AVG 8.5 Virus FAQ » Computer is infected
The Gumblar infection spreads through PDF and Flash files (.pdf and .swf) which are in most cases downloaded from infected FTP servers, where the malware creates copies of these files.
Users with unpatched versions of Adobe Acrobat Reader or Adobe Flash Player may be infected through exploits in these .pdf and .swf files. The FTP servers are compromised using credentials found in saved FTP connections on the infected computer, so we suggest changing those passwords after the infection has been removed.
The malware infection known as Gumblar is detected by AVG under the following designations: Trojan horse Agent2.HYG, Defiler, and variants of Trojan horse Exploit or Exploit.PDF.
JS/Psyme or JS/Downloader may be found in the "Temporary Internet Files" folder if you have visited an infected web page. This detection cannot be healed, because the malicious script is an integral part of the cached web page itself.
The easiest way of removing this infection is to delete temporary files of Internet Explorer browser. You may do it this way:
- launch Internet Explorer
- click on the "Tools" menu
- select the "Internet Options..." item
- click on the "Delete files..." button
- check the "Delete all offline content" option
- confirm by clicking the "OK" button
- then please run the Complete Test once again to make sure that AVG no longer detects the infection
The location and names may differ slightly depending on the version of Internet Explorer.
Note that AVG will detect the infection again if you revisit the infected web page.
If a virus is found during an AVG test and its status is "Infected, Embedded", the virus file is part of an archive (ZIP, RAR, CAB, ...) or of a self-extracting archive (EXE). AVG detects the file, but for data-safety reasons it does not automatically remove the file from the archive and repack the archive without it, nor does it automatically move the whole archive to the Virus Vault.
Removal in this case therefore requires user interaction.
Please follow these steps to remove this kind of virus files:
1. Move it to the Virus Vault - if the archive is smaller than 5 MB.
Open the Test Results (run AVG -> open the History menu -> click the Test Results item), in the test result select the line with the infection (the line with the red exclamation mark icon) and click the Move to Vault button.
2. Delete the archive - if the archive is larger than 5 MB it cannot be moved to the Virus Vault. Please make sure that the archive does not contain any important data before removing it.
Open the Test Results (run AVG -> open the History menu -> click the Test Results item), in the test result select the line with the infection (the line with the grey exclamation mark icon) and click the Go to file button. You will be taken to the archive file automatically and can delete it by right-clicking its name and choosing the "Delete" option from the menu.
Please note that if you have deleted the archive file, you also have to empty the Recycle Bin, to which the deleted archive was moved:
- Double-click the Recycle Bin icon on the desktop of your computer
- Choose the File menu and the Empty Recycle Bin option
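The two manual steps above exist because AVG will not repack an archive without the infected member on its own. The following is an added example (not AVG's code and not part of the original FAQ) showing what that repacking looks like for a ZIP file, together with the 5 MB decision rule the FAQ gives. The sample archive, its member names and the assumption that "5 MB" means 5 * 1024 * 1024 bytes are constructed for this illustration.

```python
import io
import zipfile

# The FAQ's limit for moving an archive to the Virus Vault. The FAQ says "5 MB";
# treating that as binary megabytes is an assumption of this example.
VAULT_LIMIT_BYTES = 5 * 1024 * 1024


def choose_action(archive_size):
    """Return the FAQ's manual step for an 'Infected, Embedded' archive of the given size."""
    return "move_to_vault" if archive_size < VAULT_LIMIT_BYTES else "delete_archive"


def member_names(archive_bytes):
    """List the member names of an in-memory ZIP archive in stored order."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        return z.namelist()


def archive_is_valid(archive_bytes):
    """True when every member's CRC checks out (zipfile.testzip returns None on success)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        return z.testzip() is None


def rebuild_without_member(archive_bytes, infected_member):
    """Return a new ZIP containing every member of archive_bytes except infected_member.

    The original bytes are never modified. A member that does not exist raises
    KeyError, so a typo cannot silently produce an archive that still carries
    the infected file.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as src:
        if infected_member not in src.namelist():
            raise KeyError(infected_member)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename == infected_member:
                    continue  # drop only the detected member, keep everything else
                # Reusing the ZipInfo keeps timestamps and attributes of the survivors.
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_archive():
    """Constructed sample: a small archive with one harmless document and one
    placeholder .pdf standing in for the member AVG would flag (no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("report.txt", "quarterly figures")
        z.writestr("invoice.pdf", "placeholder body standing in for the flagged member")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("action for sample:", choose_action(len(sample)))
    cleaned = rebuild_without_member(sample, "invoice.pdf")
    print("members after rebuild:", member_names(cleaned))
```

The rebuilt archive is returned as new bytes rather than written over the original, mirroring the FAQ's caution: the user decides what happens to the original, and nothing is lost if the wrong member name was supplied.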
Windows NT/2000/XP/2003/XP Pro x64/2003 Server x64:
We recommend using the AVG Rescue CD product in this case. The AVG Rescue CD is essentially a portable variant of AVG based on the Windows PE platform. It is distributed as a bootable CD intended for operating system recovery when the system cannot be started in the regular way, for example due to a substantial virus infection. The AVG Rescue CD first loads the temporary Windows PE operating system and then runs AVG, which can be used in the usual way for virus and spyware detection and removal.
For more information about creating the AVG Rescue CD, please see FAQ 491.
- Please check the Virus Encyclopedia web page and search for the exact name of the virus mentioned in the test result.
- If you are not successful, please contact technical support and attach an export of the latest test result:
Run the AVG program (basic or advanced interface) and choose Test Results from the History menu. You will see the list of finished tests; double-click the latest one (by date) to get the full list of detected viruses (if any), including the path, name and status of each infected object. With the list open, click the "Export overview to file..." option and send us the resulting file for further analysis.
VCLEANER.EXE can be used to remove some specific viruses and variants. Please visit the web page mentioned below for more details.
Use:
Download the vcleaner.exe and run it on the infected computer.
Note:
Some viruses can terminate the remover while it is running. In that case rename vcleaner.exe to a different name (e.g. something.exe), restart your computer in Safe mode (recommended) and run the remover again on the infected computer.
Other removal tools are also available on the mentioned web page.
Please update your AVG program and run the whole computer scan again. If the file is still not detected and you remain in doubt, put the file into a password-protected archive (WinZip, WinRAR, PowerArchiver etc.), attach the archive to an e-mail and send it to virus@avg.com. In the e-mail, describe why you are sending the file and include the password for the archive.
If AVG has detected a file on your PC as infected, the file was moved to the AVG Virus Vault, and you are sure that the file is legitimate and clean, the detection may be a false alarm.
If so, we will prepare a correction as soon as possible.
Unfortunately, false alarms do appear from time to time in every Anti-Virus software.
To solve the problem, please send us this file for analysis directly from the AVG program this way:
- Open AVG User Interface.
- Choose the "Virus Vault" option from the "History" menu.
- Right-click the false positive file and select the "Send to analysis" option from context menu.
- Fill in your e-mail address
- Confirm the dialog
This way the file will be sent to our virus specialists for analysis and we will inform you about the result.
This FAQ topic describes rootkit infection with TDSSserv.sys/msqpd*.sys that is usually connected with Antivirus 2009 infection.
Symptoms of such infections include:
- Fake pop-up infection warnings advising the user to buy a fake antivirus application that claims to remove the infection (e.g. Antivirus 2009, Antivirus XP).
- The desktop background is changed to a warning message and cannot be changed back.
- Access to Task Manager and Registry Editor is disabled.
- Web pages in the internet browser are redirected to wrong ones.
- Windows cannot be updated (the page www.windowsupdate.com is inaccessible).
- AVG cannot be updated.
- AVG's Anti-Rootkit scan detects the infection as hidden drivers or files in system folders. Names of the detected files start with "TDSS" or "MSQPD", e.g. TDSSserv.sys, tdsslog.dll, TDSSl.dll, msqpdxserv.sys.
If your computer seems to be infected as described above, you can remove the infection this way:
- Download the AVGRTK_remover utility.
- Extract the downloaded archive into a new folder.
- In the folder, please find the AVGRTK_remover.vbs file.
- Run this file by double-clicking on it.
- Confirmation will be displayed.
- Restart computer.
- Update your AVG.
- Run AVG complete scan and remove all detected infection.
This utility also removes side effects of the infection, such as disabled access to system functions. If you are still unable to use some functions, please run the utility again as described above.
The infection should now be completely removed. Should the issue persist, please contact Customer Service.
Your computer may be infected with the fake antispyware application called Antivirus 360. This application tries to look like a regular antivirus application, but it is not a product of any real antivirus company. It only simulates threats on your computer and pushes you to buy the full version of itself; you pay the money and receive no service of any value in return. The infection can have many other symptoms:
- Slowdown of a computer
- False positives on important system files
- Displaying of unwanted popup windows
- Downloading of other viruses and trojans to your computer
The AVG program detects and successfully removes most variants of the mentioned application. However, many new variants are generated every day, so it is possible that some of them will not be detected and removed by AVG. If you experience issues with the fake Antivirus 360 application and it cannot be removed using the AVG program, please follow these simple steps to give us all the information needed to rectify the issue and add the missing variant to AVG detection:
Autoruns utility output
- Download the AvgProci utility by clicking the following link (we recommend saving the file to your desktop): avgproci_en.exe
- Run the downloaded file and follow the onscreen instructions to generate diagnostic output.
Contacting AVG technical support
- Run the runner.avgdx file which is located in the folder where the AvgProci tool was installed.
- Enter your valid e-mail address in the appropriate field of the AVG Diagnostics tool.
- As a description please enter "Undetected Antivirus 360" or something similar.
- Then click the Attach file button and attach previously created avgproci diagnostic output (result.7z file).
- Please click the Diagnose and send results button and all needed information will be sent to AVG technical support.
If the AVG program detects a virus in an important system file, the file is not removed automatically. This behaviour was added to prevent accidental removal of infected system files that the operating system needs in order to run.
Below you may find examples of important system files:
- "%WINDOWS%\system32\winlogon.exe"
- "%WINDOWS%\system32\user32.dll"
- "%WINDOWS%\explorer.exe"
Note: %Windows% variable usually stands for C:\Windows folder.
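Deciding whether a detected path is one of these protected files is mostly a path-normalization problem on Windows: the %WINDOWS% placeholder has to be expanded, NTFS names compare case-insensitively, and both "/" and "\" separators and ".." components must be collapsed before comparing. The following is an added example (not AVG's code and not part of the original FAQ) of such a check using the FAQ's three sample paths; the protected list, the default C:\Windows location and the "manual"/"auto" action names are assumptions of this example.

```python
import ntpath

# The FAQ's example paths, used here as the protected set. This is an
# illustration, not AVG's actual list of protected system files.
PROTECTED_SYSTEM_FILES = (
    r"%WINDOWS%\system32\winlogon.exe",
    r"%WINDOWS%\system32\user32.dll",
    r"%WINDOWS%\explorer.exe",
)


def expand_windows_var(path, windir):
    """Replace the %WINDOWS% placeholder (matched case-insensitively) with the
    real Windows folder. Only this one placeholder is handled on purpose: the
    process environment is never consulted, so the check is deterministic."""
    marker = "%windows%"
    idx = path.lower().find(marker)
    if idx == -1:
        return path
    return path[:idx] + windir + path[idx + len(marker):]


def canonical(path, windir):
    """Canonical form for comparing NTFS paths: placeholder expanded, '/' turned
    into '\\', '.' and '..' components collapsed (ntpath works on any OS), and
    the result case-folded because NTFS is case-insensitive."""
    return ntpath.normpath(expand_windows_var(path, windir)).casefold()


def is_protected_system_file(detected_path, windir=r"C:\Windows",
                             protected=PROTECTED_SYSTEM_FILES):
    """True when detected_path names one of the protected files after normalization."""
    target = canonical(detected_path, windir)
    return any(canonical(p, windir) == target for p in protected)


def removal_action(detected_path, windir=r"C:\Windows"):
    """Mirror the FAQ's rule: protected system files are left for manual
    handling (restore from backup), anything else may be removed automatically."""
    return "manual" if is_protected_system_file(detected_path, windir) else "auto"


if __name__ == "__main__":
    # Constructed sample detections, deliberately written in odd forms.
    for sample in (
        r"C:\Windows\system32\winlogon.exe",
        "c:/WINDOWS/System32/../system32/WINLOGON.EXE",
        r"C:\Windows\system32\winlogon.exe.bak",
        r"D:\Windows\explorer.exe",
    ):
        print(f"{sample!r}: {removal_action(sample)}")
```

The look-alike cases in the sample run are the ones worth keeping in mind: a trailing extra extension or a different drive letter must not match, while case, separator and ".." variations of the real path must.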
In case a virus is detected in a system file, please restore the infected file from the system backup. More information on how to restore the operating system to a previous state can be found in Microsoft's knowledge base at:
- Windows XP: http://support.microsoft.com/kb/306084
- Windows Vista: http://windowshelp.microsoft.com/Windows/en-US/help/517d3b8e-3379-46c1-b479-05b30d6fb3f01033.mspx
If the infection keeps returning, please contact the AVG Technical Support team using the Get Help Online option in the AVG Help menu. More information about contacting AVG Customer Services can be found in FAQ 1467 – How to contact Customer Services.