- FAQ 51: AVG found a hidden extension, what does this mean?
- FAQ 53: How to heal viruses in DOS using AVG? (AVG6 only)
- FAQ 54: Removing virus infection from system areas (Partition table, Boot sector).
- FAQ 55: Description for disabling restore function for Windows ME
- FAQ 56: Description for disabling restore function for Windows XP
- FAQ 140: What kind of information is necessary when the virus is found?
- FAQ 141: Where can information about detected virus be found?
- FAQ 168: AVG is indicating that a virus has been found and the test results status reads "Infected, embedded object."
- FAQ 224: What is Trojan Horse?
- FAQ 225: Jdbgmgr.exe? Is it a hoax? What is a hoax?
1. AVG found a hidden extension, what does this mean?
AVG gives the following message: Warning: hidden extension .exe
Some viruses hide themselves by doubling their file extension. For example, the VBS/Iloveyou
virus attaches a file, ILOVEYOU.TXT.VBS, to e-mails. Windows by default hides the extensions of
known file types, so the file appears as ILOVEYOU.TXT. When you open it you do not open a .TXT
text file but instead execute a .VBS script file.
Because of the increased use of this technique we have added detection of double file
extensions to AVG. Of course there are cases of valid, harmless double extensions, e.g.
uninstall.rar.bat, which is part of some installations of the RAR compression utility. The
warning is therefore a prompt to check what the file really is, not proof of infection.
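As an added example (not part of the original AVG FAQ and not AVG's own code), the following Python reproduces the Explorer display rule described above and flags names whose visible part ends in a data-looking extension while the real, hidden extension is executable. The extension lists, the allow-list entry for uninstall.rar.bat and the sample names are assumptions made for the demo.

```python
"""Hidden (double) extension check, as an added example.

Explorer with "Hide extensions for known file types" enabled shows
ILOVEYOU.TXT.VBS as ILOVEYOU.TXT, yet opening it runs the VBScript.
This reproduces that display rule and flags names whose visible part ends
in a data extension while the real, hidden extension is executable.
"""
import os

# Extensions Windows runs when the file is opened (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}

# Extensions a user reads as passive data (assumed list).
DATA_EXTS = {".txt", ".doc", ".xls", ".jpg", ".jpeg", ".gif", ".bmp",
             ".pdf", ".htm", ".html", ".zip", ".rar", ".mp3", ".avi"}

# Known harmless double extensions; the FAQ names uninstall.rar.bat from
# some RAR installations.  Constructed allow-list, extend per environment.
KNOWN_BENIGN = {"uninstall.rar.bat"}


def displayed_name(basename: str) -> str:
    """Name as Explorer shows it when known extensions are hidden."""
    stem, ext = os.path.splitext(basename)
    if ext.lower().strip() in EXECUTABLE_EXTS | DATA_EXTS:
        return stem
    return basename


def check_hidden_extension(path: str) -> dict:
    """Classify one file name.

    Returns the name Explorer would show, the extension it hides ("" if
    nothing is hidden) and whether the combination is suspicious: an
    executable real extension behind a data-looking visible one.  Trailing
    spaces before the real extension ("notes.txt      .scr") are a common
    padding trick and are stripped before comparison.
    """
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    _, real_ext = os.path.splitext(base)
    shown = displayed_name(base)
    _, visible_ext = os.path.splitext(shown)
    real_ext = real_ext.lower().strip()
    visible_ext = visible_ext.lower().strip()
    hidden = real_ext if shown != base else ""
    suspicious = (hidden in EXECUTABLE_EXTS
                  and visible_ext in DATA_EXTS
                  and base.lower() not in KNOWN_BENIGN)
    return {"name": base, "shown": shown, "hidden": hidden,
            "suspicious": suspicious}


if __name__ == "__main__":
    for name in ("ILOVEYOU.TXT.VBS", "uninstall.rar.bat", "report.txt",
                 r"C:\Temp\photo.jpg.exe", "notes.txt      .scr"):
        print(check_hidden_extension(name))
```

Note that the allow-list only suppresses an exact name; a file called uninstall.rar.bat in an unexpected location still deserves a look, which is the same judgment the AVG warning asks of the user.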
2. How to heal viruses in DOS using AVG? (AVG6 only)
- Start the computer in MS-DOS mode (press the F8 key while the computer is booting, then
from the Windows start-up menu select "start in MS-DOS mode" or "Command prompt only").
- Switch to the AVG Anti-Virus installation folder (assuming AVG is installed in
C:\Program Files\Grisoft\AVG6):
cd \
cd progra~1
cd grisoft
cd avg6
- Start the AVG for MS-DOS application:
avg
- In this DOS application every feature is selected by pressing the highlighted key (or that
key together with ALT). Choose the Test menu, then the Complete test item, and start the test.
- When the first virus is detected, select the Test NONSTOP option so that the scan continues
and finds all infected files. At the end of the test a message says that a virus was detected;
confirm it by pressing Enter.
- The test results are now displayed. Choose Select all, then move down (using the arrow keys)
to the first virus name, which enables the Remove virus button, and choose Remove virus.
- In the dialog that appears, select Heal. All viruses that can be healed will be. If a virus
could not be healed, note its name and consult our technical support about whether the
infected file can be deleted or should be moved to the Virus Vault.
Windows ME has no MS-DOS mode: boot the computer from the Windows ME startup/rescue floppy
and choose the "minimal boot" option to get a DOS prompt.
3. Removing virus infection from system areas (Partition table, Boot sector).
Before continuing, we recommend backing up the system areas of the infected computer. Do this
with the Emergency diskette function in AVG (in the menu select Utilities -> Create Emergency
Disk).
Restoring system areas from this backup is only possible in a small number of cases. Before
you attempt to use this function, please contact our technical support at
techsupport@grisoft.cz.
- First create a clean, bootable floppy. On a clean computer, insert an empty floppy diskette,
open an MS-DOS prompt and run:
format a: /s
- Now create an Emergency Diskette (in the menu select Utilities -> Create Emergency Disk) on
a second diskette, and write-protect both diskettes so that a boot-sector virus cannot write to
them.
- Boot the infected computer from the system diskette (insert it into the floppy drive before
turning the computer on) so that the infected boot code on the hard disk is never executed.
- Replace the floppy with the Emergency Diskette and from the command prompt run avg.exe. This
starts AVG/SOS. Now select Test and Restore.
4. Description for disabling restore function for Windows ME
Files placed in the _RESTORE folder are the source files for the System Restore function of
Windows Millennium. Copies of files that were healed remain in this folder in their original
INFECTED state, and it is necessary to DELETE them. Turning off System Restore discards all
restore points, including these copies. Follow these steps:
- Close all open programs. Then right-click My Computer on the Windows desktop
- Click on Properties
- Click on the Performance tab
- Click on File System
- Click on the Troubleshooting tab
- Check Disable System Restore
- Click on OK
5. Description for disabling restore function for Windows XP
Files placed in the System Volume Information folder are the source files for the System
Restore function of Windows XP. Copies of files that were healed remain in this folder in their
original INFECTED state, and it is necessary to DELETE them. Turning off System Restore discards
all restore points, including these copies. Follow these steps:
- Close all open programs. Then right-click My Computer on the Windows desktop
- Click on Properties
- Click on the System Restore tab
- Check Turn off System Restore on all drives
- Restart the system
- To re-enable System Restore, go through the first four steps again and uncheck the item mentioned in step 4.
6. What kind of information is necessary when the virus is found?
The first and most important information is the EXACT NAME of the VIRUS (as reported by AVG)
and the path to the infected file(s).
7. Where can information about detected virus be found?
Please look up the particular virus in our Virus Encyclopaedia, which contains a description
and removal instructions for each virus.
8. AVG is indicating that a virus has been found and the test results status reads
"Infected, embedded object."
AVG has detected a virus inside a container file (such as a .zip archive or a self-extracting
.exe). AVG Anti-Virus cannot remove viruses that are embedded in such objects, so you will need
to delete the file manually. If the infected file is a zip archive, you may instead extract it
to an empty folder and scan that folder to identify the infected member file(s).
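As an added example (not part of the original AVG FAQ and not AVG's own code), the following Python shows the alternative to extracting an archive to a folder: it reads each member into memory, descends into nested ZIP archives, and reports the path of every member that matches a signature, so the operator knows which object inside the container to delete. The signature table, the file names and the archive contents are constructed for the demo; a real scanner has a signature database, not a one-entry dictionary.

```python
"""In-memory archive scan for "embedded object" detections, as an added example.

AVG reports "Infected, embedded object" when the hit lies inside a container
such as a ZIP archive.  Instead of extracting to a folder (which also exposes
you to member names such as ../../Windows/... escaping the target directory),
this reads each member into memory, recurses into nested ZIPs up to a depth
limit, skips oversized members, and reports the path of every infected
member.  The signature table and the sample archive are constructed.
"""
import io
import zipfile
from typing import List, Tuple

# Constructed demo signatures: byte pattern -> detection name.
SIGNATURES = {b"DEMO-MALWARE-MARKER-0001": "Demo/Marker.A"}
MAX_DEPTH = 3                        # nested archives deeper than this are ignored
MAX_MEMBER_SIZE = 16 * 1024 * 1024   # decompression-bomb guard, in bytes


def scan_bytes(data: bytes) -> List[str]:
    """Return the detection names whose pattern occurs in data."""
    return [name for pat, name in SIGNATURES.items() if pat in data]


def scan_archive(blob: bytes, prefix: str = "", depth: int = 0) -> List[Tuple[str, str]]:
    """Return (member_path, detection) for every infected member.

    Nested archives are descended rather than scanned as raw bytes; their
    members are reported as outer.zip>inner.exe.
    """
    hits: List[Tuple[str, str]] = []
    if depth > MAX_DEPTH:
        return hits
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # Directories carry no data; oversized members are not expanded.
            if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                continue
            path = prefix + info.filename
            data = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                hits.extend(scan_archive(data, path + ">", depth + 1))
                continue
            hits.extend((path, det) for det in scan_bytes(data))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: a clean text file, an infected script and a
    nested ZIP carrying another infected file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("payload.exe", b"MZ" + b"\0" * 16 + b"DEMO-MALWARE-MARKER-0001")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"nothing to see here")
        z.writestr("ILOVEYOU.TXT.VBS", b"' DEMO-MALWARE-MARKER-0001\r\nMsgBox 1")
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, detection in scan_archive(build_sample_archive()):
        print(f"{member}: {detection}")
```

If you do follow the FAQ's advice and extract to a folder first, reject member names that are absolute or contain ".." before writing them, and extract into an empty directory that nothing else executes from.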
9. What is a Trojan Horse?
A Trojan Horse is a malicious application that cannot spread by itself. The original Trojan
Horses were programs that posed as useful utilities but, when started, damaged the disk
contents (or part of them).
Today the most widespread Trojan Horses are BackDoor Trojans, which give an attacker remote
access to the infected computer, and PSW Trojans (Password Stealers), which gather as much
private information from the infected computer as possible and send it out over the Internet.
To remove a Trojan Horse it is enough to remove the files it created from the infected
computer. However, if the Trojan is running in memory, Windows keeps its .EXE file locked and
it cannot be deleted in the usual way. In such cases follow the steps below to remove the
infected file (the steps depend on your Windows version):
- Under Windows 95/98/ME, remove the files in MS-DOS mode (item 2 above describes how to
start it)
- Under Windows NT4, remove the infected files in VGA mode, again following this guide
- Under Windows 2000 and Windows XP, start the computer in Safe mode with command prompt and
follow this guide
- Under Windows XP you should also disable the System Restore feature (item 5 above); the
contents of the System Volume Information folder then become accessible
10. Jdbgmgr.exe? Is it a hoax? What is a hoax?
In recent years there have been many computer viruses, especially "worm" type viruses,
distributed mainly via e-mail. The resulting panic among users is exploited by a special group
of messages called HOAXES, which are NOT based on truth.
These false-alarm messages usually follow the same scheme: a warning about an extremely
dangerous, dramatically spreading virus, followed by a demand for some user action. In the best
case they ask the user to forward the message to everyone in the user's contact list (the
mechanism of a chain letter), which overloads e-mail systems. In the worse case they ask the
user to delete the supposed virus, although the file is actually a CORRECT system file.
Deleting such files may lead to serious problems (some programs will not work, or the whole
system may crash).
The latest "hot news" among HOAX messages is the one below. The jdbgmgr.exe it names is in
fact the Microsoft Debugger Registrar for Java, a legitimate Windows file whose icon really is
a teddy bear:
Please check and verify if you have this virus. It was sent to me
(accidentally) and it is said that it is passed on to everyone on
my address list. It is very probable that you have it.
If you do have it, contact all the people in YOUR ADDRESS BOOK
because the program AUTOMATICALLY sends everyone in your address book a message with the virus.
The virus' name is jdbgmgr.exe and it is not detected with
McAfee nor Norton. It remains in your computer's system for 14 days
before it erases all your files.
To delete and eliminate it completely, please do the
following immediately:
1. Go to START -- FIND --FILES OR FOLDERS
2. Under NAMED, type jdbgmgr.exe and click FIND NOW.
Make sure you are looking under Drive (C)
******DO NOT CLICK ON IT IF IT APPEARS********
3. If the virus appears *(the icon next to it will be a
small teddy bear), the name will be jdbgmgr.exe
4. *****DO NOT OPEN IT************ Just right click on it
and DELETE it. It will be sent to the Recycle Bin.
5. After you see it disappear, go to the RECYCLE BIN and
DELETE it from there as well. If at all possible, EMPTY the Recycle
Bin under FILE.
If you find this virus in your system, please send this
message to everyone in your address list asap.
The best protection is the user's own judgment. If a message has content like this, check the
anti-virus information pages on the Internet, such as:
www.icsa.net,
www.grisoft.com or any other page dedicated to virus problems. The user can also send a query
to the technical support of an anti-virus company and discuss the problem with its staff.
If the user unknowingly forwards such messages, that is exactly the effect the author of the
HOAX wanted. Note that alerts from anti-virus companies are composed more professionally, do
not usually come from unknown addresses, and never demand that you forward them!