Marioforever


7 replies to this topic

#1 pcmaddeanp


Posted 13 June 2008 - 09:49 AM

Hi,

On my Dad's office PC I have found a file called 'MarioFever.exe' and it's only on the Network Shares. :thumbsup:
What is it and how do I remove it?
Deleting it doesn't do anything as it just comes back again.

Thanks in advance

pcmaddeanp

Server Room Geek - IT Professionals Community



#2 pcmaddeanp


Posted 13 June 2008 - 09:57 AM

Just looking at AVG Anti-Virus Free 7.5 Logs I found this:

<rec time="2008/06/13 12:49:02" user="SYSTEM" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\Files\MarioForever.exe</attr>
  <attr name="finding">@EID_Id_trj</attr>
  <attr name="virusname">SHeur.BMHH</attr>
</rec>
<rec time="2008/06/13 12:49:39" user="SYSTEM" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\Files\MarioForever.exe</attr>
  <attr name="finding">@EID_Id_trj</attr>
  <attr name="virusname">SHeur.BMHH</attr>
</rec>
<rec time="2008/06/13 15:40:30" user="SYSTEM" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\Files\MarioForever.exe</attr>
  <attr name="finding">@EID_Id_trj</attr>
  <attr name="virusname">SHeur.BMHH</attr>
</rec>
<rec time="2008/06/13 15:40:41" user="SYSTEM" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\MEDIA\MarioForever.exe</attr>
  <attr name="finding">@EID_Id_trj</attr>
  <attr name="virusname">SHeur.BMHH</attr>
</rec>
<rec time="2008/06/13 15:47:44" user="SYSTEM" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\MEDIA\MarioForever.exe</attr>
  <attr name="finding">@EID_Id_trj</attr>
  <attr name="virusname">SHeur.BMHH</attr>
</rec>
<rec time="2008/06/13 15:48:54" user="SYSTEM" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\MEDIA\MarioForever.exe</attr>
  <attr name="finding">@EID_Id_trj</attr>
  <attr name="virusname">SHeur.BMHH</attr>
</rec>
<rec time="2008/06/13 15:49:55" user="SYSTEM" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\Documents and Settings\All Users\Documents\MarioForever.exe</attr>
  <attr name="finding">@EID_Id_trj</attr>
  <attr name="virusname">SHeur.BMHH</attr>
</rec>
<rec time="2008/06/13 15:50:00" user="SYSTEM" source="Virus">
  <value>@HL_ReportFindRS</value>
  <attr name="filename">C:\Files\MarioForever.exe</attr>
  <attr name="finding">@EID_Id_trj</attr>
  <attr name="virusname">SHeur.BMHH</attr>
</rec>

Before that, however, Realplayer is said to be a DownloaderAgent:

<rec time="2008/06/12 18:36:48" user="SYSTEM" source="Virus">
  <value>@HL_ReportFind</value>
  <attr name="where">C:\WINDOWS\realplayer.exe</attr>
  <attr name="type">@EID_Id_trj</attr>
  <attr name="what">Downloader.Agent.ZZU</attr>

And before that there is this:

<rec time="2008/06/12 18:34:36" user="SYSTEM" source="Virus">
  <value>@HL_ReportFind</value>
  <attr name="where">C:\Program Files\xerox\nwwia\nortonupdate.exe</attr>
  <attr name="type">@EID_Id_trj</attr>
  <attr name="what">Downloader.Agent.ZZU</attr>
</rec>


What are these??

pcmaddeanp

Server Room Geek - IT Professionals Community
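
Added example (not part of the original posts): a small Python parser for log records in the two shapes quoted above. It tolerates the record that lacks a closing `</rec>`, lists paths flagged more than once, and orders first sightings per detection name. The sample log is constructed from the values in the post, condensed to one line per record.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: five records built from the paths, times and names in the
# post above, one line each. The second record has no </rec>, as in the post.
# Older records use where/what, newer ones use filename/virusname.
SAMPLE_LOG = r'''
<rec time="2008/06/12 18:34:36" user="SYSTEM" source="Virus"><attr name="where">C:\Program Files\xerox\nwwia\nortonupdate.exe</attr><attr name="what">Downloader.Agent.ZZU</attr></rec>
<rec time="2008/06/12 18:36:48" user="SYSTEM" source="Virus"><attr name="where">C:\WINDOWS\realplayer.exe</attr><attr name="what">Downloader.Agent.ZZU</attr>
<rec time="2008/06/13 12:49:02" user="SYSTEM" source="Virus"><attr name="filename">C:\Files\MarioForever.exe</attr><attr name="virusname">SHeur.BMHH</attr></rec>
<rec time="2008/06/13 15:40:41" user="SYSTEM" source="Virus"><attr name="filename">C:\MEDIA\MarioForever.exe</attr><attr name="virusname">SHeur.BMHH</attr></rec>
<rec time="2008/06/13 15:50:00" user="SYSTEM" source="Virus"><attr name="filename">C:\Files\MarioForever.exe</attr><attr name="virusname">SHeur.BMHH</attr></rec>
'''

REC_START = re.compile(r'<rec time="([^"]+)"[^>]*>')
ATTR = re.compile(r'<attr name="(\w+)">(.*?)</attr>')

def parse_records(text):
    """Return time-sorted (time, path, detection) tuples; a missing </rec> is fine."""
    starts = list(REC_START.finditer(text))
    out = []
    for i, m in enumerate(starts):
        # A record runs until the next <rec ...> tag, not until </rec>.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        attrs = dict(ATTR.findall(text[m.end():end]))
        path = attrs.get("filename") or attrs.get("where")
        name = attrs.get("virusname") or attrs.get("what")
        if path and name:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            out.append((when, path, name))
    return sorted(out)

def reappearing_files(records):
    """Paths flagged more than once, i.e. still present or re-created after a hit."""
    seen = defaultdict(list)
    for when, path, _name in records:
        seen[path.lower()].append(when)  # Windows paths are case-insensitive
    return {p: times for p, times in seen.items() if len(times) > 1}

def first_seen(records):
    """Earliest detection time per detection name, to order the timeline."""
    first = {}
    for when, _path, name in records:  # records are already time-sorted
        first.setdefault(name, when)
    return first

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(reappearing_files(recs))
    print(first_seen(recs))
```
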


#3 DaChew


Posted 13 June 2008 - 10:27 AM

http://en.securitylab.ru/viruses/352672.php

it's all over P2P, doesn't look like a false positive

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

run a scan and fix with MBAM, some of these infections (if that's what it is) can update into something a lot worse

It's best to get a second or even a third opinion on files or malware

http://virusscan.jotti.org/

http://www.virustotal.com/

are 2 good sites to submit questionable files to

it's best to then get someone to look at their results
Chewy

No. Try not. Do... or do not. There is no try.

#4 pcmaddeanp


Posted 13 June 2008 - 10:56 AM

Thanks.

I clicked on it and found that this PC is now messed up.
No Tools > Folder Options.
I am currently running a scan and will inform you about what I find.
AVG Anti-Virus FREE 8.0 has found 10 infections in 18 minutes.
:thumbsup:

pcmaddeanp

Server Room Geek - IT Professionals Community


#5 pcmaddeanp


Posted 13 June 2008 - 11:16 AM

I will pull the network cable out (well, turn the wireless off) so that the virus isn't sent to other PCs on the network.
Just to let you know that I won't reply.

pcmaddeanp

Server Room Geek - IT Professionals Community


#6 pcmaddeanp


Posted 13 June 2008 - 11:51 AM

I have got rid of the Virus on my PC, I think, by using that Malwarebytes' Anti-Malware and AVG Anti-Virus Free 8.
Thanks.
I am going to scan my Dad's PC now and make sure that all threats are removed.

pcmaddeanp

Server Room Geek - IT Professionals Community


#7 marctampa


Posted 07 November 2008 - 09:51 AM

We had the Marioforever.exe running rampant on our network, spreading itself via shared drives, etc.

We installed Malwarebytes' Malware removal tool and it seemed to do the trick on our desktops & servers.

It appears the program installing the Marioforever.exe is called Trojan.dropper

FYI, our Symantec Endpoint Protect (aka SAV 11), and our Symantec Anti-Virus v10 Ent Ed did not detect (or repair) this. The folks at Symantec told us that Marioforever.exe was "unrepairable", so I guess we proved them wrong. SAV does appear to be blocking the spread of this because we are watching the logs this morning & we missed a machine somewhere in our deployment.

SAV is still great, but it's good to have a second tool around like this one.

#8 pcmaddeanp


Posted 08 November 2008 - 02:07 PM

Hi,

Yeah that MalwareBytes AntiMalware is brilliant. I have recommended it to many people, especially at work.
Oh and Symantec are rubbish XD so that won't find anything. Get some proper AV like Kaspersky ;)

Dean

pcmaddeanp

Server Room Geek - IT Professionals Community




