FAQ

More information about this virus can be found in our Virus Encyclopedia.

VCLEANER.EXE can be used for removing some specific viruses and their variants. Full list of infections the VCleaner can heal is available in the download section.

Use:

Download the vcleaner.exe and run it on the infected computer.
Note: Some viruses can stop the action during the removing process. In this case rename the vcleaner.exe to some different exe file (e.g. something.exe). Restart your computer in Safe mode (recommended) and run the remover on the infected computer.
Other removal tools are available on web page Downloads-Utilities.

Please use the Lop.AH virus removal tool for the removing of this trojan horse. This removal tool can be downloaded here.

If any problem persists, please contact our technical support.

AVG gives the following message: Warning: hidden extension . exe

Some viruses hide themselves by doubling their file extension. For example, the VBS/Iloveyou virus attaches a file, ILOVEYOU.TXT.VBS, to e-mails. The default Windows setting is to hide known extensions, so the file looks like ILOVEYOU.TXT. When you open it you do not open a .TXT text file but instead execute a .VBS script file.

Because of the increased use of this technique we have added detection of the double file extension into AVG. Of course there are cases of valid, harmless double extensions, e.g. uninstall.rar.bat, which is part of some installations of the RAR compression utility.

Windows 95/98/ME:

Before continuing further we recommend to backup the system areas on the infected computer. Do this using the Rescue Disk function in AVG (in the menu select Service -> Rescue Disk).

Restoring system areas from backup can only be done in very specific cases. It is necessary to do it from the Rescue Disk created on the same computer you need to restore, otherwise there can be a permanent loss of hard drive access.

Before you attempt to use this function please contact our technical support at support@avg.com.

• First please create a clean, bootable floppy. On a clean computer, insert an empty floppy disk, start MS DOS prompt and run format a: /s
  This will create a System floppy disk.
  
• Now create AVGRescue Disk (in AVG menu select Service -> Rescue Disk) on another floppy disk and write protect them both.
• Start your computer using the System floppy disk to boot to DOS (by inserting it into your floppy drive before you turn it on).
• Replace the floppy with AVG Rescue Disk and from the command prompt run avg.exe command. Now select Test and Restore.

Windows NT/2000/XP/2003/XP Pro x64/2003 Server x64:

We recommend using AVG Rescue CD product in this case (for more information about this product please click here). The AVG Rescue CD is basically a portable variant of AVG based on the Windows PE platform. It is distributed as a bootable CD intended for operating system recovery in such an event where the system cannot be loaded in the regular way - for example due to substantial virus infection. Initially the AVG Rescue CD will load the temporary operating system Windows PE edition and run AVG, which can be then used in the usual way for virus and spyware detection and removal.

For more information about AVG Rescue CD creation please see FAQ 491.

You do not need to worry because of that. These files were changed because of some change in the computer (un/installation, Windows Update, configuration etc.).
You can accept these changes. If there is a virus, you would be able to see its exact name in the AVG test result.

Files placed in the _RESTORE folder are source files for the system restore function that is available in Windows Millenium operating system. Files that were healed were moved in their original INFECTED state into this folder and it is necessary to DELETE them by following these steps:

• Close all open programs. Then right-click My Computer on the Windows desktop
• Click on Properties
• Click on the Performance tab
• Click on File System
• Click on the Troubleshooting tab
• Check Disable System Restore
• Click on OK.

Sometimes with Windows ME is required to do these steps repeatedly. It means that you should disable restore function, restart your computer and enable restore function. These steps has to be done as many times as the virus is found.

Files placed in the System volume information folder are source files for the system restore function that is available in Windows XP operating system. Files that were healed were moved in their original INFECTED state into this folder and it is necessary to DELETE them by following these steps:

• Close all open programs. Then right-click My Computer on the Windows desktop
• Click on Properties
• Click on the System Restore tab
• Check Turn off System Restore on all drives
• Restart the system
• Go through the first four steps again and uncheck the item mentioned in step 4.

If a virus is found during an AVG test and the status isInfected, Embedded it means that the virus file is part of an archive file (ZIP, RAR, CAB…) or part of a self-extractor archive (EXE). AVG detects this file of course but is not able to remove this file automatically from an archive file and compress it again without this infected file or move it to the Virus Vault automatically because of data security.

