Today, when I came back home and logged myself into Windows, I got the following message:
“Avast has detected a secure connection from your mail program (process winlogon.exe) to the NNTP server 178.63.26.199 (178.63.26.199). This type of connection cannot be checked for viruses. Please Disable SSL/TSL in your mail client so that the mail scanner can scan your mail. The mail scanner will provide the SSL/TSL security itself.”
I never got such a message before and have no idea why winlogon.exe would contact a web server, let alone this one, which is completely unfamiliar to me. I also don’t understand the usage of News Protocol NNTP. All in all, I wonder if this could be a virus. I did a boot time scan of all hard drives and Avast didn’t find anything.
Some background info: A couple of days ago I downloaded a file that I assumed might contain a virus. I scanned it with Avast and nothing was found. When I started it, the computer was hanging for a short moment and then the file vanished, just like that. I thought that Avast might have deleted it, but there is no evidence of that in the Avast logs. I don’t know if this might relate somehow to the winlogon-178.63.26.199-issue, but I thought it might be relevant.
Does anybody know what the winlogon-issue could mean and what I should do, if anything?
Liveipmap seems to have this on its blacklist as 'This IP address has been detected as open or anonymous proxy.' No idea what that really implies though.
Hi Pontus, I don’t understand your answer. The first thing I did was whois but came up with nothing meaningful. And I didn’t ask what winlogon does - I already know that - but rather, why would it need to connect with a website. This behavior seems very strange to me.
- Select All Users
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
Update: MalwareBytes just found “Trojan.Agent.BRGen2” that wasn’t there before… Seems to me, this could be the infection? Is there any particular reason why Avast didn’t find it?
Ok, I’m running the program now. How do I send it to you guys confidentially? I mean, I probably shouldn’t expose it all right here with so much information about my computer…