There’s a non-zero (although very small) possibility that it’s avast’s own scan string which got swapped there. Or it may also be a string from another antivirus.
2) Why does avast list pagefile.sys among its default "excludes" in the software's "Standard Shield"?
Because viruses can’t reside there, the file is usually large, and it is susceptible to such false alarms.
3) By deleting the pagefile.sys file, have I lost something critical to my system's performance?
Yeah, you’ve lost performance. But most probably Windows re-created the file again.
Well, that’s somewhat reassuring, yet after deleting the infected pagefile.sys last time around, it’s back with the same Win32:Crypto infection.
Is this file now permanently corrupted? Scans in Windows (XP Pro) don’t even flag the file, despite being removed from the exclude list… Is this an avast bug, a false-positive, or a pest avast just can’t deal with?
Like kubecj said, the file is the Windows swapfile and will be recreated after each restart. It is possible that Windows swaps out the memory that the Avast scanner or Guard is/was using, and so the signatures could be swapped out too. And then avast gets fooled by its own signature. To avoid this, do not start or load AVAST while using Windows! But I do not think that you want that!
Just do no boot scan, or delete the swapfile on shutdown. There is an option in Windows to do so, but it slows down the shutdown (more than a minute).
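The mechanism the two posts above describe (the scanner's own signature table gets paged out, the swap file is then scanned, and the scanner "detects" itself) can be reproduced with a toy scanner. The following is an added example written for this thread, not avast's code and not anything the posters ran; the signature bytes, the `Demo:` names and the fake pagefile layout are all constructed for the demo. Beyond the self-match itself, the scanner shows the two details a chunked file scanner has to get right: a signature that straddles a chunk boundary must still be found, and a match that lies entirely inside the carried-over bytes must not be reported twice.

```python
"""Added example (not avast's code): a toy byte-signature scanner that shows
how a scanner can trip over its own signature table once that table has been
paged out to the swap file. All signature bytes below are made up."""
import io

# Constructed, hypothetical patterns. Real products use far more elaborate
# detection data; these are just distinctive byte strings for the demo.
SIGNATURES = {
    "Demo:Crypto": bytes.fromhex("e8000000005e81ee"),   # call $+5 / pop esi / sub esi, ...
    "Demo:Happy":  b"HAPPY99",
}

PAGE = 4096  # chunk size; also the page size the fake swap file is built from


def scan_stream(stream, signatures=SIGNATURES):
    """Scan a file-like object chunk by chunk.

    The last (max_len - 1) bytes of each chunk are carried into the next one,
    so a signature straddling a chunk boundary is still found, and a match
    that lies entirely inside the carried-over bytes is not reported twice.
    Returns a sorted list of (absolute_offset, name) tuples.
    """
    max_len = max(len(sig) for sig in signatures.values())
    carry = b""
    base = 0          # absolute offset of the first byte of the current chunk
    hits = []
    while True:
        chunk = stream.read(PAGE)
        if not chunk:
            break
        buf = carry + chunk
        buf_start = base - len(carry)
        for name, sig in signatures.items():
            idx = buf.find(sig)
            while idx >= 0:
                # A match ending inside the carry was already seen last pass.
                if idx + len(sig) > len(carry):
                    hits.append((buf_start + idx, name))
                idx = buf.find(sig, idx + 1)
        carry = buf[-(max_len - 1):] if max_len > 1 else b""
        base += len(chunk)
    return sorted(hits)


def scan_bytes(data, signatures=SIGNATURES):
    return scan_stream(io.BytesIO(data), signatures)


def fake_pagefile():
    """Constructed stand-in for pagefile.sys: three empty pages, then one page
    holding the scanner's own signature table exactly as it sat in memory
    (as if the scanner process had been swapped out), then two more pages."""
    empty = bytes(PAGE)
    table = b"".join(name.encode() + b"\0" + sig for name, sig in SIGNATURES.items())
    return empty * 3 + table.ljust(PAGE, b"\0") + empty * 2


def split_self_matches(hits, scanner_pages):
    """Separate hits that fall inside the pages the scanner itself occupied
    (self-matches) from the rest. scanner_pages is a set of page indices;
    in real life the scanner does not know these, which is exactly why the
    swap file is excluded instead."""
    own, other = [], []
    for off, name in hits:
        (own if off // PAGE in scanner_pages else other).append((off, name))
    return own, other


if __name__ == "__main__":
    hits = scan_bytes(fake_pagefile())
    own, other = split_self_matches(hits, {3})
    print("self-matches:", own)      # both 'detections' come from page 3
    print("real matches:", other)    # nothing else in the file
```

Running it reports two "infections" in the fake pagefile, both at offsets inside the page that holds the scanner's own table; nothing else in the file matches. That is the whole false positive: the finding is real as a byte match but meaningless as a detection, which is why excluding the swap file (or clearing it at shutdown) is the sensible fix rather than a stronger signature.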
Avast also told me that WIN32:CRYPTO infected my c:\windows\vmmhiber.w9x file, with 2 warnings that cite the same path and file. Google located descriptions of the virus that indicate it attaches to the kernel32 file with certain signatures and can be very destructive, but none mention whether it affects Windows ME. My kernel32 file is free of the signatures, but a search for the vmmhiber.w9x file yields no results.
Why can’t I find the file that Avast cites as infected?
2. I did not instruct Avast to do anything with this virus, since the virus information (Symantec url http://securityresponse.symantec.com/avcenter/venc/data/w32.crypto.html ) states that deleting it takes out the files that the virus has encrypted, and that one must reinstall uninfected backup files, which I don’t think I have.
I have recently been getting error messages that the kernel32 has caused an error and will shut down (and the same type of message for some other DLLs also), but when I shut down and reboot, the error messages do not reappear until I have shut down and rebooted 2 or 3 times. Then they show up again and I have to shut down and reboot again.
Symantec states the following:
"The virus targets the following anti-virus files:
AVP.CRC
IVP.NTZ
ANTI-VIR.DAT
CHKLIST.MS
SMARTCHK.MS
SMARTCHK.CPS
AGUARD.DAT
AVGQT.DAT
LGUARD.VPS
W32.Crypto does not infect popular anti-virus software or some other common applications that have self-check routines. It will refrain from infecting programs with names beginning with:
TB
F-
AW
AV
NAV
PAV
RAV
NVC
FPR
DSS
IBM
INOC
ANTI
SCN
VSAF
VSWP
PANDA
DRWEB
FSAV
SPIDER
ADINF
SONIQUE
SQSTART"
Hm, I never used WinME, but for me the vmmhiber.w9x file could be the “swap” file for the hibernation mode (standby mode?) of ME. And that has the same effect the Windows swapfile has, because Windows writes the content of the memory into that file before going into standby mode.
I think/hope Avast will fix that “bug” soon.
This virus needs to infect kernel32.dll to be active; it also infects DLLs, which you could have problems with. Check the end of kernel32.dll for suspicious data, or use any antivirus program to be sure (but I think, in this case, avast uses only a signature from the polymorphic envelope, which is not present in kernel32.dll or in all of its infected files).
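The "check the end of kernel32.dll for suspicious data" advice above amounts to looking for a PE overlay: bytes past the end of the last section, where an appending file infector can leave its body. The script below is an added example written for this thread, not avast's, Symantec's or kubecj's code; `overlay_info`, `build_pe` and `SAMPLE_SECTIONS` are names of my own, and the sample DLL images it checks are built inline rather than read from a real kernel32.dll. It also handles the caveat that makes a naive "anything after the last section is bad" rule wrong: an Authenticode certificate table legitimately lives in the overlay and is referenced by file offset from data directory entry 4, so only overlay bytes not covered by that table are reported as unexplained.

```python
"""Added example (not avast's or Symantec's code): check whether a PE file such
as kernel32.dll carries data past the end of its last section, the "overlay"
where a file infector may append its body. The sample DLLs are built inline."""
import struct

SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN = 0x200


def overlay_info(data):
    """Return (end_of_sections, overlay_size, unexplained_size, first_bytes).

    unexplained_size is the overlay minus any Authenticode certificate table,
    which legitimately lives in the overlay and is pointed to (by file offset,
    not RVA) from data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:            # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    cert_off = cert_size = 0
    if opt_size >= dirs_off + 5 * 8:
        ndirs = struct.unpack_from("<I", data, opt_off + ndirs_off)[0]
        if ndirs > 4:
            cert_off, cert_size = struct.unpack_from("<II", data, opt_off + dirs_off + 4 * 8)

    end_of_sections = 0
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        raw_size, raw_ptr = fields[3], fields[4]
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)

    overlay = data[end_of_sections:]
    unexplained = len(overlay)
    if cert_size and cert_off >= end_of_sections:
        unexplained -= min(cert_size, len(data) - cert_off)
    return end_of_sections, len(overlay), max(unexplained, 0), overlay[:16]


def build_pe(sections, cert=b"", overlay=b""):
    """Build a minimal PE32 DLL image (not loader-complete, just enough for a
    section-table walk). sections: list of (name, payload) byte pairs."""
    opt_size = 224
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt_off = len(hdr)
    hdr += bytes(opt_size)
    struct.pack_into("<H", hdr, opt_off, 0x10B)               # PE32 magic
    struct.pack_into("<II", hdr, opt_off + 32, 0x1000, FILE_ALIGN)  # section/file alignment
    struct.pack_into("<I", hdr, opt_off + 60, FILE_ALIGN)     # SizeOfHeaders
    struct.pack_into("<I", hdr, opt_off + 92, 16)             # NumberOfRvaAndSizes
    body = b""
    raw_ptr, vaddr = FILE_ALIGN, 0x1000
    for name, payload in sections:
        raw_size = -(-len(payload) // FILE_ALIGN) * FILE_ALIGN
        hdr += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(payload), vaddr,
                           raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += 0x1000
    if len(hdr) > FILE_ALIGN:
        raise ValueError("too many sections for this toy builder")
    if cert:   # point the security directory at the certificate table
        struct.pack_into("<II", hdr, opt_off + 96 + 4 * 8, raw_ptr, len(cert))
    return bytes(hdr.ljust(FILE_ALIGN, b"\0")) + body + cert + overlay


# Constructed sample sections; the payloads are placeholders, not real code.
SAMPLE_SECTIONS = [(b".text", b"\xC3" * 64), (b".data", b"constructed data")]

if __name__ == "__main__":
    samples = {
        "clean":     build_pe(SAMPLE_SECTIONS),
        "appended":  build_pe(SAMPLE_SECTIONS, overlay=b"APPENDED VIRUS BODY " * 25),
        "signed":    build_pe(SAMPLE_SECTIONS, cert=bytes(200)),
    }
    for label, img in samples.items():
        end, total, unexplained, head = overlay_info(img)
        print("%-9s sections end at 0x%x, overlay %d bytes, unexplained %d, starts %r"
              % (label, end, total, unexplained, head))
```

On a real file you would call `overlay_info(open(path, "rb").read())` and look at the unexplained size and the first bytes. Two caveats belong with the result: a non-zero unexplained overlay is a reason to look closer, not a verdict (installers and some packers also use the overlay), and a zero overlay does not prove the file is clean, because an infector can just as well enlarge or overwrite the last section instead of appending after it.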
After having WinXPPro “dispose” of the swap file’s contents, the Win32:Crypto “infection” disappeared. avast! scans at boot-up showed up clean, as did the Windows avast! scan.
To be safe, I uninstalled avast! and ran a copy of Panda Platinum 7 AntiVirus: the system was free of all pests except for a copy of Happy.exe buried in an “ancient” e-mail.
Now that I’m convinced that my system’s virus-free, I’d still like a note from the avast! guys to explain where and how the Win32:Crypto bug crept in.
Good. Anyway, I would say we use a bad signature for the Win32.Crypto virus. As I said, I guess the signature (which may be weak) is taken from the end of the polymorphic loop (and is different in every new variant).