We have chosen the user interaction method in this case of virus removal.

Please follow these steps to remove this kind of virus files:

1. Move it to the Virus Vault– if the size of the archive is less than 5 MB.

Choose Test Results (run AVG->choose Results menu->click on the Test Results item) in the Test Result mark the line with the infection (click on the line with the red exclamation mark icon)->choose the Move to Vault button.

2. Delete the archive – if the size of the archive is more than 5 MB it’s not possible to move it to the Virus Vault.

!Please make sure if this archive doesn’t contain your important data!

Choose Test Results (run AVG->choose Results menu->click on the Test Results item) in the Test Result mark the line with the infection (click on the line with the grey exclamation mark icon)->choose the Go to file button, you will be transferred to the archive file automatically (not in the Windows95 operating system, you have to mark the archive file manually) and you can delete it by right-clicking on its name and left-clicking the "Delete" option from the menu.

Please note

If you cannot see the line with the Infected, Embedded status, you have possibly deactivated the Hide viruses inside archives function in the context menu.

You can activate it this way:

• Open details of the positive test (run the AVG->choose Results menu->click on the Test Results item->double-click on the test result with the detected virus, you can see a red icon there)
• Right-click on any object here (line with the detected virus)
• Choose Filter list by result type option
• Un-tick the Hide viruses inside archives option
• If you have deleted the archive file you also have to empty the Recycle Bin where the deleted archive file has been removed to.
• Double-click on the Recycle Bin icon on the desktop of your computer
• Choose File menu and the Empty Recycle Bin option

A Trojan Horse is a malicious application, which can not spread itself. Original Trojan Horses were programs which acted as a useful utility. Although, in fact, their start used to cause damage to disc content (or part of it).

At the present time the most spreading Trojan Horses are BackDoor Trojans. They enable remote access to infected computers and PSW (Password Stealers) - they are trying to gather as much private information from the infected computer as possible and to send the info through the Internet.

To remove the Trojan Horse, it is enough to delete the detected file.

• Please check the Virus Encyclopedia web page and search for the exact name of virus mentioned in the test result.
• If you are not successful, please contact the technical support at support@avg.com and also send us an export of the latest test result:
  

Please run AVG program (basic or advanced interface) and choose Test Results from Results menu (you can also use F6 key to get the same). Now you can see the list of finished tests, double click the latest one (by date) and you will get the full list of detected viruses (if there were any), including the path, the name and status of infected object. When it is opened, go back to main AVG program screen -> Program menu -> Export... item (or you can user Ctrl+S shortcut to get Save as... option). Please send us this file for further analysis.

Most of today's viruses (Trojan horses, I-Worms, Worms, etc) create their own files which contain nothing but a body of the virus. In such cases the only way to remove the infection is to delete the infected file. When you moved the file to the AVG Virus Vault it was deleted from its original location, coded, and then saved in a non-executable file in a hidden folder. Your PC is no longer infected then.
If you are not missing any data file and your applications are running, then you can delete these vaulted files from the AVG Virus Vault program.

You can do it selectively from AVG Virus Vault program -> select files -> delete. Or you can delete all AVG Virus Vault contents in one go: - Open the AVG Control Center program -> right click on "AVG Virus Vault" tab -> choose "Empty vault".

Note that files removed from your e-mails are also moved to the AVG Virus Vault. If you do not have a content filter set, then these files are infected and can be removed, as shown above. If you have set a content filter, then you should decide what to do with the vaulted files.
If you want, you can set automatic actions in the AVG Virus Vault. Please open the AVG Virus Vault program -> "Service" menu -> "Program setting". Here you can set any required automatic actions.

Please let us inform you that JS/Psyme may be found in the "Temporary Internet Files" folder in case you have visited some infected web page. It is not possible to heal this infection because it is an original part of that web page.

The easiest way of removing this infection is to delete temporary files of Internet Explorer browser. You may do it this way:

• launch Internet Explorer
• click on the "Tools" menu
• select the "Internet Options..." item
• click on the "Delete files..." button
• check off "Delete all offline content" option
• confirm this clicking on the "OK" button
• then please run the Complete test once again to be sure that the infection is not detected by AVG again

The location and names could be a little bit different, depending on the version of Internet Explorer.

Now we would like to inform you that the infection may by detected by AVG repeatedly in case you visit the infected web page again.