FAQ

AVG 8.5 Virus FAQ » General


796:

Please note that even the best security software cannot protect your computer from infection if the harmful code exploits a bug in the installed operating system.

Operating system updates are very often enabled and set to automatic by default. This means that the operating system periodically looks for new updates. When a new update is available, the operating system downloads and installs it automatically. You may change these settings according to your individual needs.

Windows XP SP2:

Right click "My Computer" on the desktop (or in "Start" menu -> "My Computer") -> select "Properties" -> switch to "Automatic Updates" tab

Windows Vista:

Right click "Computer" on the desktop (or in "Start" menu -> "Computer") -> select "Properties" -> click on "Windows Update" link -> click on "Change settings" link

The following options are available:

  • Automatic.
  • Download updates for me, but let me choose when to install them.
  • Notify me but don't automatically download or install them.
  • Turn off Automatic Updates.

It is not recommended to deactivate the updates completely.

Please follow these steps to check for new updates of MS Windows operating system:

  • Please click on the "Start" menu -> "Windows Update"
    (Alternatively, you can directly open Microsoft webpage www.windowsupdate.com to download and install updates)

794:

In recent years there have been many computer viruses, especially "worm" type viruses, which are distributed mainly via e-mail. This has caused panic among users, and a special group of messages called HOAXes, which are NOT based on truth, feeds on that panic.

These false-alarm messages usually follow the same scheme: a warning about some extremely dangerous, dramatically spreading virus, followed by a demand for some user action. In the best case, they ask the user to send the message to everyone in the user's contact list (an action known from "chain" games), which causes the e-mail to collapse because of overload. In the worse case, these messages ask the user to delete the suspected virus, although the file is actually a CORRECT system file. Deleting such files may lead to serious problems (some programs will not work, or the whole system may crash).

The best-known HOAX message is:

Please check and verify if you have this virus. It was sent to me
(accidentally) and it is said that it is passed on to everyone on
my address list. It is very probable that you have it.
If you do have it, contact all the people in YOUR ADDRESS BOOK
because the
program AUTOMATICALLY sends everyone in your address book a message
with the virus.
The virus' name is jdbgmgr.exe and it is not detected with
McAfee nor Norton. It remains in your computer's system for 14 days
before it erases all you files.
To delete and eliminate it completely, please do the
following immediately:
1. Go to START -- FIND --FILES OR FOLDERS
2. Under NAMED, type jdbgmgr.exe and click FIND NOW.
Make sure you are looking under Drive (C)
******DO NOT CLICK ON IT IF IT APPEARS********
3. If the virus appears *(the icon next to it will be a
small teddy bear), the name will be jdbgmgr.exe
4. *****DO NOT OPEN IT************ Just right click on it
and DELETE it. it will be sent to the Recycle Bin.
5. After you see it disappear, go to the RECYCLE BIN and
DELETE it from there as well. If at all possible, EMPTY the Recycle
Bin under FILE.
If you find this virus in your system, please send this
message to everyone in your address list asap.

The best protection lies in the user's own judgment. If a message has such content, the user should check anti-virus pages on the internet, such as www.icsa.net, www.avg.com or http://en.wikipedia.org/wiki/Hoax, or any pages dedicated to virus problems. The user can also send a query to the technical support of an anti-virus company and consult the support personnel about the problem.

If the user unknowingly distributes such messages, that is exactly the effect the author of the HOAX wanted. Note that alerts from anti-virus companies are more professionally composed, and are not usually sent from unknown addresses or without being requested!


793:

Some files cannot be opened for checking because they are permanently in use by the Windows operating system or by a running application. Just as they cannot be checked, they cannot be infected by a virus.


792:

Tracking cookies are not viruses or malicious code. Cookies are only text files and therefore cannot be dangerous to your computer.

The main purpose of cookies is to identify users and possibly prepare customized web pages for them. When you enter a web site using cookies, you may be asked to fill in a form providing such information as your name and interests. This information is sent to your web browser as a cookie file. The next time you go to the same web site, your browser will send the cookie to the web server. The server can use this information to present you with custom web pages.

If you don't want to use cookies, you can change the Internet Explorer settings to accept or deny cookie files. More information can be found at:
http://www.microsoft.com/info/cookies.mspx
under the question "If You Want to Control Which Cookies You Accept"

If you are using a Mozilla Firefox browser, you can find more information at:
http://mozilla.gunnars.net/firefox_help_firefox_cookie_tutorial.html

More information about cookie files can be found at:
http://en.wikipedia.org/wiki/HTTP_cookie

You can also set AVG to not detect cookies on your computer:

1. Resident Shield settings
- open AVG User Interface
- double-click on the AVG Resident Shield component
- unmark the "Scan for Tracking Cookies" option
- press "Save changes" button

2. AVG test settings
- launch AVG User Interface
- open Computer Scanner
- choose "Change scan settings" under "Scan whole computer" item
- in the newly opened window please unmark "Scan for Tracking Cookies"

3. Scheduled test settings
- open AVG User Interface
- choose "Advanced settings" from Tools menu
- expand "Schedules" item and select "Scheduled scan"
- switch to "How to scan" tab
- please unmark "Scan for Tracking Cookies" option


790:

These files (for example documents or archives) are password protected, so the test could not check their content. If you know the password and open the archive, its content is checked by the AVG Resident Shield immediately. This AVG component does not allow possibly infected code from such an archive to be opened or launched.


789:

It means that the document contains a macro. A macro is a list of instructions that automates or simplifies some operation in the document. It is a part of the document file which can, for example, perform calculations using some fixed values. However, this does not mean that the file contains a virus. If the file is infected, AVG will give the exact name of the virus in the test result.


786:

You do not need to worry about that. These files were changed because of some change on the computer (installation or uninstallation, Windows Update, configuration, etc.).
You can accept these changes. If there were a virus, you would see its exact name in the AVG test result.


776:

AVG gives the following message: Warning: hidden extension .exe

Some viruses hide themselves by doubling their file extension. For example, the VBS/Iloveyou virus attaches a file, ILOVEYOU.TXT.VBS, to e-mails. The default Windows setting is to hide known extensions, so the file looks like ILOVEYOU.TXT. When you open it, you do not open a .TXT text file but instead execute a .VBS script file.

Because of the increased use of this technique, we have added detection of the double file extension to AVG. Of course there are cases of valid, harmless double extensions, e.g. uninstall.rar.bat, which is part of some installations of the RAR compression utility.
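
The double-extension check described above, sketched as an added example (this is not AVG's code, and the page does not publish AVG's rules). The extension lists, the allow-list and the sample names are assumptions constructed for illustration.

```python
import ntpath

# Assumed lists for illustration only; not AVG's actual rule set.
EXECUTABLE_EXTS = {".exe", ".vbs", ".bat", ".cmd", ".com", ".scr", ".pif"}
DOCUMENT_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".zip", ".rar"}

# Harmless double extensions that have been reviewed (the page's own example).
KNOWN_GOOD = {"uninstall.rar.bat"}


def shown_name(filename):
    """Name Explorer displays when known extensions are hidden (Windows default)."""
    base = ntpath.basename(filename)
    stem, ext = ntpath.splitext(base)
    return stem if ext else base


def check_name(filename):
    """Classify one file name as 'ok', 'allowed' or 'hidden-extension'."""
    base = ntpath.basename(filename)
    stem, real_ext = ntpath.splitext(base)      # the extension Windows acts on
    _, decoy_ext = ntpath.splitext(stem)        # the extension the user still sees
    doubled = (real_ext.lower() in EXECUTABLE_EXTS
               and decoy_ext.lower() in DOCUMENT_EXTS)
    if not doubled:
        return "ok"
    if base.lower() in KNOWN_GOOD:
        return "allowed"
    return "hidden-extension"


def scan(filenames):
    """Return (full name, name the user sees, real extension) for each warning."""
    findings = []
    for name in filenames:
        if check_name(name) == "hidden-extension":
            base = ntpath.basename(name)
            real_ext = ntpath.splitext(base)[1].lower()
            findings.append((base, shown_name(name), real_ext))
    return findings


# Constructed sample input: file and attachment names, not real scan data.
SAMPLE = [
    "ILOVEYOU.TXT.VBS",
    "uninstall.rar.bat",
    "notes.txt",
    "setup.exe",
    r"C:\Temp\holiday.jpg.exe",
]

if __name__ == "__main__":
    for full, seen, ext in scan(SAMPLE):
        print(f"Warning: hidden extension {ext}: {full} is displayed as {seen}")
```

The allow-list matches the whole file name, so a reviewed name such as uninstall.rar.bat stops producing warnings while other doubled extensions are still reported.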


774:

Windows Safe Mode is a way to boot up the Windows operating system in order to let you troubleshoot or run administrative and diagnostic tasks. When it is booted into Safe Mode, the operating system loads only the minimum software that is required for the operating system to work. Only basic video drivers are loaded, so your programs may look different than normal.

Operation:

  • Restart your computer.
  • Immediately after "Starting Windows..." information is displayed, press the F8 key on your keyboard.
  • Select the Safe Mode option from the menu using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

773:

Most of today's viruses (Trojan horses, I-Worms, Worms, etc.) create their own files which contain nothing but the body of the virus. In such cases the only way to remove the infection is to delete the infected file. When you moved the file to the AVG Virus Vault, it was deleted from its original location, encoded, and then saved as a non-executable file in a hidden folder. Your PC is then no longer infected.


If you are not missing any data file and your applications are running, then you can delete these vaulted files from the AVG Virus Vault program.

You can do it selectively from AVG Virus Vault program -> select files -> delete. Or you can delete all AVG Virus Vault contents in one go:

  •  Double-click the AVG icon on your desktop -> choose the "History" menu and select the "Virus Vault" option -> click on the "Empty Vault" button.

772:

A Trojan Horse is a malicious application which cannot spread itself. The original Trojan Horses were programs that posed as a useful utility, although running them in fact caused damage to the disk content (or part of it).

At present, the most widespread Trojan Horses are BackDoor Trojans, which enable remote access to infected computers, and PSW (Password Stealers), which try to gather as much private information from the infected computer as possible and send it through the Internet.

To remove the Trojan Horse, it is enough to delete the detected file.


990:

If you need to exclude a certain "Potentially unwanted program" from any detection by AVG (for example if you are using an Ad-sponsored program or utility, which could be dangerous, but could also be used with your knowledge), you can exclude it from AVG Resident Shield and AVG tests detection this way:

  • Please open the AVG program -> "Tools" menu -> "Advanced settings" -> "PUP exceptions" -> push the "Add exception" button to add a new exception.
  • Now find the file you want to exclude from AVG detection. If you are not sure that the file location is static, enable the "Any location - do not use full path" function.
  • Save the setting using the "Add" button.

These exceptions can be used for "Potentially unwanted programs" only. If you set the exception for a viral file (Trojan horse, I-Worm, Worm, W32...), this file will still be detected by AVG tests and the AVG Resident Shield.

These exceptions are not used for the AVG Email Scanner.

Note: These exceptions can be created for files only, not for folders.


992:

"Potentially Unwanted Programs" sometimes act very similarly to viruses or spyware. They are usually installed legitimately as a part of another program (often designated as an "AD-Supported program" – in which the End User License Agreement typically prompts the user to accept that, in addition to the desired program, an additional program (Potentially Unwanted Program) will also be installed).

AVG is able to detect some Potentially Unwanted Programs and remove the detected files.
NOTE: Removal of the Potentially Unwanted Programs can result in damage to the AD-Supported program which was installed with them.

It is also possible to create an exception for files detected as Potentially Unwanted. Files included in the exceptions will no longer be detected as threats.

The procedure for adding a file to PUP exceptions is described here.


1539:

To detect active rootkits, the AVG program includes the Anti-Rootkit component. This component detects rootkits according to a predefined set of rules. Please note that all rootkits are detected (not just infected ones). If the AVG program finds a rootkit, it does not necessarily mean that the rootkit is infected. Sometimes rootkits are used as drivers or are part of legitimate applications.

A list of such legitimate applications using rootkit technology can be found below:

Daemon Tools

  • Detected file is:
    • C:\Windows\System32\drivers\al887uj6.sys
    • Name can vary each time AVG removes the rootkit
  • After removal and restart, same hidden driver is detected again (restored by the application).

Alcohol 120% 

  • Detected file is:
    • C:\Windows\System32\drivers\ajp34rie.sys
    • Name can vary each time AVG removes the rootkit
  • After removal and restart, the file is detected again (restored by the application).

User Profile Hive Cleanup Service

  • Detected file is:
    • C:\Windows\System32\drivers\uphcleanhlp.sys 
    • uphcleanhlp.sys is used to completely terminate the user session when a user logs off.
  • Manufacturer is Microsoft Corp.

More information about rootkits can be found here:
http://en.wikipedia.org/wiki/Rootkit


1215:

The AVG test may report a warning (potentially dangerous object) for some files which may be infected or pose a potential threat. Typical examples of such detection are hidden files, cookies, suspicious registry keys, password protected documents or archives, etc.

Note:
In case some file is reported as Information, you can find more information about such detection in FAQ topic 1618.

A Warning refers to a file that cannot be scanned (password-protected archive), or to potentially suspicious files (hidden files, cookies, etc.). Such files do not present any direct threat to your computer or security. Information about these files is generally useful when adware or spyware is detected on your computer. If an AVG test detects only Warnings, no action is necessary.

This is a brief description of the most common examples of such objects:

  • Hidden files
    The hidden files are by default not visible in Windows, and some viruses or other threats may try to avoid their detection by storing their files with this attribute. If your AVG reports a hidden file which you suspect to be malicious, you can move it to your AVG Virus Vault and send it to us for analysis.
  • Cookies
    Cookies are plain-text files which are used by websites to store user-specific information, which is later used for loading custom website layout, pre-filling user name, etc. More information is available in the FAQ dedicated to this detection.
  • Suspicious registry keys
    Some malware stores its information in the Windows registry, to ensure it is loaded on startup or to extend its effect on the operating system.

If you wish, you can adjust the AVG test settings so that only the warnings you are interested in are reported:

  • open AVG User Interface
  • click on Computer scanner
  • click "Change scan settings"
  • alternatively, you can change these settings in menu Tools - Advanced settings

More information about the files detected by AVG is available in the FAQ section covering viruses.


1349:

In some cases, AVG detection that is designed to recognize files infected by one particular virus may be triggered by a file that is not infected. Such detection is called False Alarm. By providing us with the incorrectly detected files, you will allow us to fix the detection and ensure that only infected files will be reported by AVG.

Typical examples of false alarms are files that you have had on your computer for a long time (old documents, backups, etc.), or files that are required by some common/commercial application.

If you suspect that AVG has detected a clean file on your computer, you can send us the file directly from your Virus Vault (Right-click the file in Virus Vault and select "Send to analysis" option from context menu). We will then inform you about the result of our analysis, as described on this website.


1595:

The Mozilla Firefox browser has used a new format for downloaded cookies since version 3. Cookies are no longer in plaintext format, but in the new SQLITE format. The AVG program with the newest major program update (SP2) is able to recognize the new Mozilla Firefox cookie file and even heal all dangerous parts of this file.

1750:

The first version of this virus, which AVG recognizes as Downadup (alternatively I-Worm.Generic), was detected at the end of November / beginning of December, 2008. Currently there are over 300 unique versions of this virus. AVG detects and protects against all known variants of the worm.

The main method this virus uses to infect computers is a security vulnerability in Windows operating systems, which is described in MS Security Bulletin MS08-67 released on October 23, 2008 (including links for the respective Windows update files). Apart from using this security vulnerability, the virus also spreads across local networks by attacking weak passwords for shared folders, and by using the Autorun function on removable devices.

To protect against the virus, it is necessary to install the mentioned Windows update and make sure your AVG is fully up to date. If your computer is infected by this virus, it may not be possible to update your AVG correctly. To allow AVG to update correctly, please proceed as follows:

  • Open Start -> Run.
  • Type 'cmd'.
  • In the opened command line window, type the following command and press Enter:
    net stop dnscache
  • It will be possible to update your AVG now. Once updated, run an AVG scan to remove the infection:
    AVG -> Computer Scanner -> Scan whole computer
  • When the scan is finished, please restart your computer.