ClamWin Free Antivirus
Support and Discussion Forums
How to locate a file
Bo Diddly


Joined: 27 Jan 2008
Posts: 0
Location: UK
Hello. I'm very new to Windows OS and so am very tentative when it comes to doing anything off my own bat.

I have scanned the Windows XP partition (set up with Boot Camp) from the OS X side, on my Mac. I used ClamXav for that scan. It reported: "/Volumes/WINDOWS XP/PAGEFILE.SYS: Trojan.KillCMOS FOUND".

When I booted into the Windows OS and ran a scan with ClamWin, it started off by reporting: "WARNING:Can't open file \\?\C:\PAGEFILE.SYS, Permission denied"

That puzzled me. It seemed that in one OS the suspected Trojan could be detected/identified, but in the other OS it was seemingly out of reach and was to all intents undetectable.

Investigating as best I could, and with not a lot of confidence, I found this:

Spyware KillCMOS Information
Name: Trojan.KillCMOS
Category: Nuker
Date: 2004-07-11
Dangerous: Yes

To manually get rid of it, follow these instructions (at your own risk).
Trojan.KillCMOS Removal Instructions
Kill the following processes
913bebc24a450f0bf690d947e2891841.exe, trojan.killcmos.d.exe, trojan.killcmos.h.exe
Remove the following files
913bebc24a450f0bf690d947e2891841.exe, trojan.killcmos.d.exe, trojan.killcmos.h.exe.


My questions are:

1) Where can I locate these '.exe' files? I don't, at present, know how to do a 'Find' in Windows XP, and don't know how to burrow down through whichever the relevant hierarchy is involved.

2) Bearing in mind the notion of false positives, is it indeed safe to get rid of the supposedly offending files?

3) How do I 'kill' the processes?

4) Will it then be obvious how to 'remove' them afterwards?

I feel that I'm on a steepish learning curve here. I'd be very grateful for some simply stated (i.e not too technically stated) steps to take in this matter.
sherpya


Joined: 22 Mar 2006
Posts: 0
Location: Italy
pagefile.sys is the swap area of Windows; it could have a matching signature because of loaded malware, or just because some AV loaded its signatures.
It's not executed, so it's harmless.
You cannot scan it while Windows is booted; there is an option to zap the pagefile when Windows exits:
https://www.theeldergeek.com/clear_pagefile_on_system_shutdown.htm

You could also get rid of a pagefile by deleting it; Windows will recreate it.
Of course OS X mounts NTFS read-only,
but the latest Linux live CDs are able to mount it read-write:
https://www.sysresccd.org/Main_Page

It's a very good live CD; it can boot even from a USB key.
Bo Diddly


Joined: 27 Jan 2008
Posts: 0
Location: UK
Sherpya, thanks for the info.

When you say: "you could also get rid of a pagefile by deleting it, windows will recreate it, of course osx mounts ntfs readonly", I think I understand.

I have actually set up a FAT 32 partition for my Windows XP installation. Does that mean I could possibly deal with this from the Mac OS X side? I am very hesitant about doing damage to the Windows XP installation by fumbling through a routine I don't really understand - although I suppose I could give it a shot.
Bo Diddly


Joined: 27 Jan 2008
Posts: 0
Location: UK
I went to the first link you gave me and then from a link on that page to the MS KB article, https://support.microsoft.com/default.aspx?scid=kb;en-us;Q314834 Article ID:314834.

Following the instructions, on that page, I got eventually to a final window, with the name 'Edit DWORD Value'. I got there after double-clicking on the icon for ClearPageFileAtShutdown in Memory Management.

Before I commit the final step and cross my fingers that I've done the correct thing, there is a heading 'Value Data' and a highlighted zero, which I am assuming should be changed to a one.

Am I correct?
budtse


Joined: 14 Jan 2006
Posts: 0
Location: Belgium
You are right, you can just enter 1 instead of 0 (or whatever is in there) and then reboot to clear the file.
As you are using FAT32, you could also run OS X and delete pagefile.sys from there. Windows will automatically create a new pagefile.sys on next startup. Do be sure to shut down the system before you do that, not hibernate or standby.

regards,
budtse
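The registry change budtse describes (the ClearPageFileAtShutdown DWORD from MS KB 314834), as an added PowerShell example that is not part of the thread: it reports where the pagefile lives, reads the current value and sets it to 1 when it is missing or 0. It assumes an elevated PowerShell 3 or later session (for Get-CimInstance); on Windows XP itself the same key is edited with regedit as the thread describes.

```powershell
# Added example, not from the thread. Run elevated: writing under HKLM needs admin rights.
# Registry path as documented in MS KB 314834 (the "Memory Management" key the thread mentions).
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Name = 'ClearPageFileAtShutdown'

function Get-PageFileLocations {
    # Lists the pagefiles Windows is actually using (path plus size in MB), so you know
    # which file an offline scanner such as ClamXav is flagging. Assumes PowerShell 3+.
    Get-CimInstance -ClassName Win32_PageFileUsage |
        Select-Object Name, AllocatedBaseSize, CurrentUsage
}

function Get-ClearPageFileSetting {
    # Returns the current DWORD, or 0 when the value does not exist
    # (the default: the pagefile is left on disk untouched at shutdown).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Enable-ClearPageFileAtShutdown {
    # -Force creates the value or overwrites an existing one with DWORD 1.
    # Takes effect at the next real shutdown (not hibernate or standby);
    # expect shutdown to take longer because the whole pagefile is overwritten.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

Write-Host 'Pagefiles in use:'
Get-PageFileLocations | Format-Table -AutoSize

$current = Get-ClearPageFileSetting
Write-Host "$Name is currently $current"
if ($current -ne 1) {
    Enable-ClearPageFileAtShutdown
    Write-Host "Set $Name to 1. Shut down fully (not hibernate/standby) to wipe pagefile.sys, then rescan offline."
}
```

A leftover hit on pagefile.sys after a clean-shutdown wipe would mean something wrote the detected bytes back into memory during the new session, which is the case worth investigating; a hit that disappears after the wipe is consistent with sherpya's explanation of paged-out scanner signatures or stale memory.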
Bo Diddly


Joined: 27 Jan 2008
Posts: 0
Location: UK
Thanks Budtse for the thumbs up. The deed is done, without any problems, and a scan with ClamXav from the Mac OS X side shows the Windows XP volume to be clean. Brilliant!