I have a situation that my gut is telling me is a false positive, but it's strange enough that I'm hoping someone can comfirm it for me. I have 2 hard drives on my system, one with a rather well used version of Windows 2000 Professional, and an empty one. I have been trying to install a fresh version of Win2K Pro on the empty drive, however scans made by ClamWin from the cluttered drive find the pagefile.sys file on the new install infected with Java.Classloader.Dummy.C. I should note that they don't always occur right after install, but doing nothing but changing the boot from one drive to the other seems to cause the scan message. What is driving me crazy is if I install the OS on the new drive, install nothing but ClamWin, and scan the old dirve, I find nothing consistantly. Yet scanning the other way finds my annoying friend.

Does anyone have any thoughts? I'd appreciate it.

pagefile.sys is the swap area for windows, you may had in memory the infected (or false positive) file so you will have them inside the swap file,
normally you cannot access the swap file but I suppose you are not running the target OS (i.e. offline check).
you can safely remove the pagefile.sys windows will reacreate one from scratch

That's part of the problem. I can indeed delete it, but the fresh OS recreates it, and once recreated it is once again seen as infected. That implies that undetected code is infecting it, or that there is something in the pagefile.sys that is being seen as what it is not.

"Java.Classloader.Dummy.C" is a pretty crappy signature.

It essentially looks like this: Clamav is looking for text, then some bytes, then dummy.java, a null byte, an exclamation point, then bytes that are not ascii, the function of which I am not sure.

The question is, have you browsed any web sites before scanning? There are a lot of sites that still attempt to use defunct java exploits that target older broken microsoft JVMs.

This signature is not restricted to a particular offset, so if it is found anywhere in a file, it results in a detection.

Pagefile.sys is essentially a physical memory dumping grounds for windows that gets over-written as it is needed. If you visit a website that contains one of these now fairly useless exploit attempts, there's a decent chance that it could get swapped out to disk and clamav will find it.

If that's all that's needed to "find" the trojan, then I feel better. It hasn't been consistant, but I've had positive detection from a pagefile.sys on a clean Win2K Pro install, boot to log in once, and nothing else. Since the sum total of my research on what "Java.Classloader.Dummy.C" is and how to remove it is a plethora of "Buy our software and you'll be fine" websites, it's left me wondering what the heck I've actually got going on. And in the case of ClamWin, I'd hate to stop using such a wonderful tool just because I'm confused and big business seems to want to enhance that confusion.

On a clean install... hmm that is pretty hard to explain. It could be just a crappy signature. I wouldn't worry about that one very much.