TechSpot

Win32:Crypt-GIM [Drp] on my computer

Solved
By celadon
May 11, 2010
Topic Status:
Not open for further replies.
  1. Dear all,

    For two days straight my Avast! Home Edition has caught the trojan in the title on two locations on my computer; both in the Windows folder. On the first day they were moved to the virus chest, but the day after it came right back. I had a look at when they were created and it seems to be around 8.00 AM each time, which is suspicious enough for me to look for help.

    I'm running Windows 7 32 bit and attached are the 8 step process files. Please tell me how to remove this pesky virus, thank you!
     
  2. celadon

    celadon TS Rookie Topic Starter

    Logfiles

    Deleting logs per member request.
     
  3. celadon

    celadon TS Rookie Topic Starter

    More Logfiles

    Deleting logs per member request.
     
  4. celadon

    celadon TS Rookie Topic Starter

    More Logfiles

    Deleting logs per member request
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for pasting the logs in. On 5/8/2010, it looks like you booted to the Recovery Console and did a repair. You added or updated an Intel Chipset Software Installation Utility among other things. This was done 3 days before the current logs you posted.

    Did the problem exist before you did the recovery or did it start after? I need to know why you did the Recovery and specifically if the problem began after.

    You did include this file sharing program and download:
    2010-05-08 10:39:34 0 d-----w- c:\program files\uTorrent
    2010-05-08 10:39:16 0 d-----w- c:\users\eugene\appdata\roaming\uTorrent


    I think you infected the system from the backup you used, but until I know why you did the recovery in the first place, I can't be sure.

    I also need to know what was included from Canon.
     
  6. celadon

    celadon TS Rookie Topic Starter

    Hi Bobbye,

    I had had the problems after doing the recovery. I had upgraded to Windows 7 and was reinstalling the required drivers, including the Intel Chipset Software. I had also restored settings using the Windows utility, Windows Easy Transfer so that I could get my previous settings. Is uTorrent causing the problems? For Canon, I was reinstalling the drivers to access my network printer. So most of the changes I have done in recent days were driver installations, and installation of essential software such as chrome browser, office and utorrent. I did not experience this from my previous installation; I was upgrading for the sake of new features and not to remove viruses.

    For the Recovery Console, the problems began a day after that.

    Thank you for responding!
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It would appear that this could be the root of the problem:
    2010-05-08 09:00:18 0 d-sh--w- C:\Recovery
    2010-05-08 10:39:34 0 d-----w- c:\program files\uTorrent
    2010-05-08 10:39:16 0 d-----w- c:\users\eugene\appdata\roaming\uTorrent
    According to the times here, you first did the recovery, then installed uTorrent and got some data from it.

    Some information on File sharing:

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning (link) to help you better understand these dangers.

    I suggest the following:
    Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    If this catches the malware, I can move it and if you run Combofix (below) I can remove uTorrent and all of its entries.
    ======================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
         NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
         Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    It's up to you.
     
  8. celadon

    celadon TS Rookie Topic Starter

    Deleting logs per member request
     
  9. celadon

    celadon TS Rookie Topic Starter

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    Serial number deleted
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-05-11 05:46:26
    # local_time=2010-05-12 01:46:26 (+0800, Malay Peninsula Standard Time)
    # country="Singapore"
    # lang=1033
    # osver=6.1.7600 NT
    # compatibility_mode=768 16777215 100 0 283296 283296 0 0
    # compatibility_mode=5893 16776573 100 94 0 25227457 0 0
    # compatibility_mode=8192 67108863 100 0 2304 2304 0 0
    # scanned=75973
    # found=0
    # cleaned=0
    # scan_time=3720
     
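    As an added illustration (not code from the thread, from ESET or from TechSpot), a small Python parser for the `# key=value` log format pasted above: it reports whether the scan finished, what was found and cleaned, and whether the options match what was asked for a few posts up (Remove found threats unchecked, Scan unwanted applications checked). The sample log it carries is a constructed, trimmed copy of that format.

```python
# Added example (not from the thread): parse an ESET Online Scanner log of
# the "# key=value" form pasted above and summarise it as a helper would.
# SAMPLE_LOG is a constructed, trimmed copy of that format.
SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# end=finished
# remove_checked=true
# unwanted_checked=true
# compatibility_mode=768 16777215 100 0 283296 283296 0 0
# compatibility_mode=8192 67108863 100 0 2304 2304 0 0
# scanned=75973
# found=0
# cleaned=0
"""

def parse_eset_log(text):
    """Collect '# key=value' fields; a repeated key becomes a list."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#") or "=" not in line:
            continue  # free text such as 'all ok' carries no field
        key, _, value = line[1:].partition("=")
        key, value = key.strip(), value.strip()
        if key in fields:  # compatibility_mode appears several times
            prev = fields[key]
            fields[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            fields[key] = value
    return fields

def summarise(fields):
    """Did it finish, what was found/cleaned, were options set as instructed?"""
    def ticked(name):
        return fields.get(name, "false").lower() == "true"
    issues = []
    if fields.get("end") != "finished":
        issues.append("scan did not finish")
    if ticked("remove_checked"):  # helper asked for this to be unchecked
        issues.append("'Remove found threats' was ticked, so hits were removed, not just logged")
    if not ticked("unwanted_checked"):  # helper asked for this to be checked
        issues.append("'Scan unwanted applications' was not ticked")
    return {
        "finished": fields.get("end") == "finished",
        "scanned": int(fields.get("scanned", 0)),
        "found": int(fields.get("found", 0)),
        "cleaned": int(fields.get("cleaned", 0)),
        "issues": issues,
    }
```

    Run against the log pasted above, it flags that `remove_checked=true` although the instructions asked for that option to be left unchecked, which matters because a removed hit leaves nothing for the helper to inspect.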
  10. celadon

    celadon TS Rookie Topic Starter

    Also, I will be checking if the virus is caught at the same time today; I checked the spots it always hangs around and it doesn't seem to have been downloaded by the dropper yet. As it was found in the temporary files, did the temporary file cleaner in the 8 step process remove it?
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, so it looks like no Virut! That's a good thing. Can you give me a name for this virus you say "hangs around"? The Eset scan was clean.

    Also, have you set Parental Controls and/or Network restrictions on the system?
     
  12. celadon

    celadon TS Rookie Topic Starter

    Hi Bobbye, the virus didn't come back today! The virus is called Win32:Crypt-GIM[Drp] by Avast and came up daily after removing them, but since starting the process recommended by this forum I have not seen it back. For network restrictions, my wireless router only accepts connections from specified MAC addresses and uses WEP encryption. No parental restrictions as this is my personal computer.

    Thank you for your guidance so far! If possible, can the previous logs/posts be removed? My name was on the logs and it does show some details about my computer, so I want to remove them for privacy.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry about that! You did leave the name as the subject of the thread! You can run another online virus scan if you want:

    Run Kaspersky Online Scanner in Internet Explorer

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    As for deleting your posts: I'm not going to delete all the material but I can go in and remove small bits. What is it specifically you don't want? The only 'personal' thing I see is the name 'Eugene.' Is there something else?

    I will make a comment though: you're using uTorrent, a file sharing program, which allows others to come in to your system to share. Aren't you aware that your personal information is available to them?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The logs were deleted per your request. The thread is now closed.
     