pagefile.sys infected with linux virus

Steve

I have a dual boot system: xp and suse 9.0. I keep both sides patched and
up to date. Also on the xp side I use Norton AV which is also up to date.
I just in the past few days installed ClamAV on linux and ran a full system
scan from the linux side (clamscan -ri /) and it detected the following:
//windows/C/pagefile.sys: Exploit.HTML.MHT-5 FOUND

pagefile.sys is the windows virtual ram. I thought if I deleted or renamed
pagefile.sys xp would create a new one when I reboot into xp. However I can
find no way to do this. Even when I'm in superuser mode I can't delete or
rename since //windows/C is NTFS. Kernel 2.4 doesn't completely support
NTFS. Nor can I when in xp since the file is in use, nor if I boot from an
MS-DOS disk again since C is NTFS. Of course when I'm in xp Norton AV does
not detect the linux virus, I wouldn't expect it to, and since it is in
//windows/C/pagefile.sys file it doesn't appear to affect linux so it may be
a non issue. But I'm not sure and I can't find any technical data
concerning Exploit.HTML.MHT-5 when I google it nor on the ClamAV site. Any
help would be appreciated.

PS I suppose I could use windows partition magic to convert the NTFS back to
FAT32 then delete or rename but I really don't want to if I don't have to.
 
Steve said:
I have a dual boot system: xp and suse 9.0. I keep both sides patched and
up to date. Also on the xp side I use Norton AV which is also up to date.
I just in the past few days installed ClamAV on linux and ran a full system
scan from the linux side (clamscan -ri /) and it detected the following:
//windows/C/pagefile.sys: Exploit.HTML.MHT-5 FOUND

pagefile.sys is the windows virtual ram. I thought if I deleted or renamed
pagefile.sys xp would create a new one when I reboot into xp. However I can
find no way to do this. Even when I'm in superuser mode I can't delete or
rename since //windows/C is NTFS. Kernel 2.4 doesn't completely support
NTFS. Nor can I when in xp since the file is in use, nor if I boot from an
MS-DOS disk again since C is NTFS. Of course when I'm in xp Norton AV does
not detect the linux virus, I wouldn't expect it to, and since it is in
//windows/C/pagefile.sys file it doesn't appear to affect linux so it may be
a non issue. But I'm not sure and I can't find any technical data
concerning Exploit.HTML.MHT-5 when I google it nor on the ClamAV site. Any
help would be appreciated.

PS I suppose I could use windows partition magic to convert the NTFS back to
FAT32 then delete or rename but I really don't want to if I don't have to.

Can you set a pagefile, within XP, on another drive or partition?
Then remove the infected pagefile - set no pagefile for that
drive/partition.
Then after a reboot, set your pagefile back to its original settings.

Should force a rebuild of the pagefile and clear the linux virus.

I know there's a tweak to clear the pagefile at shutdown - maybe that would
work too?

http://www.google.com/search?q=windows+xp+clear+pagefile+at+shutdown

Martin.
 
Steve said:
I have a dual boot system: xp and suse 9.0. I keep both sides patched and
up to date. Also on the xp side I use Norton AV which is also up to date.
I just in the past few days installed ClamAV on linux and ran a full system
scan from the linux side (clamscan -ri /) and it detected the following:
//windows/C/pagefile.sys: Exploit.HTML.MHT-5 FOUND

pagefile.sys is the windows virtual ram. I thought if I deleted or renamed
pagefile.sys xp would create a new one when I reboot into xp. However I can
find no way to do this. Even when I'm in superuser mode I can't delete or
rename since //windows/C is NTFS. Kernel 2.4 doesn't completely support
NTFS. Nor can I when in xp since the file is in use, nor if I boot from an
MS-DOS disk again since C is NTFS. Of course when I'm in xp Norton AV does
not detect the linux virus, I wouldn't expect it to, and since it is in
//windows/C/pagefile.sys file it doesn't appear to affect linux so it may be
a non issue. But I'm not sure and I can't find any technical data
concerning Exploit.HTML.MHT-5 when I google it nor on the ClamAV site. Any
help would be appreciated.

PS I suppose I could use windows partition magic to convert the NTFS back to
FAT32 then delete or rename but I really don't want to if I don't have to.

This sounds rather strange: The paging file is a locked file
that can be used by Windows only, so how can your virus
scanner look into it and claim it has found a virus?

If you cannot apply Martin's suggestion then you could
boot the machine with a Bart PE boot CD, then delete
the paging file. You can download the tools for this CD
from www.bootdisk.com. You will need a WinXP Prof.
CD (but no licence number!) and a CD burner.
 
Steve said:
I have a dual boot system: xp and suse 9.0. I keep both sides patched and
up to date. Also on the xp side I use Norton AV which is also up to date.
I just in the past few days installed ClamAV on linux and ran a full system
scan from the linux side (clamscan -ri /) and it detected the following:
//windows/C/pagefile.sys: Exploit.HTML.MHT-5 FOUND

pagefile.sys is the windows virtual ram. I thought if I deleted or renamed
pagefile.sys xp would create a new one when I reboot into xp. However I can
find no way to do this. Even when I'm in superuser mode I can't delete or
rename since //windows/C is NTFS. Kernel 2.4 doesn't completely support
NTFS. Nor can I when in xp since the file is in use, nor if I boot from an
MS-DOS disk again since C is NTFS. Of course when I'm in xp Norton AV does
not detect the linux virus, I wouldn't expect it to, and since it is in
//windows/C/pagefile.sys file it doesn't appear to affect linux so it may be
a non issue. But I'm not sure and I can't find any technical data
concerning Exploit.HTML.MHT-5 when I google it nor on the ClamAV site. Any
help would be appreciated.

PS I suppose I could use windows partition magic to convert the NTFS back to
FAT32 then delete or rename but I really don't want to if I don't have to.


- Boot into Recovery Console mode (install it and boot off the hard disk copy or use the first Repair from the Windows XP install CD).
- Run "copy boot.ini pagefile.sys" (copy any file over the pagefile).
- Run "del pagefile.sys".
- Reboot. Pagefile doesn't exist so it gets rebuilt.

http://support.microsoft.com/default.aspx?scid=kb;en-us;255205
 
Don't do anything. Nothing is reused from the pagefile. But if it is always there it means you are infected. And not in pagefile.sys.
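The triage logic behind this reply and the original report, as an added shell example that is not code from any poster in the thread: a signature match inside pagefile.sys is swapped-out memory content rather than an infected file on disk, so the check that matters is whether a finding is still reported after a reboot, and whether it sits in a real file. The clamscan report lines below are constructed for the example (the Temp-folder .mht and eicar.com paths are made up; only the pagefile line mirrors the one Steve posted).

```bash
#!/bin/bash
# Added example (not from the thread): triage clamscan findings the way the reply
# above suggests. A match inside pagefile.sys is swapped-out RAM, not an infected
# file; a finding that is still there after a reboot points at a real file on disk.

# Windows files that hold paged-out or hibernated memory rather than stored files.
VOLATILE_RE='/(pagefile\.sys|hiberfil\.sys|swapfile\.sys)$'

# Constructed clamscan report lines ("path: signature FOUND"), before and after a
# reboot. The Temp-folder .mht and eicar.com paths are invented for the example;
# only the pagefile line mirrors the one posted in the thread.
SCAN_BEFORE='//windows/C/pagefile.sys: Exploit.HTML.MHT-5 FOUND
//windows/C/Documents and Settings/steve/Local Settings/Temp/saved.mht: Exploit.HTML.MHT-5 FOUND
//windows/C/tools/eicar.com: Eicar-Test-Signature FOUND'
SCAN_AFTER='//windows/C/pagefile.sys: Exploit.HTML.MHT-5 FOUND
//windows/C/tools/eicar.com: Eicar-Test-Signature FOUND'

# Print the path of every FOUND line in a clamscan report.
found_paths() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\): [^:]* FOUND$/\1/p'
}

# Label each finding: "volatile" for memory-image files, "disk" for everything else.
classify() {
    found_paths "$1" | grep -E  "$VOLATILE_RE" | sed 's/^/volatile /'
    found_paths "$1" | grep -Ev "$VOLATILE_RE" | sed 's/^/disk     /'
}

# Paths reported in both scans, i.e. findings that survived the reboot.
persistent() {
    { found_paths "$1" | sort -u; found_paths "$2" | sort -u; } | sort | uniq -d
}

# Count the persistent findings that are real files, not memory residue.
# grep -c exits 1 when the count is 0, so keep the pipeline's status clean.
persistent_disk_count() {
    persistent "$1" "$2" | grep -Evc "$VOLATILE_RE" || true
}

report() {
    echo "== findings after reboot, classified =="
    classify "$SCAN_AFTER"
    echo "== findings present in both scans =="
    persistent "$SCAN_BEFORE" "$SCAN_AFTER"
    echo "== persistent findings in real files: $(persistent_disk_count "$SCAN_BEFORE" "$SCAN_AFTER") =="
}

report
```

In the constructed data the pagefile hit is classified as volatile and the eicar.com hit as a real file that persists across the reboot, which is the case this reply says to worry about. For routine scans from the Linux side, clamscan's `--exclude` option (a regex on the path) can be used to leave pagefile.sys and hiberfil.sys out of the scan so that memory residue does not show up as a finding in the first place.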
 
Pegasus (MVP) said:

This sounds rather strange: The paging file is a locked file
that can be used by Windows only, so how can your virus
scanner look into it and claim it has found a virus?

This is only when windows XP is actively running. In this case, it is not.
Read the post again.
 
Steve said:
pagefile.sys is the windows virtual ram. I thought if I deleted or renamed
pagefile.sys xp would create a new one when I reboot into xp. However I can
find no way to do this. Even when I'm in superuser mode I can't delete or
rename since //windows/C is NTFS.

The page file is started over clean when you boot the system. You ought
not need to clear it out. If after a regular reboot the AV still
complains, (and I would then complain about the AV) you can arrange to
clear the pagefile at shutdown (I would only do that as a temporary
measure) using gpedit.msc in XP Pro, or can boot with F8 to the menu -
take Safe Mode, Command Prompt only and there
ATTRIB -R -H -S C:\pagefile.sys
DEL C:\pagefile.sys
 