
Mariofev.worm Removal



#1 AlphaOne

AlphaOne

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:26 PM

Posted 11 December 2011 - 09:38 PM

Hey guys

Recently discovered a virus on a computer running Windows XP Professional.
Ran McAfee Stinger and found a virus called mariofev.worm. I previously tried running ComboFix, but it was looping through startup and thus freezing at "scanning for viruses". I appreciate that this takes time and I gave it an overnight chance twice with no luck. I'm seriously considering a fresh install of the OS; just wondering if you guys had any advice on getting rid of this particular virus.

This is a link of all other known names:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMariofev.A

Any advice or ideas would be much appreciated.

P.S. I also tried running the Kaspersky boot disk, the AVG boot recovery disk, and Malwarebytes, and I checked Trend Micro "HijackThis". I ran all of these in safe mode as well.

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:26 AM

Posted 11 December 2011 - 10:00 PM

Hello and welcome, I moved this from XP to the Am I Infected forum.


If you connected a flash drive to this PC, it is also infected.

Please run these next...
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

>>>
Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

>>>>>>
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

Edited by boopme, 11 December 2011 - 10:10 PM.


#3 AlphaOne

AlphaOne
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:26 PM

Posted 11 December 2011 - 11:06 PM

MiniToolBox by Farbar
Ran by User (administrator) on 12-12-2011 at 12:03:57
Microsoft Windows XP Professional Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


========================= IP Configuration: ================================

Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC = Local Area Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=static addr=192.168.10.201 mask=255.255.255.0
set address name="Local Area Connection" gateway=192.168.10.1 gwmetric=0
set dns name="Local Area Connection" source=static addr=192.168.10.1 register=PRIMARY
set wins name="Local Area Connection" source=static addr=none


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : NRH-WS02

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC

Physical Address. . . . . . . . . : 00-24-1D-1E-10-FF

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 24 1d 1e 10 ff ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 2 1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Documents and Settings\All Users\Application Data\Sophos Web Intelligence\swi_lsp.dll [42736] (Sophos Plc)
Catalog9 02 C:\Documents and Settings\All Users\Application Data\Sophos Web Intelligence\swi_lsp.dll [42736] (Sophos Plc)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 08 C:\Documents and Settings\All Users\Application Data\Sophos Web Intelligence\swi_lsp.dll [42736] (Sophos Plc)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/09/2011 10:19:27 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (12/09/2011 10:19:26 AM) (Source: Userenv) (User: User)User
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

Error: (12/09/2011 10:19:26 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.


DETAIL - The process cannot access the file because it is being used by another process.

Error: (12/09/2011 10:19:24 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.


DETAIL - The process cannot access the file because it is being used by another process. for C:\Documents and Settings\User\ntuser.dat

Error: (12/09/2011 09:38:46 AM) (Source: Sophos Message Router) (User: SYSTEM)SYSTEM
Description: The network identity (also known as the Interoperable Object Reference or IOR) of the local computer is invalid.%%3

Error: (12/09/2011 09:38:04 AM) (Source: APCPBEAgent) (User: )
Description: "Communication Not Established"

Error: (12/09/2011 09:37:49 AM) (Source: APCPBEAgent) (User: )
Description: "Communication Not Established"

Error: (12/09/2011 09:37:47 AM) (Source: APCPBEAgent) (User: )
Description: "Communication Not Established"

Error: (12/09/2011 09:15:39 AM) (Source: APCPBEAgent) (User: )
Description: "Communication Not Established"

Error: (12/09/2011 09:04:37 AM) (Source: Sophos Message Router) (User: SYSTEM)SYSTEM
Description: DNS lookup failure trying to resolve the following addresses: server.%%3


System errors:
=============
Error: (12/12/2011 11:54:01 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (12/12/2011 10:54:00 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (12/12/2011 10:01:02 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (12/12/2011 09:43:57 AM) (Source: DCOM) (User: Administrator)
Description: DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error: (12/12/2011 09:43:25 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
mfehidk
mfetdik
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SAVOnAccessControl
SAVOnAccessFilter
Tcpip
WS2IFSL

Error: (12/12/2011 09:43:25 AM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (12/12/2011 09:43:25 AM) (Source: Service Control Manager) (User: )
Description: The Messenger service depends on the NetBIOS Interface service which failed to start because of the following error:
%%31

Error: (12/12/2011 09:43:25 AM) (Source: Service Control Manager) (User: )
Description: The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (12/12/2011 09:43:25 AM) (Source: Service Control Manager) (User: )
Description: The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (12/12/2011 09:43:25 AM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31


Microsoft Office Sessions:
=========================
Error: (11/04/2011 08:57:42 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 10632 seconds with 1680 seconds of active time. This session ended with a crash.

Error: (02/12/2011 01:50:04 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4 seconds with 0 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

2007 Microsoft Office system (Version: 12.0.6425.1000)
7-Zip 4.65
Access Runtime (Version: 1.00.000)
Adobe Flash Player 11 ActiveX (Version: 11.1.102.55)
Adobe Reader 8.3.1 (Version: 8.3.1)
APC PowerChute Business Edition Agent (Version: 1)
Apple Application Support (Version: 1.5.0)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.2.120)
Bonjour (Version: 2.0.4.0)
Canon LBP5000
Canon LBP5050
Express ClickYes 1.2 (Version: 1.2)
FileZilla Client 3.2.7.1 (Version: 3.2.7.1)
Google Earth Plug-in (Version: 6.1.0.5001)
Google Update Helper (Version: 1.3.21.79)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 27 (Version: 6.0.270)
Kaseya Agent (nrh-ws02.root.ngiyali-roadhouse - saas8.kaseya.net) (Version: 6.2.0.0)
Local Cooling Setup (Version: 1.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft ActiveSync (Version: 4.5.5096.0)
Microsoft Cluster Config Validation Wizard V1.0
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft IntelliPoint 5.2 (Version: 5.20.413.0)
Microsoft IntelliType Pro 2.2 (Version: 2.20.447.0)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Hybrid 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MYOB RetailManager v11
MYOB RetailManager v11 Update
Nero 7 Essentials (Version: 7.03.0546)
neroxml (Version: 1.0.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Password Unmask 2.0
Pervasive PSQL v10 SP2 Workgroup (32-bit) (Version: 10.20.034)
QuickTime (Version: 7.69.80.9)
Realtek High Definition Audio Driver (Version: 5.10.0.5449)
Sophos Anti-Virus (Version: 9.5.5)
Sophos AutoUpdate (Version: 2.5.7)
Sophos Remote Management System (Version: 3.2.0)
TeamViewer 5 (Version: 5.0.8232 )
VCRedistSetup (Version: 1.0.0)
VNC Free Edition 4.1.2 (Version: 4.1.2)
WD SmartWare (Version: 1.2.0.8)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Media Format 11 runtime
Windows Media Player 11
Winpower (Version: 3.7.0.6)
Xerox Phaser 3125
ZTE Handset USB Driver
ZTE Handset USB Driver (Version: 5.2066.1.9B03)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 34%
Total physical RAM: 2037.42 MB
Available physical RAM: 1333.64 MB
Total Pagefile: 3930.39 MB
Available Pagefile: 3433.5 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.89 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:253.49 GB) NTFS
3 Drive e: (Flash Drive) (Removable) (Total:1.87 GB) (Free:1.65 GB) NTFS

========================= Users: ========================================

User accounts for \\NRH-WS02

Administrator Guest HelpAssistant
Sophos SophosSAUNRH-WS020 SUPPORT_388945a0
User

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

these are the results
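Reading a MiniToolBox report by hand is error-prone, so here is an added triage example (not code from this thread or from the MiniToolBox tool) that pulls out the parts of the Result.txt above a responder would look at first: the boot-start drivers that failed to load, split into security-product drivers and core networking drivers; the Winsock LSP catalog entries not signed by Microsoft; and the name lookups answered from 127.0.0.1. The vendor mapping for mfehidk/mfetdik (McAfee) and SAVOnAccessControl/SAVOnAccessFilter (Sophos) comes from general knowledge, not from the thread, and the embedded log is an excerpt of the report posted above. The script also reports the caveat a practitioner would want: the NIC shows "Media disconnected", so the failed lookups may be explained by an unplugged cable as much as by the failed Tcpip/AFD drivers.

```python
from __future__ import annotations
import re

# Excerpt of the MiniToolBox Result.txt posted in this thread, trimmed to the
# lines this triage reads.  Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
Media State . . . . . . . . . . . : Media disconnected

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Documents and Settings\All Users\Application Data\Sophos Web Intelligence\swi_lsp.dll [42736] (Sophos Plc)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Error: (12/12/2011 09:43:25 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
intelppm
IPSec
mfehidk
mfetdik
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
SAVOnAccessControl
SAVOnAccessFilter
Tcpip
WS2IFSL

Error: (12/12/2011 09:43:25 AM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31
"""

# Security-product kernel drivers (vendor mapping from general knowledge, not from the thread).
SECURITY_DRIVERS = {
    "mfehidk": "McAfee", "mfetdik": "McAfee",
    "SAVOnAccessControl": "Sophos", "SAVOnAccessFilter": "Sophos",
}
# Core Windows networking drivers; when these fail, name resolution and pings fail too.
NETWORK_DRIVERS = {"Tcpip", "AFD", "NetBT", "NetBIOS", "IPSec", "WS2IFSL", "MRxSmb", "Rdbss", "RasAcd"}

# "Catalog9 04 <dll path> [<size>] (<vendor>)"
WINSOCK_RE = re.compile(r"^(Catalog\d+) (\d+) (.+?) \[(\d+)\] \((.+)\)$", re.M)


def failed_drivers(log: str) -> list[str]:
    """Driver names listed under 'driver(s) failed to load:' (list ends at a blank line)."""
    drivers: list[str] = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().endswith("driver(s) failed to load:"):
            for name in lines[i + 1:]:
                if not name.strip():
                    break
                drivers.append(name.strip())
    return drivers


def third_party_lsps(log: str) -> list[tuple[str, str]]:
    """Winsock catalog entries whose vendor is not Microsoft, as (dll path, vendor)."""
    return [(m.group(3), m.group(5)) for m in WINSOCK_RE.finditer(log)
            if m.group(5) != "Microsoft Corporation"]


def dns_failed_via_loopback(log: str) -> bool:
    """True when nslookup was answered by 127.0.0.1 and a lookup still failed."""
    answered_locally = re.search(r"Server: .*\nAddress: 127\.0\.0\.1", log) is not None
    return answered_locally and "could not find host" in log


def triage(log: str) -> dict:
    """Collect the findings a responder checks first, plus the media-state caveat."""
    failed = failed_drivers(log)
    return {
        "failed_security_drivers": {d: SECURITY_DRIVERS[d] for d in failed if d in SECURITY_DRIVERS},
        "failed_network_drivers": sorted(d for d in failed if d in NETWORK_DRIVERS),
        "third_party_lsps": third_party_lsps(log),
        "dns_failed_via_loopback": dns_failed_via_loopback(log),
        # Caveat: with the cable unplugged, lookup failures prove nothing on their own.
        "nic_disconnected": "Media disconnected" in log,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full Result.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. Four security drivers and nine networking drivers failing at the same boot is the finding to chase first; the non-Microsoft LSPs here (Bonjour and Sophos Web Intelligence) match the installed-programs list, so they are expected rather than suspicious.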

#4 AlphaOne

AlphaOne
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:03:26 PM

Posted 11 December 2011 - 11:14 PM

Oh, a little bit more information. All the programs were gone and the desktop was hidden. I used unhide.exe and found the programs folder in
C:/documents settings/User/Local settings/Temp/smtp
That's the approximate file path; I can get you a more accurate one after TFC stops running. Cheers for all your help, we have had 5 computers come through with the same virus. This particular customer has agreed to a fresh install, but I would really appreciate a fix.



