Have a worm need help to get rid of it

Posted: Mon Nov 15, 2004 11:17 pm
by fareryqueen73
I was just informed today by McAfee virus scan that I have a worm on my computer that cannot be deleted, cleaned or quarantined. The virus is called W32/Bereb.worm!p2p. I have looked on the computer for possible solutions and a lot of spyware/adware comes up. I was told that this doesn't work. Could someone please help me? :cry:

Posted: Mon Nov 15, 2004 11:31 pm
by Nessmaster
Lol McAfee? That piece of crap sucks. Use Norton, or better yet NOD32 :wink:

Posted: Mon Nov 15, 2004 11:58 pm
by cacahead
I had a nasty one on my computer a while back. Nothing could get rid of it except Spy Sweeper. I even have Norton A.V. 2005, Norton Internet Security 2005, and SystemWorks 2005. All with current definitions. My wife got it somehow (she couldn't remember). Now she has a limited account :x

Posted: Tue Nov 16, 2004 12:32 am
by SlyckChuck
1 - get AVG 6, it is free and works with others

2 - once installed, run a sweep

3 - locate the worm file with search

4 - each time the worm is spotted during the AV sweep, delete it

This way the worm cannot jump back into another area. Also, if you have XP or any type of NT Windows installed, please turn off System Restore. You might need to run another sweep after reboot because restore files may still have the worm.

Hope this helps. I remember a Kak worm that was a total pain one 5 yrs ago and the above were the steps I took to rid myself of the nasty bastard. Good luck!! 8)

Posted: Tue Nov 16, 2004 12:40 am
by Allied
Trend Micro online virus scanner,
http://housecall.trendmicro.com/houseca ... t_corp.asp

That and AVG Free are all I use.

Posted: Tue Nov 16, 2004 6:42 am
by j_dogg
SlyckChuck wrote:
"1 - get AVG 6, it is free and works with others"

Bad idea. AVG may be free, but that's its only pro. It misses a lot of known and in-the-wild viruses and its removal abilities are useless.
NOD32 is the way to go. PM me if you need help cracking it, it's quite hard...

Also, check out Virus Bulletin, it's a good analysis of who's who in the AV world.

Posted: Tue Nov 16, 2004 7:29 am
by HouseCrowd
Well, whichever AV software you choose to use fareryqueen73 (personally, I prefer Symantec Corporate) - in answer to your original question of how to get rid of it: Disable System Restore, and boot into Safe Mode, then run a full scan.

Posted: Tue Nov 16, 2004 9:02 am
by thejynxed
You might also try downloading programs like Stinger, etc, and running those. Also, read here: http://vil.nai.com/vil/content/v_101130.htm

This worm spreads through the WinMX file sharing network. When an infected file is run, the local machine becomes a host of the virus and IRC zombie system, carrying out the commands of a remote attacker.


Apparently if you are using McAfee, this worm was supposed to be detected and removed via a DAT file released back in March of 2004.

If you can read Dutch or wish to translate a page with good removal instructions, read here: http://www.lobika.be/Virus/2004/03/W32.Bereb.worm.html

Posted: Tue Nov 16, 2004 9:53 am
by Bunny101
Hmm, the normal reason is that the file is in the Windows restore file.
Try to turn off System Restore.

How to: http://www.pchell.com/virus/systemrestore.shtml

Posted: Tue Nov 16, 2004 10:55 am
by lordfoul
A lot of anti-virus opinions get the facts...
http://www.virusbtn.com/vb100/archives/ ... .xml?table

Posted: Thu Nov 18, 2004 1:04 am
by fareryqueen73
So after I scan this and restart, am I supposed to turn on the System Restore? I am sorry, this is the first time I have ever had to do this. The AVG 6 deal also found trojan horses, and I do say this plural because there were two.

Posted: Thu Nov 18, 2004 1:07 am
by SlyckChuck
Yes once you rid yourself of the bug it is all right. The reason why HC and I asked you to turn it off is because it may record the worm in a restore file. :wink:

Posted: Thu Nov 18, 2004 1:14 am
by fareryqueen73
You guys and gals are awesome, thanks

Posted: Thu Nov 18, 2004 2:12 am
by fareryqueen73
OK, one more question: if I delete any of the files that have the virus attached, will it mess up my system? Do I need to have a restore CD ready?

Posted: Thu Nov 18, 2004 9:25 am
by lordfoul
If you mean delete them to the recycle bin you are ok just don't execute them; then empty the recycle bin immediately.

Posted: Sat Nov 20, 2004 4:20 am
by fareryqueen73
I am sorry to keep asking questions, but what is a WIN32/parite? And do migpwd.exe, dxdllreg.exe and netsetup.exe mean anything? I mean, could I just delete them and not have to worry about anything?

Posted: Sat Nov 20, 2004 10:47 am
by thejynxed
dxdllreg - dxdllreg.exe - Process Information

Process File: dxdllreg or dxdllreg.exe
Process Name: Microsoft DXDllRegExe

Description:
dxdllreg.exe is an application which is supposed to request you register your version of DirectX, however sometimes it stays resident.
Author: Microsoft Corp.
Part Of: Microsoft Windows Operating System
=======================================================
netsetup.exe is a generic install program for some 3rd party apps, and there is also a file by the same name that is part of the Windows OS. The OS needs this file, do not delete it.
=======================================================
migpwd.exe is the file that allows you to migrate your Windows passwords. It is an important system file and without it you can't log into Windows.
=======================================================
Win32/Parite
=======================================================
The virus consists of a dropper, which is written in assembler, and the virus part itself, written in Borland C++.

When an infected file is launched, the control flow is passed to the virus dropper, which writes the virus to a temporary file and executes its infection procedure.

The virus searches for Win32 EXE PE files with .scr and .exe extensions on all logical drives of computer, and also in shared resources of local network, and infects them.

The virus doesn't manifest its presence in any way.

The structure of an infected file looks like this:

Host file
Virus
    dropper - drops "main" to TEMP dir and executes it.
    main - searches for files and infects them, etc.

Removal Tool: http://www.bitdefender.com/bd/site/viru ... &v_id=137#