FAQ

AVG 8.5 Free Edition FAQ » Viruses and other threats


1884:

The Gumblar infection spreads through PDF and Flash files (.pdf and .swf), in most cases downloaded from infected FTP servers, where it creates copies of these files.

Users with unpatched vulnerabilities in the Adobe Acrobat Reader or Adobe Flash Player applications may be infected through exploits in the .pdf and .swf files. FTP servers are compromised by searching for saved connections to FTP servers, so it is suggested to change the passwords after the infection is removed.

The malware infection known as Gumblar is detected by AVG under the following designations: Trojan horse Agent2.HYG, Defiler, and variants of Trojan horse Exploit or Exploit.PDF.


1754:

The first version of this virus, which AVG recognizes as Downadup (alternatively I-Worm.Generic), was detected at the end of November / beginning of December 2008. Currently there are over 300 unique versions of this virus. AVG detects and protects against all known variants of the worm.

The main means of infection used by this virus is a security vulnerability in Windows operating systems, described in MS Security Bulletin MS08-67, released on October 23, 2008 (including links to the respective Windows update files). Apart from this vulnerability, the virus also spreads across local networks by attacking weak passwords for shared folders, and by using the Autorun function on removable devices.

To protect against the virus, it is necessary to install the mentioned Windows update and make sure your AVG is fully up to date. If your computer is infected by this virus, it may not be possible to update your AVG Free correctly. To allow AVG Free to update correctly, please proceed as follows:

  • Open Start -> Run.
  • Type 'cmd'.
  • In the command line window that opens, type the following command and press Enter:
    net stop dnscache
  • It will be possible to update your AVG Free now. Once updated, run an AVG scan to remove the infection:
    AVG Free -> Computer Scanner -> Scan whole computer
  • When the scan is finished, please restart your computer.

1313:

A Trojan horse is a malicious application that cannot spread by itself. The original Trojan horses were programs that posed as useful utilities but, when started, damaged the disk content (or part of it).

At present, the most widespread Trojan horses are BackDoor Trojans, which enable remote access to infected computers, and PSW (Password Stealers), which try to gather as much private information from the infected computer as possible and send it over the Internet.

To remove the Trojan Horse, it is enough to delete the detected file.


1314:

Most of today's viruses (Trojan horses, I-Worms, Worms, etc.) create their own files, which contain nothing but the body of the virus. In such cases the only way to remove the infection is to delete the infected file. When you moved the file to the AVG Free Virus Vault, it was deleted from its original location, encoded, and then saved as a non-executable file in a hidden folder. Your PC is then no longer infected.

If you are not missing any data file and your applications are running, then you can delete these vaulted files from the AVG Virus Vault program:

  •  Double-click the AVG Free icon on your desktop -> choose the "History" menu and select the "Virus Vault" option -> click on the "Empty Vault" button.
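
How a vault of the kind described above can neutralize a file, as an added example (not AVG's code or vault format): the single-byte XOR encoding, the `.vault` file layout and the function names are assumptions chosen for illustration.

```python
import hashlib
import json
import os

KEY = 0xA5  # constructed XOR key; it only has to break the executable format


def _xor(data):
    return bytes(b ^ KEY for b in data)


def quarantine(path, vault_dir):
    """Move `path` into `vault_dir` in encoded form and return the vault entry."""
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    os.makedirs(vault_dir, exist_ok=True)  # a real vault would also hide this folder
    entry = os.path.join(vault_dir, digest + ".vault")  # non-executable name
    header = json.dumps({"original": os.path.abspath(path), "sha256": digest}).encode()
    with open(entry, "wb") as fh:
        fh.write(len(header).to_bytes(4, "big") + header + _xor(data))
    os.remove(path)  # the original location no longer holds the file
    return entry


def restore(entry):
    """Decode a vault entry back to its original location (false-alarm case)."""
    with open(entry, "rb") as fh:
        blob = fh.read()
    size = int.from_bytes(blob[:4], "big")
    meta = json.loads(blob[4:4 + size])
    data = _xor(blob[4 + size:])
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("vault entry is corrupted")
    with open(meta["original"], "wb") as fh:
        fh.write(data)
    os.remove(entry)
    return meta["original"]
```

Because the stored bytes no longer match any executable format, the entry cannot be run by accident, while `restore` still recovers the exact original if the detection turns out to be a false alarm.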

1315:

AVG Free gives the following message: Warning: hidden extension . exe

Some viruses hide themselves by doubling their file extension. For example, the VBS/Iloveyou virus attaches a file, ILOVEYOU.TXT.VBS, to e-mails. The default Windows setting is to hide known extensions, so the file looks like ILOVEYOU.TXT. When you open it you do not open a .TXT text file but instead execute a .VBS script file.

Because of the increased use of this technique we have added detection of the double file extension into AVG Free. Of course there are cases of valid, harmless double extensions, e.g. uninstall.rar.bat, which is part of some installations of the RAR compression utility.
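
A double-extension check of the kind described above, as an added example (not AVG's detection code): the extension lists, the allow-list and the function names are assumptions for illustration, and the sample names are constructed.

```python
import ntpath

# Assumed, non-exhaustive lists for illustration; not AVG's own tables.
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".mp3", ".zip", ".rar"}
# Known harmless double-extension names, such as the FAQ's RAR example.
ALLOWED = {"uninstall.rar.bat"}


def hidden_extension(path):
    """Return the executable extension a file name hides, or None."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = ntpath.basename(path).lower().rstrip(" .")
    if name in ALLOWED:
        return None
    stem, real = ntpath.splitext(name)
    if real not in EXECUTABLE:
        return None
    # Spaces before the last dot ("a.txt      .exe") push the real extension out of view.
    _, shown = ntpath.splitext(stem.rstrip())
    return real if shown in DECOY else None


def scan(names):
    """Map each suspicious name to the extension that decides how it opens."""
    found = {}
    for name in names:
        ext = hidden_extension(name)
        if ext:
            found[name] = ext
    return found


# Constructed sample names, including the two mentioned in the FAQ.
SAMPLES = [
    r"C:\Mail\ILOVEYOU.TXT.VBS",
    "uninstall.rar.bat",
    "invoice.pdf          .exe",
    "setup.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for name, ext in scan(SAMPLES).items():
        print(f"Warning: hidden extension {ext}  ({name})")
```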


1316:

If a virus is found during an AVG Free test and the status is "Infected, Embedded", it means that the virus file is part of an archive file (ZIP, RAR, CAB…) or part of a self-extracting archive (EXE). AVG Free detects this file, but for data security reasons it does not automatically remove the file from the archive and recompress the archive without it, nor does it move the archive to the Virus Vault automatically.

In this case, virus removal is left to the user. Please follow these steps to remove this kind of virus file:

1. Move it to the Virus Vault, if the size of the archive is less than 5 MB.

Open Test Results (run AVG -> choose the History menu -> click the Test Results item), mark the line with the infection (click the line with the red exclamation mark icon) -> choose the Move to Vault button.

2. Delete the archive, if the size of the archive is more than 5 MB; in that case it is not possible to move it to the Virus Vault.

Please make sure that this archive doesn't contain your important data!

Open Test Results (run AVG -> choose the History menu -> click the Test Results item), mark the line with the infection (click the line with the grey exclamation mark icon) -> choose the Go to file button. You will be taken to the archive file automatically and can delete it by right-clicking its name and left-clicking the "Delete" option in the menu.

Please note:

If you have deleted the archive file, you also have to empty the Recycle Bin, where the deleted archive file has been moved:

  • Double-click on the Recycle Bin icon on the desktop of your computer
  • Choose File menu and the Empty Recycle Bin option

1317:

JS/Psyme may be found in the "Temporary Internet Files" folder if you have visited an infected web page. It is not possible to heal this infection because it is an original part of that web page.

The easiest way to remove this infection is to delete the temporary files of the Internet Explorer browser. You can do it this way:

  • launch Internet Explorer
  • click on the "Tools" menu
  • select the "Internet Options..." item
  • click on the "Delete files..." button
  • check off "Delete all offline content" option
  • confirm this by clicking the "OK" button
  • then run the Complete test once again to be sure that the infection is no longer detected by AVG Free

The locations and names may differ slightly, depending on the version of Internet Explorer.

Note that AVG Free may detect the infection again if you visit the infected web page again.


1318:

Please try to update your AVG Free system and run the whole computer scan again. If the file is not detected and you are still in doubt, put the file into a password-protected archive using WinZip, WinRar, PowerArchiver, etc., attach this archive to an e-mail and send it to virus@avg.com. Describe why you are sending the file and include the password for the archive in the e-mail.


1327:

The AVG Free test may report the warning "potentially dangerous object" on some files that may be infected or pose a potential threat. Typical examples of such detections are hidden files, cookies, suspicious registry keys, password protected documents or archives, etc. This is a brief description of the most common examples of such objects:

  • Hidden files
    The hidden files are by default not visible in Windows, and some viruses or other threats may try to avoid their detection by storing their files with this attribute. If your AVG reports a hidden file which you suspect to be malicious, you can move it to your AVG Virus Vault and send it to us for analysis.
  • Cookies
    Cookies are plain-text files which are used by websites to store user-specific information, which is later used for loading custom website layout, pre-filling user name, etc. More information is available in the FAQ dedicated to this detection.
  • Suspicious registry keys
    Some malware stores its information in the Windows registry, to ensure it is loaded on startup or to extend its effect on the operating system. However, a detection in the Windows registry may also be related to an "immunization" function of some anti-spyware programs, as described in this FAQ. Such detections should not be healed, in order to maintain the functionality of the anti-spyware application.
  • Password protected documents or archives
    Password protected files cannot be scanned by AVG (or by anti-malware programs in general), as explained in this FAQ topic.

If you wish, you can adjust the AVG test settings so that only the warnings you are interested in are reported:

  • open AVG Free User Interface
  • click on Computer scanner
  • click "Change scan settings"
  • alternatively, you can change these settings in menu Tools - Advanced settings

More information about the files detected by AVG is available in the FAQ section covering viruses.


1320:

If AVG Free detects a file on your PC as infected and moves it to the AVG Virus Vault, but you are sure that the file is correct and clean, the detection may be a false alarm. If so, we will prepare a correction as soon as possible. Unfortunately, false alarms do appear from time to time in all anti-virus software.

To solve the problem, please send us this file for analysis directly from the AVG Free program as follows:

  • Open AVG Free User Interface.
  • Choose the "Virus Vault" option from the "History" menu.
  • Right-click the false positive file and select the "Send to analysis" option from the context menu.
  • Fill in your e-mail address.
  • Confirm the dialog.

This file will be sent to our virus specialists for analysis and we will inform you about the result.


1321:

Even the best security software cannot protect your computer from an infection in which the harmful code abuses a bug in the installed operating system.

Updating of your operating system is enabled and is very often set to automatic by default. This means that the operating system looks for new updates periodically. If a new update is available, it is downloaded and installed by the operating system automatically. You may change these settings according to your individual needs.

Windows XP SP2:

Right-click "My Computer" on the desktop (or in "Start" menu -> "My Computer") -> select "Properties" -> switch to the "Automatic Updates" tab

Windows Vista:

Right-click "Computer" on the desktop (or in "Start" menu -> "Computer") -> select "Properties" -> click the "Windows Update" link -> click the "Change settings" link

The following options are available:

  • Automatic.
  • Download updates for me, but let me choose when to install them.
  • Notify me but don't automatically download or install them.
  • Turn off Automatic Updates.

It is not recommended to deactivate the updates completely.

To check for new updates of the MS Windows operating system:

  • click on the "Start" menu -> "Windows Update"

1322:

Tracking cookies are not viruses or malicious code. Cookies are only text files and therefore cannot be dangerous to your computer. 

The main purpose of cookies is to identify users and possibly prepare customized web pages for them. When you enter a web site using cookies, you may be asked to fill in a form providing such information as your name and interests. This information is sent to your web browser as a cookie file. The next time you go to the same web site, your browser will send the cookie to the web server. The server can use this information to present you with custom web pages. 

If you don't want to use cookies, you can change the settings of the Internet Explorer browser to accept or deny cookie files. More information can be found at:
http://www.microsoft.com/info/cookies.mspx
under the question "If You Want to Control Which Cookies You Accept"

If you are using a Mozilla Firefox browser, you can find more information at:
http://mozilla.gunnars.net/firefox_help_firefox_cookie_tutorial.html

More information about cookie files can be found at:
http://en.wikipedia.org/wiki/HTTP_cookie

You can also set AVG Free to not detect cookies on your computer:

1. Resident Shield settings
- open AVG Free User Interface
- double-click on the AVG Resident Shield component
- unmark the "Detect cookies" option
- press "Save changes" button

2. AVG test settings
- launch AVG Free User Interface
- open Computer Scanner
- choose "Change scan settings" under "Scan whole computer" item
- in the newly opened window please unmark "Scan for cookies"

3. Scheduled test settings
- open AVG Free User Interface
- choose "Advanced settings" from Tools menu
- extend "Schedules" item and select "Scheduled scan"
- switch to "How to scan" tab
- please unmark "Scan for cookies" option


1323:

These files (for example documents or archives) are password protected, therefore it is not possible for the test to check their contents. If you know the password and can open the archive, the content is checked by the AVG Free Resident Shield immediately. This AVG Free component is unable to open/launch the possibly infected code from such an archive.


1324:

This means that the document contains a macro. A macro is a list of instructions that automates or simplifies operations in a document. It is a part of the document file which is, for example, able to calculate using some fixed values. However, it does not mean that the file contains a virus. If the file is infected, AVG Free will give the exact name of the virus in the test result.


1325:

If you need to exclude a certain "Potentially unwanted program" from any detection by AVG Free (for example if you are using an Ad-sponsored program or utility, which could be dangerous, but could also be used with your knowledge), you can exclude it from AVG Free Resident Shield and AVG Free tests detection this way:

  • Please open the AVG Free program -> "Tools" menu -> "Advanced settings" -> "PUP exceptions" -> push the "Add exception" button to add a new exception.
  • Now find the file you want to exclude from AVG Free detection. If you are not sure that the file location is static, enable the "Any location - do not use full path" function.
  • Save the setting using the "Add" button.

These exceptions can be used for "Potentially unwanted programs" only. If you set the exception for a viral file (Trojan horse, I-Worm, Worm, W32...), this file will still be detected by AVG Free tests and the AVG Free Resident Shield.

These exceptions are not used for the AVG Free Email Scanner.

Note: The exceptions can be created for files only, not for folders.


1326:

"Potentially Unwanted Program" files are not detected as a virus or adware/spyware, even though they sometimes act very similarly. The reason is that the Potentially Unwanted Programs are usually installed legitimately as a part of another program (often designated as an "AD-Supported program" – in which the End User License Agreement typically prompts the user to accept that, in addition to the desired program, an additional program (Potentially Unwanted Program) will also be installed). 

AVG Free is able to detect some Potentially Unwanted Programs and remove the detected files.

NOTE: Removal of the Potentially Unwanted Programs can result in damage to the AD-Supported program which was installed with them.

It is also possible to create an exception for files detected as potentially unwanted. Files included in the exceptions will no longer be detected as threats.

The procedure for adding a file to PUP exceptions is described here.