"Avast has detected a secure connection"?

Hi all,

Today, when I came back home and logged myself into Windows, I got the following message:

“Avast has detected a secure connection from your mail program (process winlogon.exe) to the NNTP server 178.63.26.199 (178.63.26.199). This type of connection cannot be checked for viruses. Please Disable SSL/TSL in your mail client so that the mail scanner can scan your mail. The mail scanner will provide the SSL/TSL security itself.”

I never got such a message before and have no idea why winlogon.exe would contact a web server, let alone this one, which is completely unfamiliar to me. I also don’t understand the use of the News Protocol NNTP. All in all, I wonder if this could be a virus. I did a boot time scan of all hard drives and Avast didn’t find anything.

Some background info: A couple of days ago I downloaded a file that I assumed might contain a virus. I scanned it with Avast and nothing was found. When I started it, the computer was hanging for a short moment and then the file vanished, just like that. I thought that Avast might have deleted it, but there is no evidence of that in the Avast logs. I don’t know if this might relate somehow to the winlogon-178.63.26.199-issue, but I thought it might be relevant.

Does anybody know what the winlogon-issue could mean and what I should do, if anything?

do your mail accounts use SSL / TLS?
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=842

IP whois http://www.ip-adress.com/ip_tracer/178.63.26.199

NNTP http://en.wikipedia.org/wiki/Network_News_Transfer_Protocol

winlogon.exe http://www.processlibrary.com/directory/files/winlogon/24783/#.UDz3l-zTDZI

Liveipmap seems to have this on its blacklist as 'This IP address has been detected as open or anonymous proxy.' No idea what that really implies though.

Hi Pontus, I don’t understand your answer. The first thing I did was whois but came up with nothing meaningful. And I didn’t ask what winlogon does - I already know that - but rather, why would it need to connect with a website. This behavior seems very strange to me.

Let's have a look-see

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

- Select All Users
- Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs

Update: MalwareBytes just found “Trojan.Agent.BRGen2” that wasn’t there before… Seems to me, this could be the infection? Is there any particular reason why Avast didn’t find it?

Is there any particular reason why Avast didn't find it?
no security program has 100% detection

could you post the MBAM log and OTL?

Is this worthwhile after MalwareBytes removed the virus? + not sure what MBAM means

MBAM is short for MalwareBytes Anti-Malware.
You’ll find the log from the GUI. :slight_smile:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.28.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
xxx :: yyy [administrator]

28.08.2012 20:34:36
mbam-log-2012-08-28 (20-34-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217780
Time elapsed: 20 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{58F603F9-9F9B-5CDA-C413-413996E87F92} (Trojan.Agent.BRGen2) → Data: C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe (Trojan.Agent.BRGen2) → Quarantined and deleted successfully.

(end)
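The MBAM log above is easy to read by eye, but a responder usually wants the detections pulled out in a structured way, and in particular any autostart entry (a `Run` value) whose data points at the dropped executable, since that is the path to re-check after cleanup. The parser below is an added example written for this thread, not a Malwarebytes tool; the sample text is the log excerpt posted above (user name masked as xxx by the poster), and the hypothetical `persistence_executables` helper is this example's own naming.

```python
import re

# Excerpt of the MBAM log posted earlier in this thread (user name masked as xxx by the poster).
# MBAM writes "->" between fields; the forum rendered it as an arrow, so both forms are accepted.
SAMPLE_LOG = r"""Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{58F603F9-9F9B-5CDA-C413-413996E87F92} (Trojan.Agent.BRGen2) -> Data: C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe -> Quarantined and deleted successfully.

Files Detected: 1
C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe (Trojan.Agent.BRGen2) -> Quarantined and deleted successfully.

(end)
"""

# "Registry Values Detected: 1" style section headers.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# One detection line: object (threat) [-> Data: value] -> action.
ITEM_RE = re.compile(
    r"^(?P<object>.+?) \((?P<threat>[^()]+)\)"
    r"(?: (?:->|→) Data: (?P<data>.+?))?"
    r" (?:->|→) (?P<action>.+?)\.?$"
)

def parse_mbam_log(text: str) -> dict:
    """Return per-section detection counts and every detected item with its fields."""
    counts, items, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            counts[section] = int(m.group("count"))
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return {"counts": counts, "items": items}

def persistence_executables(parsed: dict) -> list:
    """Executables launched from a Run key: the autostart paths to verify are gone after cleanup."""
    out = []
    for it in parsed["items"]:
        key = it["object"].split("|")[0]  # registry path before the value name
        if "\\CurrentVersion\\Run" in key and it.get("data"):
            out.append(it["data"])
    return out

if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print(result["counts"], persistence_executables(result))
```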

essexboy will see from the OTL.txt log if all is removed or if there is more :wink:

does the infected computer have to be connected to the internet for OTL to work?

nope… it just produces a diagnostic log OTL.txt and an Extras.txt that is just some extra tech info

OTL.txt is the important one that essexboy needs… if you search the virus and worms section you will see it in use in almost every topic there

anyway essexboy is logged out now, but will be back tomorrow and review it :wink:

Ok, I’m running the program now. How do I send it to you guys confidentially? I mean, I probably shouldn’t expose it all right here with so much information about my computer…

you can mail it to Essexboy… i will PM the address to you in a minute …see my messages at forum top

you may include a link to this topic in case he wonders where it came from

Done and sent - Thank you both.

Both H and I look good with no sign of malware

Thank you very much, Essexboy!