Win 32: Delf-XQ [TR] virus?

jax1 (Guest)
« on: July 09, 2007, 06:59:36 AM »
Hi,
I'm using Windows XP and Ubuntu on my laptop.
When I scan Windows with Nod32, Ad-aware and Spydoctor, my system comes up virus and malware clean.
However, when I boot via Linux and run a virus scan using Avast, it alerts me to the Win 32: Delf-XQ [TR] virus in pagefile.sys. I googled it and I think it's a trojan downloader.
I think the scanner scans all the windows files too, even though I'm in Linux.
Avast asks if I want to remove the virus and I delete it each time, yet it comes back.
I had the same problem with a virus in the hiberfil.sys folder, but after I disabled hibernation, that warning disappeared.
I turned off the pagefile, rebooted the computer and then turned on the pagefile. But I still get the trojan downloader alert.
I'm not sure if this is a false positive. Please help!!!

Thanks a ton.

FreewheelinFrank (Avast Evangelist)
« Reply #1 on: July 09, 2007, 07:45:57 AM »
If the detection is in pagefile.sys and nowhere else, it's probably a false positive.

I've seen quite a few false positives in hiberfil.sys and pagefile.sys. These files are the computer memory (or areas of it) written to disc. If there's no detection by avast! of malware in memory while the computer is running, or of the malware file elsewhere on the disc, a false positive is to be suspected.

Obviously you can't test the memory while Windows is running because you use Nod32 on Windows, but I would still expect to see the malware elsewhere on the partition (System32, for example) in the case of a real infection.
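
The triage rule in the reply above (a hit that shows up only in pagefile.sys or hiberfil.sys is suspect; a hit in a regular file elsewhere on the partition points to a real infection) as an added POSIX shell example. This is not code from the thread or from avast: the report format it reads (path, a tab, detection name, one hit per line) and the sample hits, including the `suspect.dll` path, are constructed for the example; a real scanner prints its own format and would need its own parser line.

```sh
# Added example, not from the thread: classify a scanner report by where
# the hits are. Report lines are "<path><TAB><detection>" (a format made
# up for this example).

set -u

# Basename of a Windows path as seen either natively (C:\...) or through a
# Linux mount (/mnt/win/...), lowercased, so Pagefile.sys == pagefile.sys.
win_basename() {
    printf '%s\n' "$1" | tr '\\' '/' | sed 's#.*/##' | tr 'A-Z' 'a-z'
}

# Read a report on stdin and print only the hits that are NOT in a swap or
# hibernation file (those are copies of memory, not files that run).
non_swap_hits() {
    while IFS="$(printf '\t')" read -r path detection; do
        [ -z "$path" ] && continue
        case "$(win_basename "$path")" in
            pagefile.sys|hiberfil.sys) ;;
            *) printf '%s\t%s\n' "$path" "$detection" ;;
        esac
    done
}

# Exit 0 when every hit in the report (stdin) is in pagefile.sys or
# hiberfil.sys, i.e. a likely false positive by the rule above; 1 otherwise.
swap_only() {
    [ -z "$(non_swap_hits)" ]
}

# Print a verdict for a report passed as one string; exit status mirrors it.
classify() {
    if printf '%s\n' "$1" | swap_only; then
        echo "swap-only hit(s): suspect a false positive; zero the pagefile, reboot Windows, rescan"
        return 0
    fi
    echo "hit(s) outside swap files, treat as a real infection:"
    printf '%s\n' "$1" | non_swap_hits
    return 1
}

# Constructed sample reports (not real scanner output).
REPORT_SWAP_ONLY="$(printf '%s\t%s\n' '/mnt/windows/pagefile.sys' 'Win32:Delf-XQ [Trj]')"
REPORT_REAL="$(printf '%s\t%s\n' \
    '/mnt/windows/pagefile.sys' 'Win32:Delf-XQ [Trj]' \
    'C:\WINDOWS\system32\suspect.dll' 'Win32:Delf-XQ [Trj]')"

# classify "$REPORT_SWAP_ONLY"   # swap-only, exit 0
# classify "$REPORT_REAL"        # lists suspect.dll, exit 1
```

The check deliberately treats a hit in the pagefile together with a hit in any real file as an infection: the pagefile hit is then just a memory copy of whatever the real file loaded, which is the case the reply says to look for in System32.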

jax1 (Guest)
« Reply #2 on: July 09, 2007, 05:06:02 PM »
Thanks.
I think it's a false positive, because Avast only seems to locate it in Linux. All the AV and AS software in Windows comes up clean. Also, Avast sometimes detects Delf-XQ and sometimes shows some other Win32 trojan downloader, also in pagefile.sys.
Anyway, even if this is a legitimate virus, it's a Windows one, right? So if I've booted into Linux, this virus should not be able to do damage, correct?
Thanks for your time

Lisandro (Avast team)
« Reply #3 on: July 09, 2007, 08:22:56 PM »
Quote from: jax1
It's a Windows one, right? So if I've booted into Linux, this virus should not be able to do damage, correct?

It won't harm Windows: when you boot, a pagefile.sys with new contents will be loaded.
But you can manage to clean the pagefile.sys while shutting down Windows with a privacy/cleaner tool.
Download SafeXP http://www.theorica.net/
Choose the proper option...
The best things in life are free.

jax1 (Guest)
« Reply #4 on: July 09, 2007, 09:50:57 PM »
Thanks, Tech.
So after I download SafeXP, I should click Clear Pagefile at Shutdown in the Miscellaneous section? Will that slow down shutdown or have any other side effects?
Also, do you think this is a false positive considering what I've detailed in previous posts?
Thanks 

Lisandro (Avast team)
« Reply #5 on: July 10, 2007, 12:06:45 AM »
Quote from: jax1
Will that slow down shutdown

Sure... Uncheck that after you have done it once and rebooted.

Quote from: jax1
or have any other side effects?

Not that I know...

Quote from: jax1
Also, do you think this is a false positive considering what I've detailed in previous posts?

Yes.

acdcfan (Guest)
« Reply #6 on: July 12, 2008, 02:36:32 AM »
Hi all,
I too have a false positive for pagefile.sys on my second HD running XP. Reading through these forums, you can set an exception by using the wildcard ?.
So it will look something like this: ?:\pagefile.sys to cater for all drives and partitions one may have.
Am I correct?
Please advise.

Thanks
acdcfan
« Last Edit: July 12, 2008, 02:42:48 AM by acdcfan »

Lisandro (Avast team)
« Reply #7 on: July 12, 2008, 03:17:05 PM »
Quote from: acdcfan
So it will look something like this: ?:\pagefile.sys to cater for all drives and partitions one may have. Am I correct?

Yes, you're correct.
By the way, this exclusion is there by default.

acdcfan (Guest)
« Reply #8 on: July 13, 2008, 01:15:40 PM »
Quote from: Lisandro
Yes, you're correct.
By the way, this exclusion is there by default.

thank you

zilog (Avast team)
« Reply #9 on: July 16, 2008, 02:28:44 PM »
Quote from: acdcfan
Hi all,
I too have a false positive for pagefile.sys on my second HD running XP. Reading through these forums, you can set an exception by using the wildcard ?.
So it will look something like this: ?:\pagefile.sys to cater for all drives and partitions one may have.
Am I correct?
Please advise.

Thanks
acdcfan

Hallo,
try to remove the swapfile (well, on NTFS partitions no removing is possible, but rewriting to 0-size is), and boot into Windows again.
Then shut Windows down, go to Linux, and scan the newly created swapfile again. In the case of no infection, consider it a false positive from the past. In the case when the infection shows up again, it might be a sign of some well-obfuscated malware clone that's visible only this way (through its swapped-out pages), and then tell us more details.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

acdcfan (Guest)
« Reply #10 on: July 17, 2008, 11:09:45 AM »
Quote from: zilog
Hallo,
try to remove the swapfile (well, on NTFS partitions no removing is possible, but rewriting to 0-size is), and boot into Windows again.
Then shut Windows down, go to Linux, and scan the newly created swapfile again. In the case of no infection, consider it a false positive from the past. In the case when the infection shows up again, it might be a sign of some well-obfuscated malware clone that's visible only this way (through its swapped-out pages), and then tell us more details.

regards,
pc

How do I delete the swapfile and rewrite it to 0 size? I have never used Linux before; how do I use it?

Thanks

zilog (Avast team)
« Reply #11 on: July 17, 2008, 11:21:30 AM »
Quote from: acdcfan
How do I delete the swapfile and rewrite it to 0 size? I have never used Linux before; how do I use it?

The NTFS filesystem is neither open-source nor a documented structure. Thus its support in Linux was made as a "best guess", and to be safe they allowed no directory manipulations, ONLY file rewrite with different contents (thus, you can do dd if=/dev/zero of=/mnt/whatever/pagefile.sys).

OR

with the latest driver, NTFS-3g, those limitations are gone: http://www.ntfs-3g.org/

regards,
pc
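
The procedure zilog describes in replies #9 and #11 (rewrite the pagefile with zeros from Linux, boot Windows, shut down, rescan the fresh pagefile) as an added POSIX shell example. It is not code from the thread or from avast. Two things differ from the bare dd in the reply above: the write is bounded to the file's current size, so it does not run until the driver or the disk stops it, and the result is verified before reporting success. It assumes the Windows partition is mounted read-write (for example with ntfs-3g) at an assumed path such as /mnt/windows, and that Windows was shut down normally, not hibernated.

```sh
# Added example, not from the thread: zero-fill pagefile.sys in place from
# Linux, keeping its size, and verify the result.
# Assumptions: NTFS volume mounted read-write (e.g. ntfs-3g); Windows was
# shut down, not hibernated.

set -u

# Size of a file in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Number of bytes that are not 0x00; 0 means the file is entirely zeros.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite $1 with exactly as many zero bytes as it already holds.
# head bounds the write; conv=notrunc keeps the length, so this also works
# with a driver that cannot resize NTFS files (the limitation the reply
# above mentions). Fails if the file is missing, its size changed, or
# non-zero bytes remain afterwards.
zero_fill() {
    f=$1
    [ -f "$f" ] || { echo "zero_fill: $f is not a regular file" >&2; return 1; }
    size=$(file_size "$f")
    head -c "$size" /dev/zero | dd of="$f" conv=notrunc 2>/dev/null || return 1
    [ "$(file_size "$f")" = "$size" ] || { echo "zero_fill: size of $f changed" >&2; return 1; }
    [ "$(nonzero_bytes "$f")" = 0 ] || { echo "zero_fill: $f still has non-zero bytes" >&2; return 1; }
    echo "zeroed $f ($size bytes)"
}

# Wrapper for a mounted Windows volume. Only pagefile.sys is touched:
# hiberfil.sys holds a saved memory image when the machine is hibernated
# and must not be written from Linux.
wipe_pagefile() {
    zero_fill "$1/pagefile.sys"
}

# Usage (mount point is an assumed path):
#   wipe_pagefile /mnt/windows
# Then boot Windows (it refills the pagefile), shut it down, return to
# Linux and rescan the new pagefile.sys. A hit that returns now cannot be
# old data, which is the distinction the reply above draws.
```

After the rescan, a hit only in the freshly written pagefile means the scanner saw it in pages Windows swapped out during that one session, so the next step is looking for the file that was loaded into memory, not deleting the pagefile again.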