Author Topic: All providers disabled  (Read 4422 times)


wuemura

  • Guest
All providers disabled
« on: July 13, 2009, 01:16:42 AM »
Hello!

I have the Home Avast(4.8.1335) with a valid key, all the providers are disabled, the avast icon on the tray has the red mark on it and all provider options on the menu are disabled (faded).

Hell started to break loose just after I tried to access the BestBuy main site: avast stopped the access, telling me that a virus was found. After that VirtualDub started to act strangely: it crashes with "Access Violation" for no reason; you just need to run VirtualDub and leave it open for a few seconds and it crashes soon after. I already did a full system scan but nothing was found. I deleted the virtualdub folder and downloaded a new virtualdub but the error persists. I also did a full memory test with Memtest86+ and nothing is wrong with my 2Gb DDR2/800Mhz modules.

Code:
2/7/2009 17:26:41 SYSTEM 868 Sign of "JS:Bulered [Trj]" has been found in "http://www.bestbuy.com/\{gzip}" file.
2/7/2009 17:26:43 SYSTEM 868 Sign of "JS:Bulered [Trj]" has been found in "http://www.bestbuy.com/\{gzip}" file.
2/7/2009 17:27:27 SYSTEM 868 Sign of "JS:Bulered [Trj]" has been found in "http://www.bestbuy.com/site/olspage.jsp;jsessionid=CC0263F2661D1AF0E844BD105F5FF3CF.bbolsp-app01-31?_dyncharset=ISO-8859-1&_dynSessConf=6623724748068991433&searchCatId=pcat17071&type=page&st=ps2&sc=Global&goButton.x=0&goButton.y=0&cp=1&nrp=15&sp=&qp=&list=\{gzip}" file.

I only use a limited account on my Windows XP SP3; the administrator account is just used for maintenance like Windows Update.

I don't know how to reactivate the avast providers.

Thanks
« Last Edit: July 13, 2009, 02:41:35 AM by wuemura »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89026
  • No support PMs thanks
Re: All providers disabled
« Reply #1 on: July 13, 2009, 02:31:25 AM »
Have you tried a reboot? That might work if it is a random event.

Have you (or did you have) another AV installed on this system? If so, what was it and how did you get rid of it?
This is a common cause of the red circle with bar over the avast 'a' icon.

Please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

It looks like the bestbuy site may have been hacked as that is usually what causes these alerts, though I couldn't see anything obvious on the page source of the home page. The web shield would have blocked this from getting on to your system (the abort connection drops any detected element being saved to your system) so it isn't unusual not to find anything on a subsequent scan.

I have just visited bestbuy home page using firefox and didn't get any alert. I had a quick rummage round and again no alerts.
I see a session ID in your quoted text, so presumably you logged on or something?
What exactly were you doing at the time of the alert?

I clicked on the Shop Now button and there is a hidden iframe tag at the bottom of the page, see image, which doesn't appear in the page source code, so I don't know if that might be what avast is alerting on, but it isn't doing it for me. This, however, may be down to my using NoScript with Firefox. I also checked it with IE and again no alerts, so I don't really know what is going on with the site.


I don't believe the alerts and the problem with virtualdub are related.
« Last Edit: July 13, 2009, 02:33:18 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
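
The URL-breaking convention requested in the reply above (http to hXXp, www to wXw), applied to detection lines in the format of the log in the first post, as an added example that is not part of the thread and not Avast tooling. The sample lines are constructed (example.test and the session id are placeholders), and dropping the ;jsessionid part and query string before posting is an assumption of this example, made because those parts can carry session tokens.

```python
import re

# Constructed sample in the format of the Web Shield log quoted in the first post;
# example.test and the session id are placeholders, not values from the thread.
SAMPLE_LOG = r'''
2/7/2009 17:26:41 SYSTEM 868 Sign of "JS:Bulered [Trj]" has been found in "http://www.example.test/\{gzip}" file.
2/7/2009 17:26:43 SYSTEM 868 Sign of "JS:Bulered [Trj]" has been found in "http://www.example.test/\{gzip}" file.
2/7/2009 17:27:27 SYSTEM 868 Sign of "JS:Bulered [Trj]" has been found in "http://www.example.test/site/page.jsp;jsessionid=0123456789ABCDEF.app01?st=ps2&cp=1\{gzip}" file.
this line is not a detection record
'''

# "num" is the numeric field after the user name; the thread does not say what it means.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<num>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<target>[^"]+)" file\.\s*$'
)

def sanitize(target):
    """Strip the unpacker suffix, session id and query string, then break the link."""
    url = re.sub(r'\\\{[^}]*\}$', '', target)        # trailing "\{gzip}" marker
    url = url.split('?', 1)[0].split(';', 1)[0]       # query string, ;jsessionid=...
    url = re.sub(r'^http', 'hXXp', url, flags=re.I)   # http -> hXXp, https -> hXXps
    return re.sub(r'(?<=//)www\.', 'wXw.', url, flags=re.I)

def summarize(log_text):
    """Return ({(signature, broken_url): [count, first_ts, last_ts]}, unparsed_lines)."""
    hits, skipped = {}, []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)      # keep unparsed lines visible instead of dropping them
            continue
        key = (m['sig'], sanitize(m['target']))
        entry = hits.setdefault(key, [0, m['ts'], m['ts']])
        entry[0] += 1
        entry[2] = m['ts']
    return hits, skipped

if __name__ == '__main__':
    hits, skipped = summarize(SAMPLE_LOG)
    for (sig, url), (count, first, last) in hits.items():
        print(f'{count}x {sig} {url} first={first} last={last}')
    print(f'{len(skipped)} unparsed line(s)')
```
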

wuemura

Re: All providers disabled
« Reply #2 on: July 13, 2009, 03:41:22 AM »
Hello!

I've rebooted many times and the providers are still disabled, I also tried to restart the avast services but nothing changes, I do have Comodo Firewall installed and there is no other AV installed, my browser is also Firefox with NoScript installed when I go to the bestbuy site, I typed the address and did not follow any link, and did not buy anything either.

Comodo is working with avast for almost a year now.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: All providers disabled
« Reply #3 on: July 13, 2009, 02:03:03 PM »
I suggest an installation from scratch:

1. Uninstall avast from Control Panel first.
2. Boot.
3. Download the latest version of Avast Uninstall and use it for complete uninstallation. If, for any reason, you can't run it, try booting in Safe Mode and doing it from there.
4. Boot.
5. Download, save and install the latest avast! version. It will be good to accept the boot time scanning on next boot.
6. Boot.
7. Check and post the results.
The best things in life are free.

Offline DavidR

Re: All providers disabled
« Reply #4 on: July 13, 2009, 03:40:55 PM »
Quote from: wuemura
I've rebooted many times and the providers are still disabled, I also tried to restart the avast services but nothing changes, I do have Comodo Firewall installed and there is no other AV installed, my browser is also Firefox with NoScript installed when I go to the bestbuy site, I typed the address and did not follow any link, and did not buy anything either.

The question was not just if you had another AV installed, but if you ever had one installed and, if so, what?

I just used the bestbuy.com in your original post and got no alerts and the same today when typing the URL with all allowed in NoScript. So I'm at a loss as to what is going on, unless there is some form of browser hijack going on, but that would show itself in all or most URLs and not just bestbuy.com.

After you reinstall avast download and run these applications.
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.

wuemura

Re: All providers disabled
« Reply #5 on: July 13, 2009, 05:03:18 PM »
Hi Tech!
The only solution is to reinstall avast?
You guys have no interest to know how come a malware was able to disable all avast providers and let me without any protection?
Are you really Brazilian or do you just like the Brazilian flag?  ;D

Hi DavidR!

Yes, avast was installed soon after the installation of windows, before any driver installation or internet connection. I don't dial to my DSL internet provider from my computer, to be more safe I let my modem/router do it to avoid getting any valid IP address and don't get exposed over the internet. At my router I've set a firewall with rules to allow only the necessary protocols/ports that I need like TCP 80, 21, UDP 53 and a few ICMP.

The BestBuy case I don't know, maybe they got infected and fixed it soon after, because the warning was flagged at the main page, it was not hidden in some button or specific page. I'm not saying that it is their fault, but my problems started after that access.

I'm using Ubuntu 9 right now, is there something that I can run outside Windows, like a bootable CD/USB flash drive or something?
Because if something was able to disable avast the way it did, whatever software I try to run there will be infected also, don't you think?

PS: I will try some of this:
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
« Last Edit: July 13, 2009, 05:05:26 PM by wuemura »

Offline DavidR

Re: All providers disabled
« Reply #6 on: July 13, 2009, 05:15:30 PM »
With a limited user account any malware would have a more difficult time and have less potential to do damage. avast has a self-defence module and to disable that or avast processes would normally require greater permissions than those inherited (when/if infected) if running under a limited user account. So I'm not entirely sure this is avast being disabled by malware, hence the questions/suggestions so far.

The one thing I'm sure of is that your comment 'You guys have no interest to know how come a malware was able to disable all avast providers and let me without any protection?' is not only totally wrong but insulting. If we weren't interested we wouldn't even be responding.

If you don't try the other software suggested you will never know if it is malware that disables security applications, also if that were the case your firewall would be a target too.

DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in safe mode.

DrWeb also do a Live CD if you are unable to get into your system see, http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

Offline Lisandro

Re: All providers disabled
« Reply #7 on: July 13, 2009, 05:20:34 PM »
wuemura, I'm Brazilian.
Some (few) infections could damage and destroy avast.
If you don't have a clean computer, you won't be able to use avast.
You can reinstall avast or try any of other solutions:
1. On-line scanners.
2. Recovery (scanning) CD.
Which is better for you?

wuemura

Re: All providers disabled
« Reply #8 on: July 13, 2009, 05:32:35 PM »
Hi Tech!

We are spread all over the world  ;)

I'm about to use the Bitdefender Rescue CD (BitDefenderRescueCD_v2.0.0_06_07_2009.iso) you can direct download from Bitdefender site, to see what is going on with my Windows installation.

I'll return with more info after it finishes scanning.

Thanks.

wuemura

Re: All providers disabled
« Reply #9 on: July 13, 2009, 06:27:39 PM »
Quote from: DavidR
The one thing I'm sure of is that your comment 'You guys have no interest to know how come a malware was able to disable all avast providers and let me without any protection?' is not only totally wrong but insulting. If we weren't interested we wouldn't even be responding.

Hi DavidR

Hey, calm down, my comment was not meant to offend anyone, and if it did, I apologise to you or anyone offended by it.

I'm just curious like anyone and I don't want to get rid of the infected file, if any. I want to search, find and analyse the file to discover what has disabled avast, because avast is 100% disabled, all protections are down and we don't know the cause. That is why I made that comment, if I uninstall the application I'll get rid of the infected file or files, if any, and I wouldn't know the cause and instead of providing valuable information.

If you search my name over the internet (Wellington Terumi Uemura) you will see that I was the first one to propagate the idea of a limited account to get more protection against malware at the Microsoft news servers way back (2004), long before the Microsoft LUA (Least Privilege to User Accounts), in fact, Microsoft stole my research and made their own after a meeting, but that is another story.

Thank you for the links.

Offline DavidR

Re: All providers disabled
« Reply #10 on: July 13, 2009, 07:20:57 PM »
Calm, totally calm, the comment clearly implies we don't care.

We guys as you say are avast users like yourself who give of our time freely to try and help other avast users and not employees of Alwil software.