Virus detected at every start up!! Help!

[cmda]

Avast keeps detecting a virus every time I start up my computer.  I move it to the chest as advised but I cannot delete it!!!  :'(

This is what comes up........ Win 32 Trojan gen UPX

Can anyone help me get rid of it as my computer is running really slow and this keeps on popping up! 
 
Incase you hadn't guessed, I really dont know a lot about this sort of thing! So please bear with me!!!!! 

Thank you!!!!

[polonus]

Hi cmda,

Get CrapCleaner from here: http://www.ccleaner.com/download/

then a possible fix…

start in DOS mode.

navigate to:

C:\Window\System

run

Scanreg /Restore

Select a date prior to the infection.

Re-boot.

Interrupt the boot sequence, and select "Safe Mode"

Run an anti-virus engine.

On reboot interrupt boot.

run a dirty reinstall.

If this is not getting you out the woods, consider the following cleansing routine,
found here: http://www.bullguard.com/forum/5/Help-Win32-Trojan-gen-UPX_11109.html

polonus

[DavidR]

What was the infected file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
Check the avast Log Viewer (right click the avast icon), Warnings section for details.

Why can't it be deleted (although deletion isn't a good first option), what warnings/errors are being given ?

[cmda]

Thank you for replying!  I have tried the first option of the poster above you but Virus is still there.  So here's the information I think you were asking for!!! (Thank you so much !)

I opened the Avast log viewer and got these details:
Win32:Trojan-gen.{UPX!} found in C:/.....
I expanded to clumn width in the Avast viewer to try and read the rest but it was cut off.
 
This is what's written in the Standard SHield page;
last scanned C:\Documents and Settings\local setting\temporary internet files\content.IE5\YGIV7MUO\index[6]htm.
last infected C:/Documents and Settings/rundl32.exe

[DavidR]

The one you give in the last infected: filed, C:/Documents and Settings/rundl32.exe is probably the same as the one whose details you couldn't expand.

Thank you for replying!  I have tried the first option of the poster above you but Virus is still there.
What warnings or errors are you getting, e.g. why is it still there (presumably because it is in use) ?

You could try deleting it 'C:/Documents and Settings/rundl32.exe' manually using either:
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.

What Operating System are you using ?

I expanded to clumn width in the Avast viewer to try and read the rest but it was cut off.

You can also export the contents to a .txt file, File, Export Current List. or double clicking between the two column headings should expand the column to see the full text (both work for me).

17/05/2006 17:42    David    1344    Sign of "EICAR Test-NOT virus!!" has been found in "C:\DOCUME~1\Username\LOCALS~1\Temp\AAWTMP\C13632218\37BA06\eicar.com" file. 
17/05/2006 17:45    Username 1344    Sign of "EICAR Test-NOT virus!!" has been found in "C:\DOCUME~1\Username\LOCALS~1\Temp\AAWTMP\C13632218\3F4974\eicar.com" file. 
23/05/2006 23:03    SYSTEM    1348    Sign of "EICAR Test-NOT virus!!" has been found in "C:\TEMP\eicar.com" file. 

[cmda]

I am using Windows XP.  I use Avast and I use Windows Firewall.

After Avast recommends moving the virus to the chest a script error appears on the desktop:

Script Error
Line 151
Char 1
Error the system cannot find the file specified
Code 0
URL file//C:Documents and Settings\All Users\Start\Menu\Program\Startup\Windows Update.hta

Also, if I select start up and then Windows Update from the menu, Avast detects the Virus again.

[DavidR]

This is getting stranger, you move 'C:/Documents and Settings/rundl32.exe' and then you get an unrelated system error about Windows Update.hta which was in a very strange location and a google search for this file shows it as a trojan, http://www.sophos.com/security/analyses/trojinordra.html and http://www.geekstogo.com/forum/index.php?showtopic=69637

Windows Start, Run, type 'msconfig' without the quotes, Startup Tab and untick (delete later if OK) any entry for Windows Update.hta.

Firstly I would get a good firewall otherwise you could be fighting an uphill battle. Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

[Spiritsongs]

   Hi cmda :

     At this point in time, I recommend you try "Ewido" from
     www.ewido.net/en . This good & FREE program
     "specializes" in detecting AND removing trojans and
    "temporary internet files\content.IE5" . Either download,
     install & update the program OR run its Online Scanner .

[cmda]

Thank you for your quick and detailed responses.  David, Is the Windows Firewall and firewall protection from our router not enough protection? 
Is it best that I avoid things such as online banking and email checking etc until this virus has been removed?
I tried what you suggested but on re-starting my computer the virus is still detected by Avast.

I will now try ewido and see if that helps.

[DavidR]

Neither XP's firewall (spit) nor your router provide outbound protection and where you are more vulnerable is if there is a keylogger trojan on your system, it could copy what you are doing, usernames, passwords, etc, it could then connect to the internet and there is nothing to stop them. So it would make sense to pause internet banking until you get a firewall that provides this protection.

It shouldn't effect your collection of email or browsing as those two are monitored by avast, but adding ewido to your defences (run it in safe mode for the first time, this should be a priority) will improve overall detection. No one program is likely to catch/detect everything.

What was suggested for the startup was basically removing a registry key to run that Windows Update.hta so you don't get the error message aout the "Error the system cannot find the file specified" I assume that you are no longer getting the message no you have rebooted ?

[cmda]

Yes, that message has gone.  Thank you.

A little worrying that this Trojan might be able to access such information!!!! 

Can I just say thank you for youe help and speedy responses.
Not really sure where to go next to remove this! 

[DavidR]

I assume the file name and location are the same ?
Well if it is continually being restored there are other elements to this trojan and that is Ewido is the specialist tool for the task of finding and eliminating trojans.

But without an effective firewall to stop unauthorised internet access, as fast as you are removing it this trojan could be being downloaded, so you need to visit those links I gave you and decide which firewall to try. Remember this "Firstly I would get a good firewall otherwise you could be fighting an uphill battle."

[zzap64]

Hi Avast Tech-Team,

I seem to have the same virus/error messages as cdma.
I have searched on the net but cannot find a solution that works.

No matter how may times I delete or move/delete rundl32.exe (overwritten 10 times by ewido, used unlocker etc.), it still appears on log-on.
I cannot locate it in Registry Editor.

I also have the 'hijackthis' program but I am wary of deleting essential files.

Can anybody help?
Many Thanks!

[Lisandro]

Did you try the basic cleaning operations?

If a virus is replicant (coming and coming again), you should:

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) Use a-squared, ewido or Spyware Terminator (trojan removers).

[roscojones]

Howdy! I have the same problem, but the two files being detected are not virus's.
I just installed FreeKGBKeylogger 1.94. This fits into something detected by the Avast! VDB defintions & signatures. I have been trying to exclude the two files tripping the alarms in the resident scanner.  No success so far. That's why I am here.

Any chance your files are false positives & not going to be a problem?
Could it be that your slowdown is due to Avast! having issuses & not from an infection?

I wish us both luck on figuring these problems out.
I'll be back, if I find anything that may help.