"WIN32:Trojan-gen. {UPX!}" Spoof or Real?

Is the “WIN32:Trojan-gen. {UPX!}” a real virus or is it a false alarm? I’m reading articles both ways on this one.

How can I remove this if it is real?? Avast cannot get rid of it, is there a cleaner out there?

Thanks in advance for the help,

B.

What’s the exact path and name of the file?

Welcome to the Forums.
It sounds like a false positive, but to be sure go here and double check.
http://forum.avast.com/index.php?action=search2

Why does it sound like a false positive? :slight_smile:
There’s certainly a lot of real malware detected under the mentioned name…

Exactly. You two are split on what it may or may not be.

I don’t have the filename, the person infected will get back to me soon I hope, I’ve asked her. She says it was found in memory as well as in a file.

I had her download and install Avast since I prefer it myself, and do a system scan and this is what was found. She has a directory on her hard drive “_RESTORE” that cannot be deleted and is constantly filling the hard drive up.

She runs WinME.

That’s the best I can get you guys now, any ideas?

B.

yes…

  • please give us more info, and

  • also read “VirusRemoval” below.

  • Try online scanners on the file (with avast shield paused)

  • Also read your Windows documentation or Microsoft help pages on System RESTORE utility
    :wink:

_Restore is a Windows protected folder and is used by System Restore.

These _restore points keep eating up disk space to help you roll back and recover from problems. They also hang on to files that have been deleted from certain areas (Windows system folders, etc.). This can be a problem: when you delete a virus in a system folder, it gets into the _restore folder.

By disabling System Restore and rebooting you will clear virtually all of this restore point information (not to mention recover lots of disk space), allowing viruses to be properly deleted.

We also, as Igor said, need the full path and filename, etc. Take a look at this thread for the full info we need: User’s FAQ and General Advice & Tools for virus/trojan/malware removal

HTH David

Edit, I must improve my typing speed

Ok, the name of the file with the virus warning is:

c:\windows\msmgt.exe

I never use WinME (Microsoft’s worst joke ever), but I didn’t know WinME had the system restore, I thought that was XP. But it makes sense. Unfortunately that folder is filling up with the user, not knowingly, setting restore points.

I will get her to do an online scan while avast is paused.

Thanks for the ideas and help,

B.

Hi,

msmgt.exe
→ Total Velocity adware/hijacker

http://www.sysinfo.org/startuplist.php?filter=msmgt.exe

so it’s probably NOT a false positive!
:wink:

You should first uninstall Memory Meter if it is installed on your system.
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Browse to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value called MSMGT, if it exists.
Browse to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
In the right pane, delete the value called MSMGT, if it exists.
Exit the registry editor.
Restart your computer.
Delete %WinDir%\MSMGT.exe and %WinDir%\TINYINSTALLER.exe.
Note: %WinDir% is a variable (?). By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).
Before you make any changes in the registry, do a BACKUP of the registry by selecting file and then export.
Good luck
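
An added example, not part of the original post: a small Python check that reads a registry export (the backup made with File, then Export, as mentioned above) and lists anything that still matches the names in these removal steps. It assumes the REGEDIT4 text format that regedit writes on Windows 9x/Me; the function names and the sample export are constructed for illustration.

```python
import re

# Keys, value name and file names taken from the removal steps in the post above
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall",
}
VALUE_NAME = "msmgt"
FILE_NAMES = ("msmgt.exe", "tinyinstaller.exe")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def find_leftovers(reg_text):
    """Return sorted (key, value name, data) tuples that still match the adware."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # remember which key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # blank lines, header, default (@) and non-string values
        name, data = unescape(m.group(1)), unescape(m.group(2))
        named = key.lower() in WATCHED_KEYS and name.lower() == VALUE_NAME
        points_at_file = any(f in data.lower() for f in FILE_NAMES)
        if named or points_at_file:
            hits.append((key, name, data))
    return sorted(hits)

# Constructed sample export, not taken from a real machine
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"MSMGT"="C:\\WINDOWS\\msmgt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"MSMGT"="placeholder"
'''

if __name__ == "__main__":
    print(*find_leftovers(SAMPLE), sep="\n")
```

Exporting again after the cleanup and the restart and running the same check should return an empty list.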

Bob3160 & whocares,

Thanks for all your help. It is greatly appreciated.

Once this is done, I will be installing SpywareBlaster and Ad-Aware for her so this does not re-occur.

Thanks again,

B.

Hopefully that means you have solved the problem which is always nice to hear.
Remember, that’s what this forum is for.