w32 mariofev mem trojan removal


  • This topic is locked
28 replies to this topic

#1 msbox1984

msbox1984

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 04 January 2012 - 03:25 PM

Hi everyone,

So, through a McAfee scan, I found that I have the w32 mariofev trojan on my computer & McAfee can't remove it :angry:

So, I'm here at bleepingcomputer.com for assistance

Now, I have read through the "Preparation Guide For Use Before Using...", and have downloaded all the programs that are listed. My problem is that my computer freezes at step 7, when I'm using DDS. It loads to that black popup screen and it looks like it's working [those *'s or whatever they are load], but then it freezes my whole computer.... :smash:

So..... what should I do? I do have a log from HiJackthis, should I upload that here?

Attached File  hijackthis.log   8.08KB   5 downloads

Any feedback would be much appreciated



#2 msbox1984

Posted 04 January 2012 - 04:13 PM

Update:

After a number of attempts, I can see that step 7 just keeps freezing my computer...

I'm currently running the GMER [so I can save time while I try to figure out Step 7], but even that's taking a long time [I dunno if that's normal, for me it's been 20+ minutes...]

Other issues:

1. McAfee real time scan keeps turning off even though I turn it back on. And also, Microsoft Security Center firewall keeps turning off. I have uninstalled McAfee & the problem with MSC has been fixed [at least temporary]

#3 msbox1984

Posted 04 January 2012 - 04:41 PM

From reading other posts, I saw that some suggested to use OTL, so here is the log from that program:




Attached File  OTL.Txt   84.31KB   5 downloads

OTL extras:Attached File  Extras.Txt   52.4KB   0 downloads

#4 msbox1984

Posted 04 January 2012 - 04:47 PM

Here also is a print screen of Task Manager
Attached File  PrintScreen - Task Manager.doc   76KB   4 downloads

#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,241 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:11 AM

Posted 10 January 2012 - 02:04 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.

#6 msbox1984

Posted 10 January 2012 - 05:19 PM

Hi, & thanks for the reply!

So I downloaded the programs as you suggested & the first one froze my computer while scanning.... :killcomp:

What should I do now? Should I just format my computer?

I tried it twice & it froze twice, I'm going to try 1 more time...

#7 msbox1984

Posted 10 January 2012 - 06:06 PM

I'm not sure if this is the whole log from the first program, but I uploaded it anyway, if it's not please let me know:

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-10 17:16:55
-----------------------------
17:16:55.453 OS Version: Windows 5.1.2600 Service Pack 3
17:16:55.453 Number of processors: 2 586 0x170A
17:16:55.453 ComputerName: D21X7YH1 UserName: db
17:16:58.781 Initialize success
17:17:11.125 AVAST engine defs: 12011001
17:19:09.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port3Path0Target0Lun0
17:19:09.437 Disk 0 Vendor: ST350062 DE12 Size: 476940MB BusType: 1
17:19:09.437 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS b9eb640e
17:19:09.453 Disk 0 MBR read successfully
17:19:09.453 Disk 0 MBR scan
17:19:09.781 Disk 0 unknown MBR code
17:19:09.812 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
17:19:09.890 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 466874 MB offset 128520
17:19:09.937 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 9993 MB offset 956301255
17:19:10.031 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 2 MB offset 976768065
17:19:10.031 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
17:19:10.062 Disk 0 scanning sectors +976773152
17:19:10.203 Disk 0 scanning C:\WINDOWS\system32\drivers
17:19:20.687 Service scanning
17:19:21.843 Modules scanning
17:19:25.203 Disk 0 trace - called modules:
17:19:25.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
17:19:25.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af17030]
17:19:25.218 3 CLASSPNP.SYS[ba0c8fd7] -> nt!IofCallDriver -> \Device\00000072[0x8b034730]
17:19:25.218 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port3Path0Target0Lun0[0x8af53a38]
17:19:26.312 AVAST engine scan C:\WINDOWS
17:19:47.343 AVAST engine scan C:\WINDOWS\system32
17:22:56.390 AVAST engine scan C:\WINDOWS\system32\drivers
17:23:13.093 AVAST engine scan C:\Documents and Settings\db
17:39:46.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\db\Desktop\MBR.dat"
17:39:46.968 The log file has been saved successfully to "C:\Documents and Settings\db\Desktop\aswMBR.txt"
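
The partition lines in the aswMBR log above can be triaged programmatically. This is an added example, not part of the original thread and not aswMBR's own code; the regular expressions assume the line layout seen in this log, and the list of hidden partition type IDs and the active-plus-hidden check are assumptions of the example.

```python
import re

# Partition and detection lines copied from the aswMBR log in this thread.
LOG = """\
17:19:09.812 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
17:19:09.890 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 466874 MB offset 128520
17:19:09.937 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 9993 MB offset 956301255
17:19:10.031 Disk 0 Partition 4 80 (A) 17 Hidd HPFS/NTFS NTFS 2 MB offset 976768065
17:19:10.031 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
"""

# Layout assumed from this log: boot flag, optional "(A)", type ID, text, size, offset.
PART = re.compile(r"Disk (\d+) Partition (\d+) ([0-9A-F]{2})(?: \(A\))? "
                  r"([0-9A-F]{2}) (.*?) (\d+) MB offset (\d+)$")
HIT = re.compile(r"Disk (\d+) Partition (\d+) \*\*INFECTED\*\* (\S+)")
# MBR type IDs for hidden FAT/NTFS variants (assumption of this example).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def parse_partitions(log):
    """Return {(disk, partition): fields} with any scanner detection attached."""
    parts = {}
    for line in log.splitlines():
        line = line.strip()
        m = PART.search(line)
        if m:
            disk, num, boot, ptype, desc, mb, off = m.groups()
            parts[(int(disk), int(num))] = {
                "active": int(boot, 16) == 0x80,   # 0x80 marks the boot partition
                "type": int(ptype, 16), "hidden": int(ptype, 16) in HIDDEN_TYPES,
                "desc": desc, "size_mb": int(mb), "offset": int(off),
                "detection": None}
            continue
        m = HIT.search(line)
        if m and (int(m[1]), int(m[2])) in parts:
            parts[(int(m[1]), int(m[2]))]["detection"] = m[3]
    return parts

def boot_findings(parts):
    """List (disk, partition, reason) entries worth a responder's attention."""
    findings = []
    for (disk, num), p in sorted(parts.items()):
        if p["detection"]:
            findings.append((disk, num, "scanner detection: " + p["detection"]))
        if p["active"] and p["hidden"]:
            findings.append((disk, num, "active partition has a hidden type"))
    return findings

if __name__ == "__main__":
    for finding in boot_findings(parse_partitions(LOG)):
        print(finding)
```

On this log both findings point at partition 4: the 2 MB partition at the end of the disk is the one marked active, while the large NTFS partition holding Windows is not.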


#8 nasdaq

Posted 11 January 2012 - 09:30 AM

The malware is in a partition which is hidden.

Execute the following attentively. If at any time you need help please ask.

You will need two new CDs to complete the task.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB) and
Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

This may help burning the iso image(s) to a CD.
http://www.imgburn.com/index.php?act=screenshots#isowrite
===


Now boot off of the newly created Gparted CD.

Posted Image
You should be here...
Press ENTER

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image

I would like to see that last screen.

To do print screen follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

Exit all programs.

Wait for further instructions.

#9 msbox1984

Posted 11 January 2012 - 12:50 PM

The version of the first program you asked me to download is no longer available, there is a new version, so that's the one I downloaded gparted-live-0.11.0-7.iso (119.8 MB)

I created both CDs using my mother's laptop. I put the newly created GParted CD into my computer, but I couldn't figure out how to launch the program. The CD looks like the "GParted.JPG" image I uploaded.

I went through the files in the CD and came across the image shown in "GParted CD.JPG". It's asking for a USB??? I'm confused, so I closed the window


Edited by msbox1984, 11 January 2012 - 02:45 PM.


#10 nasdaq

Posted 11 January 2012 - 04:01 PM

Create a bootable CD, 1 for Gparted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

This may help burning the iso image(s) to a CD.
http://www.imgburn.com/index.php?act=screenshots#isowrite


Did you use ImgBurn to create the CD?

When the newly created CD is created, place it in the CD drive and restart the computer; it should start running the .iso.

If the CD does not start it may just be that your BIOS must be changed to read the CD first, then the hard drive.

If you need help please ask.

#11 msbox1984

Posted 11 January 2012 - 06:05 PM

I did use ImgBurn, I don't think I burned it right [didn't pick the right options - I'm a novice at computers] :oopsign:

So since I didn't understand the instructions via the link you provided, I found a tutorial on YouTube that shows how to create a bootable disk:



Before I'm allowed to burn the CD, it asks for a "boot image".... should I use ANY image [example: like the one the guy in the video suggest], or is there a specific image I should use? I'm going to need a step by step guide :unsure:

Edited by msbox1984, 11 January 2012 - 06:37 PM.


#12 nasdaq

Posted 17 January 2012 - 11:03 AM

Sorry for this delay.

What do you find difficult with the instructions here?

This may help burning the iso image(s) to a CD.
http://www.imgburn.com/index.php?act=screenshots#isowrite
===

It looks very similar to the video you found but at least you have a chance to digest the information before proceeding.

#13 msbox1984

Posted 19 January 2012 - 01:20 PM

Ok, I have done these steps & the CD is still not working. This is what I do:

1. You said to use a clean computer, so I did [I used a laptop]
2. I put in the new CD and open ImgBurn
3. I click on "Mode" then choose "Write"
4. The screen changes to the popup screen in the link you showed me
5. I select the "gparted" file and click the burn icon
6. The CD burns & makes that ♪♪ happy music ♪♪ at the end
7. I put the new CD in my infected computer
8. I restart my computer & nothing happens.... I even went through "My Computer" and clicked on the newly created CD & nothing happens, all I get is a number of files that open...

I honestly don't know what I'm doing wrong & I have already wasted a number of CDs burning this program, so I'm about to give up & just format my computer......

#14 msbox1984

Posted 19 January 2012 - 01:28 PM

SN: I even went through Setup [using F2] at the beginning to the "boot section" & changed the settings from:

1. hard drive
2. Cd

to

1. cd
2. hard drive

& it still doesn't work.... :huh:

#15 nasdaq

Posted 19 January 2012 - 02:36 PM

I even went through "My Computer" and clicked on the newly created CD & nothing happens, all I get is a number of files that open...


Right click on the newly created CD and use Run as Administrator.

Any luck?



