-
July 18th, 2001, 07:17 AM
#1
MTX virus removal troubles
I've removed MTX from twenty computers without any problem. This computer is a problem.
It's a Win98 (first edition) machine.
YES, I obtained the latest virus definitions (even though the MTX fix was made back in August)
I've installed InoculateIT and Norton's from safe mode, and have run F-Prot from a Win98 StartUp Disk. I've also replaced the explorer.exe, regedit.exe, taskman.exe, wsock32.dll from a Startup Disk boot, then booted to Safe Mode to manually delete the HKey_Local_Machine\Software\[Matrix] subkey and the mtX.exe value at HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run.
I've also run the SARC MTX fix tool (http://www.sarc.com/avcenter/venc/data/w95.mtx.fix.tool.html). It doesn't find the virus if I run it after NAV or Inoculate-IT, but will if I boot to Windows after running F-Prot.
The antivirus programs are set to check every file.
Chkdsk finds 655,360 total bytes memory so it's probably not memory resident.
I think I could scan for viruses in Safe Mode, reboot to Safe Mode, and still not find any viruses.
Disabling all the startup files via msconfig or the load= files in the system.ini doesn't do anything.
Any ideas?
--------------------------
Laugh at your problems... Everybody else does!
-
July 18th, 2001, 08:30 AM
#2
I think McAfee still contains the old DOS scan.exe. Boot from a write-protected floppy and try running their stuff. Maybe easier to just boot from a write-protected floppy and fdisk and format. Cold booting between each.
"I may not like what you have to say, but I will defend to the death your right to say it" Voltaire.
-
July 18th, 2001, 08:37 AM
#3
Originally posted by SavagePenguin:
"It doesn't find the virus if I run it after NAV or Inoculate-IT, but will if I boot to Windows after running F-Prot.
Any ideas?"
It sounds to me like you didn't write-protect your F-Prot disk. Check that on a safe system.
-- I still do not understand the rampant growth of stupidity in this country.
The TableTop BattleZone (http://www.tabletop-battlezone.com)
-
July 18th, 2001, 08:44 AM
#4
Registered User
Originally posted by SavagePenguin:
". . . I've also replaced the explorer.exe, regedit.exe, taskman.exe, wsock32.dll from a Startup Disk boot, then booted to Safe Mode to manually delete the HKey_Local_Machine\Software\[Matrix] subkey and the mtX.exe value at HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
. . .
Disabling all the startup files via msconfig or the load= files in the system.ini doesn't do anything.
Any ideas?"
This may be a stupid question but I did not see it mentioned above.
Did you delete the wininit.ini or IE_PACK.EXE files indigenous to that particular virus?
Also some viruses have been known to launch applications under the following registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
Just a thought.
The early bird may get the worm; but the second mouse gets the cheese!
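The startup points raised so far in the thread (the Run key, the exefile open command and wininit.ini) can be reviewed offline from a REGEDIT4 export and a copy of wininit.ini taken from the suspect drive. This is an added example, not part of any post; the sample export text, the value names in it and the function names are constructed for illustration.

```python
import re

DEFAULT_EXE_CMD = '"%1" %*'   # stock open command for .exe files
EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Constructed sample inputs (not taken from any real machine).
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="sample.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SampleEntry"="C:\\WINDOWS\\sample.exe"
'''
SAMPLE_WININIT = "[rename]\nNUL=C:\\WINDOWS\\TEMP\\OLD.TMP\n"

def parse_reg(text):
    """REGEDIT4 export text -> {lowercased key: {value name: string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \"
    return keys

def pending_renames(text):
    """(destination, source) pairs wininit.ini will apply at the next boot."""
    pairs, active = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            active = line.lower() == "[rename]"
        elif active and "=" in line and not line.startswith(";"):
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def review(reg_text, wininit_text, known_good_run=()):
    """Findings for the three startup points raised in the thread."""
    keys, out = parse_reg(reg_text), []
    cmd = keys.get(EXE_KEY, {}).get("@")
    if cmd is not None and cmd != DEFAULT_EXE_CMD:
        out.append(("exefile-open-command", cmd))
    good = {n.lower() for n in known_good_run}
    out += [("run-value", f"{n} -> {d}") for n, d in keys.get(RUN_KEY, {}).items()
            if n.lower() not in good]
    out += [("wininit-rename", f"{s} -> {d}") for d, s in pending_renames(wininit_text)]
    return out
```

Calling `review(SAMPLE_REG, SAMPLE_WININIT, known_good_run=["SystemTray"])` reports the altered open command, the one Run value not on the known-good list, and the pending wininit.ini entry (a destination of NUL means the source file is deleted at boot).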
-
July 18th, 2001, 09:15 AM
#5
All my disks are write-protected, so that wasn't a problem.
F-Prot will find the virus on the C: if I boot to Windows (thereby infecting the files), then reboot with a write-protected startup disk, install F-Prot, and run it, but as soon as I boot to Windows again the computer is reinfected.
So something is infected on the machine McAfee can't see when booted with a StartUp Disk, and Norton's & InoculateIT can't see from Windows. I'm assuming that it's a Windows file that loads before the antivirus programs, or maybe it's even infected the AV programs themselves.
My boss checked it out for a few hours yesterday and he recommended that we fdisk and format, then reload the client's programs. I'd hate to do all that for a lousy virus though.
--------------------------
Laugh at your problems... Everybody else does!
-
July 18th, 2001, 09:21 AM
#6
Registered User
Go online and use a trojan scan program, like the one on the homepage of windrivers.
-
July 18th, 2001, 10:22 AM
#7
Mmmm, tricky one.
You could do a fresh install of Windows in a temp directory and then reinstall Norton AntiVirus. Maybe the virus destroyed something in the Win98.
Try a fresh copy with some new NAV definitions, and scan again.
Afterwards you can put your original Windows directory back into play. A fresh scan on a clean install may remove the leftover traces that are still resident.
Let me know how ya solve this one...
.JL.
He who can laugh at himself will never cease to be amused.
-
July 18th, 2001, 11:44 AM
#8
Jettlag,
I did something similar, which I forgot to mention. I removed his hard drive and added it to my machine as a secondary. Then I ran InoculateIT on it and removed some infected files that way. I didn't do it really thoroughly though.
I did notice that I wasn't checking everything in F-Prot. I set it to check everything and found an infected Symantec TMP file that I didn't notice before: c:\progra~1\common~1\symant~1\200110710.056\0001nav~.tmp
I have to go out on a call now, but hopefully nuking that will fix my prob. (Not likely, but oh well.)
--------------------------
Laugh at your problems... Everybody else does!
-
July 19th, 2001, 10:24 AM
#9
Registered User
Norton has a virus scanning tool that runs in DOS. You have to go to wherever you have installed Norton and run a program in there called navdx /doallfiles, and that will scan the computer and find any files that are still infected.
-
July 19th, 2001, 02:06 PM
#10
Mr. Penguin,
Was it those temp files that were causing your grief with the virus?
He who can laugh at himself will never cease to be amused.
-
July 20th, 2001, 04:59 PM
#11
Been there! Time spent trying to pin the little sod became excessive. FDISK, REFORMAT & REINSTALL is less time consuming.
-
July 20th, 2001, 05:49 PM
#12
I had a very similar problem just a couple of days ago. It seemed to be related to another virus I found on the machine named W32.Magistr.24876@mm. Once I got rid of this virus, I found that the MTX virus was finally gone as well. I have no clue if/how they were related, but it's all clean now.
-
July 21st, 2001, 04:15 AM
#13
Registered User
There are a couple of MTX variants that can be a nightmare to remove. I've found booting from a normal 9x bootdisk and running the McAfee DOS scanner with up-to-date definitions from parallel port hdd or CD doesn't always remove it entirely (scan /all /clean). The problem comes in that it doesn't seem to catch the virus in compressed files, so it usually requires plugging the infected HDD into a Windows-based machine and running the virus scanner on compressed files as well.
As pretzelboy mentioned, there seems to be at least one variant that involves the w32/magistr virus as well. I haven't figured out exactly how but I'll take more note next time I encounter it.
To prove something, one must first try to disprove it.
-
July 21st, 2001, 04:56 AM
#14
Registered User
You said that you removed it from 20 computers, yet this is the only one with the problem. What is different about the other computers compared to this one?
http://www.symantec.com/avcenter/venc/data/w95.mtx.html
I'm sure you're already familiar with that web site, but I didn't think it hurt to list it. It seems to describe the virus/worm pretty thoroughly.
Good luck.
Roger: "Gotta light?"
Sarien Guard: "Sorry, don't drink."
-- Aboard the Deltaur
-
July 21st, 2001, 07:57 PM
#15
Registered User
I know this is crude but if it is memory resident at boot
try fdisk /mbr from a clean boot disk
It is a miracle that curiosity survives formal education. -- Albert Einstein
It said 'Insert disk #3', but only two will fit. -- The average customer.
"There is no need for any individual to have a computer in their home." – Ken Olson, President of Digital Equipment Corp., 1977 …….