Author Topic: "Avast has detected a secure connection"?  (Read 8640 times)

Offline Berliner78

  • Newbie
  • *
  • Posts: 11
"Avast has detected a secure connection"?
« on: August 28, 2012, 06:40:27 PM »
Hi all,

Today, when I came back home and logged myself into Windows, I got the following message:

"Avast has detected a secure connection from your mail program (process winlogon.exe) to the NNTP server 178.63.26.199 (178.63.26.199). This type of connection cannot be checked for viruses. Please Disable SSL/TSL in your mail client so that the mail scanner can scan your mail. The mail scanner will provide the SSL/TSL security itself."

I never got such a message before and have no idea why winlogon.exe would contact a web server, let alone this one, which is completely unfamiliar to me. I also don't understand the usage of News Protocol NNTP. All in all, I wonder if this could be a virus. I did a boot time scan of all hard drives and Avast didn't find anything.

Some background info: A couple of days ago I downloaded a file that I assumed might contain a virus. I scanned it with Avast and nothing was found. When I started it, the computer was hanging for a short moment and then the file vanished, just like that. I thought that Avast might have deleted it, but there is no evidence of that in the Avast logs. I don't know if this might relate somehow to the winlogon-178.63.26.199-issue, but I thought it might be relevant.

Does anybody know what the winlogon-issue could mean and what I should do, if anything?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36993
« Last Edit: August 28, 2012, 07:07:18 PM by Pondus »

Offline mag

  • Advanced Poster
  • **
  • Posts: 740
Re: "Avast has detected a secure connection"?
« Reply #2 on: August 28, 2012, 06:55:14 PM »
Liveipmap seems to have this on its blacklist as 'This IP address has been detected as open or anonymous proxy.' No idea what that really implies though.
« Last Edit: August 28, 2012, 07:01:19 PM by mag »

Offline Berliner78

  • Newbie
  • *
  • Posts: 11
Re: "Avast has detected a secure connection"?
« Reply #3 on: August 28, 2012, 08:04:44 PM »
Quote
do your mail accounts use SSL / TLS?
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=842

IP whois: http://www.ip-adress.com/ip_tracer/178.63.26.199

NNTP: http://en.wikipedia.org/wiki/Network_News_Transfer_Protocol

winlogon.exe: http://www.processlibrary.com/directory/files/winlogon/24783/#.UDz3l-zTDZI

Hi Pondus, I don't understand your answer. The first thing I did was whois but came up with nothing meaningful. And I didn't ask what winlogon does - I already know that - but rather, why would it need to connect with a website. This behavior seems very strange to me.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40627
  • Dragons by Sasha
    • Malware fixes
Re: "Avast has detected a secure connection"?
« Reply #4 on: August 28, 2012, 08:52:40 PM »
Let's have a look see

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

Offline Berliner78

  • Newbie
  • *
  • Posts: 11
Re: "Avast has detected a secure connection"?
« Reply #5 on: August 28, 2012, 09:01:40 PM »
Update: MalwareBytes just found "Trojan.Agent.BRGen2" that wasn't there before... Seems to me, this could be the infection? Is there any particular reason why Avast didn't find it?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36993
Re: "Avast has detected a secure connection"?
« Reply #6 on: August 28, 2012, 10:00:47 PM »
Quote
Is there any particular reason why Avast didn't find it?
no security program has 100% detection

could you post MBAM log and OTL
« Last Edit: August 28, 2012, 10:09:43 PM by Pondus »

Offline Berliner78

  • Newbie
  • *
  • Posts: 11
Re: "Avast has detected a secure connection"?
« Reply #7 on: August 28, 2012, 11:46:07 PM »
Quote
Is there any particular reason why Avast didn't find it?
no security program has 100% detection

could you post MBAM log and OTL

Is this worthwhile after MalwareBytes removed the virus? + not sure what MBAM means

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6789
  • When you think you know, Think Again
Re: "Avast has detected a secure connection"?
« Reply #8 on: August 28, 2012, 11:59:32 PM »
Quote
Is there any particular reason why Avast didn't find it?
no security program has 100% detection

could you post MBAM log and OTL

Is this worthwhile after MalwareBytes removed the virus? + not sure what MBAM means

MBAM is short for MalwareBytes Anti-Malware.
You'll find the log from the GUI. :)

Offline Berliner78

  • Newbie
  • *
  • Posts: 11
Re: "Avast has detected a secure connection"?
« Reply #9 on: August 29, 2012, 12:17:31 AM »
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.28.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
xxx :: yyy [administrator]

28.08.2012 20:34:36
mbam-log-2012-08-28 (20-34-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217780
Time elapsed: 20 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{58F603F9-9F9B-5CDA-C413-413996E87F92} (Trojan.Agent.BRGen2) -> Data: C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe (Trojan.Agent.BRGen2) -> Quarantined and deleted successfully.

(end)
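
Added example, not part of the original thread and not code from Malwarebytes or Avast: a small Python parser for the detection lines of the log posted above. It flags Run-key autostart values whose target lives in a user-writable AppData folder and checks whether the same file was also detected and removed. The function names and the SAMPLE_LOG excerpt (lines copied from the post above) are this example's own.

```python
import re

# Detection lines copied from the MBAM log in the post above, with their section headers.
SAMPLE_LOG = r"""Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|{58F603F9-9F9B-5CDA-C413-413996E87F92} (Trojan.Agent.BRGen2) -> Data: C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe -> Quarantined and deleted successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\xxx\AppData\Roaming\Okuleq\ricur.exe (Trojan.Agent.BRGen2) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ENTRY = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+)$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\|", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)

def parse_detections(log_text):
    """Return one dict per detection line, tagged with its log section."""
    section, found = None, []
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY.match(line)
        if m and section:
            found.append({"section": section, **m.groupdict()})
    return found

def autostart_findings(detections):
    """Flag Run/RunOnce values whose target sits in a user-writable AppData path."""
    files = {d["obj"].lower() for d in detections if d["section"] == "Files"}
    out = []
    for d in detections:
        if d["section"] != "Registry Values" or not RUN_KEY.search(d["obj"]):
            continue
        target = d["data"] or ""
        out.append({
            "value": d["obj"],
            "target": target,
            "user_writable": bool(USER_WRITABLE.search(target)),
            "file_also_detected": target.lower() in files,
            "removed": "deleted successfully" in d["action"].lower(),
        })
    return out
```

A finding with user_writable set but file_also_detected or removed unset would mean the autostart entry or its target may still be present and needs a follow-up check.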

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36993
Re: "Avast has detected a secure connection"?
« Reply #10 on: August 29, 2012, 12:25:32 AM »
essexboy will see from the OTL.txt log if all is removed or if there is more  ;)

Offline Berliner78

  • Newbie
  • *
  • Posts: 11
Re: "Avast has detected a secure connection"?
« Reply #11 on: August 29, 2012, 12:57:12 AM »
does the infected computer have to be connected to the internet for OTL to work?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36993
Re: "Avast has detected a secure connection"?
« Reply #12 on: August 29, 2012, 01:01:31 AM »
nope....it just produces a diagnostic log OTL.txt and an extra.txt that is just some extra tech info

OTL.txt is the important one that essexboy needs ......if you search the virus and worms section you will see it in use in almost every topic there

anyway essexboy is logged out now, but will be back tomorrow and review it ;)

Offline Berliner78

  • Newbie
  • *
  • Posts: 11
Re: "Avast has detected a secure connection"?
« Reply #13 on: August 29, 2012, 01:38:28 AM »
Ok, I'm running the program now. How do I send it to you guys confidentially? I mean, I probably shouldn't expose it all right here with so much information about my computer...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36993
Re: "Avast has detected a secure connection"?
« Reply #14 on: August 29, 2012, 01:42:28 AM »
you can mail it to Essexboy..... I will PM the address to you in a minute ....see my messages at forum top

you may include a link to this topic in case he wonders where it came from