TechSpot

Worm/Def.GAL

By plasma dragon00
Dec 5, 2007
  1. well, i was eating dinner, and then i went to hang up some shirts from the washing machine. right as i went to sit down when i finished, AVG antivirus picked up the virus WORM/Def.GAL in a system restore file. im about to do a scan, but i have a question first. actually a few.

    1) the virus was healed, but should i still clear out my restore files or leave them for now

    2) how safe is my pc still? i read that backdoor trojans leave your pc compromised until a format in most cases. what do Worm viruses do?

    3) whenever i scan with AVG it detects that my hosts file is changed. is this normal? i do a lot of pc gaming, mainly halo, age of empires 3, and maple story. any idea what would cause the hosts file to change like that? when avg detects it, it is always able to successfully restore it back to the way it should be.

    4) is my pc still safe? im only 15, so i dont do any banking or other stuff like that. i just wouldnt want my gaming acounts to be hacked into. gladly, none of them have yet.

    5) should i post any logs? if so, what one(s) should i post?

    thanks for the time and help,

    ~plasma

    EDIT: i looked in avg virus vault, the object is in there, unhealed, even though avg says it was healed when i clicked heal before. what should i do now? thanks.

    EDIT2: im sorry, somehow it made a double topic. if you could lock the other one, delete it, whatever you can do, i would be appreciative of that also once again thanks.

    EDIT3: and once again avg detected my hosts file to be changed.
     
  2. Jase123

    Jase123 Banned Posts: 1,012

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Jason :)

    This thread is for the use of plasma dragon00 ONLY. Please do NOT post your own virus/spyware problems into this thread. Instead, open a new thread in our security and the web forum.
     
  3. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    hmm avg scan randomly restarted on me...
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    To answer your queries:

    1) Usually when we clean out an infection, we would advise the user to flush all his/her previous restore points to clean out any nasties residing in earlier restore points. I would advise you to do the same. But don't just yet (read no. 3 below)

    2) From Wiki,
    Understanding how safe your system is would require knowledge of the extent of the damage that the infection has caused. It is likely that such worms may compromise your internet security and cause trojans to infect your system too.

    3) Your hosts file should not be changed when you are gaming. I would highly suspect that your system is still not clean. Thus I recommend you run through the 15 step removal instructions and post your logs. Do not flush your restore points yet as occasionally we may need to restore to an earlier point to work out the problem.

    4) Considering the use, I would recommend cleaning rather than a format. We will try our best to clear the infections; in most cases the systems remain clean, but please understand we cannot guarantee 100% that your system remains clean.

    5) See 3.

    Hope the information suffices.

    Regards,
    momok =)
     
  5. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    thanks momok, ill try to let a few scans run while im out, those being adaware, house call, and spybot sd. im gonna be out at school.

    man, it seems like there has been a huge surge of viruses going around lately. i wonder whats with this? bad luck or something else lol

    thanks again,

    ~plasma
     
  6. momok

    momok TS Rookie Posts: 2,265

    It's usually associated with user online surfing habits ;) Just post the logs at one go in one post when you're done.

    Regards,
    momok =)

    This thread is for the use of plasma dragon00 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
     
  7. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    will do. im scanning with house call right now.

    it is weird though why my hosts file keeps changing. what are the security risks associated with the hosts file changing, and what does the hosts file even do? and is there a way to stop it from being changed involuntarily in the future?

    thanks, will post all logs when done.

    ~plasma :)

    EDIT: is it normal for house call to get stuck on the removal process? i have 98 infections under ADWARE_MEMWATCHER and 5 infections under HTTP Cookies. my pc is lagging horribly right now.
     
  8. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    a slew of log files for you guys to hopefully review and find something that can fix my pc. ill upload them, but i can tell you right now that the avg anti spyware scan showed up 100% clean, as did spybot s&d. same thing with vundofix. ill still upload them though. also, have a look at this: this makes me wonder what else i have hiding...

