FAQ
The first version of this virus, which is recognized by AVG as Downadup (alternatively I-Worm.Generic), was detected at the end of November / beginning of December 2008. Currently there are over 300 unique versions of this virus. AVG detects and protects against all known variants of the worm.
The main method this virus uses to infect computers is a security vulnerability in Windows operating systems, which is described in MS Security Bulletin MS08-067, released on October 23, 2008 (including links to the respective Windows update files). Apart from exploiting this security vulnerability, the virus also spreads across local networks by attacking weak passwords for shared folders, and by using the Autorun function on removable devices.
To protect against the virus, it is necessary to install the mentioned Windows update and make sure your AVG is fully up-to-date. In case your computer is infected by this virus, it may not be possible to update your AVG correctly. In order to allow correct AVG update, please proceed as follows:
- Open Start -> Run.
- Type 'cmd'.
- In the opened command line window, type the following command and press Enter:
net stop dnscache
- It will be possible to update your AVG now. Once updated, run an AVG scan to remove the infection:
AVG -> Computer Scanner -> Scan whole computer
- When the scan is finished, please restart your computer.
A Trojan Horse is a malicious application which cannot spread by itself. The original Trojan Horses were programs that posed as a useful utility but, when started, actually damaged the disk contents (or part of them).
At present the most widespread Trojan Horses are BackDoor Trojans, which enable remote access to infected computers, and PSW (Password Stealers), which try to gather as much private information from the infected computer as possible and send it over the Internet.
To remove the Trojan Horse, it is enough to delete the detected file.
Most of today's viruses (Trojan horses, I-Worms, Worms, etc.) create their own files, which contain nothing but the body of the virus. In such cases the only way to remove the infection is to delete the infected file. When you moved the file to the AVG Virus Vault, it was deleted from its original location, encoded, and then saved as a non-executable file in a hidden folder. Your PC is then no longer infected.
If you are not missing any data file and your applications are running, then you can delete these vaulted files from the AVG Virus Vault program.
You can do it selectively from AVG Virus Vault program -> select files -> delete. Or you can delete all AVG Virus Vault contents in one go:
- Double-click the AVG icon on your desktop -> choose the "History" menu and select the "Virus Vault" option -> click on the "Empty Vault" button.
Windows Safe Mode is a way to boot up the Windows operating system in order to let you troubleshoot or run administrative and diagnostic tasks. When it is booted into Safe Mode the operating system only loads the minimum software that is required for the operating system to work. Only basic video drivers are loaded so your programs may look different than normal.
Operation:
- Restart your computer.
- Immediately after "Starting Windows..." information is displayed, press the F8 key on your keyboard.
- Select the Safe Mode option from the menu using the arrow keys.
- Then press Enter on your keyboard to boot into Safe Mode.
VCLEANER.EXE can be used to remove some specific viruses and variants. Please visit the web page mentioned below for more details.
Use:
Download the vcleaner.exe and run it on the infected computer.
Note:
Some viruses can stop the removal process while it is running. In this case rename vcleaner.exe to a different exe file name (e.g. something.exe), restart your computer in Safe Mode (recommended) and run the remover on the infected computer.
Other removal tools are also available on the mentioned web page.
AVG gives the following message: Warning: hidden extension .exe
Some viruses hide themselves by doubling their file extension. For example, the VBS/Iloveyou virus attaches a file, ILOVEYOU.TXT.VBS, to e-mails. The default Windows setting is to hide known extensions, so the file looks like ILOVEYOU.TXT. When you open it you do not open a .TXT text file but instead execute a .VBS script file.
Because of the increased use of this technique we have added detection of the double file extension into AVG. Of course there are cases of valid, harmless double extensions, e.g. uninstall.rar.bat, which is part of some installations of the RAR compression utility.
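The double-extension check described above can be sketched as follows. This is an added example, not AVG's detection code; the extension sets and the function names check_double_extension and scan are assumptions made for illustration, and the sample names are constructed.

```python
import ntpath

# Assumed extension sets for this illustration; these are not AVG's own lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".rar", ".zip", ".mp3"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS  # types Windows would hide by default


def check_double_extension(path):
    """Report what the user sees, what Windows runs, and whether to warn."""
    name = ntpath.basename(path)            # handles both \ and / separators
    stem, last = ntpath.splitext(name)      # last  = extension Windows acts on
    _, inner = ntpath.splitext(stem)        # inner = extension the user sees
    last, inner = last.lower(), inner.lower()
    return {
        "file": name,
        # With "hide extensions for known file types" on, the last one is dropped.
        "shown_as": stem if last in KNOWN_EXTS else name,
        "handled_as": last,
        "warn": last in EXECUTABLE_EXTS and inner in DECOY_EXTS,
    }


def scan(paths):
    """Return only the entries that deserve a hidden-extension warning."""
    return [r for r in map(check_double_extension, paths) if r["warn"]]


# Constructed sample names (the first and third come from the text above).
SAMPLES = [
    "ILOVEYOU.TXT.VBS",
    r"C:\Temp\photo.JPG.exe",
    "uninstall.rar.bat",
    "report.doc",
    "archive.tar.gz",
    "setup.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(f'{hit["file"]}: shown as {hit["shown_as"]}, '
              f'handled as {hit["handled_as"]}')
```

The harmless uninstall.rar.bat is flagged as well, which is why a name-based check like this can only produce a warning rather than a verdict.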
- Please check the Virus Encyclopedia web page and search for the exact name of virus mentioned in the test result.
- If you are not successful, please contact the technical support and attach an export of the latest test result:
Please run the AVG program (basic or advanced interface) and choose Test results from the History menu. You will see the list of finished tests; double-click the latest one (by date) to get the full list of detected viruses (if there were any), including the path, name and status of each infected object. When it is opened, please click the "Export overview to file..." option. Please send us this file for further analysis.
The first and most important information is the EXACT NAME of the VIRUS (as reported by AVG) and the path to the infected file(s). You can find information about the most dangerous viruses in the Virus Encyclopedia.
The AVG test may report a warning - potentially dangerous object on some files, which may be infected or pose a potential threat. Typical examples of such detections are hidden files, cookies, suspicious registry keys, password-protected documents or archives, etc.
Note:
If a file is reported as Information, you can find more information about such a detection in FAQ topic 1618.
A Warning refers to a file that cannot be scanned (a password-protected archive), or to potentially suspicious files (hidden files, cookies, etc.). Such files do not present any direct threat to your computer or security. Information about these files is generally useful when adware or spyware is detected on your computer. If there are only Warnings detected by an AVG test, no action is necessary.
This is a brief description of the most common examples of such objects:
- Hidden files
Hidden files are by default not visible in Windows, and some viruses or other threats may try to avoid detection by storing their files with this attribute. If your AVG reports a hidden file which you suspect to be malicious, you can move it to your AVG Virus Vault and send it to us for analysis.
- Cookies
Cookies are plain-text files which are used by websites to store user-specific information, which is later used for loading a custom website layout, pre-filling the user name, etc. More information is available in the FAQ dedicated to this detection.
- Suspicious registry keys
Some malware stores its information in the Windows registry, to ensure it is loaded on startup or to extend its effect on the operating system.
If you wish, you can adjust the AVG test settings in such a way that only the warnings you are interested in are reported:
- open AVG User Interface
- click on Computer scanner
- click "Change scan settings"
- alternatively, you can change these settings in menu Tools - Advanced settings
More information about the files detected by AVG is available in the FAQ section covering viruses.