Virus is cleaned but remains

  [DELETED] 12:27 29 Aug 2003

I have a virus which I clean with AVG free edition. The report says that the file has been cleaned. Without connecting to my e-mail or web it re-appears almost immediately. It appears in C:\program files\EHC\hc2\printers\troubles.hoo\images\epl.bmp.shs. Has anyone any ideas how to get rid of it?

  [DELETED] 12:36 29 Aug 2003

If you are using XP or ME it could be locked in your System Restore. Disable S/R and try again. When clean re-enable S/R.

  [DELETED] 14:49 29 Aug 2003

Thank you Alcudia. I am using XP. I disabled S/R and cleaned. The virus came back immediately. I have re-enabled S/R. What else can I do?


  [DELETED] 14:53 29 Aug 2003

What is the virus name please, then I may be able to forward instructions for manual removal.

Remember to delete the infected e-mail.

  [DELETED] 15:29 29 Aug 2003


After sending this mail to someone I know, here is what he said: (I didn't notice)

Hi Gareth,

Nice to hear from you!

epl.bmp.shs is a dual extension, look, the name of the file is epl, then the .bmp.shs is the extensions.

However, I believe he is using AVG, by what it says in the e-mail you sent me. It includes hidden (dual extension) detection, and as most common viruses use this to probe you to open the file, AVG has decided to detect the file.

However, the .bmp tricks you into thinking it is a Bitmap file (image), but the file is a .shs.

This at first sight makes it harder to think it is a virus. Here is information on the .shs extension: click here

The .shs extension is used by a few viruses in the wild; here is the method being used as a .txt.shs to disguise a virus: click here

Gareth, I hope I have been of help to you,

Mark Richards,
Flamewall Security Virus Response Lab

  [DELETED] 15:36 29 Aug 2003

The scrap file can be named with most any extension to make it look like a benign file (e.g., .GIF, .JPG, .TXT, etc.) and then Windows adds the .SHS extension to that. In most cases, even if you have Windows set to show all file extensions, the .SHS extension will not show up after you've saved the file to disk (it should be visible as an attachment to an E-mail message). This can make scrap files more dangerous as they can easily appear to be something they are not just by giving the file a benign name.

  [DELETED] 15:36 29 Aug 2003

Windows assigns "RUNDLL32.EXE SHSCRAP.DLL, OPENSCRAP_RUNDLL %1" to the .SHS extension by default and, when opened, Windows will unpack the scrap file and open or execute whatever is in the file. You will have no control over this once you attempt to open the scrap file.

There is really never any reason for anyone to send you a scrap file. If you ever receive one via E-mail you should delete it without attempting to open it. Tell the sender to send you the actual object instead if you think there was something useful involved. The main reason is that scrap files can easily hide code without any indication of what that code really represents so there is no guarantee the scrap file will be what you think it is.
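Added example, not part of any post in this thread: a small Python check for the disguise described above, where a harmless-looking extension such as .bmp sits in front of a real .shs extension that Explorer does not display. The extension sets and the function names `check_name` and `scan_tree` are assumptions made for illustration; only .shs and the decoys .bmp, .gif, .jpg and .txt come from the thread.

```python
import os
from pathlib import PureWindowsPath

# Assumption: extensions Explorer hides even with "show extensions" on.
# .shs is the one discussed in the thread; the rest are added for illustration.
ALWAYS_HIDDEN = {".shs", ".shb", ".lnk", ".pif", ".url"}
# Assumption: decoy extensions a user would read as harmless data files.
DECOYS = {".bmp", ".gif", ".jpg", ".jpeg", ".txt", ".doc", ".pdf"}


def check_name(name):
    """Return (displayed_name, real_ext) if name is a disguised file,
    else None. Matching is case-insensitive and ignores trailing dots
    and spaces, which Windows strips from file names."""
    cleaned = name.rstrip(". ")
    suffixes = [s.lower() for s in PureWindowsPath(cleaned).suffixes]
    if len(suffixes) < 2:
        return None
    real, decoy = suffixes[-1], suffixes[-2]
    if real in ALWAYS_HIDDEN and decoy in DECOYS:
        # What the user sees once the hidden extension is dropped.
        return cleaned[: -len(real)], real
    return None


def scan_tree(root):
    """Walk root and return [(full_path, displayed_name, real_ext), ...]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            result = check_name(fname)
            if result:
                hits.append((os.path.join(dirpath, fname), *result))
    return hits


if __name__ == "__main__":
    # Constructed sample names; the first is the file name from this thread.
    for sample in ["epl.bmp.shs", "notes.TXT.SHS", "photo.bmp", "scrap.shs"]:
        print(sample, "->", check_name(sample))
```

A plain `scrap.shs` is not reported because nothing about its name is disguised; the check only flags names whose visible part ends in a decoy extension.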

  [DELETED] 15:51 29 Aug 2003

Run your computer over with click here - Active scan,

If it finds anything it will remove it.

Ensure Unknown virus detection is enabled!

  [DELETED] 16:47 29 Aug 2003

Hi Gaz 25
thanks a lot. I can't pretend that I understand it all. I still have a problem. In your final missive you ask me to run a "click here". When I click nothing happens. Also how do I enable 'unknown virus detection'?


  [DELETED] 16:55 29 Aug 2003

Ok type excluding the spaces: http :// pandasoftware .com/activescan


Once you go there a page will load, click 'Scan your PC'

Once the box Opens, click next >

Then it prompts for an e-mail address, enter: [email protected]

Then click next>

Wait while it downloads the files, click yes if it asks, THESE ARE SAFE.

Then once you have the main Panda Active scan interface, there is a list with ticks in, one of which hasn't: Detect Unknown Viruses. Put a tick in that box.

Once done so, click 'All my computer'

This will scan your PC for viruses. Once it has finished you can then choose to send the file to Panda for a test via the lab, or you might be able to remove it.

  [DELETED] 19:08 29 Aug 2003
