Our network is infected with marioforever.exe and I can't get rid of it. I have tried everything in these posts but nothing works. Please help.

Our network has been infected with marioforever.exe. It has put the file in all the shares on the network servers. I have tried many AV programs, including Kaspersky and Malwarebytes, and both detected the virus and removed it for a short time, but it just comes back. I have also tried removing it in safe mode, and that works for a while, but the file still comes back. Please help.

Hugh Fraser (Consultant) commented:
This virus propagates itself to root on infected systems. Meaning, you will need to scan your network and your systems (I recommend in Safe Mode) with updated anti-virus. Norton and McAfee are stated as recognizing this virus and have updated definition files for it.

Argh, I have this too on our network... luckily it's staying local and not going over the WAN to our other sites.

Anyways, I've got about 15-20 infected PCs... but no print jobs are coming out. Every once in a while I see the Marioforever.exe sitting in the shared drive... AVG alerts me, then moves it to vault. Of course it comes back. I've emailed them already and am still waiting for a response.

The thing that I don't get is, if I'm fixing this 2 or 3 PCs at a time... won't it just get reinfected from the other PCs? I mean, it started at one PC and spread to the rest of them.

Hugh Fraser (Consultant) commented:
It's possible. According to the Symantec writeup, the worm tries to copy itself to network shares using one of the following passwords:
    * !@#
    * 1212
    * 123
    * 123456
    * 1313
    * 666
    * 777
    * adm
    * admin
    * administrator
    * administrator
    * asa
    * pass
    * password
    * qaz
    * qazxsw
    * qqq
    * qwerty
    * test
    * zaq
    * zaqwsx
    * zzz

Once the AV signatures are updated, it will be blocked. If you've got an enterprise AV solution, it should just be a matter of getting the updates done. One of the recommendations is to enforce password policies to prevent simple guessable passwords.
Well, I believe I had 2 on our network at the same time, possibly.

The first one was a service created called OKAMAI and it was running CLS.EXE, which was executing every few minutes... so certain programs would just close (like our fax software). I removed all OKAMAI entries from the registry, rebooted, and the service was gone.

As for the whole marioforever... we used AVG here, and all AVG would do is notify us of Marioforever.exe. So, I ran I think 4-5 different anti-virus programs. Each would tell me a different file was a backdoor, or infected. The big thing was to TURN OFF SYSTEM RESTORE... the virus was hiding itself in the restore points, which apparently aren't scanned. Once System Restore is turned off, all restore points are deleted.

I also went around to every PC and deleted ATMAPI.SYS, re-installed a new USER32.DLL off the recovery console (one anti-virus told me it was infected), del'd the backup User32, and the worst was NVAUX32.dll... had to be done from a DOS prompt, e.g. the recovery disk. (Safe mode wouldn't work either; the file was in use, obviously.)

I also have a band-aid on things right now... I created txt files and saved them as .exe's and named them marioforever.exe and put them in the shared drives.
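
Added example, not part of the thread or any poster's code: a Python script for tracking the reinfection described above. It walks the share roots you give it, finds every file named marioforever.exe, and separates real executables from text placeholders like the ones in the last post by checking for the `MZ` header. The function names `scan` and `classify` and the share paths passed on the command line are this example's own assumptions.

```python
import hashlib
import os
import sys
from datetime import datetime, timezone

TARGET_NAME = "marioforever.exe"  # file name reported in this thread


def classify(path):
    """Describe one matching file: real executable, text decoy, or unreadable."""
    try:
        mtime = os.stat(path).st_mtime
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        # Locked or access-denied copies are still worth reporting.
        return {"path": path, "kind": "unreadable", "error": str(exc)}
    return {
        "path": path,
        # Windows executables begin with the bytes "MZ"; a renamed .txt does not.
        "kind": "executable" if data[:2] == b"MZ" else "decoy",
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "modified": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
    }


def scan(roots):
    """Walk each share root and return every file named like the worm, newest first."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == TARGET_NAME:  # Windows names are case-insensitive
                    findings.append(classify(os.path.join(dirpath, name)))
    # A fresh timestamp on an already-cleaned share means some host is still writing.
    return sorted(findings, key=lambda f: f.get("modified", ""), reverse=True)


if __name__ == "__main__":
    for finding in scan(sys.argv[1:]):
        print(finding)
```

Run it on a schedule against the mapped share roots; an `executable` entry whose modified time is later than the last cleanup narrows down when a still-infected machine wrote to the share.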