Register
FaceBook Twitter

Virus detected JS/Sality.AO Location: C:\pagefile.sys

Problems with virus, rootkits, rogueware...? The community and the Panda experts will get your queries solved!
Registered user
Posts: 6
Joined: Thu, 22 Nov 2018, 16:25

Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Jaa17 » Thu, 22 Nov 2018, 16:31

Every time a run a Panda Antivirus Full Scan I get the following virus:

Virus detected JS/Sality.AO Location: C:\pagefile.sys

However, before I run the scan I cannot see anything called this in the root directory c: drive.

Why does this file keep on returning and why can't I see it?

I have gone through all the registry stuff in regedit as described here:

https://www.pandasecurity.com/homeusers/security-info/205500/information/Sality.AO

None of these things appears in the regedit:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 \Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%sysdir%\winlogon.exe = %sysdir%\winlogon.exe:*:enabled:@shell32.dll,-1
where %sysdir% is the Windows system directory.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPol icy\StandardProfile\AuthorizedApplications\List
%sysdir%\winlogon.exe = %sysdir%\winlogon.exe:*:enabled:@shell32.dll,-1
It creates these entries in order to add itself to the list of applications authorized by the firewall.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum
0 = SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
UpdateHost = 00, 50, 3D, EB, 75, 51
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer
UpdateHost = 00, 50, 3D, EB, 75, 51
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{7504870 0-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\5p18r829-rs40-465o-n1qq-3sp9rprs8p87 - svkzncv_.rkr = 08, 00, 00, 00, 06, 00, 00, 00, 40, 09, FD, 1B, 24, 90, C9, 01
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kmixer\Enum
0 = SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}

Official moderator
Posts: 1021
Joined: Tue, 24 Oct 2017, 12:04

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Darth Panda » Thu, 22 Nov 2018, 17:11

Technical support – Panda Security
www.pandasecurity.com

Registered user
Posts: 6
Joined: Thu, 22 Nov 2018, 16:25

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Jaa17 » Thu, 22 Nov 2018, 17:28

I have Panda Antivirus.

I have scanned my computer. The Dome one removed it. The older Green one (I had to reinstall the Panda Antivirus) just leaves it there.

I cannot see it in the Dos prompt or normal File Explorer. I can only see it in a custom scan of Panda Antivirus where it lists it in the C: directory.

Official moderator
Posts: 1021
Joined: Tue, 24 Oct 2017, 12:04

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Darth Panda » Thu, 22 Nov 2018, 18:12

Ok. bur please scan your computer with the instructions I gave you before.
Technical support – Panda Security
www.pandasecurity.com

Registered user
Posts: 6
Joined: Thu, 22 Nov 2018, 16:25

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Jaa17 » Fri, 23 Nov 2018, 15:13

Thank Darth Panda for the reply.

I have used the cloud scan as you suggested.

The standard scan (no advanced options) did not even pick up about the pagefile.sys file.

I then checked with my Green-Panda program I paid for, and it is still saying pagefile.sys is there and it is a virus.

I then tried the the Cloud-Panda what you suggested, but with the Advanced Options (something about boot checking). This immediately had an error:

Setup: Error during Analysis.

I then check my Green-Panda program I paid for, and it is still saying pagefile.sys is there and it is a virus.

I then did the standard method of deleting the pagefile.sys:

Control Panel|System and Security|System|Advanced System Settings|Advanced|Performance|Settings|Advanced|Virtual Memory|Change

Uncheck Automatically Manage Paging File Size for All Drives

Click 'No Page Filing'

Click Set

Then click multiple OKs

Then reboot.

This deleted the file and the Green-Panda I paid for no longer complained.

So I returned (by checking again) the option of 'Automaticlly Manage Paging File Size for All Drives'.

After reboot the pagefile.sys reappeared and the Green-paid-for-Panda said it was a virus again.

What can I do? (Also, why does the Advanced option of the Cloud-Panda not work?)

Official moderator
Posts: 1021
Joined: Tue, 24 Oct 2017, 12:04

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Darth Panda » Fri, 23 Nov 2018, 16:54

Do you have more machines on this LAN?
Technical support – Panda Security
www.pandasecurity.com

Registered user
Posts: 6
Joined: Thu, 22 Nov 2018, 16:25

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Jaa17 » Fri, 23 Nov 2018, 17:35

Yes, my brother's, but I do not want to do anything with that machine that could make it vulnerable.

Official moderator
Posts: 1021
Joined: Tue, 24 Oct 2017, 12:04

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Darth Panda » Fri, 23 Nov 2018, 19:01

The issue is: probably, most sure, yoru brother´s machine is the infected one. switch off both machines.
Then turn on only yours
Scan it.

Inform on the results
Technical support – Panda Security
www.pandasecurity.com

Registered user
Posts: 6
Joined: Thu, 22 Nov 2018, 16:25

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Jaa17 » Fri, 23 Nov 2018, 19:29

My brother's machine only shares the same WiFi. The machines are not connected in any way other than that.

He has been away, so his machine has been turned off whenever I have done these scans on my machine.

So I am certain it is my machine that has the problem.

Registered user
Posts: 6
Joined: Thu, 22 Nov 2018, 16:25

Re: Virus detected JS/Sality.AO Location: C:\pagefile.sys

Postby Jaa17 » Sun, 25 Nov 2018, 01:35

Thank for the help.

It was seeming a permanent virus so I have done a Windows-Refresh (but keeping my personal files) and that has got rid of the virus. Pagefile.sys now scans without a virus and all is well.

It took about 3 hours to do the refresh of the windows operating system, and then about a whole Saturday to re-install all my programs. Overall, I think it was the most time optimal solution.

Before the refresh, something must have kept on replacing the pagefile.sys with a virused version, so it seemed pretty permanent.

Thanks again for the help though.

Return to Virus - Issues

Who is online

Users browsing this forum: No registered users and 1 guest