Avast WEBforum

Topic started by: Berliner78 on August 28, 2012, 06:40:27 PM

Title: "Avast has detected a secure connection"?
Post by: Berliner78 on August 28, 2012, 06:40:27 PM
Hi all,

Today, when I came back home and logged myself into Windows, I got the following message:

"Avast has detected a secure connection from your mail program (process winlogon.exe) to the NNTP server 178.63.26.199 (178.63.26.199). This type of connection cannot be checked for viruses. Please Disable SSL/TSL in your mail client so that the mail scanner can scan your mail. The mail scanner will provide the SSL/TSL security itself."

I never got such a message before and have no idea why winlogon.exe would contact a web server, let alone this one, which is completely unfamiliar to me. I also don't understand the usage of News Protocol NNTP. All in all, I wonder if this could be a virus. I did a boot time scan of all hard drives and Avast didn't find anything.

Some background info: A couple of days ago I downloaded a file that I assumed might contain a virus. I scanned it with Avast and nothing was found. When I started it, the computer was hanging for a short moment and then the file vanished, just like that. I thought that Avast might have deleted it, but there is no evidence of that in the Avast logs. I don't know if this might relate somehow to the winlogon-178.63.26.199-issue, but I thought it might be relevant.

Does anybody know what the winlogon-issue could mean and what I should do, if anything?
Title: Re: "Avast has detected a secure connection"?
Post by: Pondus on August 28, 2012, 06:52:23 PM
Do your mail accounts use SSL / TLS?
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=842



IP who is  http://www.ip-adress.com/ip_tracer/178.63.26.199

NNTP  http://en.wikipedia.org/wiki/Network_News_Transfer_Protocol

winlogon.exe  http://www.processlibrary.com/directory/files/winlogon/24783/#.UDz3l-zTDZI
Title: Re: "Avast has detected a secure connection"?
Post by: MAG on August 28, 2012, 06:55:14 PM
Liveipmap seems to have this on its blacklist as 'This IP address has been detected as open or anonymous proxy.' No idea what that really implies though.
Title: Re: "Avast has detected a secure connection"?
Post by: Berliner78 on August 28, 2012, 08:04:44 PM
Do your mail accounts use SSL / TLS?
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=842



IP who is  http://www.ip-adress.com/ip_tracer/178.63.26.199

NNTP  http://en.wikipedia.org/wiki/Network_News_Transfer_Protocol

winlogon.exe  http://www.processlibrary.com/directory/files/winlogon/24783/#.UDz3l-zTDZI

Hi Pondus, I don't understand your answer. The first thing I did was whois but came up with nothing meaningful. And I didn't ask what winlogon does - I already know that - but rather, why would it need to connect with a website. This behavior seems very strange to me.
Title: Re: "Avast has detected a secure connection"?
Post by: essexboy on August 28, 2012, 08:52:40 PM
Let's have a look see

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT

Title: Re: "Avast has detected a secure connection"?
Post by: Berliner78 on August 28, 2012, 09:01:40 PM
Update: MalwareBytes just found "Trojan.Agent.BRGen2" that wasn't there before... Seems to me, this could be the infection? Is there any particular reason why Avast didn't find it?
Title: Re: "Avast has detected a secure connection"?
Post by: Pondus on August 28, 2012, 10:00:47 PM
Quote
Is there any particular reason why Avast didn't find it?
No security program has 100% detection

could you post MBAM log and OTL
Title: Re: "Avast has detected a secure connection"?
Post by: Berliner78 on August 28, 2012, 11:46:07 PM
Quote
Is there any particular reason why Avast didn't find it?
No security program has 100% detection

could you post MBAM log and OTL

Is this worthwhile after MalwareBytes removed the virus? + not sure what MBAM means
Title: Re: "Avast has detected a secure connection"?
Post by: schmidthouse on August 28, 2012, 11:59:32 PM
Quote
Is there any particular reason why Avast didn't find it?
No security program has 100% detection

could you post MBAM log and OTL

Is this worthwhile after MalwareBytes removed the virus? + not sure what MBAM means

MBAM is short for MalwareBytes Anti-Malware.
You'll find the log from the GUI. :)
Title: Re: "Avast has detected a secure connection"?
Post by: Berliner78 on August 29, 2012, 12:17:31 AM
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.28.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
xxx :: yyy [administrator]

28.08.2012 20:34:36
mbam-log-2012-08-28 (20-34-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217780
Time elapsed: 20 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{58F603F9-9F9B-5CDA-C413-413996E87F92} (Trojan.Agent.BRGen2) -> Data: C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe (Trojan.Agent.BRGen2) -> Quarantined and deleted successfully.

(end)
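
Added example, not part of the original post and not Malwarebytes' own tooling: Python that parses detection lines in the log format shown above and flags Run-key values that start an executable from a user-writable AppData folder, which is the persistence entry this log reports. The function names are hypothetical, and the patterns are fitted only to the MBAM 1.62 lines visible in this thread.

```python
import re

# Two detection lines copied from the log above (user name already redacted as "xxx").
SAMPLE_LOG = r"""
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{58F603F9-9F9B-5CDA-C413-413996E87F92} (Trojan.Agent.BRGen2) -> Data: C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe -> Quarantined and deleted successfully.

Files Detected: 1
C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe (Trojan.Agent.BRGen2) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
DETECTION = re.compile(r"^(?P<object>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\|", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION.match(line)
        if not m or section is None:
            continue  # header lines, "(No malicious items detected)", "(end)"
        parts = m.group("rest").split(" -> ")
        data = next((p[len("Data: "):] for p in parts if p.startswith("Data: ")), None)
        findings.append({"section": section, "object": m.group("object"),
                         "threat": m.group("threat"), "data": data,
                         "action": parts[-1].rstrip(".")})
    return findings

def autorun_from_user_profile(findings):
    """Run/RunOnce values whose target lives in a user-writable AppData folder."""
    return [f for f in findings
            if RUN_KEY.search(f["object"]) and f["data"]
            and USER_WRITABLE.search(f["data"])]

def cleanup_targets(findings):
    """Paths to re-check after cleanup: autorun targets plus detected files."""
    paths = {f["data"] for f in findings if f["data"]}
    paths |= {f["object"] for f in findings if f["section"] == "Files"}
    return sorted(paths)
```

The registry value and the file detection resolve to the same path, so `cleanup_targets` returns a single entry to verify on disk after quarantine.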
Title: Re: "Avast has detected a secure connection"?
Post by: Pondus on August 29, 2012, 12:25:32 AM
essexboy will see from the OTL.txt log if all is removed or if there is more  ;)
Title: Re: "Avast has detected a secure connection"?
Post by: Berliner78 on August 29, 2012, 12:57:12 AM
Does the infected computer have to be connected to the internet for OTL to work?
Title: Re: "Avast has detected a secure connection"?
Post by: Pondus on August 29, 2012, 01:01:31 AM
nope....it just produces a diagnostic log OTL.txt and an extra.txt that is just some extra tech info

OTL.txt is the important one that essexboy needs ......if you search the virus and worms section you will see it in use in almost every topic there

anyway essexboy is logged out now, but will be back tomorrow and review it   ;)
Title: Re: "Avast has detected a secure connection"?
Post by: Berliner78 on August 29, 2012, 01:38:28 AM
Ok, I'm running the program now. How do I send it to you guys confidentially? I mean, I probably shouldn't expose it all right here with so much information about my computer...
Title: Re: "Avast has detected a secure connection"?
Post by: Pondus on August 29, 2012, 01:42:28 AM
you can mail it to Essexboy..... I will PM the address to you in a minute ....see my messages at forum top

you may include a link to this topic in case he wonders where it came from
Title: Re: "Avast has detected a secure connection"?
Post by: Berliner78 on August 29, 2012, 02:07:44 AM
Done and sent - Thank you both.
Title: Re: "Avast has detected a secure connection"?
Post by: essexboy on August 29, 2012, 03:35:53 PM
Both H and I look good with no sign of malware
Title: Re: "Avast has detected a secure connection"?
Post by: Berliner78 on August 29, 2012, 07:55:29 PM
Thank you very much, Essexboy!