Virus detected at every start up!! Help!

Avast keeps detecting a virus every time I start up my computer. I move it to the chest as advised but I cannot delete it!!! :cry:

This is what comes up… Win 32 Trojan gen UPX

Can anyone help me get rid of it as my computer is running really slow and this keeps on popping up! >:(

In case you hadn't guessed, I really don't know a lot about this sort of thing! So please bear with me!!! ???

Thank you!!! :slight_smile:

Hi cmda,

Get CrapCleaner from here: http://www.ccleaner.com/download/

then a possible fix…

start in DOS mode.

navigate to:

C:\Window\System

run

Scanreg /Restore

Select a date prior to the infection.

Re-boot.

Interrupt the boot sequence, and select “Safe Mode”

Run an anti-virus engine.

On reboot interrupt boot.

run a dirty reinstall.

If this is not getting you out of the woods, consider the following cleansing routine,
found here: http://www.bullguard.com/forum/5/Help-Win32-Trojan-gen-UPX_11109.html

polonus

What was the infected file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
Check the avast Log Viewer (right click the avast icon), Warnings section for details.

Why can’t it be deleted (although deletion isn’t a good first option), what warnings/errors are being given ?

Thank you for replying! I have tried the first option of the poster above you but Virus is still there. So here’s the information I think you were asking for!!! (Thank you so much !)

I opened the Avast log viewer and got these details:
Win32:Trojan-gen.{UPX!} found in C:/…
I expanded the column width in the Avast viewer to try and read the rest but it was cut off.

This is what's written in the Standard Shield page:
last scanned C:\Documents and Settings\local setting\temporary internet files\content.IE5\YGIV7MUO\index[6]htm.
last infected C:/Documents and Settings/rundl32.exe

The one you give in the "last infected" field, C:/Documents and Settings/rundl32.exe, is probably the same as the one whose details you couldn't expand.

Thank you for replying! I have tried the first option of the poster above you but Virus is still there.
What warnings or errors are you getting, e.g. why is it still there (presumably because it is in use) ?

You could try deleting it ‘C:/Documents and Settings/rundl32.exe’ manually using either:

What Operating System are you using ?

I expanded the column width in the Avast viewer to try and read the rest but it was cut off.
You can also export the contents to a .txt file, File, Export Current List. or double clicking between the two column headings should expand the column to see the full text (both work for me).
17/05/2006 17:42 David 1344 Sign of "EICAR Test-NOT virus!!" has been found in "C:\DOCUME~1\Username\LOCALS~1\Temp\AAWTMP\C13632218\37BA06\eicar.com" file.
17/05/2006 17:45 Username 1344 Sign of "EICAR Test-NOT virus!!" has been found in "C:\DOCUME~1\Username\LOCALS~1\Temp\AAWTMP\C13632218\3F4974\eicar.com" file.
23/05/2006 23:03 SYSTEM 1348 Sign of "EICAR Test-NOT virus!!" has been found in "C:\TEMP\eicar.com" file.

I am using Windows XP. I use Avast and I use Windows Firewall.

After Avast recommends moving the virus to the chest a script error appears on the desktop:

Script Error
Line 151
Char 1
Error the system cannot find the file specified
Code 0
URL file//C:Documents and Settings\All Users\Start\Menu\Program\Startup\Windows Update.hta

Also, if I select start up and then Windows Update from the menu, Avast detects the Virus again.

This is getting stranger: you move 'C:/Documents and Settings/rundl32.exe' and then you get an unrelated system error about Windows Update.hta, which was in a very strange location, and a Google search for this file shows it as a trojan, http://www.sophos.com/security/analyses/trojinordra.html and http://www.geekstogo.com/forum/index.php?showtopic=69637

Windows Start, Run, type ‘msconfig’ without the quotes, Startup Tab and untick (delete later if OK) any entry for Windows Update.hta.

Firstly I would get a good firewall, otherwise you could be fighting an uphill battle. Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

:slight_smile: Hi cmda:

At this point in time, I recommend you try "Ewido" from www.ewido.net/en. This good & FREE program "specializes" in detecting AND removing trojans and "temporary internet files\content.IE5". Either download, install & update the program OR run its Online Scanner.

Thank you for your quick and detailed responses. David, are the Windows Firewall and the firewall protection from our router not enough protection?
Is it best that I avoid things such as online banking and email checking etc until this virus has been removed?
I tried what you suggested but on re-starting my computer the virus is still detected by Avast.

I will now try ewido and see if that helps.

Neither XP’s firewall (spit) nor your router provide outbound protection and where you are more vulnerable is if there is a keylogger trojan on your system, it could copy what you are doing, usernames, passwords, etc, it could then connect to the internet and there is nothing to stop them. So it would make sense to pause internet banking until you get a firewall that provides this protection.

It shouldn't affect your collection of email or browsing as those two are monitored by avast, but adding ewido to your defences (run it in safe mode for the first time, this should be a priority) will improve overall detection. No one program is likely to catch/detect everything.

What was suggested for the startup was basically removing a registry key to run that Windows Update.hta so you don't get the error message about the "Error the system cannot find the file specified". I assume that you are no longer getting the message now you have rebooted?

Yes, that message has gone. Thank you.

A little worrying that this Trojan might be able to access such information!!! :o

Can I just say thank you for your help and speedy responses.
Not really sure where to go next to remove this! :-[

I assume the file name and location are the same ?
Well, if it is continually being restored there are other elements to this trojan, and that is why Ewido is the specialist tool for the task of finding and eliminating trojans.

But without an effective firewall to stop unauthorised internet access, as fast as you are removing it this trojan could be being downloaded, so you need to visit those links I gave you and decide which firewall to try. Remember this “Firstly I would get a good firewall otherwise you could be fighting an uphill battle.”

Hi Avast Tech-Team,

I seem to have the same virus/error messages as cmda.
I have searched on the net but cannot find a solution that works.

No matter how many times I delete or move/delete rundl32.exe (overwritten 10 times by ewido, used unlocker etc.), it still appears on log-on.
I cannot locate it in Registry Editor.

I also have the ‘hijackthis’ program but I am wary of deleting essential files.

Can anybody help?
Many Thanks!

Did you try the basic cleaning operations?

If a virus is replicant (coming and coming again), you should:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared, ewido or Spyware Terminator (trojan removers).

Howdy! I have the same problem, but the two files being detected are not viruses.
I just installed FreeKGBKeylogger 1.94. This fits into something detected by the Avast! VDB definitions & signatures. I have been trying to exclude the two files tripping the alarms in the resident scanner. No success so far. That's why I am here.

Any chance your files are false positives & not going to be a problem?
Could it be that your slowdown is due to Avast! having issues & not from an infection?

I wish us both luck on figuring these problems out.
I’ll be back, if I find anything that may help.

For the Standard Shield provider (on-access scanning):
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button…

For the other providers (on-demand scanning):
Right click the ‘a’ blue icon, click Program Settings.
Go to Exclusions tab and click on Add button…

You can use wildcards like * and ?.
But be careful: don't exclude so many files that you leave your system in danger.

Keyloggers can be used for good and for evil, determining which is a problem for AVs. If you are happy that there is no problem and accept the risk then exclude the file being detected.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can’t do this with the file in the chest, you will need to move it out.

What are you entering in the Program Settings, Exclusions and the Standard Shield, Customize button, Advanced sections?
We can have a look at it and ensure the path is correct for the exclusions.

Good News! I tried the response from Tech & it did the trick for me.

I have been trying to exclude the two files tripping the alarms in the resident
scanner. No success so far. That’s why I am here.

Tech Response
[b]For the Standard Shield provider (on-access scanning):
Left click the ‘a’ blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button…

For the other providers (on-demand scanning):
Right click the ‘a’ blue icon, click Program Settings.
Go to Exclusions tab and click on Add button…

You can use wildcards like * and ?.
But be careful: don't exclude so many files that you leave your system in danger. [/b]


More from RJ

I did the search for false alarms & found a great post.

Go to: http://forum.avast.com/index.php?board=2;action=display;threadid=7779

“How to find out if it is a false alarm & what to do if it is”.

I don’t believe it is a false positive.

The file is saved on my system on C:\Documents and Settings..\rundl32.exe
File size: 4,688
File MD5: 429B5CC8C5D48CD025DC3CEAC70CBC22

Why would it be called rundl32 instead of the correct name rundll32 ?
Although it must be said that on my system, a-squared, Ewido and Spyware Terminator do not pick it up or flag it as a virus/trojan.

System restore, various deletions and boot scans have not worked.
I now intend to delete the following from the registry, using the regedit command:

Scanning Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU*\f C:\Documents and Settings..\rundl32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\a C:\Documents and Settings..\rundl32.exe
HKCU\Software\vAutoDel\Loader C:\Documents and Settings..\rundl32.exe

Would that finally remove it?
I appreciate your help guys! :slight_smile:
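The post above asks why the file is called rundl32 rather than rundll32 and whether deleting the three registry entries would remove it; the earlier advice about the Windows Update.hta in the Startup folder raises the same triage question. The script below is an added example, not code from this thread or from Avast: it hashes a file so the result can be compared with an AV report or submitted to VirusTotal/Jotti, flags entries whose file name is one character away from a real system binary or that run a script at logon, and separates keys that actually launch something at logon from keys that only record history (the ComDlg32 OpenSaveMRU entries). The sample entries and the file bytes are constructed from the paths quoted in the thread; the key lists, the user-writable prefixes and the one-edit lookalike threshold are assumptions.

```python
"""Triage for a suspect file referenced from autostart and registry locations.

Added example, not code from the thread or from Avast. The sample entries
are constructed from paths quoted in the thread; the key lists and the
one-edit lookalike threshold are assumptions.
"""
import hashlib
import ntpath

SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system", r"c:\windows"}
SCRIPT_EXTENSIONS = {".hta", ".vbs", ".js", ".wsf", ".bat", ".cmd"}
USER_WRITABLE_PREFIXES = (r"c:\documents and settings", r"c:\temp", r"c:\windows\temp")

# Key fragments that launch something at logon, versus keys that only record
# history: the ComDlg32 MRU lists remember what was typed into an Open/Save
# dialog, so deleting them removes a trace, not the launcher.
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\winlogon\\")
HISTORY_KEYS = ("\\explorer\\comdlg32\\opensavemru", "\\explorer\\recentdocs", "\\explorer\\runmru")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (used to spot lookalike names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the real system binary this name imitates (one edit away), or None."""
    for real in sorted(SYSTEM_BINARIES):
        if name != real and edit_distance(name, real) == 1:
            return real
    return None


def classify_location(location: str) -> str:
    """'autostart' launches at logon, 'history' only records usage, else 'unknown'."""
    loc = location.lower()
    if loc.startswith("startup folder") or any(k in loc for k in AUTOSTART_KEYS):
        return "autostart"
    if any(k in loc for k in HISTORY_KEYS):
        return "history"
    return "unknown"


def triage(location: str, path: str) -> dict:
    """Return the location kind and the reasons this entry looks suspicious."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    ext = ntpath.splitext(name)[1]
    kind = classify_location(location)
    findings = []
    twin = lookalike_of(name)
    if twin:
        findings.append(f"name imitates {twin}")
    if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        findings.append("system binary name outside a Windows system directory")
    if kind == "autostart" and ext in SCRIPT_EXTENSIONS:
        findings.append(f"{ext} script launched at logon")
    if kind == "autostart" and ext == ".exe" and directory.startswith(USER_WRITABLE_PREFIXES):
        findings.append("executable launched at logon from a user-writable location")
    if kind == "unknown" and findings:
        findings.append("non-standard key references the file: find out what reads it")
    return {"kind": kind, "findings": findings}


def file_hashes(data: bytes) -> dict:
    """Size and hashes to compare with an AV report or submit to a multi-engine scanner."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed entries, modelled on the locations quoted in the thread.
SAMPLE_ENTRIES = [
    ("Startup folder (All Users)",
     r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Update.hta"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe\a",
     r"C:\Documents and Settings\rundl32.exe"),
    (r"HKCU\Software\vAutoDel\Loader", r"C:\Documents and Settings\rundl32.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Benign",
     r"C:\WINDOWS\system32\rundll32.exe"),
]

if __name__ == "__main__":
    for location, path in SAMPLE_ENTRIES:
        result = triage(location, path)
        print(f"[{result['kind']:9}] {path}")
        for finding in result["findings"]:
            print(f"            - {finding}")
    # Constructed bytes standing in for a file moved out of the chest.
    print(file_hashes(b"MZ constructed sample, not the real file"))
```

Run against the constructed entries, the two OpenSaveMRU keys come back as history (the file name still trips the lookalike check, but removing those keys only forgets that the file was once typed into a dialog), the vAutoDel\Loader key is unknown and worth investigating because it points at the lookalike file, the Startup-folder .hta is a genuine launch point, and the real rundll32.exe in system32 produces no finding.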

Really strange… this is a malware behavior indeed.

Sorry to ask again, but did you submit the file to Jotti and VirusTotal on-line scanners?

These entries are inoffensive… just your HDD search for the file.

I'm not so sure about this. It's strange… :slight_smile: ???