MTX virus removal troubles

Thread: MTX virus removal troubles

  1. #1
    Registered User
    Join Date
    May 2000
    Location
    Lebanon, KY
    Posts
    295

    Post MTX virus removal troubles

    I've removed MTX from twenty computers without any problem. This computer is a problem.

    It's a Win98 (first edition) machine.

    YES, I obtained the latest virus definitions (even though the MTX fix was made back in August)

    I've installed InoculateIT and Norton's from safe mode, and have run F-Prot from a Win98 StartUp Disk. I've also replaced the explorer.exe, regedit.exe, taskman.exe, wsock32.dll from a Startup Disk boot, then booted to Safe Mode to manually delete the HKey_Local_Machine\Software\[Matrix] subkey and the mtX.exe value at HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run

    I've also run the SARC MTX fix tool (http://www.sarc.com/avcenter/venc/data/w95.mtx.fix.tool.html). It doesn't find the virus if I run it after NAV or Inoculate-IT, but will if I boot to Windows after running F-Prot.

    The antivirus programs are set to check every file.

    Chkdsk finds 655,360 total bytes memory so it's probably not memory resident.

    I think I could scan for viruses in Safe Mode, reboot to Safe Mode, and still not find any viruses.

    Disabling all the startup files via msconfig or the load= files in the system.ini doesn't do anything.

    Any ideas?
    --------------------------
    Laugh at your problems... Everybody else does!

  2. #2
    Registered User
    Join Date
    Dec 1999
    Location
    Columbus Ohio U.S.A.
    Posts
    194

    Post

    I think McAfee still contains the old DOS scan.exe. Boot from a write-protected floppy and try running their stuff. Maybe easier to just boot from a write-protected floppy and fdisk and format. Cold booting between each.
    "I may not like what you have to say, but I will defend to the death your right to say it" Voltaire.

  3. #3
    Registered User
    Join Date
    Aug 2000
    Location
    Lake Orion, MI
    Posts
    241

    Post

    Originally posted by SavagePenguin:
    It doesn't find the virus if I run it after NAV or Inoculate-IT, but will if I boot to Windows after running F-Prot.

    Any ideas?

    It sounds to me like you didn't write protect your F-Prot disk. Check that on a safe system.
    -- I still do not understand the rampant growth of stupidity in this country.
    The TableTop BattleZone (http://www.tabletop-battlezone.com)

  4. #4
    Registered User Poseidon's Avatar
    Join Date
    Jan 2001
    Location
    Knoxville, TN USA
    Posts
    1,762

    Post

    Originally posted by SavagePenguin:
    . . . I've also replaced the explorer.exe, regedit.exe, taskman.exe, wsock32.dll from a Startup Disk boot, then booted to Safe Mode to manually delete the HKey_Local_Machine\Software\[Matrix] subkey and the mtX.exe value at HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
    . . .
    Disabling all the startup files via msconfig or the load= files in the system.ini doesn't do anything.

    Any ideas?

    This may be a stupid question but I did not see it mentioned above.
    Did you delete the wininit.ini or IE_PACK.EXE files indigenous to that particular virus?

    Also some viruses have been known to launch applications under the following registry key:

    HKEY_CLASSES_ROOT\exefile\shell\open\command


    Just a thought.
    The early bird may get the worm; but the second mouse gets the cheese!
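
An added example, not part of any post in this thread: one way to check the two registry locations mentioned so far (the Run key and the exefile open command) from a REGEDIT4 text export taken off the suspect drive. The sample export, the allowlist of expected Run entries and all function names are constructed for illustration.

```python
import re

# Registry locations named in the thread, lower-cased for comparison.
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
EXEFILE_DEFAULT = '"%1" %*'   # stock Windows handler: run the .exe itself

def unquote(s):
    """Strip REGEDIT4 string quoting; leave dword:/hex: data untouched."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_lower: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unquote(m.group(1))
            current[name] = unquote(m.group(2))
    return keys

def audit(text, expected_run):
    """Return (location, value_name, data) for entries that need review."""
    keys, findings = parse_reg(text), []
    cmd = keys.get(EXEFILE_KEY, {}).get("@")
    if cmd is not None and cmd != EXEFILE_DEFAULT:
        findings.append(("exefile", "@", cmd))   # every .exe launch is hooked
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() not in expected_run:
            findings.append(("run", name, data))
    return findings

# Constructed sample export (not taken from the machine in this thread).
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\example.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ExampleEntry"="C:\\WINDOWS\\SYSTEM\\example.exe"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"systemtray"}):
        print(finding)
```

Run it against an export made while the drive is attached to a clean machine or after a clean boot, so nothing on the suspect install is executing when the export is read.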

  5. #5
    Registered User
    Join Date
    May 2000
    Location
    Lebanon, KY
    Posts
    295

    Post

    All my disks are write-protected, so that wasn't a problem.

    F-Prot will find the virus on the C: if I boot to Windows (thereby infecting the files), then reboot with a write-protected startup disk, install F-Prot, and run it, but as soon as I boot to Windows again the computer is reinfected.

    So something is infected on the machine McAfee can't see when booted with a StartUp Disk, and Norton's & InoculateIT can't see from Windows. I'm assuming that it's a Windows file that loads before the antivirus programs, or maybe it's even infected the AV programs themselves.

    My boss checked it out for a few hours yesterday and he recommended that we fdisk and format, then reload the client's programs. I'd hate to do all that for a lousy virus though.
    --------------------------
    Laugh at your problems... Everybody else does!

  6. #6
    Registered User 3M's Avatar
    Join Date
    Mar 2001
    Location
    Katy,Texas,USA
    Posts
    159

    Post

    Go online and use a trojan scan program, like the one on the homepage of windrivers.

  7. #7
    Registered User
    Join Date
    Feb 2001
    Location
    Vancouver, B.C., Canada
    Posts
    83

    Post

    Mmmm, tricky one.

    You could do a fresh install of Windows in a temp directory and then reinstall Norton AntiVirus. Maybe the virus destroyed something in the Win98.

    Try a fresh copy with some new NAV definitions, and scan again.

    Afterwards you can put your original Windows directory back into play. A fresh scan on a clean install may remove the leftover traces that are still resident.

    Let me know how ya solve this one...

    .JL.
    He who can laugh at himself will never cease to be amused.

  8. #8
    Registered User
    Join Date
    May 2000
    Location
    Lebanon, KY
    Posts
    295

    Post

    Jettlag,

    I did something similar, which I forgot to mention. I removed his hard drive and added it to my machine as a secondary. Then I ran InoculateIT on it and removed some infected files that way. I didn't do it really thoroughly though.

    I did notice that I wasn't checking everything in F-Prot. I set it to check everything and found an infected Symantec TMP file that I didn't notice before: c:\progra~1\common~1\symant~1\200110710.056\0001nav~.tmp

    I have to go out on a call now, but hopefully nuking that will fix my prob. (Not likely, but oh well.)
    --------------------------
    Laugh at your problems... Everybody else does!

  9. #9
    Registered User Ebra's Avatar
    Join Date
    Nov 2000
    Location
    Fayetteville, AR
    Posts
    95

    Post

    Norton has a virus scanning tool that runs in DOS. You have to go to wherever you have installed Norton and run a program in there called navdx /doallfiles, and that will scan the computer and find any files that are still infected.

  10. #10
    Registered User
    Join Date
    Feb 2001
    Location
    Vancouver, B.C., Canada
    Posts
    83

    Post

    Mr. Penguin,

    Was it those temp files that were causing your grief with the virus?
    He who can laugh at himself will never cease to be amused.

  11. #11
    Registered User
    Join Date
    Jun 2001
    Location
    Scotland & Spain
    Posts
    17

    Post

    Been there! Time spent trying to pin the little sod became excessive.

    FDISK, REFORMAT & REINSTALL is less time consuming.

  12. #12
    pretzelboy
    Guest

    Post

    I had a very similar problem just a couple of days ago. It seemed to be related to another virus I found on the machine named W32.Magistr.24876@mm. Once I got rid of this virus, I found that the MTX virus was finally gone as well. I have no clue if/how they were related, but it's all clean now.

  13. #13
    Registered User Antimatter's Avatar
    Join Date
    Jan 2001
    Location
    Aotearoa
    Posts
    502

    Post

    There are a couple of MTX variants that can be a nightmare to remove. I've found booting from a normal 9x bootdisk and running the McAfee DOS scanner with up-to-date definitions from parallel port HDD or CD doesn't always remove it entirely (scan /all /clean). The problem comes in that it doesn't seem to catch the virus in compressed files, so it usually requires plugging the infected HDD into a Windows-based machine and running the virus scanner on compressed files as well.
    As pretzelboy mentioned, there seems to be at least one variant that involves the w32/magistr virus as well. I haven't figured out exactly how but I'll take more note next time I encounter it.
    To prove something, one must first try to disprove it.

  14. #14
    Registered User gorfdaed's Avatar
    Join Date
    Apr 2001
    Location
    Office
    Posts
    37

    Post

    You said that you removed it from 20 computers, yet this is the only one with the problem. What is different about the other computers compared to this one?

    http://www.symantec.com/avcenter/venc/data/w95.mtx.html

    I'm sure you're already familiar with that web site, but I didn't think it hurt to list it. It seems to describe the virus/worm pretty thoroughly.

    Good luck.
    Roger: "Gotta light?"
    Sarien Guard: "Sorry, don't drink."
    -- Aboard the Deltaur

  15. #15
    Registered User gizmo1_1's Avatar
    Join Date
    Aug 1999
    Location
    root@localhost>
    Posts
    350

    Post

    I know this is crude but if it is memory resident at boot

    try fdisk /mbr from a clean boot disk
    It is a miracle that curiosity survives formal education. -- Albert Einstein
    It said 'Insert disk #3', but only two will fit. -- The average customer.
    "There is no need for any individual to have a computer in their home." – Ken Olson, President of Digital Equipment Corp., 1977 …….