Author Topic: 'pagefile.sys' on Windows 7 64bit partition detected as a virus  (Read 11487 times)

0 Members and 1 Guest are viewing this topic.

Offline CoW]8(0)

  • Newbie
  • *
  • Posts: 6
'pagefile.sys' on Windows 7 64bit partition detected as a virus
« on: January 16, 2010, 03:15:43 PM »
While doing a scan in my Windows XP 32bit system using avast 4.8 home, the program keeps detecting 'pagefile.sys' on my Windows 7 64bit partition as a virus.  The detecting keeps happening even after I allow avast to delete the 'pagefile.sys' file that Windows 7 64bit automatically recreates.

Is this a false positive by the scanner or am I truly infected?  How can I find out?

If it is in fact an infection, shouldn't some part the virus also be located somewhere else to continue reinfecting the 'pagefile.sys' in Windows 7?

Also, the virus is detected by avast as 'Win32:Adloader-AC [Trj]'.

The exact text is as follows:
'Sign of "Win32:Adloader-AC [Trj]" has been found in "G:\pagefile.sys" file.'
« Last Edit: January 16, 2010, 03:30:21 PM by CoW]8(0) »

Offline CoW]8(0)

  • Newbie
  • *
  • Posts: 6
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #1 on: January 16, 2010, 04:50:41 PM »
Additionally, I've found that when I scan using Avast 4.8 on my Windows 7 64bit system, it detects the 'pagefile.sys' of my Windows XP 32bit partition as a virus.

Avast logs as follows:
'Sign of "Win32:Agent-ZXJ [Trj]" has been found in "D:\pagefile.sys" file.'

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37014
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #2 on: January 16, 2010, 04:55:56 PM »
Check your computer for Malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button "remove selected" to quarantine anything found, and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

come back and tell us if it worked

If anything is found other than cookies you may post the scan logs here 

Offline CoW]8(0)

  • Newbie
  • *
  • Posts: 6
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #3 on: January 17, 2010, 02:36:51 AM »
Aside from False Positives and Cookies, SUPERAntiSpywareFree detected 'TDSSMTPE.DAT' which I believe is a remnant of an old infection.

MalwareBytes didn't detect anything.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37014
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #4 on: January 17, 2010, 02:43:40 AM »
Well if you want your computer checked by a Malware expert, then i suggest you follow this guide and post the logs so essexboy can have a look http://forum.avast.com/index.php?topic=53253.0

Offline CoW]8(0)

  • Newbie
  • *
  • Posts: 6
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #5 on: January 17, 2010, 02:52:31 AM »
Well right now I'm more concerned of whether Avast detecting the pagefile.sys files in each partition is a false positive or not.  It seems like it is, but I've never gotten a false positive from Avast before and this is a strange file to detect a false positive on.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37014
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #6 on: January 17, 2010, 03:04:26 AM »
you can always get a second opinion from a online scanner or HitmanPro (5 scanners in the cloud)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84921
  • No support PMs thanks
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #7 on: January 17, 2010, 03:15:29 AM »
Well right now I'm more concerned of whether Avast detecting the pagefile.sys files in each partition is a false positive or not.  It seems like it is, but I've never gotten a false positive from Avast before and this is a strange file to detect a false positive on.

The pagefile.sys is a bit of a weird bird in that stuff gets moved back and forward to it on a regular basis and you can get some weird strings, which just might match a virus signature. The pagefile.sys is excluded from the Standard Shield on-access scanner.

So I would suggest that you also excluded it from the on-demand scanner, avast Program Settings, Exclusions and add ?:\pagefile.sys the ? wildcard represents a single character and if you have more than one hard disk and split the pagefile over the two then that saves having to make two exclusions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline CoW]8(0)

  • Newbie
  • *
  • Posts: 6
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #8 on: January 17, 2010, 05:12:43 AM »
Thanks for the recommendation DavidR.  The scanner doesn't seem to pickup the pagefile.sys of the system its currently running as a virus.  It just detects the pagefile.sys of the other partition as a virus. 

For example,

Avast on Win XP 32bit detects the pagefile.sys of Win 7 64bit.
and
Avast on Win 7 64bit detects the pagefile.sys of Win XP 32bit.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84921
  • No support PMs thanks
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #9 on: January 17, 2010, 04:05:29 PM »
That is as I say not so strange when the data on the file is constantly written and over written on a regular basis so at some point you may get a data string match a signature. When whatever OS is running that Standard Shield wouldn't be scanning the pagefile.sys as it is excluded by default. So effectively you need to do the same on the on-demand exclusions as I said.

There is nothing to stop you deleting the pagefile.sys on the other OS partition which isn't running, as far as I'm aware it should be recreated, but you should check that out to ensure that is correct. You can set your OS to clear the pagefile.sys on shutdown, but some say that takes a little more time on shutdown.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline CoW]8(0)

  • Newbie
  • *
  • Posts: 6
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #10 on: January 17, 2010, 04:42:07 PM »
I allowed Avast to delete the pagefile.sys on Win7 64bit partition (it's a fairly new install so if anything went wrong it wouldn't be much trouble to do a complete reinstall).  Upon starting up, Win7 recreated the pagefile.sys (hopefully still contiguous).  But Avast in Win XP 32bit still detects the new pagefile.sys as a virus.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84921
  • No support PMs thanks
Re: 'pagefile.sys' on Windows 7 64bit partition detected as a virus
« Reply #11 on: January 17, 2010, 05:08:21 PM »
Then either add it to the exclusions as I suggested.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security