Our network is infected with marioforever.exe and I can't get rid of it. I have tried everything in these posts but nothing works. Please help.

Posted on 2008-11-17
Last Modified: 2013-11-22
Our network has been infected with marioforever.exe. It has put the file in all the shares on the network servers. I have tried many AV programs, including Kaspersky and Malwarebytes, and both detected the virus and removed it for a short time, but it just comes back. I have also tried removing it in safe mode and that works for a while, but the file still comes back. Please help.
Question by:bbroussardexpert

    Accepted Solution

    This virus propagates itself to root on infected systems. Meaning, you will need to scan your network and your systems (I recommend in Safe Mode) with updated anti-virus. Norton and McAfee are stated as recognizing this virus and have updated definition files for it.

    Expert Comment

    Argh, I have this too on our network... luckily it's staying local and not going over the WAN to our other sites.

    Anyways, I've got about 15-20 infected PCs... but no print jobs are coming out. Every once in a while I see the Marioforever.exe sitting in the shared drive... AVG alerts me, then moves it to vault. Of course it comes back. I've emailed them already and am still waiting for a response.

    The thing that I don't get is, if I'm fixing this 2 or 3 PCs at a time... won't it just get reinfected from the other PCs? I mean, it started at one PC, and spread to the rest of them.

    Assisted Solution

    It's possible. According to the Symantec writeup, the worm tries to copy itself to network shares using one of the following passwords:
        * !@#
        * 1212
        * 123
        * 123456
        * 1313
        * 666
        * 777
        * adm
        * admin
        * administrator
        * administrator
        * asa
        * pass
        * password
        * qaz
        * qazxsw
        * qqq
        * qwerty
        * test
        * zaq
        * zaqwsx
        * zzz

    Once the AV signatures are updated, it will be blocked. If you've got an enterprise AV solution, it should just be a matter of getting the updates done. One of the recommendations is to enforce password policies to prevent simple guessable passwords.

    Expert Comment

    Well, I believe I possibly had 2 on our network at the same time.

    The first one was a service created called OKAMAI and it was running CLS.EXE which was executing every few certain programs would just close (like our fax software).   I removed all OKAMAI entries from the registry, rebooted, and the service was gone.

    As for the whole marioforever... we used AVG here, and all AVG would do is notify us of Marioforever.exe. So, I ran I think 4-5 different anti-virus programs. Each would tell me a different file was a backdoor, or infected. The big thing was to TURN OFF SYSTEM RESTORE... the virus was hiding itself in the restore points, which apparently aren't scanned. Once Sys Restore is turned off, all restore points are deleted.

    I also went around to every PC and deleted ATMAPI.SYS, re-installed a new USER32.DLL off the recovery console (one Anti-Vi told me it was infected), del'd the backup User32, and the worst was NVAUX32.dll... had to be done from a DOS prompt, e.g. the recovery disk. (Safe mode wouldn't work either; the file was in use, obviously.)

    I also have a band-aid on things right now.....I created txt files and saved them as .exe's and named them marioforever.exe and put them in the shared drives.
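
An added example, not part of the original thread or any poster's code: a sweep of share roots for files named marioforever.exe that separates the text-file placeholders described in the last comment from copies that are real executables, so re-dropped copies can be tracked while PCs are cleaned a few at a time. The `MZ` header check as the way to tell the two apart, and the share roots passed on the command line, are assumptions of this sketch.

```python
"""Sweep share roots for marioforever.exe; separate real executables from decoys."""
import hashlib
import os
from datetime import datetime, timezone

TARGET_NAME = "marioforever.exe"  # file name reported in this thread


def classify(path):
    """Return 'pe' if the file starts with the DOS/PE 'MZ' magic, else 'decoy'."""
    with open(path, "rb") as fh:
        return "pe" if fh.read(2) == b"MZ" else "decoy"


def sha256_of(path, chunk=1 << 16):
    """Hash the file in chunks so large files do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(roots):
    """Walk each root and return one record per file named TARGET_NAME."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                if name.lower() != TARGET_NAME:  # Windows names are case-insensitive
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                    findings.append({"path": path, "kind": classify(path),
                                     "size": st.st_size,
                                     "modified": mtime.isoformat(),
                                     "sha256": sha256_of(path)})
                except OSError as exc:  # locked or unreadable: still report it
                    findings.append({"path": path, "kind": "unreadable",
                                     "error": str(exc)})
    # Newest first, so freshly re-dropped copies appear at the top.
    return sorted(findings, key=lambda f: f.get("modified", ""), reverse=True)


if __name__ == "__main__":
    import sys
    for finding in sweep(sys.argv[1:]):  # share roots are supplied by the operator
        print(finding)
```

A `pe` record whose modified time is later than a machine's cleanup shows that copies are still being written to that share.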
