Virus is cleaned but remains

  Gaw 12:27 29 Aug 2003

I have a virus which I clean with AVG free edition. The report says that the file has been cleaned. Without connecting to my e-mail or web it re-appears almost immediately. It appears in C:\program files\EHC\hc2\printers\troubles.hoo\images\epl.bmp.shs. Has anyone any ideas how to get rid of it?

  alcudia 12:36 29 Aug 2003

If you are using XP or ME it could be locked in your System Restore. Disable S/R and try again. When clean re-enable S/R.

  Gaw 14:49 29 Aug 2003

Thank you Alcudia. I am using XP. I disabled S/R and cleaned. The virus came back immediately. I have re-enabled S/R. What else can I do?


  Gaz 25 14:53 29 Aug 2003

What is the virus name please, then I may be able to forward instructions for manual removal.

Remember to delete the infected e-mail.

  Gaz 25 15:29 29 Aug 2003


After sending this mail to someone I know, here is what he said: (I didn't notice)

Hi Gareth,

Nice to hear from you!

epl.bmp.shs is a dual extension. Look, the name of the file is epl, then .bmp.shs are the extensions.

However, I believe he is using AVG, by what it says on the e-mail you sent me. It includes hidden (dual extension) detection; most common viruses use this to probe you to open the file, so AVG has decided to detect the file.

However, the .bmp tricks you into thinking it is a Bitmap file (image); however, the file is a .shs.

This at first sight makes it harder to think it is a virus. Here is information on the .shs extension: click here

The .shs extension is used by a few viruses in the wild; here is the method being used as a .txt.shs to disguise a virus: click here

Gareth, I hope I have been of help to you,

Mark Richards,
Flamewall Security Virus Response Lab

  Gaz 25 15:36 29 Aug 2003

The scrap file can be named with most any extension to make it look like a benign file (e.g., .GIF, .JPG, .TXT, etc.) and then Windows adds the .SHS extension to that. In most cases, even if you have Windows set to show all file extensions, the .SHS extension will not show up after you've saved the file to disk (it should be visible as an attachment to an E-mail message). This can make scrap files more dangerous as they can easily appear to be something they are not just by giving the file a benign name.

  Gaz 25 15:36 29 Aug 2003

Windows assigns "RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1" to the .SHS extension by default and, when opened, Windows will unpack the scrap file and open or execute whatever is in the file. You will have no control over this once you attempt to open the scrap file.

There is really never any reason for anyone to send you a scrap file. If you ever receive one via E-mail you should delete it without attempting to open it. Tell the sender to send you the actual object instead if you think there was something useful involved. The main reason is that scrap files can easily hide code without any indication of what that code really represents so there is no guarantee the scrap file will be what you think it is.

  Gaz 25 15:51 29 Aug 2003

Run your computer over with click here - Active scan,

If it finds anything it will remove it.

Ensure Unknown virus detection is enabled!

  Gaw 16:47 29 Aug 2003

Hi Gaz 25,
thanks a lot. I can't pretend that I understand it all. I still have a problem. In your final missive you ask me to run a "click here". When I click nothing happens. Also, how do I enable 'unknown virus detection'?


  Gaz 25 16:55 29 Aug 2003

Ok type excluding the spaces: http :// pandasoftware .com/activescan


Once you go there a page will load, click 'Scan your PC'

Once the box Opens, click next >

Then it prompts for an e-mail address, enter: [email protected]

Then click next>

Wait while it downloads the files, click yes if it asks, THESE ARE SAFE.

Then once you have the main Panda Active scan interface, there is a list with ticks in, and one which hasn't: Detect Unknown Viruses. Put a tick in that box.

Once done so, click 'All my computer'

This will scan your PC for viruses. Once it has finished you can then choose to send the file to Panda for a test via the lab, or you might be able to remove it.

  Gaz 25 19:08 29 Aug 2003

This thread is now locked and can not be replied to.
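
Added example (not part of the original thread): a small Python check for the disguise discussed above, a benign-looking extension followed by .shs or another extension that Windows opens through a code-running handler. The extension lists and the sample file names other than epl.bmp.shs are assumptions constructed for illustration.

```python
import os
import tempfile

# Final extensions that Windows opens through a handler that can run code.
# .shs/.shb are the shell scrap types discussed in the thread; the rest are
# common executable types (this list is an assumption, extend as needed).
RISKY_FINAL = {".shs", ".shb", ".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
# Benign-looking extensions used as the decoy in front of the real one.
DECOY = {".bmp", ".gif", ".jpg", ".jpeg", ".txt", ".doc", ".pdf"}


def is_disguised(filename):
    """True if the name ends in <decoy ext><risky ext>, e.g. epl.bmp.shs."""
    stem, final = os.path.splitext(filename.lower())
    _, inner = os.path.splitext(stem)
    return final in RISKY_FINAL and inner in DECOY


def find_disguised_files(root):
    """Walk root and return sorted relative paths of disguised files.

    Names come from the filesystem, so an extension that Explorer hides
    is still seen here.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_disguised(name):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree(root):
    """Create constructed, empty sample files (not real malware)."""
    names = ["images/epl.bmp.shs", "images/logo.bmp", "docs/README.TXT.SHS",
             "docs/notes.txt", "backup.tar.gz", "setup.exe"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_disguised_files(tmp):
            print("disguised double extension:", hit)
```

Pointing `find_disguised_files` at a real folder such as a mail attachment directory lists every file whose true final extension differs from the one it appears to have.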
