Author Topic: TRO/ROOT KIT?


DAV2

  • Guest
Re: TRO/ROOT KIT?
« Reply #15 on: January 12, 2012, 04:56:34 AM »
Ess...., thanks again. Yes, the fix worked, but the fix causes Win to close very slowly. Since Win recreates the pagefile.sys and erasing it at close only covers up the Trojan, I undid the fix and it scanned clean with both databases. I then connected to the net etc. and the Trojan returned. How do I need to configure Avast to stop the return of the Trojan? Thanks in advance.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: TRO/ROOT KIT?
« Reply #16 on: January 12, 2012, 09:16:47 PM »
What file is Avast reporting? As this could be a false positive.

DAV2

  • Guest
Re: TRO/ROOT KIT?
« Reply #17 on: January 13, 2012, 02:59:17 PM »
The Trojan name is "Win32:Small-HUF [Trj]". It is inside "pagefile.sys". I am running Avast IS, and Comodo CCE finds both of Avast's hidden directories "\##asw........" and quarantines them as rootkits. Avast (RESCUE DISK) (both databases 6 mo. apart) finds the Trojan above and deletes it. I reload and Win regenerates a pagefile. Avast finds the same Trojan in the pagefile and deletes it.

"D:\pagefile.sys   INFECTED: Win32:Small-HUF [Trj]
D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe   ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe   ERROR: Unknown packer version.
;--------------------------
;Files: 345464
;Folders: 21767
;Files size: 40727044965
;Infected files: 1
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******
;******
;Command header
;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2
;******
D:\pagefile.sys   DELETE   OK   1   0"

I restart Win and tell Win to delete the page file, close and restart Win, and verify the pagefile is regenerated. Then I rescan with the Avast rescue disk with both databases 6 mo. apart and the Trojan is gone. (I can see Avast scan the pagefile.)

"D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe   ERROR: Unknown packer version.
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe   ERROR: Unknown packer version.
;--------------------------
;Files: 347277
;Folders: 21884
;Files size: 34337455711
;Infected files: 0"

I connect to the net etc., and then rescan with the rescue disk, and the Trojan is back on the scans with both databases 6 mo. apart. How do I stop the Trojan from returning? Thanks in advance.

Offline essexboy

Re: TRO/ROOT KIT?
« Reply #18 on: January 13, 2012, 08:43:18 PM »
I do not think it is a trojan. To me this smells like a false positive; if the installed Avast does not detect it, to be honest I would ignore the rescue disc detection.

DAV2

  • Guest
Re: TRO/ROOT KIT?
« Reply #19 on: January 13, 2012, 10:02:44 PM »
Ess...., thanks, but the same database of the "installed" Avast that works in the "rescue disk" Avast does recognize it. Only when I move the pagefile.sys so it is no longer in use by Win does the "installed" Avast detect it.

Offline essexboy

Re: TRO/ROOT KIT?
« Reply #20 on: January 13, 2012, 10:10:21 PM »
I remember there was something similar a while back and it turned out to be an FP. I will see if I can find it.


DonZ63

  • Guest
Re: TRO/ROOT KIT?
« Reply #21 on: January 13, 2012, 11:24:58 PM »
Quote
D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe   ERROR: Unknown packer version
This looks suspicious to me. Note the \975 subdirectory.

Also MBAM setup files should not be repeatedly loading in the page file as far as I am aware of.

Where did you download MBAM from? I bet it was not from the MBAM web site.

DonZ63

  • Guest
Re: TRO/ROOT KIT?
« Reply #22 on: January 14, 2012, 12:40:02 AM »
Microsoft has recently released a free boot cd called Systemsweeper: http://connect.microsoft.com/systemsweeper.

Note that it is a beta version.

A couple of associates of mine have used it with great success at finding hidden malware. I suspect this software is a bootable ver. of the Malicious Software Removal Tool (MSRT) that is already installed on most WIN OSes. Make sure you download the right version that matches your OS: x86 (32 bit) or x64 (64 bit). The CD should also be created on a non-infected PC. Hopefully you have access to one that matches your existing OS, i.e. x86 or x64. Correction - you can create the CD on any vers. of XP, Vista, or Win 7. See help in the link for further details. At least running this will give you a second opinion to what the Avast boot CD is finding.
« Last Edit: January 14, 2012, 04:08:36 PM by DonZ63 »

DAV2

  • Guest
Re: TRO/ROOT KIT?
« Reply #23 on: January 14, 2012, 01:08:33 AM »
Don...., thanks for your thoughtful and helpful input. You may be correct, but the "unknown packer..." is probably OK. I think it was downloaded from "Mal...." directly, and it is not a scan of just the pagefile.sys, but the whole hard drive. I will probably have to do a complete reload of Win onto a computer and do the CD you suggested, just to be sure of no infection. Thanks.

DonZ63

  • Guest
Re: TRO/ROOT KIT?
« Reply #24 on: January 14, 2012, 02:02:41 AM »
Another thing is the current ver. of MBAM is 1.6.0.1800. Check the ver. number of MBAM you have installed.


DonZ63

  • Guest
Re: TRO/ROOT KIT?
« Reply #25 on: January 14, 2012, 04:20:33 PM »
I also posted your pagefile issue on the MBAM forum last night. If anyone should know about MBAM writing to the page file during normal operations, it would be them.

Interestingly, no responses there so far.


true indian

  • Guest
Re: TRO/ROOT KIT?
« Reply #26 on: January 14, 2012, 05:58:57 PM »
Quote
I also posted your pagefile issue on the MBAM forum last night. If anyone should know about MBAM writing to the page file during normal operations, it would be them.

Interestingly, no responses there so far.

I scanned my D:/ and C:/ drives' pagefile.sys with Avast. I have MBAM. I don't see any problems currently here...
« Last Edit: January 15, 2012, 10:19:56 AM by true indian »

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5712
  • Spartan Warrior
Re: TRO/ROOT KIT?
« Reply #27 on: January 14, 2012, 08:02:58 PM »
Quote
I scanned my D:/ and C:/ drives' pagefile.sys with Avast. I have MBAM. I don't see any problems currently here...

Assuming your system is clean, how does posting that help? It is the OP with the problem, not you.

DonZ63

  • Guest
Re: TRO/ROOT KIT?
« Reply #28 on: January 16, 2012, 10:08:03 PM »
MBAM's response below. If the OP is still following this thread, I would recommend you uninstall MBAM. Then run their MBAM Clean utility. Then delete your pagefile and reboot. If you still see MBAM entries being written to the pagefile, it has to be malware. In any event, download and install the latest ver. of MBAM from their web site.

Quote
The Pagefile is Windows' swapfile for managing running apps. MBAM does not write to the Pagefile. The Pagefile corruption is from elsewhere.
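The open question in this thread is whether anything is really putting MBAM-related data into the pagefile after it is regenerated, or whether the rescue disk is matching a leftover fragment of paged-out memory. One way to check that for yourself, as an added example (not code from Avast, Malwarebytes or any poster here): take a copy of pagefile.sys while Windows is offline (the live pagefile is locked, so the drive has to be mounted from a rescue disk or another OS) and sweep it for indicator strings in both ASCII and UTF-16LE, since Windows keeps paths in memory as UTF-16LE and an ASCII-only grep misses them. The script reads the image in chunks and carries the tail of each chunk forward so a match that straddles a chunk boundary is still reported exactly once. The indicators ("mbam", "975", "Malwarebytes") are taken from the scan log quoted above and are only illustrative; the sample "pagefile" is constructed inline so the script runs offline. A hit only shows that some process had that string in memory and it got paged out; it is not, on its own, evidence of infection, and the pagefile contents are never executed.

```python
"""Offline sweep of a pagefile image for indicator strings.

Added example for this thread; not code from Avast, Malwarebytes or any poster.
Assumes the image is a copy of pagefile.sys taken while Windows is offline
(the live pagefile is locked); the indicators used below are illustrative.
"""
import os
import tempfile
from typing import Dict, List, NamedTuple, Sequence, Tuple

DEFAULT_CHUNK = 4 * 1024 * 1024  # read size; real pagefiles are gigabytes


class Hit(NamedTuple):
    offset: int      # absolute byte offset of the match in the image
    encoding: str    # "ascii" or "utf-16le"
    indicator: str   # the indicator exactly as the caller gave it
    context: str     # printable rendering of the bytes at the match


def _needles(indicators: Sequence[str]) -> List[Tuple[str, str, bytes]]:
    """Lower-cased ASCII and UTF-16LE byte forms of every indicator.
    Windows keeps paths and many other strings in memory as UTF-16LE, so an
    ASCII-only search misses most of what a pagefile actually holds."""
    out = []
    for ind in indicators:
        low = ind.lower()
        out.append((ind, "ascii", low.encode("ascii")))
        out.append((ind, "utf-16le", low.encode("utf-16-le")))
    return out


def _printable(raw: bytes) -> str:
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def find_indicators(path: str, indicators: Sequence[str],
                    chunk_size: int = DEFAULT_CHUNK) -> List[Hit]:
    """Case-insensitive sweep of a raw file for each indicator.

    The file is read in chunks; the tail of each chunk is carried into the
    next so a match straddling a chunk boundary is still found, once."""
    needles = _needles(indicators)
    overlap = max(len(n) for _, _, n in needles) - 1
    hits: List[Hit] = []
    seen = set()
    carry = b""
    base = 0  # file offset of the chunk just read
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = carry + data
            buf_start = base - len(carry)
            low = buf.lower()  # lowers ASCII letters only, also inside UTF-16LE
            for ind, enc, needle in needles:
                i = low.find(needle)
                while i >= 0:
                    key = (buf_start + i, enc, ind)
                    if key not in seen:  # the carried tail is searched twice
                        seen.add(key)
                        hits.append(Hit(buf_start + i, enc, ind,
                                        _printable(buf[i:i + len(needle) + 24])))
                    i = low.find(needle, i + 1)
            carry = buf[-overlap:] if overlap else b""
            base += len(data)
    hits.sort()
    return hits


def summarize(hits: Sequence[Hit]) -> Dict[Tuple[str, str], int]:
    """Count hits per (indicator, encoding)."""
    counts: Dict[Tuple[str, str], int] = {}
    for h in hits:
        counts[(h.indicator, h.encoding)] = counts.get((h.indicator, h.encoding), 0) + 1
    return counts


def write_constructed_sample(path: str, chunk_size: int) -> Dict[str, int]:
    """Write a CONSTRUCTED stand-in for a pagefile image and return where the
    planted strings sit. The noise is a byte ramp containing no indicator."""
    assert chunk_size > 64
    noise = bytes(range(256)) * 64  # 16 KiB
    ascii_hit = b"Malwarebytes' Anti-Malware\\mbam-setup.exe"
    wide_hit = "D:\\Users\\975\\Downloads\\mbam-setup-1.51.2.1300.exe".encode("utf-16-le")
    body = noise + ascii_hit + noise
    # Pad so the UTF-16LE "mbam" (46 bytes into wide_hit) straddles a chunk edge.
    pad = chunk_size - (len(body) % chunk_size) - 50
    body += b"\x00" * pad + wide_hit + noise
    with open(path, "wb") as fh:
        fh.write(body)
    wide_start = len(noise) * 2 + len(ascii_hit) + pad
    return {"ascii_mbam": len(noise) + ascii_hit.index(b"mbam"),
            "wide_975": wide_start + 18, "wide_mbam": wide_start + 46}


def demo(chunk_size: int = 8192) -> Tuple[Dict[str, int], List[Hit]]:
    """Build the constructed image in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pagefile.sys")
        planted = write_constructed_sample(path, chunk_size)
        hits = find_indicators(path, ["mbam", "975", "Malwarebytes"], chunk_size)
    return planted, hits


if __name__ == "__main__":
    _, found = demo()
    for h in found:
        print(f"{h.offset:#010x} {h.encoding:8} {h.indicator:13} {h.context}")
    print(summarize(found))
```

On a real image, call `find_indicators("/mnt/d/pagefile.sys", [...])` with the default chunk size; comparing the hit counts before and after the uninstall/clean/reboot cycle described above tells you whether the strings keep coming back, which is the thing the thread could not settle.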