Author Topic: Win 32: Delf-XQ [TR] virus?  (Read 15951 times)

0 Members and 1 Guest are viewing this topic.

jax1

  • Guest
Win 32: Delf-XQ [TR] virus?
« on: July 09, 2007, 06:59:36 AM »
Hi,
I'm using Windows XP and Ubuntu on my laptop.
When I scan Windows witth Nod32, Ad-aware and Spydoctor, my system comes up virus and malware clean.
However, when I boot via Linux and run a virus scan using Avast, it alerts me to the Win 32: Delf-XQ [TR] virus in pagefile.sys. I googled it and I think it's a trojan downloader.
I think the scanner scans all the windows files too, even though I'm in Linux.
Avast asks if I want to remove the virus and I delete it each time, yet it comes back.
I had the same problem with a virus in the hiberfil.sys folder, but after I disabled hibernation, that warning disappeared.
I turned off pafefile, rebooted the computer and then turned on the pagefile. But I still get the trojan downloader alert
I'm not sure if this is a false positive. Please help!!!

Thanks a ton.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win 32: Delf-XQ [TR] virus?
« Reply #1 on: July 09, 2007, 07:45:57 AM »
If the detection is in pagefile.sys and nowhere else, it's probably a false positive.

I've seen quite a few false positives in hiberfil.sys pagefile.sys. These files are the computer memory (or areas of it) written to disc. If there's no detection by avast! of malware in memory while the computer is running, or of the malware file elsewhere on the disc, a false positive is to be suspected.

Obviously you can't test the memory while Windows is running because you use Nod32 on Windows, but I would still expect to see the malware elsewhere on the partition (System32, for example) in the case of a real infection.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

jax1

  • Guest
Re: Win 32: Delf-XQ [TR] virus?
« Reply #2 on: July 09, 2007, 05:06:02 PM »
Thanks.
I think it's a false positive, because Avast only seems to locate it in Linux. All the AV and AS software in Windows comes up clean. Also, Avast sometimes detects Delf-XQ and sometimes shows some other Win32 trojan downloader also in pagefile.sys 
Anyway, even if this legitimate virus, it's a Windows one, right? So if I've booted into Linux, this virus should not be able to do damage, correct?
Thanks for your time

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win 32: Delf-XQ [TR] virus?
« Reply #3 on: July 09, 2007, 08:22:56 PM »
It's a Windows one, right? So if I've booted into Linux, this virus should not be able to do damage, correct?
It won't harm Windows when you boot a pagefile.sys with new contents will be loaded.
But you can manage to clean the pagefile.sys while shutting down Windows as a privacy\cleaner tool.
Download SafeXP http://www.theorica.net/
Choose the proper option...
The best things in life are free.

jax1

  • Guest
Re: Win 32: Delf-XQ [TR] virus?
« Reply #4 on: July 09, 2007, 09:50:57 PM »
Thanks, Tech.
So after I download SafeXP, I should click Clear Pagefile at Shutdown in the Miscellaneous section? Will that slow down shutdown or have any other side effects?
Also, do you think this is a falsepositive considering what I've detailed in previous posts?
Thanks 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win 32: Delf-XQ [TR] virus?
« Reply #5 on: July 10, 2007, 12:06:45 AM »
Will that slow down shutdown
Sure... Uncheck that after you did it once and boot.

or have any other side effects?
Not that I know...

Also, do you think this is a falsepositive considering what I've detailed in previous posts?
Yes.
The best things in life are free.

acdcfan

  • Guest
Re: Win 32: Delf-XQ [TR] virus?
« Reply #6 on: July 12, 2008, 02:36:32 AM »
HI all
I do too have false positive for pagefile.sys on my second HD running XP. reading though these forums you can set an exception by using wild card ?.
So it will look something like this ?:\pagefile.sys to cater for all drives and partitions one may have.
Am I correct?
Please advice

Thanks
acdcfan
« Last Edit: July 12, 2008, 02:42:48 AM by acdcfan »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win 32: Delf-XQ [TR] virus?
« Reply #7 on: July 12, 2008, 03:17:05 PM »
So it will look something like this ?:\pagefile.sys to cater for all drives and partitions one may have. Am I correct?
Yes, you're correct.
By the way, this exclusion is there by default ::)
The best things in life are free.

acdcfan

  • Guest
Re: Win 32: Delf-XQ [TR] virus?
« Reply #8 on: July 13, 2008, 01:15:40 PM »
Yes, you're correct.
By the way, this exclusion is there by default ::)


thank you

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Win 32: Delf-XQ [TR] virus?
« Reply #9 on: July 16, 2008, 02:28:44 PM »
HI all
I do too have false positive for pagefile.sys on my second HD running XP. reading though these forums you can set an exception by using wild card ?.
So it will look something like this ?:\pagefile.sys to cater for all drives and partitions one may have.
Am I correct?
Please advice

Thanks
acdcfan

Hallo,
try to remove the swapfile (well, on ntfs partitions, no removing is possible, but rewriting to 0-size is), and boot into windows again.
then, shut windows down, go to linux, and scan the newly created swapfile again. In the case of no infection, consider it false-positive from the past. In the case when the infection shows up again it might be sign of some well-obfuscated malware clone that's visible only this way (through its swapped-off pages), and then tell us more details.

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)

acdcfan

  • Guest
Re: Win 32: Delf-XQ [TR] virus?
« Reply #10 on: July 17, 2008, 11:09:45 AM »
Hallo,
try to remove the swapfile (well, on ntfs partitions, no removing is possible, but rewriting to 0-size is), and boot into windows again.
then, shut windows down, go to linux, and scan the newly created swapfile again. In the case of no infection, consider it false-positive from the past. In the case when the infection shows up again it might be sign of some well-obfuscated malware clone that's visible only this way (through its swapped-off pages), and then tell us more details.

regards,
pc


How do I delete swapfile?and rewrite it to 0 size? I have never used linux before how do I use it

Thanks

Offline zilog

  • Avast team
  • Advanced Poster
  • *
  • Posts: 957
  • or #f0; daa; add a,#a0; adc a,#40
Re: Win 32: Delf-XQ [TR] virus?
« Reply #11 on: July 17, 2008, 11:21:30 AM »
Hallo,
try to remove the swapfile (well, on ntfs partitions, no removing is possible, but rewriting to 0-size is), and boot into windows again.
then, shut windows down, go to linux, and scan the newly created swapfile again. In the case of no infection, consider it false-positive from the past. In the case when the infection shows up again it might be sign of some well-obfuscated malware clone that's visible only this way (through its swapped-off pages), and then tell us more details.

regards,
pc


How do I delete swapfile?and rewrite it to 0 size? I have never used linux before how do I use it

Thanks


NTFS filesystem is not open-source nor documented structure. Thus, its support in Linux was made as a "best guess", and to be safe, they allowed no directory manipulations, ONLY file-rewrite with different contents (thus, you can do dd if=/dev/zero of=/mnt/whatever/pagefile.sys)

OR

with latest driver NTFS-3g, those limitations are gone: http://www.ntfs-3g.org/

regards,
pc
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)