Author Topic: Memory scan finds Win32:Ransom in Google Desktop, but boot-time scan is clean  (Read 2240 times)


seahen (Guest)
Recently I noticed that the Avast system-tray icon was showing an alert, saying "The Avast antivirus program has been stopped or is in an inconsistent state." When I clicked the link to restart the program, nothing happened. I rebooted and Avast reported it was working fine, but when I went to turn off Silent/Gaming Mode (so that in future, I'd see these alerts sooner), the screen went black and the system hung.

This seemed suspicious, so I shut off the Wi-Fi modem with the hardware switch, rebooted with the computer disconnected from the Internet, and ran a full scan with memory and rootkit detection turned on. I got 2 memory hits for Win32:Ransom (see Paranoid.txt attached), but when I ran a boot-time scan, nothing came up.

I figured the memory-scan hits were probably false positives, so I rebooted and turned the Wi-Fi modem back on so that Avast could update definitions. It did so, but I immediately started getting Mal:URL alerts about Google Desktop, even though the URLs listed were all on google.com and looked fine.

Do these alerts mean the system isn't clean after all, despite what the boot-time scan says? I sent Google Desktop's exe file to VirusTotal (from a different computer running Linux) and it came up clean, but it occurs to me that the Win32:Ransom "signatures" in memory might have been poisoned DNS records that Desktop got from an infected part of Windows.

I'm using a secure home Wi-Fi network, and google.com properly resolves to 74.125.226.177 from the Linux machine, so I don't think it's likely to be a router attack like DNSChanger.f.
« Last Edit: August 04, 2011, 02:54:47 PM by seahen »

Pondus
Running a custom scan and selecting "scan memory" will usually give some strange results, especially if you have other security programs installed.
You are not the first one, so if you search the forum you will find many cases.

I recommend using the default quick / full scan with default settings.
« Last Edit: August 04, 2011, 05:38:41 PM by Pondus »