While doing a scan in my Windows XP 32bit system using avast 4.8 home, the program keeps detecting ‘pagefile.sys’ on my Windows 7 64bit partition as a virus. The detecting keeps happening even after I allow avast to delete the ‘pagefile.sys’ file that Windows 7 64bit automatically recreates.
Is this a false positive by the scanner or am I truly infected? How can I find out?
If it is in fact an infection, shouldn’t some part the virus also be located somewhere else to continue reinfecting the ‘pagefile.sys’ in Windows 7?
Also, the virus is detected by avast as ‘Win32:Adloader-AC [Trj]’.
The exact text is as follows:
‘Sign of “Win32:Adloader-AC [Trj]” has been found in “G:\pagefile.sys” file.’
Additionally, I’ve found that when I scan using Avast 4.8 on my Windows 7 64bit system, it detects the ‘pagefile.sys’ of my Windows XP 32bit partition as a virus.
Avast logs as follows:
‘Sign of “Win32:Agent-ZXJ [Trj]” has been found in “D:\pagefile.sys” file.’
Well if you want your computer checked by a Malware expert, then i suggest you follow this guide and post the logs so essexboy can have a look http://forum.avast.com/index.php?topic=53253.0
Well right now I’m more concerned of whether Avast detecting the pagefile.sys files in each partition is a false positive or not. It seems like it is, but I’ve never gotten a false positive from Avast before and this is a strange file to detect a false positive on.
The pagefile.sys is a bit of a weird bird in that stuff gets moved back and forward to it on a regular basis and you can get some weird strings, which just might match a virus signature. The pagefile.sys is excluded from the Standard Shield on-access scanner.
So I would suggest that you also excluded it from the on-demand scanner, avast Program Settings, Exclusions and add ?:\pagefile.sys the ? wildcard represents a single character and if you have more than one hard disk and split the pagefile over the two then that saves having to make two exclusions.
Thanks for the recommendation DavidR. The scanner doesn’t seem to pickup the pagefile.sys of the system its currently running as a virus. It just detects the pagefile.sys of the other partition as a virus.
For example,
Avast on Win XP 32bit detects the pagefile.sys of Win 7 64bit.
and
Avast on Win 7 64bit detects the pagefile.sys of Win XP 32bit.
That is as I say not so strange when the data on the file is constantly written and over written on a regular basis so at some point you may get a data string match a signature. When whatever OS is running that Standard Shield wouldn’t be scanning the pagefile.sys as it is excluded by default. So effectively you need to do the same on the on-demand exclusions as I said.
There is nothing to stop you deleting the pagefile.sys on the other OS partition which isn’t running, as far as I’m aware it should be recreated, but you should check that out to ensure that is correct. You can set your OS to clear the pagefile.sys on shutdown, but some say that takes a little more time on shutdown.
I allowed Avast to delete the pagefile.sys on Win7 64bit partition (it’s a fairly new install so if anything went wrong it wouldn’t be much trouble to do a complete reinstall). Upon starting up, Win7 recreated the pagefile.sys (hopefully still contiguous). But Avast in Win XP 32bit still detects the new pagefile.sys as a virus.