Hijacked? Connection Timeout?

I keep getting errors with Avast. They say the following:

Internet Connection timeout elapsed. Continue waiting?
(winlogon.exe → rx2.robinhoodsoftware.com:25)

It has also been winlogon.exe → otherstuffhere

I am running Internet Mail V 4.6-731. I also notice that it has scanned 482 emails in the last 32 minutes. I haven’t sent any emails, nor do I have any email software open right now.

I assume this isn’t good.

Will the suggestions here help?
http://forum.avast.com/index.php?topic=17424.0;topicseen

You should increase both avast and your email account timeouts.

As I look at it more, the connection timeout is just occurring because I think I have been hijacked. I am fairly sure of this because I cranked the Internet Mail up to high and asked it to display details.

It has now scanned 1000 emails in the last 1 hour 10 minutes. I am watching it scan emails to a slowly increasing alphabetical list of email addresses I have never heard of.

Unfortunately I don’t know how to stop this from happening.

I am fairly sure that your system has been infected, since I doubt that you want winlogon.exe to be sending out 1000 emails.

I think you should forget about extending the timeout and look at using a malware removal tool.

There is a free one available from Microsoft, and ewido comes to mind as another free scanning tool others have recommended here.

Are you using a firewall?

Why don’t you scan your system at boot time with avast?
Why don’t you install and run ewido, an antispyware and antitrojan (http://www.ewido.net/en/)?
Do you use a firewall? Which one?

You can configure the Heuristic tab of settings in the Internet Mail provider and try to stop sending those emails…

alanrf is correct: this file, even if it were legitimate, shouldn’t be accessing the internet or using email ports.

“(winlogon.exe → rx2.robinhoodsoftware.com:25)”

Because it is trying to use the SMTP port, avast’s email scanner is intercepting it, and it is likely that it isn’t using standard email protocols; this could cause the timeout, as avast doesn’t recognise the protocol being used as an email protocol.

The other thing that confuses me is, if it is trying to send out mass emails, why the Heuristic mass mailing check isn’t kicking in and raising a warning well before the timeout warning, unless of course you have tweaked it or disabled this Heuristic checking, as this is a default setting I think?

I have exactly the same problem as razmus.

Avast, ewido and trojanhunter are not detecting anything, basically because it is winlogon.exe using port 25 (both seem to be normal for the antivirus/antitrojan).

Funny thing is, winlogon.exe seems not to be tampered with (timestamp and file size are as they should be).

What to do???

Razmus & neuro475:

I would encourage both of you to ask for help on the forum of your antiSPYWARE provider.

If you have Ad-Aware: www.landzdown.com
If you have Spybot: http://forums.spybot.info

Got the same problem, it is some malware… However when I kill a kernel32.dll thread (using sysinternals Process Explorer) (the one containing references to socket dlls) of winlogon.exe the problem stops.

Basically the program connects to a server, active.emptyskull.net (64.71.177.36), and retrieves:

  • list of mail-servers
  • list of firstnames
  • list of lastnames
  • list of domains
  • list of words

Then it combines this into a mass mailing system, simply to try and determine whether a mail-address is valid on the specific server.
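A defensive check for the symptom reported in this thread, a non-mail process such as winlogon.exe opening connections to port 25, added here as an example and not part of any post. It parses lines in the `process → host:port` form shown in the avast dialog; the allow-list of mail clients and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: programs on this machine that are expected to speak SMTP.
MAIL_CLIENTS = {"outlook.exe", "msimn.exe", "thunderbird.exe"}
SMTP_PORTS = {25}

# Matches the "process → host:port" form shown in the timeout dialog
# (ASCII "->" is accepted as well).
CONN_RE = re.compile(
    r"(?P<proc>[\w.\-]+)\s*(?:→|->)\s*(?P<host>[\w.\-]+):(?P<port>\d+)"
)

# Constructed sample lines, not captured from a real system.
SAMPLE_LOG = """\
10:00:01 winlogon.exe → mx1.example.net:25
10:00:02 winlogon.exe → mail.example.org:25
10:00:02 msimn.exe → smtp.isp.example:25
10:00:03 iexplore.exe → www.example.com:80
10:00:04 winlogon.exe → mx2.example.net:25
"""


def smtp_by_process(log_text):
    """Return {process: set of SMTP hosts contacted} parsed from log lines."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and int(m["port"]) in SMTP_PORTS:
            seen[m["proc"].lower()].add(m["host"].lower())
    return seen


def suspicious_senders(log_text, allowed=MAIL_CLIENTS):
    """Processes that opened SMTP connections but are not known mail clients."""
    return {
        proc: sorted(hosts)
        for proc, hosts in smtp_by_process(log_text).items()
        if proc not in allowed
    }


if __name__ == "__main__":
    for proc, hosts in suspicious_senders(SAMPLE_LOG).items():
        print(f"{proc}: SMTP to {len(hosts)} hosts: {', '.join(hosts)}")
```

A system process showing up in this output is a reason to investigate the machine, not proof by itself; the same rule is better enforced as an outbound firewall policy that only lets the real mail client reach port 25.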

And how can this problem be solved permanently?

Check that the time on your computers is set correctly.

Why is that? It is set correctly.

This problem is also happening to me. Is there any way to permanently stop it?

Yes, get clean. Scan with avast, Spybot, Ad-aware, Ewido, a-squared…
After that, you can increase your timeouts as posted before.

In order to run it has to have a run command in registry also, so it leaves tracks.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Thanks Tech, I ran all those and it was still there. But then I ran them in safe mode and it has now disappeared.