Win32:Dropper-FVB[DRP]

Hello everyone,

Today I unfortunately found out my computer has been infected by a Trojan called Win32:Dropper-FVB[DRP]. Avast! tried to eliminate it, but every time I start my computer up Avast warns me and tells me it has blocked and eliminated the Trojan.
I ran Malwarebytes' Anti-Malware and scanned my computer; it found 70 infected items. It
told me they were eliminated, but when I started my PC up again Avast warned me about the Dropper Trojan (C:\Documents and Settings\Andrea\Dati applicazioni\svchost.exe Win32:Dropper-FVB[DRP]). I can't eliminate it! I am very worried about it.
I’m going to attach the Malwarebytes’ Anti-Malware log.

Can anyone help me, please?

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTS log)

Essexboy will look at the logs when he arrives here later today.

Thank you so much Pondus!

Here’s my OTS log file.

Please go to PROFILE, then Modify Profile, then Forum Profile Information, then select your country in "Please select your country:", then update your Signature: with information like my signature, as this helps the helpers offer pertinent advice.

Ok, I did it. Thanks! :)

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Processes - Safe List]
YY -> winlogon.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe
YY -> windowsdefender.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe
YY -> 28818.exe -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\28818.exe
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{00000000-0002-0002-0000-000000000000}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Windows Defender" -> C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe [C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe]
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "SpeedBitVideoAccelerator" -> [C:\Programmi\SpeedBit Video Accelerator\VideoAccelerator.exe]
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "SpeedBitVideoAccelerator" -> [C:\Programmi\SpeedBit Video Accelerator\VideoAccelerator.exe]
< Run [HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Windows Defender" -> C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe [C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe]
< Andrea Startup Folder > -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica
YY -> ~EmptyValue -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\28818.exe
YY -> ~EmptyValue -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\JavaLoad.exe
YY -> ~EmptyValue -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\Rundll32.dll
YY -> ~EmptyValue -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\SystemCore.dll
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
YY -> \Run\\"Windows Defender" -> C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe [C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\DOCUME~1\Andrea\IMPOST~1\Temp\21856.exe" -> [C:\DOCUME~1\Andrea\IMPOST~1\Temp\21856.exe:*:Enabled:Windows Messanger]
YN -> "C:\DOCUME~1\Andrea\IMPOST~1\Temp\5270.exe" -> [C:\DOCUME~1\Andrea\IMPOST~1\Temp\5270.exe:*:Enabled:Windows Messanger]
YY -> "C:\DOCUME~1\Andrea\IMPOST~1\Temp\70394.exe" -> C:\Documents and Settings\Andrea\Impostazioni locali\Temp\70394.exe [C:\DOCUME~1\Andrea\IMPOST~1\Temp\70394.exe:*:Enabled:Windows Messanger]
YN -> "C:\DOCUME~1\Andrea\IMPOST~1\Temp\91429.exe" -> [C:\DOCUME~1\Andrea\IMPOST~1\Temp\91429.exe:*:Enabled:Windows Messanger]
YY -> "C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe" -> C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe [C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe:*:Enabled:Windows Messanger]
YN -> "C:\Documents and Settings\Andrea\Dati applicazioni\svchost.exe" -> [C:\Documents and Settings\Andrea\Dati applicazioni\svchost.exe:*:Enabled:Windows Messanger]
YN -> "C:\Documents and Settings\Andrea\Dati applicazioni\Windows@Live.exe" -> [C:\Documents and Settings\Andrea\Dati applicazioni\Windows@Live.exe:*:Enabled:Windows Messanger]
YY -> "C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe" -> C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe [C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe:*:Enabled:Windows Messanger]
YY -> "C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe" -> C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe [C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe:*:Enabled:Windows Messanger]
YY -> "C:\Programmi\eMule AdunanzA\eMule_AdnzA.exe" -> C:\Programmi\eMule AdunanzA\eMule_AdnzA.exe [C:\Programmi\eMule AdunanzA\eMule_AdnzA.exe:*:Enabled:eMule]
[Files/Folders - Modified Within 30 Days]
NY ->  winlogon.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe
NY ->  NvApps.xml -> C:\WINDOWS\System32\NvApps.xml
NY ->  WindowsDefender.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe
NY ->  wrar380it.exe -> C:\Documents and Settings\Andrea\Documenti\wrar380it.exe
NY ->  Java.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe
NY ->  SystemCore.dll -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\SystemCore.dll
NY ->  Rundll32.dll -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\Rundll32.dll
NY ->  28818.exe -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\28818.exe
NY ->  JavaLoad.exe -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\JavaLoad.exe
[Files - No Company Name]
NY ->  winlogon.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe
NY ->  WindowsDefender.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe
NY ->  data.dat -> C:\Documents and Settings\Andrea\Dati applicazioni\data.dat
NY ->  Java.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe
NY ->  SystemCore.dll -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\SystemCore.dll
NY ->  Rundll32.dll -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\Rundll32.dll
NY ->  28818.exe -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\28818.exe
NY ->  AntiSpyNative64.exe -> C:\WINDOWS\System32\AntiSpyNative64.exe
NY ->  AntiSpyNative32.exe -> C:\WINDOWS\System32\AntiSpyNative32.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
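Added example, not code from the thread or from OTS itself: a small Python parser for the fix-script format posted above (section headers in square brackets, group lines `< ... > -> key`, entry lines `YY -> name -> path [value]`). It pulls out every executable path and flags the two patterns this infection relied on: a system-binary name such as `svchost.exe` or `winlogon.exe` living outside `C:\WINDOWS`, and an autorun value, startup-folder item or firewall exception pointing into the user profile or a Temp folder. The sample text is a constructed excerpt of the script in the thread; the set of system directories and system binary names is an assumption chosen for the example.

```python
"""Parse an OTS fix script and list the persistence entries worth reviewing.

Added example for this thread; the section/entry grammar is inferred from
the fix script posted above and may not cover every OTS section type.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the fix script in the thread.
SAMPLE = r"""[Processes - Safe List]
YY -> winlogon.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Windows Defender" -> C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe [C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe]
< Andrea Startup Folder > -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica
YY -> ~EmptyValue -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\28818.exe
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Andrea\Dati applicazioni\svchost.exe" -> [C:\Documents and Settings\Andrea\Dati applicazioni\svchost.exe:*:Enabled:Windows Messanger]
YY -> "C:\Programmi\eMule AdunanzA\eMule_AdnzA.exe" -> C:\Programmi\eMule AdunanzA\eMule_AdnzA.exe [C:\Programmi\eMule AdunanzA\eMule_AdnzA.exe:*:Enabled:eMule]
[Files - No Company Name]
NY ->  AntiSpyNative64.exe -> C:\WINDOWS\System32\AntiSpyNative64.exe
[Empty Temp Folders]
"""

SECTION_RE = re.compile(r"^\[(?P<name>.+)\]$")
GROUP_RE = re.compile(r"^< (?P<name>.+?) > -> (?P<key>.+)$")
ENTRY_RE = re.compile(r"^(?P<flags>[YN]{2}) ->\s+(?P<name>.*?) -> (?P<rest>.*)$")
# A Windows path ending in .exe or .dll, inside free text such as a firewall rule value.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]:*?"<>|]+?\.(?:exe|dll)', re.IGNORECASE)

# Assumptions for the example: where legitimate system binaries live, and which
# names malware commonly borrows. Extend both sets for real use.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                "services.exe", "explorer.exe", "rundll32.exe"}
# Group headers that represent an autostart or an outbound-allow mechanism.
PERSIST_MARKERS = ("run", "startup folder", "authorized applications")

REASON_MASQUERADE = "system binary name outside the Windows directory"
REASON_PROFILE = "autostart/firewall exception points into a user profile or Temp path"


@dataclass
class Entry:
    section: str
    group: Optional[str]
    key: Optional[str]
    flags: str
    name: str
    path: str
    value: str
    files: List[str] = field(default_factory=list)


def _split_rest(rest: str) -> Tuple[str, str]:
    """Split the text after the second '->' into (path, bracketed value)."""
    rest = rest.strip()
    if rest.startswith("["):            # YN entries carry only the registry value
        return "", rest[1:-1]
    if " [" in rest:                    # YY entries: resolved path, then the value
        path, value = rest.split(" [", 1)
        return path, value.rstrip("]")
    return rest, ""                     # plain file entries


def parse_ots_fix(text: str) -> List[Entry]:
    entries: List[Entry] = []
    section, group, key = "", None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section, group, key = m["name"], None, None
        elif m := GROUP_RE.match(line):
            group, key = m["name"], m["key"]
        elif m := ENTRY_RE.match(line):
            path, value = _split_rest(m["rest"])
            # Collect every executable path mentioned, without duplicates.
            files = list(dict.fromkeys(WIN_PATH_RE.findall(path + " " + value)))
            entries.append(Entry(section, group, key, m["flags"], m["name"], path, value, files))
    return entries


def find_suspicious(entries: List[Entry]) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for e in entries:
        persists = any(mk in (e.group or "").lower() for mk in PERSIST_MARKERS)
        for p in e.files:
            low = p.lower()
            folder, _, base = low.rpartition("\\")
            if base in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
                findings.append((p, REASON_MASQUERADE))
            elif persists and ("\\documents and settings\\" in low or "\\temp\\" in low):
                findings.append((p, REASON_PROFILE))
    return findings


if __name__ == "__main__":
    for path, reason in find_suspicious(parse_ots_fix(SAMPLE)):
        print(f"{reason}: {path}")
```

The parser deliberately keeps the `YY`/`YN`/`NY` flags as opaque text; the point of the rules is the location check, which is also what a reviewer does by eye when reading such a log: `svchost.exe` and `winlogon.exe` belong under `C:\WINDOWS\System32`, and nothing in an autorun key or a firewall exception should point at `Dati applicazioni` (Application Data) or a Temp folder.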

Thank you essexboy.

I followed your instructions, but when I clicked Run Fix after I'd pasted the information in the quotebox, my computer warned me with an error message and then it shut down and started up abruptly. I didn't have the time to read the error message and I couldn't see the message box and the log. By the way, when my PC started up Avast didn't warn me about the Trojan. I don't know, maybe the problem is solved.

What do you advise me to do?

Could you re-run OTS please, and this programme as well:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the "Scan" button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

Ok, I ran OTS and aswMBR.

I’m posting the logs.

After you get your system fixed you need to update XP to SP3 as it provides many Critical Updates and performance improvements.

See:
Support for Windows XP Service Pack 2 ends on July 13, 2010
http://support.microsoft.com/gp/lifean31

OK, let's now see if I can remove the last reluctant elements - if not, I will use a bigger hammer.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Windows Defender" -> [C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe]
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "SpeedBitVideoAccelerator" -> [C:\Programmi\SpeedBit Video Accelerator\VideoAccelerator.exe]
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "SpeedBitVideoAccelerator" -> [C:\Programmi\SpeedBit Video Accelerator\VideoAccelerator.exe]
< Run [HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1085031214-1563985344-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Windows Defender" -> [C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe]
< Andrea Startup Folder > -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica
YY -> ~EmptyValue -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\Rundll32.dll
YY -> ~EmptyValue -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\SystemCore.dll
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\DOCUME~1\Andrea\IMPOST~1\Temp\21856.exe" -> [C:\DOCUME~1\Andrea\IMPOST~1\Temp\21856.exe:*:Enabled:Windows Messanger]
YN -> "C:\DOCUME~1\Andrea\IMPOST~1\Temp\5270.exe" -> [C:\DOCUME~1\Andrea\IMPOST~1\Temp\5270.exe:*:Enabled:Windows Messanger]
YY -> "C:\DOCUME~1\Andrea\IMPOST~1\Temp\70394.exe" -> C:\Documents and Settings\Andrea\Impostazioni locali\Temp\70394.exe [C:\DOCUME~1\Andrea\IMPOST~1\Temp\70394.exe:*:Enabled:Windows Messanger]
YN -> "C:\DOCUME~1\Andrea\IMPOST~1\Temp\91429.exe" -> [C:\DOCUME~1\Andrea\IMPOST~1\Temp\91429.exe:*:Enabled:Windows Messanger]
YY -> "C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe" -> C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe [C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe:*:Enabled:Windows Messanger]
YN -> "C:\Documents and Settings\Andrea\Dati applicazioni\svchost.exe" -> [C:\Documents and Settings\Andrea\Dati applicazioni\svchost.exe:*:Enabled:Windows Messanger]
YN -> "C:\Documents and Settings\Andrea\Dati applicazioni\Windows@Live.exe" -> [C:\Documents and Settings\Andrea\Dati applicazioni\Windows@Live.exe:*:Enabled:Windows Messanger]
YN -> "C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe" -> [C:\Documents and Settings\Andrea\Dati applicazioni\WindowsDefender.exe:*:Enabled:Windows Messanger]
YN -> "C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe" -> [C:\Documents and Settings\Andrea\Dati applicazioni\winlogon.exe:*:Enabled:Windows Messanger]
[Files/Folders - Modified Within 30 Days]
NY ->  Java.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe
NY ->  SystemCore.dll -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\SystemCore.dll
NY ->  Rundll32.dll -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\Rundll32.dll
[Files - No Company Name]
NY ->  Java.exe -> C:\Documents and Settings\Andrea\Dati applicazioni\Java.exe
NY ->  SystemCore.dll -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\SystemCore.dll
NY ->  Rundll32.dll -> C:\Documents and Settings\Andrea\Menu Avvio\Programmi\Esecuzione automatica\Rundll32.dll
NY ->  AntiSpyNative64.exe -> C:\WINDOWS\System32\AntiSpyNative64.exe
NY ->  AntiSpyNative32.exe -> C:\WINDOWS\System32\AntiSpyNative32.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Ok, I followed your instructions and now I’m posting the OTS log file.
I hope the viruses have been removed!

OK, they died that time - what are your current problems?

Thank you very much essexboy for your precious help! I would never have fixed them without you!

I have no problems at the moment!

I was just wondering, if I'd had avast! Internet Security, would it have solved the problem easily? I mean, maybe avast! Internet Security protects me better as it's not free and offers a better service. Am I right?

With AIS you do get enhanced sandbox protection plus the firewall. Myself, I think it is good value, and I like the ease of use.

Run OTS and hit the clean up button to remove it; just delete aswMBR from the desktop.

Done!

Is there anything else I should do?

Nope, just run OTS and hit the cleanup button to remove the tools I used.

Ok !!!

Thank you very much again! It was very kind of you :) :) :)

Thank you very much! I updated it to SP3 :)

You will be much happier now. 8)

With avast! V6.0.1044 you will be even happier. 8)