Hi,
I’m using Windows XP and Ubuntu on my laptop.
When I scan Windows with Nod32, Ad-aware and Spydoctor, my system comes up virus and malware clean.
However, when I boot via Linux and run a virus scan using Avast, it alerts me to the Win 32: Delf-XQ [TR] virus in pagefile.sys. I googled it and I think it’s a trojan downloader.
I think the scanner scans all the windows files too, even though I’m in Linux.
Avast asks if I want to remove the virus and I delete it each time, yet it comes back.
I had the same problem with a virus in the hiberfil.sys folder, but after I disabled hibernation, that warning disappeared.
I turned off pagefile, rebooted the computer and then turned on the pagefile. But I still get the trojan downloader alert.
I’m not sure if this is a false positive. Please help!!!
If the detection is in pagefile.sys and nowhere else, it’s probably a false positive.
I’ve seen quite a few false positives in hiberfil.sys and pagefile.sys. These files are the computer memory (or areas of it) written to disc. If there’s no detection by avast! of malware in memory while the computer is running, or of the malware file elsewhere on the disc, a false positive is to be suspected.
Obviously you can’t test the memory while Windows is running because you use Nod32 on Windows, but I would still expect to see the malware elsewhere on the partition (System32, for example) in the case of a real infection.
Thanks.
I think it’s a false positive, because Avast only seems to locate it in Linux. All the AV and AS software in Windows comes up clean. Also, Avast sometimes detects Delf-XQ and sometimes shows some other Win32 trojan downloader, also in pagefile.sys.
Anyway, even if this is a legitimate virus, it’s a Windows one, right? So if I’ve booted into Linux, this virus should not be able to do damage, correct?
Thanks for your time
It won’t harm Windows; when you boot, a pagefile.sys with new contents will be loaded.
But you can manage to clean the pagefile.sys while shutting down Windows as a privacy\cleaner tool.
Download SafeXP http://www.theorica.net/
Choose the proper option…
Thanks, Tech.
So after I download SafeXP, I should click Clear Pagefile at Shutdown in the Miscellaneous section? Will that slow down shutdown or have any other side effects?
Also, do you think this is a false positive considering what I’ve detailed in previous posts?
Thanks
Hi all
I too have a false positive for pagefile.sys on my second HD running XP. Reading through these forums, you can set an exception by using the wild card ?.
So it will look something like this ?:\pagefile.sys to cater for all drives and partitions one may have.
Am I correct?
Please advise.
Hello,
try to remove the swapfile (well, on NTFS partitions no removing is possible, but rewriting to 0-size is), and boot into Windows again.
Then shut Windows down, go to Linux, and scan the newly created swapfile again. In the case of no infection, consider it a false positive from the past. In the case when the infection shows up again, it might be a sign of some well-obfuscated malware clone that’s visible only this way (through its swapped-off pages), and then tell us more details.
The NTFS filesystem is not an open-source nor a documented structure. Thus, its support in Linux was made as a “best guess”, and to be safe, they allowed no directory manipulations, ONLY file-rewrite with different contents (thus, you can do dd if=/dev/zero of=/mnt/whatever/pagefile.sys)
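As an added example (not code from any poster in this thread), the following POSIX shell script carries out the two checks discussed above from a Linux boot: it overwrites pagefile.sys (or hiberfil.sys) in place with zeros while keeping its size, so the operation stays a content rewrite of the kind the previous post says the NTFS driver permits, and it applies the earlier rule of thumb that a detection confined to the swap and hibernation files, with nothing elsewhere on the partition, is to be treated as a suspected false positive. The mount point (/mnt/windows), the use of head -c to produce exactly the right number of zero bytes, and the one-path-per-line scan report format are all assumptions made for this example.

```shell
#!/bin/sh
# Added example for zeroing a Windows swap file from Linux and triaging
# where a scanner's hits are located. Assumes the NTFS partition is already
# mounted read-write (e.g. at /mnt/windows, an assumed path).
set -eu

# Size of a file in bytes, normalised to a plain integer.
file_size() {
    printf '%d' "$(wc -c < "$1")"
}

# Succeed when the file consists only of NUL bytes.
is_all_zero() {
    nonzero=$(od -An -v -tx1 "$1" | tr -d ' \n0' | wc -c)
    [ "$((nonzero + 0))" -eq 0 ]
}

# Overwrite $1/$2 (default pagefile.sys) with zeros, keeping its length.
# conv=notrunc prevents dd from truncating, and feeding exactly file_size
# zero bytes means the file is neither shortened nor extended: a pure
# content rewrite. Windows recreates the swap contents on its next boot,
# after which a rescan from Linux shows whether the detection returns.
zero_swapfile() {
    mnt=$1
    name=${2:-pagefile.sys}
    f="$mnt/$name"
    [ -f "$f" ] || { echo "no $name under $mnt" >&2; return 1; }
    size=$(file_size "$f")
    head -c "$size" /dev/zero | dd of="$f" conv=notrunc 2>/dev/null
    sync
    # Verify the rewrite before reporting success.
    is_all_zero "$f" && [ "$(file_size "$f")" -eq "$size" ]
}

# Succeed when every hit path in a scan report (constructed format: one
# path per line) is a swap or hibernation file. That is the situation the
# thread treats as a probable false positive; any hit elsewhere (System32,
# for example) points to a real infection that needs normal handling.
only_swap_hits() {
    while IFS= read -r path; do
        lower=$(printf '%s' "$path" | tr 'A-Z' 'a-z')
        case "$lower" in
            */pagefile.sys|*/hiberfil.sys) ;;
            *) return 1 ;;
        esac
    done < "$1"
    return 0
}

# Example invocation (assumed mount point and report file):
#   zero_swapfile /mnt/windows && echo "pagefile zeroed; reboot Windows and rescan"
#   only_swap_hits avast-report.txt && echo "hits confined to swap files: suspect FP"
```

Run it once from the Linux boot, then boot and cleanly shut down Windows so a fresh pagefile.sys is written, and rescan. A hit that returns in the freshly written file deserves the closer look the previous post describes; a hit that disappears was stale swapped-out data.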