Win32:delf-HWF False Positive?

Edit: Win XP SP3, running Avast, SuperAntiSpyware, ZoneAlarm Firewall (all free)

For the second time in a week, Avast has found a trojan horse on my backup drive (E:), in a pagefile.sys file that supposedly resides in a subfolder (containing pictures from my camera). Neither time could I find the pagefile.sys file using file explorer, even with it set to show all system and other files. Both times, I have selected “move to chest” after detection. The first time, the name of the virus started with the “Win32:delf” but ended with a different set of 3 capital letters. Both times, after putting it in the chest, then re-running the scan, it did not show up again that day. So, I am wondering if there is another file on the C:\ drive that checks for the E:\ drive file every few days, and rewrites the virus if it isn’t there.

Thing is, I went ahead and downloaded Avira AntiVir Personal and that found nothing. I also ran AVG (which required that I uninstall Avast - will convert back once this stuff is taken care of) on the E:\ drive and it found nothing. Currently running it on the C:\ drive. Nothing yet after 400K+ files and 1h45mins.

I’ve also run Malwarebytes with no detections found and SuperAntiSpyware with nothing similar found.

So, if neither AVG nor Avira finds the virus, can I assume it is a FP? I have attached the screen shot from the second detection.

The pagefile.sys is meant to be excluded from scans, but I think this is in the resident scan only (Standard Shield, Customize, Advanced), so you could add it to the on-demand scanner exclusions, which I presume is when it was detected?

In the avast Program Settings (right click the avast ‘a’ icon), Exclusions, see image. Note the ? at the front of the path; this avoids having to put multiple entries if you have it on more than one drive.

The pagefile.sys is a bit of a strange file with multiple writes, etc., and it is possible that a string within it could match a signature. So this, unless you purge it on shutdown, would remain and possibly be detected again, as you found.

Excellent info David! Makes sense. Thanks for clearing this up.

You’re welcome.