pennsicdance: OT BUT IMPORTANT! -- WARNING! Don't open attached files from me!
Bess Libby
besslibby at mediaone.net
Tue Nov 28 00:23:17 PST 2000
> Hello,
>
> I am sending this email to warn everyone I've sent email to recently NOT
> to open attached files from me. I didn't send anything with an attached
> file out, and last night I discovered (with help from Matt Ender- thanks!
> (no sarcasm)) that my computer had a nasty virus called W95.mtx that
> managed to affect 68 files and add things to my registry. I do not know
> how my machine got infected. It took about 7 hours total to get it out of
> my system, following the 7 pg instructions Matt found on the web for me.
> It presented as a separate email from me that is blank with an attached
> file called hanson.scr.
>
> If I did infect your machine, I deeply apologize. Instructions for removal
> are below.
>
> Thanks,
> Jon and Bess
> (Pandaulf and Maria)
>
>
> Removal:
>
> How to repair
>
> This is a complex and difficult virus to remove. It alters system files
> and on some systems these files cannot be repaired. In some cases, after
> attempting to repair the virus, you will not be able to start Windows
> until you restore the needed system files from the original Windows
> installation CD. This document assumes that you are familiar with basic
> Windows and DOS procedures. If you are not, we suggest that you obtain
> the services of a qualified computer consultant.
>
> CAUTION:
> Windows 98 allows you to create a startup disk that contains both system
> files and drivers that will work with most CD-ROMs. Windows 95 does not.
> Before you start this procedure, it is strongly recommended that you
> create or obtain a Windows 98 Startup disk. This can be used to boot a
> Windows 95 or a Windows 98 computer. If you do not create this disk
> first, and the first part of the removal procedure does not work on your
> system, you may not be able to restore some Windows files if this is
> needed.
>
> NOTES:
>
> Due to the nature of this virus, some files will not be repairable. The
> unrepairable files will need to be restored from clean backup copies, or
> from the original distribution disks.
>
> To remove this threat you will need to carefully watch Norton AntiVirus
> (NAV) during the detection process. The files infected by the virus
> portion of W95.MTX should be detected as W95.MTX and W95.MTX (.dll). Any
> files that are detected as being infected with either W95.MTX or W95.MTX
> (.dll) should be able to be repaired. Files that are part of the Trojan
> and worm part of the infection should be detected as W95.MTX.dr. Any
> files detected as being infected with W95.MTX.dr must be removed.
>
> It is important to make the distinction between the virus and the worm
> components, because the virus part of W95.MTX can infect Windows system
> files and if you delete system files you might damage Windows.
>
> To repair the damage done by this virus, follow in turn the instructions
> in each section.
>
> Create or obtain a Startup disk
> Before you begin the removal process, you must create or obtain a Windows
> 98 Startup disk. If you are running Windows 95, you may be able to obtain
> one from a local computer store. To create one on a Windows 98 computer,
> follow these steps:
>
> 1. Click Start, point to Settings, and then click Control Panel.
> 2. Double-click Add/Remove programs.
> 3. Click the Startup disk tab.
> 4. Place a new, formatted floppy disk in the floppy disk drive.
> 5. Click Create Disk and follow the prompts.
>
> Ensure that you have the most recent virus definitions
>
> You must have Norton AntiVirus installed, and you must have virus
> definitions dated September 5, 2000 or later. If you do not, because this
> virus blocks access to most antivirus vendors' Web sites, including
> Symantec's, you will not be able to run LiveUpdate or download the
> definitions from the SARC Web site.
>
> There are two ways to work around this:
>
> If you have access to an uninfected computer, download the most recent
> definitions from the SARC Web site, and then install the definition files
> on the infected computer. For instructions on how to do this, see the
> following documents:
>
> Title: How to update virus definition files using the Virus Definition
> Update Installer
> Document ID: 1998082013035306
>
> Title: How to update virus definitions on computers without Internet or
> network connections.
> Document ID: 199811293832
>
> If you do not have access to an uninfected computer, you can download the
> Virus Update Definition Installer from the Tucows Web site. Follow these
> steps to do this:
>
> 1. Go to the following URL:
>
> http://www.tucows.com
>
> 2. In the Search Software Library! box, type the following and then click
> GO!:
>
> norton dat
>
> 3. Locate the entry--it should be the first in the list--for the
> Platform: Windows 95/98 and then click Download Now.
> 4. Choose your region and state or locality and then click GO!
> 5. Click the download site nearest your location.
> 6. Download the file to a location on the hard drive such as the Windows
> desktop.
> 7. When the download is finished, double click the file that you
> downloaded to install it.
>
> Restart the computer to a command prompt
> You need to restart the computer to a command prompt. Follow the steps
> for your operating system:
>
> How to start Windows 95 to a command prompt:
> 1. Click Start and click Shut Down. The Shut Down Windows dialog box
> appears.
> 2. Click Restart, then click Yes. Windows will shut down and the computer
> will restart.
> 3. When "Starting Windows 95..." appears on the screen, press F8. The
> Windows 95 Startup Menu appears.
> 4. Select "Command Prompt only" and press Enter.
>
> How to start Windows 98 to a command prompt:
> 1. Click Start and click Shut Down. The Shut Down Windows dialog box
> appears.
> 2. Click Restart, then click OK. Windows will shut down and the computer
> will restart.
> 3. As the computer restarts, press and hold down the Ctrl key until the
> Windows 98 Startup Menu appears. Note: On some computers, a keyboard or
> other error may appear during restart as you hold down the Ctrl key. If
> so, then follow the prompts to press a key to continue (for example, the
> message may prompt you to press the Esc key), then immediately press the
> Ctrl key again.
> 4. Select "Command Prompt only" and then press Enter.
>
> Delete the infected files
> Follow these steps to delete the infected files:
>
> NOTE: These instructions assume that you have Windows installed to the
> default location of C:\Windows. If you have Windows installed to a
> different location, please make the appropriate substitutions.
>
> 1. Type each of the following commands and press Enter after each one:
>
> set path=c:\windows\command;%path%
> cd \windows
> attrib -r -s -h *.*
> del ie_pack.exe
> del win32.dll
> del mtx_.exe
>
> NOTE: If after entering any of these commands, you see a message such as
> "File not found," type the command again to make sure that it was typed
> exactly as shown. For example, ie_pack.exe is "ie" then an underscore
> then "pack.exe".
>
> 2. Type the following command and then press Enter:
>
> dir /s \navdx.exe
>
> This will search the hard drive for the location of the Norton AntiVirus
> DOS scanner. If you have NAV installed to a different drive, change to
> the root of that drive first.
>
> 3. Write down the location that follows "Directory of," for example,
> C:\Progra~1\Norton~1.
>
> 4. Change to the directory whose location you wrote down in the previous
> step by typing cd followed by the path. For example, to change to the
> default location shown in step 3, type the following command and then
> press Enter:
>
> cd \progra~1\norton~1
>
> 5. Type the following command and then press Enter:
>
> navdx /a /doallfiles /repair /delete
>
> This will scan all hard drives and files. NAV will attempt to repair any
> infected files; if it cannot repair an infected file, the file will be
> deleted.
>
> CAUTION: This could take several hours or more on some computers. Do not
> attempt to stop the scan once it has started.
>
> 6. When the scan is finished, go on to the next section.
>
> Extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe
> files
> This is necessary because these files have very likely been infected by
> the virus and are critical for accessing the Internet and using the
> computer. You need to use the Extract command at a DOS prompt to restore
> good copies of these files from the Windows installation files.
>
> There are two locations from which these files can be extracted:
>
> The Windows installation files on your hard drive. On many newer
> computers, the Cab files that contain the Windows installation files are
> stored on the computer's hard drive. If you are sure that this is the
> case, see the section How to extract files that are located on the hard
> drive.
> The Microsoft Windows 95/98 Installation CD. If you do not have the Cab
> files on the hard drive, see the section How to extract files that are
> located on the installation CD.
>
> How to extract files that are located on the hard drive
>
> 1. Type the following and then press Enter:
>
> dir /s \precopy1.cab
>
> This will search the hard drive for the location of the Cab files. If the
> file is not found, it is likely that the Cab files are not on the hard
> drive. Skip to the section How to extract files that are located on the
> installation CD.
> 2. Write down the location that follows "Directory of," for example,
> C:\Windows\Options\Cabs.
> 3. Change to the directory whose location you wrote down in the previous
> step by typing cd followed by the path. For example, to change to the
> location shown in step 2, type the following command and then press
> Enter:
>
> cd \windows\options\cabs
>
> 4. What you do next depends on which operating system you are using:
>
> NOTES:
> If after entering any of these commands, you see a message such as "File
> not found," type the command again to make sure that it was typed exactly
> as shown.
> If you see a message asking if you want to overwrite a file, (Yes/No/All)
> type Y and then press Enter.
> If you have Windows installed to a different location, please make the
> appropriate substitutions.
>
> If you are using Windows 98, type the following commands and press Enter
> after each one:
>
> extract /a precopy1.cab wsock32.dll /l c:\windows\system
> extract /a win98_40.cab explorer.exe /l c:\windows
> extract /a win98_40.cab rundll32.exe /l c:\windows
>
> If you are using Windows 95, type the following commands and press Enter
> after each one:
>
> extract /a win95_10.cab wsock32.dll /l c:\windows\system
> extract /a win95_10.cab explorer.exe /l c:\windows
> extract /a win95_10.cab rundll32.exe /l c:\windows
>
> If you experience no error messages, then you are finished with the
> extraction process. Go on to the section Edit the registry.
>
> How to extract files that are located on the installation CD
>
> 1. Insert the Windows 98 Startup disk in the floppy disk drive.
> 2. Insert the Windows 98 installation CD in the CD-ROM drive.
> 3. Turn off the computer and wait thirty seconds.
> 4. Turn on the computer. The computer will start to a startup menu.
> 5. The default menu item is Start Computer with CD-ROM Support. Do not
> change this, but instead press Enter.
> 6. Allow the computer to finish booting to an A: prompt. This could take
> a few minutes.
> 7. The next step is to change to the CD-ROM drive. Because you are using
> the Startup disk, the drive letter will be one letter greater than the
> drive letter that usually represents the CD-ROM drive. For example, if
> the CD-ROM drive is the D: drive in Windows, it will now be the E: drive.
>
> Type the following, changing the drive letter as necessary, and then
> press Enter:
>
> E:\Win98 (If the installation disk is for Windows 98)
>
> or
>
> E:\Win95 (If the installation disk is for Windows 95)
>
> If you see an error message, try retyping the command with a different
> drive letter, for example, F:\Win98.
> 8. What you do next depends on which operating system you are using:
>
> NOTES:
> If after entering any of these commands, you see a message such as "File
> not found," type the command again to make sure that it was typed exactly
> as shown.
> If you see a message asking if you want to overwrite a file, (Yes/No/All)
> type Y and then press Enter.
> If you have Windows installed to a different location, please make the
> appropriate substitutions.
>
> If you are using Windows 98, type the following commands and press Enter
> after each one:
>
> extract /a precopy1.cab wsock32.dll /l c:\windows\system
> extract /a win98_40.cab explorer.exe /l c:\windows
> extract /a win98_40.cab rundll32.exe /l c:\windows
>
> If you are using Windows 95, type the following commands and press Enter
> after each one:
>
> extract /a win95_10.cab wsock32.dll /l c:\windows\system
> extract /a win95_10.cab explorer.exe /l c:\windows
> extract /a win95_10.cab rundll32.exe /l c:\windows
>
> If you experience no error messages, then you are finished with the
> extraction process. Go on to the next section.
>
> Edit the registry
> Follow these steps to remove the entry that the virus added to the
> registry:
>
> CAUTION: We strongly recommend that you back up the system registry
> before making any changes to it. Incorrect changes to the registry may
> result in permanent data loss or corrupted files. Please make sure that
> you modify only the keys specified. Please see the document How to back
> up the Windows 95/98/NT registry before proceeding. This document is
> available from the Symantec Fax-on-Demand system. In the U.S. and Canada,
> call (541) 984-2490, select option 2, and then request document 927002.
>
> 1. Remove the floppy disk from the floppy disk drive.
> 2. If you extracted the files from the Installation CD, remove the CD
> from the CD-ROM drive.
> 3. Turn off the computer and wait thirty seconds.
> 4. Turn on the computer and allow Windows to start.
>
> NOTE: It is normal at this point for error messages to appear. They will
> refer to the virus files with messages such as "Windows cannot find..."
> Ignore these messages. They are the result of the remaining entries in
> the Windows registry that you will remove next. They do not indicate that
> the computer is still infected.
>
> 5. Click Start, and then click Run. The Run dialog box appears.
> 6. Type regedit and then click OK. The Registry Editor opens.
> 7. Navigate to and select the following subkey:
>
> HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
>
> 8. Delete the following value in the right pane:
>
> SystemBackup C:\WINDOWS\MTX_.EXE
>
> 9. Click Yes to confirm.
> 10. Delete the following subkey:
>
> HKey_Local_Machine\Software\[Matrix]
>
> 11. Click Yes to confirm.
> 12. In the left pane, click the My Computer key.
> 13. Click Edit and then click Find.
> 14. In the Find what box, type mtx and then click Find Next.
> 15. What you do will depend on whether any entries are found.
> If no entries are found that contain the string mtx, go on to the next
> step.
> If any entries are found, and they refer to MTX_.EXE, you should delete
> the entry. Because this is a string search, it could find entries for
> legitimate programs that happen to contain this string. Make sure that
> the reference is to MTX_.EXE before you delete it. To continue the search
> if an entry is found, press F3. Keep doing this until no more entries are
> found.
> 16. Repeat step 11, but this time search for [MATRIX]. Delete any entries
> that are found.
> 17. Click the Registry menu, and then click Exit to save the changes and
> close the Registry Editor.
> 18. Restart the computer.
>
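As an added illustration (not part of the quoted post or of the vendor's instructions), the registry search in steps 7 through 16 expressed as a check over a regedit export: it flags the two entries the instructions name (the SystemBackup Run value pointing at MTX_.EXE and the [Matrix] key) and keeps plain "mtx" substring matches separate, since the instructions warn those may belong to legitimate programs. The REGEDIT4 sample, the ExampleCorp\mtxtool key and the function names are constructed for this example.

```python
import re

# Constructed sample of a Windows 9x regedit export (REGEDIT4 format). It
# holds the two registry entries the removal instructions attribute to
# W95.MTX, plus an unrelated value that merely contains the string "mtx".
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBackup"="C:\\WINDOWS\\MTX_.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\[Matrix]]
"Install"="yes"

[HKEY_LOCAL_MACHINE\Software\ExampleCorp\mtxtool]
"Path"="C:\\Program Files\\mtxtool\\mtxtool.exe"
"""

MATRIX_KEY = r"HKEY_LOCAL_MACHINE\Software\[Matrix]"
VALUE_LINE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}.
    Only "name"="data" (REG_SZ) lines are kept; the indicators need no more."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # key path without the brackets
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            # .reg files double every backslash in string data; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_mtx_indicators(keys):
    """Return (hits, review). hits: the [Matrix] key and every value whose
    data refers to MTX_.EXE. review: values that only contain 'mtx' and
    need a human look before deletion, the caveat given in step 15."""
    hits, review = [], []
    for key, values in keys.items():
        if key.lower() == MATRIX_KEY.lower():
            hits.append((key, None, None))
        for name, data in values.items():
            if "mtx_.exe" in data.lower():
                hits.append((key, name, data))
            elif "mtx" in (name + data).lower():
                review.append((key, name, data))
    return hits, review
```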
-------------------------------------------------------------------------
To unsubscribe from this list, send email to majordomo at pbm.com containing
the words "unsubscribe pennsicdance". If you are subscribed to the digest
version, say "unsubscribe pennsicdance-digest". To contact a human about
problems, send mail to owner-pennsicdance at pbm.com