avast isn't detecting troublesome trojans/viruses

I ran a “HijackThis” log. I see a few entries that look like bad files, but I’m not sure and don’t want to do the wrong thing. Where do I post the log so someone who understands what it’s saying can read it? Then, what do I do from there?

What makes you believe you have a trojan/virus?
What do you mean by troublesome?

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them, though. See http://en.wikipedia.org/wiki/HTTP_cookie.

Well, I know something’s wrong when I constantly get popups from “Green AV”, fake Windows firewall warnings, etc. One of the Green AV boxes can’t be removed as I refuse to click on the “Remind me later” button. I also get an “Updates are ready for your computer. Click here to install updates” box.
I was able to remove irritating trojans and worms by running Windows Live OneCare in safe mode before my husband decided to try Avast.

Whilst avast does detect these fake security applications, they are constantly creating new variants; I would suggest MBAM (item 1) as the tool of choice for fake security applications.

The actual file isn’t a virus as such, as all it is doing is throwing up fake alerts in what is a social engineering ploy: the fear factor cuts in and people click the various links, and then there is the possibility of a real infection.


Welcome to the forums, all5inhim.

If you will post your HJT log in this thread, I will analyze it for you. It will be tomorrow before I can do it.

Run the program but do not make any fixes and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted.

OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box.

When you post the log, be sure to include the complete log … header and ending.


I’ve downloaded and scanned with mbam and Superantispyware. I quarantined all infected files, but the adware or whatever this is keeps popping up. I do appreciate any help you can give.

So, here are my findings.

[b]Questionable entries[/b]
- C:\Documents and Settings\All Users\Application Data\gav\gav.exe
From what I know, this is part of a hoax antivirus called Green Antivirus 2009. If possible, send gav.exe to VirusTotal
PrevX Report

- O4 - HKLM\..\Run: [21098746521098765] C:\Documents and Settings\All Users\Application Data\gav\gav.exe
      Possible part of Green Antivirus 2009.

- O4 - HKLM\..\Run: [23094848483939484] C:\Documents and Settings\All Users\Application Data\gav\mgrdll.exe
     Possible part of Green Antivirus 2009.

- O20 - AppInit_DLLs: C:\WINDOWS\system32\fapawozi.dll
      Please submit fapawozi.dll to [url=http://www.virustotal.com]VirusTotal[/url] & tell us about the result of analysis.
     [url=http://www.pc1news.com/virus/file-fapawozi-dll-96807.html]PC1News Report[/url]

- O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Poker%20Superstars%203/Images/stg_drm.ocx
      This could be a possible malware dropper.
      [url=http://www.prevx.com/filenames/1545113104529264601-X1/STG_DRM.OCX.html]PrevX Report[/url]

[b]Fix these entries by ticking a check[/b]
- O1 - Hosts: ??? antivguardian.com
- O1 - Hosts: ??? wXw.antivguardian.com
- O1 - Hosts: 208.43.47.212 a1.review.zdnet.com
- O1 - Hosts: 208.43.47.212 a1.review.zdnet.com
- O1 - Hosts: 208.43.47.212 d1.reviews.cnet.com
- O1 - Hosts: 208.43.47.212 review.2009softwarereviews.com
- O1 - Hosts: 208.43.47.212 reviews.download.com
- O1 - Hosts: 208.43.47.212 reviews.pcmag.com
- O1 - Hosts: 208.43.47.212 reviews.techradar.com
- O1 - Hosts: 208.43.47.212 toptenreviews.com
- O1 - Hosts: 208.43.47.212 wXw.reevoo.com

[b]Unnecessarily deactivated that can be fixed[/b]
- O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll (file missing)
- O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll (file missing)
- O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL (file missing)
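
Added example, not part of the original posts: the O1 entries listed for fixing above point several unrelated review sites at one address and include entries with an unreadable address. The sketch below pulls the O1 lines out of a HijackThis log and flags both patterns; the function names, the threshold of three domains and the two-label domain grouping are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: O1 lines taken from the log above, plus one ordinary
# loopback entry and one non-O1 line added for contrast.
SAMPLE_LOG = """O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ??? antivguardian.com
O1 - Hosts: 208.43.47.212 a1.review.zdnet.com
O1 - Hosts: 208.43.47.212 d1.reviews.cnet.com
O1 - Hosts: 208.43.47.212 reviews.download.com
O1 - Hosts: 208.43.47.212 reviews.pcmag.com
O1 - Hosts: 208.43.47.212 toptenreviews.com
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\fapawozi.dll
"""

# Matches "O1 - Hosts: <address> <name> [<alias> ...]", with an optional
# leading "- " as used when entries are quoted in a forum post.
O1_RE = re.compile(r"^\s*(?:-\s*)?O1 - Hosts:\s+(\S+)\s+(.+)$")


def base_domain(host):
    """Crude grouping key: the last two labels (assumption, no suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def audit_hosts(log_text, min_domains=3):
    """Return (reason, address, hostnames) tuples for suspicious O1 entries."""
    by_ip = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if not m:
            continue  # not a hosts-file entry
        addr, hosts = m.group(1), m.group(2).split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("unparseable-address", addr, hosts))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries are normal or block-list style
        by_ip[str(ip)].update(hosts)
    for ip, hosts in sorted(by_ip.items()):
        if len({base_domain(h) for h in hosts}) >= min_domains:
            findings.append(("many-domains-one-ip", ip, sorted(hosts)))
    return findings


if __name__ == "__main__":
    for reason, addr, hosts in audit_hosts(SAMPLE_LOG):
        print(f"{reason}: {addr} -> {', '.join(hosts)}")
```
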

In addition to what L’arc said, go to Add/Remove Programs and un-install Adobe Reader and all Java installs, as they are vulnerable to attacks.

Latest Version 6 Update 15:
http://www.java.com/en/download/manual.jsp

Download and install:
User Profile Hive Cleanup Service:
Brief Description
A service to help with slow log off and unreconciled profile problems.
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Adobe Reader 9.1:
http://get.adobe.com/reader <== un-select Google Toolbar if you do not want it

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online


Looks like L’arc & YoKenny got it before I could. Follow their advice, please.


You might want to also try IObit Security 360 - http://www.iobit.com/beta.html

Thanks L’arc and YoKenny. Worked like a charm. You guys ROCK!!!

You guys ROCK!!!!!!!!!
It’s avast! that enables us to ROCK!!!!!!!