Hello. I have a big problem with win32:Hybris-44. My laptop has a dual-boot setup (Windows XP in D:\ & Vista in C:). I installed & updated Avast in both operating systems. The first time, I logged on to Windows XP & scanned all hard drives with Avast. Avast found “win32:Hybris-44 [Drp]” in the C:\pagefile.sys file (the Windows Vista drive) & then removed it. Then I logged on to Windows Vista & scanned all hard drives with Avast. Avast found “win32:Hybris-44 [Drp]” in the D:\pagefile.sys file (the Windows XP drive) & then removed it. That means when I run Windows XP this worm is in drive C & when I run Windows Vista this worm is in drive D. And every time, Avast sends a message that “File was successfully deleted”.
After this problem I installed Malwarebytes’ Anti-Malware & scanned all hard drives of XP & Vista, but it didn’t find any malware. But when Avast scanned Windows XP & Vista again, it found this malware.
Now I don’t know what I should do. Please help me. I’m not very good at English, so please reply as understandably as possible. Thanks!
Can you schedule a boot-time scan?
It could help to detect what is causing that infection.
Hi, Dear Tech. Thanks for your answer. I can’t remember how to schedule a boot-time scan. If it is possible for you, please guide me on how to set up Avast for a scheduled boot-time scan. Thanks.
Are you with version 4.8 or 5?
I believe both OSes are infected. pagefile.sys is the paging file for the OS. You cannot scan your own pagefile.sys. You can only scan the one that is not in use. Since this is found in both paging files, it means that the spyware/virus exists in that paging file’s operating system when it is running in RAM (system memory) when that OS is running.
Do a full scan of all files on your hard drives.
Version 4.8
pagefile.sys is inert and it’s replaced on next boot.
False positives on it are common.
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyze them further.
Dear ONESIMUS, Thanks for your answer. Yes, I agree with you. I scanned all hard drives with Avast, but the worm still exists.
Thanks a lot, Tech. I will do as you describe.
I’m pretty sure it’s a false positive. Even with the pagefile disabled, it was still coming back the moment it was re-enabled (see my post here http://forum.avast.com/index.php?topic=56510.msg476830#msg476830 )
Any chance you are working in a domain environment? We are in SBS 2003, just wondering if there was a correlation with the false positive (if it is indeed).
-Cheers