, but the thing keeps trying the connections using Winlogon.exe.

    As far as I know, the purpose of Winlogon.exe is not that of being a channel for others' outgoing connections. My system seems to be clean; I even ran a rootkit finder. No significant alert from the ZASS OSFirewall or ProcessGuard (which I keep running together without any apparent conflict and which are supposed to be blocking any suspicious interference with the kernel and main processes). In other words, no DLL injections, rootkits or similar nasty things in my system.

    I keep the registry clean with RegCure and there is nothing suspicious in it.

    What could be going on?

    ems

    Operating System: Windows XP Pro x64
    Software Version: 7.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Winlogon.exe attempts to connect Doubleclick (but blocked)

    Actually winlogon.exe is the first process involved in not just getting the windows booted, but also seen as one of the first applications to initiate an outgoing connection.

    So are the explorer.exe, services.exe, rundll32.exe, userinit.exe and the svchost.exe.
    And quite a few others.

    All involved in the outgoing connections before even the browser/email client is considered.

    The ZA is just showing what it is seeing and recording it.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    ems Guest

    Re: Winlogon.exe attempts to connect Doubleclick (but blocked)

    Hi Oldsod,

    The thing keeps trying to call home, but is blocked by ZASS. It is Doubleclick and all its infernal relatives (there are some of them, behind different disguises). But something hidden is triggering their connection attempts. As far as I know, there are no persistent cookies, spyware or rootkits in my system (maybe a hook, though PG should have stopped its installation). I ran the netstat -b 5 command and did not notice anything suspicious, except, sometimes, Firefox, but some attempts come about even without any (apparent) parent process (no active browser or other regular application running).

    ems
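The per-process check described in the post above (reading `netstat -b` output to see which executable owns each outgoing connection) can be scripted. This is an added example, not code from the thread: it assumes numeric output (`netstat -b -n`), runs on a constructed sample, and its function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample shaped like `netstat -b -n` on Windows XP (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1045      203.0.113.10:80        SYN_SENT        620
  [winlogon.exe]
  TCP    127.0.0.1:1031         127.0.0.1:1032         ESTABLISHED     1888
  [firefox.exe]
  TCP    192.168.1.20:1050      198.51.100.7:443       ESTABLISHED     1888
  C:\\Program Files\\Mozilla Firefox\\nspr4.dll
  [firefox.exe]
  TCP    192.168.1.20:1051      192.168.1.1:53         TIME_WAIT       0
  Can not obtain ownership information
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")
LOCAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_netstat_b(text):
    """Return one dict per connection, with its owning executable or None."""
    conns, current = [], None
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            current = {"remote": m[4], "rport": m[5], "state": m[6], "owner": None}
            conns.append(current)
        elif current is not None and (o := OWNER.match(line)):
            current["owner"] = o[1].lower()  # the [exe] line closes the record
            current = None
    return conns

def is_external(addr):
    """True for a numeric IP outside loopback/RFC 1918/link-local; names and '*' are False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL)

def external_by_owner(conns, owner):
    """(remote, port, state) for each connection of `owner` that leaves the local network."""
    return [(c["remote"], c["rport"], c["state"]) for c in conns
            if c["owner"] == owner.lower() and is_external(c["remote"])]
```

Records that end in "Can not obtain ownership information" keep `owner` set to `None`, so connections with no visible parent process can be listed separately instead of being dropped.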

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Winlogon.exe attempts to connect Doubleclick (but blocked)

    Doubleclick is a tracker/counter (owned by Google, and Firefox is a Google product. hem hem).
    But Doubleclick itself is not spyware or malware.

    It could be the ZA itself has become corrupted and this may explain the weird events concerning doubleclick.
    Try resetting the ZA database this way:
      • Boot your computer into the Safe Mode
      • Navigate to the c:\windows\internet logs folder
      • Delete the backup.rdb, iamdb.rdb, *.ldb and the tvDebug files in the folder
      • Clean the Recycle Bin
      • Reboot into the normal mode
      • ZA will be just like new with no previous settings or data

    After the reboot into the normal mode, do the Ok's and Yes'es to the alerts and then do this:

    Make sure your DNS and DHCP server IP's are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc

    1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
    2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s) .
    3. Click OK and Apply. Then do the same for the DHCP server.
    4. The localhost (127.0.0.1) must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access.

    If it is the ZA at fault, then this advice should correct the ZA.
    Let us see what happens next and if the doubleclick events still persist.

    Oldsod.
    Best regards.
    oldsod

  5. #5
    ems Guest

    Re: Winlogon.exe attempts to connect Doubleclick (but blocked)

    Oldsod,

    Homework done and it seems you were right one more time. No outgoing connection to Doubleclick up to now, after cleaning the corrupted ZADB. Let us see what happens within a few days.

    On the other hand, about Firefox, would it be safer if I use IE instead?

    ems

  6. #6
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Winlogon.exe attempts to connect Doubleclick (but blocked)

    Ok. Things are back to normal again for the ZA.

    Firefox vs IE.

    It is almost impossible to evade the counters and trackers of a search and the search results.
    Only possible method is to type in the correct address or url in the address bar and hit "Enter".
    And always retain your browser's history for those "go backs to previous sites" instead of creating another new search.

    Any other way will always have some counter/tracker somewhere whether it is added in the actual url of the browser search, or in the search results or in the then going to the site from the search result.
    ( I have removed the opera reference in the searches of the Opera, to get some additional privacy. Along with removing unwanted searches and adding my own personal search engines in the Opera. )

    See these official statements:

    http://www.mozilla.com/en-US/legal/p...irefox-en.html

    http://www.microsoft.com/windows/ie/...privacy_7.mspx

    also what ms states about their sites (applies to most other web sites as well, plus often more)

    http://www.microsoft.com/info/privacy/fullnotice.mspx

    Google Privacy policy:

    http://www.google.com/privacypolicy.html

    Google privacy center:

    http://www.google.com/privacy.html

    Gives you some details and explanations.

    Oldsod.
    Best regards.
    oldsod

  7. #7
    ems Guest

    Re: Winlogon.exe attempts to connect Doubleclick (but blocked)

    Oldsod,

    Adding my own personal search engines in the browser is far beyond my skills. But the rest of your advice is going to be pretty useful.

    I will be back when necessary.

    Many thanks and have a nice weekend.

    ems.

  8. #8
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Winlogon.exe attempts to connect Doubleclick (but blocked)


    ems wrote:
    > Oldsod,
    >
    > Adding my own personal search engines in the browser is far beyond my skills. But the rest of your advice is going to be pretty useful.
    >
    > I will be back when necessary.
    >
    > Many thanks and have a nice weekend.
    >
    > ems.


    Thank You.
    I had a great long weekend!
    I hope you had the same.
    Best regards.
    Oldsod.
    Best regards.
    oldsod
