Is This Malware?


Someone posted this on the Avast forum and it tweaked my interest.

Avast boot CD recovery CD plus Comodo is finding the following in the poster's page file. He clears the page file by recreating it and the supposed malware returns. I know of no known reason why MBAM setup files should be constantly recreated in the page file.

"D:\pagefile.sys INFECTED: Win32:Small-HUF [Trj]

D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe ERROR: Unknown packer version.

D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe ERROR: Unknown packer version.

;--------------------------

;Files: 345464

;Folders: 21767

;Files size: 40727044965

;Infected files: 1

;--------------------------


@DonZ

On what basis is it that you assert that MBAM setup is in the Pagefile?

As to the last 2 lines: Those are false positives (almost certainly) unless the OP has snagged a warez version from somewhere.

Also, one notes it is an alleged version 1300, which is now outdated.


Here is a link to what the person posted on the Avast forum. Also I have copied the entire details of what was posted. BTW - I say this is malware. I know of no reason why MBAM setup files should be continually written to the pagefile. Please redirect all replies to the above link. Thanks.

The Trojan name is "Win32:Small-HUF [Trj]". It is inside "pagefile.sys". I am running Avast IS and Comodo CCE finds both of Avast's hidden directories "\##asw........" and Quarantines them as root kits. Avast (RESCUE DISK) (Both data bases 6 mo. apart) finds the Trojan above and deletes it. I reload and Win regenerates a Pagefile. Avast finds the same Trojan in the pagefile and deletes it.

http://forum.avast.com/index.php?topic=91654.15

"D:\pagefile.sys INFECTED: Win32:Small-HUF [Trj]

D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe ERROR: Unknown packer version.

D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe ERROR: Unknown packer version.

;--------------------------

;Files: 345464

;Folders: 21767

;Files size: 40727044965

;Infected files: 1

;--------------------------

;******

;Scan footer

;Scan completed with return code: 0

;******

;******

;Command header

;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2

;******

D:\pagefile.sys DELETE OK 1 0"

I restart Win and tell Win to delete the page file and close and restart Win and verify the pagefile is regenerated. Then I rescan with the Avast rescue disk with both data bases 6 mo. apart and the Trojan is gone. (I can see Avast scan the pagefile.)

"D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe ERROR: Unknown packer version.

D:\Users\975\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe ERROR: Unknown packer version.

;--------------------------

;Files: 347277

;Folders: 21884

;Files size: 34337455711

;Infected files: 0"

I connect to the net etc., and then rescan with the rescue disk and the Trojan is back on both data bases 6 mo. apart scans. How do I stop the Trojan from returning? Thanks in advance.
