FAQ
AVG 8.0 Virus FAQ » Computer is infected
JS/Psyme or JS/Downloader may be found in the "Temporary Internet Files" folder if you have visited an infected web page. It is not possible to heal this infection because it is an original part of that web page.
The easiest way to remove this infection is to delete the temporary files of the Internet Explorer browser. You can do it this way:
- launch Internet Explorer
- click on the "Tools" menu
- select the "Internet Options..." item
- click on the "Delete files..." button
- check the "Delete all offline content" option
- confirm by clicking on the "OK" button
- then please run the Complete test once again to be sure that the infection is not detected by AVG again
The locations and names may differ slightly depending on the version of Internet Explorer.
Please note that AVG may detect the infection repeatedly if you visit the infected web page again.
If a virus is found during an AVG test and the status is "Infected, Embedded", it means that the virus file is part of an archive file (ZIP, RAR, CAB…) or part of a self-extracting archive (EXE). AVG detects this file, but because of data security it is not able to automatically remove the file from the archive and compress the archive again without it, or to move it to the Virus Vault automatically.
For this kind of virus removal we have chosen a method that requires user interaction.
Please follow these steps to remove virus files of this kind:
1. Move it to the Virus Vault – if the size of the archive is less than 5 MB.
Choose Test Results (run AVG -> choose the History menu -> click on the Test Results item). In the Test Results, mark the line with the infection (click on the line with the red exclamation mark icon) -> choose the Move to Vault button.
2. Delete the archive – if the size of the archive is more than 5 MB, it is not possible to move it to the Virus Vault. Please make sure that this archive does not contain any important data before removing it.
Choose Test Results (run AVG -> choose the History menu -> click on the Test Results item). In the Test Results, mark the line with the infection (click on the line with the grey exclamation mark icon) -> choose the Go to file button. You will be taken to the archive file automatically and you can delete it by right-clicking on its name and left-clicking the "Delete" option in the menu.
Please note that if you have deleted the archive file, you also have to empty the Recycle Bin, to which the deleted archive file has been moved:
- Double-click on the Recycle Bin icon on the desktop of your computer
- Choose File menu and the Empty Recycle Bin option
Windows NT/2000/XP/2003/XP Pro x64/2003 Server x64:
We recommend using the AVG Rescue CD product in this case (for more information about this product please click here). The AVG Rescue CD is basically a portable variant of AVG based on the Windows PE platform. It is distributed as a bootable CD intended for operating system recovery in the event that the system cannot be loaded in the regular way, for example due to a substantial virus infection. Initially the AVG Rescue CD will load the temporary operating system (Windows PE edition) and run AVG, which can then be used in the usual way for virus and spyware detection and removal.
For more information about AVG Rescue CD creation please see FAQ 491.
- Please check the Virus Encyclopedia web page and search for the exact name of the virus mentioned in the test result.
- If you are not successful, please contact technical support and attach an export of the latest test result:
Please run the AVG program (basic or advanced interface) and choose Test results from the History menu. You will see the list of finished tests; double-click the latest one (by date) to get the full list of detected viruses (if there were any), including the path, the name and the status of each infected object. When it is open, please click the "Export overview to file..." option. Please send us this file for further analysis.
VCLEANER.EXE can be used to remove some specific viruses and variants. Please visit the web page mentioned below for more details.
Use:
Download vcleaner.exe and run it on the infected computer.
Note: Some viruses can stop the action during the removal process. In this case rename vcleaner.exe to a different exe file name (e.g. something.exe). Restart your computer in Safe mode (recommended) and run the remover on the infected computer.
Other removal tools are also available on the mentioned web page.
Please try to update your AVG system and run the whole computer scan again. If the file is not detected and you are still in doubt, put the file into a password-protected archive (WinZip, WinRar, PowerArchiver etc.), attach this archive to an e-mail and send it to virus@avg.com. In the e-mail, describe why you are sending the file and include the password for the archive.
If AVG detects a file on your PC as infected and moves it to the AVG Virus Vault, and you are sure that this file is correct and clean, it is possible that the detection is a false alarm.
If so, we shall prepare the correction as soon as possible.
Unfortunately, false alarms do appear from time to time in every Anti-Virus software.
To solve the problem, please send us this file for analysis directly from the AVG program this way:
- Open AVG User Interface.
- Choose the "Virus Vault" option from the "History" menu.
- Select the false positive file (one click) and click on the "Send to analysis" button.
- Fill in your e-mail address.
- Confirm the dialog.
This way the file will be sent to our virus specialists for analysis and we will inform you about the result.
This FAQ topic describes a rootkit infection with TDSSserv.sys, which is usually connected with an Antivirus 2009 infection.
Symptoms of such infections include:
- Fake pop-up infection warnings advising the user to buy a fake antivirus application that claims to remove the infection (e.g. Antivirus 2009, Antivirus XP).
- The desktop background is changed to a warning message and cannot be changed back.
- Access to Task Manager and Registry editor is disabled.
- Web pages are redirected to the wrong ones in the internet browser.
- Windows cannot be updated (page www.windowsupdate.com is inaccessible).
- AVG cannot be updated.
- AVG detects the infection with the Anti-Rootkit scan as hidden drivers or files in system folders. Names of the detected files start with ‘TDSS’, e.g. TDSSserv.sys, tdsslog.dll, TDSSl.dll.
If your computer seems to be infected with the infection described above, you can remove it this way:
- Download the AVGRTK_remover utility.
- Extract the downloaded archive into a new folder.
- In the folder, please find the AVGRTK_remover.vbs file.
- Run this file by double-clicking on it.
- A confirmation will be displayed.
- Restart the computer.
- Update your AVG.
- Run an AVG complete scan and remove all detected infections.
This utility also removes side effects of the infection such as disabled access to system functions. If you are still unable to use some functions, please run the utility again as described above.
The infection is now completely removed. Should the issue persist, please contact Customer Service.
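A read-only PowerShell check for the TDSSserv.sys symptoms listed above, added here as an illustration; it is not an AVG tool and not part of the original FAQ. The FAQ gives only the symptoms and the 'TDSS' file-name prefix; the policy value names and the Services registry location used below are assumptions about where those symptoms show up on the system.

```powershell
# Added triage example (not an AVG utility). Reads only; changes nothing.
$findings = @()

# Symptom: "Access to Task Manager and Registry editor is disabled."
# Assumption: the block is applied through the standard Windows policy values.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($props -and $props.$name -eq 1) {
            $findings += "Policy value $name = 1 under $key"
        }
    }
}

# Symptom: files in system folders whose names start with 'TDSS'
# (TDSSserv.sys, tdsslog.dll, TDSSl.dll). The match is case-insensitive;
# -Force also lists files carrying the hidden or system attribute.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System32\drivers')
)
foreach ($dir in $systemDirs) {
    $files = Get-ChildItem -Path $dir -Filter 'TDSS*' -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $findings += "File: $($file.FullName)"
    }
}

# Drivers are registered under the Services key.
# Assumption: the driver's service name carries the same 'TDSS' prefix.
$services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    if ($svc.PSChildName -like 'TDSS*') {
        $findings += "Service key: $($svc.PSChildName)"
    }
}

if ($findings.Count -gt 0) {
    foreach ($finding in $findings) { Write-Output "[!] $finding" }
} else {
    Write-Output 'No TDSS indicators visible from the running system.'
}
```

Because AVG reports these objects as hidden drivers or files, an empty result from a running system does not rule out the infection; the Anti-Rootkit scan described above is still needed.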