    [​IMG]


    and may i add, i wrongly titled this thread, the worm is called Delf.GAL, not Def.GAL.

    i cannot thanks all of you enough for the patience, experience, kindness, and help you all provide :) :) :)

    ~plasma

    also, just so you know, i AM running windows XP Home edition. this just has a program called the Vista Transformation Pack on it.

    i guess ill just upload these five since thats the limit. the other ones (vundo fix, avg AS) found absolutely nothing, but if you want, i can still upload them or post their contents if you wish.

    EDIT: OOPS!! i forgot to add that the panda anti rootkit showed up clean as a whistle, and i couldnt do the trend micro scan, because it would start to clean the items, but even after an hour never made any progress. sub-edit i forgot to add also that the trend micro scan items were 98 under ADWARE_MEMWATCHER (i looked at the manually select files option, looked like it was all the entries modified into the hosts file) and 5 HTTP Cookies.
     
  9. evilfantasy

    evilfantasy Banned Posts: 428

    -
    Your logs look fine, that alert is showing the infection in the temp. files.

    We will clean that in a minute.

    --------------------

    Open HijackThis and select Do a system scan only and place a check mark next to:

    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

    Close all windows except for HijackThis anc click Fix checked

    --------------------

    Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    * Download OTMoveIt.exe from here and place it on your desktop:
    http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

    * Double click OTMoveIt.exe to launch it.
    * Click on the CleanUp! button.
    * OTMoveIt will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    * You will be prompted to allow the clean up procedure, click Yes
    * When finished exit out of OTMoveIt
    * Now delete OTMoveIt.exe (if still present)

    --------------------

    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u

    [​IMG]

    Make sure there's a space between Combofix and /
    Then hit Enter.

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again

    --------------------

    Please download ATF Cleaner by Atribune. ATF Cleaner.exe

    Make sure that all browser windows are closed.
    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.
    If you use Firefox browser
    * Click Firefox at the top and choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    * Click Opera at the top and choose: Select All and UNCHECK Cookies.
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    -------------------

    That should take care of it.

    Let us know how things are now.
     
  10. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    all worked, except i couldnt do the combofix /u prompt. what do i have to do, i can do it manually. i just need the folders/files, it never changed my clock, i re-hid the system files and file extensions (i always keep hidden files visible, though) and do i just need to disable and re-enable system restore?

    and one last thing - how can i stop my hosts file from being changed? is it protected now, or what can i do to protect it from being changed? it just irks me that something thats not supposed to be changed shows up as changed every single time i do an avg scan.

    thanks for your help :)

    ~plasma

    nooooo now one of my websites that i use to aid my selling of items in maplestory doesnt display right in firefox!!! it displays somewhat correctly in internet explorer, but that somewhat is due to a coding error on their end, as they have announced it and are working n a fix for it. the website is http://www.basilmarket.com.

    heres a screenie of how it looks now and how it should look:

    now:


    how it should look:



    i use this site every single day. it is a website that is basically like ebay, but it is used to sell items in game for in game money. i will try rebooting my pc to see if that helps. the screenie of it working is rendered with ie7, but in firefox via the use of the firefox extension IETab. please help!!

    EDIT: i removed the pictures, because after the reboot, firefox now works.
    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.
     
  11. evilfantasy

    evilfantasy Banned Posts: 428

    The combofix was uninstalled by OTMoveit. I forgot about that, so it is gone.

    AVG showing Hosts changes is nothing to worry about. It happens with some updates. The only time that you should worry is if they also show as infected.
    AVG Response To CHANGED FILE ALERTS

    To clear your existing system restore points and establish a new clean restore point:

    * Go to Start > All Programs > Accessories > System Tools > System Restore
    * Select Create a restore point, and click Next.
    * Next, go to Start > Run and type in cleanmgr
    * Select the More options tab
    * Next to System Restore click Clean up....
    This will remove all restore points except the new one you just created.
     
  12. plasma dragon00

    plasma dragon00 TS Rookie Topic Starter Posts: 172

    thanks a bunch for the help man :)

    ~plasma
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...