
viruses: a solution [off topic] important and long !!!!!


InSane

Oct 26, 2000, 3:00:00 AM
Hello

I know this isn't the right list, but it's probably worth posting anyway, since
several people from the list have the virus...

The virus is called [MTX]; you can recognise it by the attachments, which have
the following form:

I_wanna_see_you.txt.pif
Matrix_screen_saver.scr
Love_letter_for_you.txt.pif
New_playboy_screen_saver.scr
Bill_gates_piece.jpg.pif
Tiazinha.jpg.pif
Feiticeira_nua.jpg.pif
Geocities_free_sites.txt.pif
New_napster_site.txt.pif
Metallica_song.mp3.pif
Anti_cih.exe
Internet_security_forum.doc.pif
Alanis_screen_saver.scr
Reader_digest_letter.txt.pif
Win_$100_now.doc.pif
Is_linux_good_enough!.txt.pif
Qi_test.exe
Avp_updates.exe
Seicho_no_ie.exe
You_are_fat!.txt.pif
Free_xxx_sites.txt.pif
I_am_sorry.doc.pif
Me_nude.avi.pif
Sorry_about_yesterday.doc.pif
Protect_your_credit.html.pif
Jimi_hendrix.mp3.pif
Hanson.scr
F___ing_with_dogs.scr
Matrix_2_is_out.scr
Zipped_files.exe
Blink_182.mp3.pif

On the system it shows up as files:

ending in *.mtx, and:

IE_PACK.EXE
WIN32.DLL
MTX_.EXE

I removed it as follows:
- installed a new Sophos (I have a licence for it at work)
- it detected it in 70 *.exe files in the Windows directory
- at work I found a clean computer and shared its c:\windows directory over
the network
- I copied the whole directory to my (infected) computer into a new directory
c:\new
- I went into DOS and overwrote the infected files (Sophos had produced a log
with the names, so I put that into a batch file and done)
- started Windows and ran Sophos
- deleted the files that had not been overwritten under DOS (there were a
few), then DOS again and copying again
- then it was done; Sophos again, and it detected nothing

These files:
IE_PACK.EXE
WIN32.DLL
MTX_.EXE

can be deleted without problems (i.e. under some antivirus; otherwise they
will just move themselves anyway...)

I still have a problem with winsock, but I'm working on it :)))))


regards

http://station75.com
[ ins...@station75.com ]
the pasimito.com group


PS. Below I'm including a version of how to remove it using Norton AntiVirus
(English-language version):

MTX Removal Instructions
By Abid Oonwala, Help & How-To
October 25, 2000 2:14 PM PT
URL: http://www.zdnet.com/zdhelp/stories/main/0,5594,2644979,00.html

[MTX] is a complex and difficult virus to remove. It alters system files and
on some systems these files cannot be repaired. In some cases, after
attempting to repair the virus, you will not be able to start Windows until
you restore the needed system files from the original Windows installation
CD. This document assumes that you are familiar with basic Windows and DOS
procedures. If you are not, we suggest that you obtain the services of a
qualified computer consultant.

CAUTION:
Windows 98 allows you to create a startup disk that contains both system
files and drivers that will work with most CD-ROMs. Windows 95 does not.
Before you start this procedure, it is strongly recommended that you create
or obtain a Windows 98 Startup disk. This can be used to boot a Windows 95
or a Windows 98 computer. If you do not create this disk first, and the
first part of the removal procedure does not work on your system, you may
not be able to restore some Windows files if this is needed.

NOTES:

Due to the nature of this virus, some files will not be repairable. The
unrepairable files will need to be restored from clean backup copies, or
from the original distribution disks.

To remove this threat you will need to carefully watch Norton AntiVirus
(NAV) during the detection process. The files infected by the virus portion
of W95.MTX should be detected as W95.MTX and W95.MTX (.dll). Any files that
are detected as being infected with either W95.MTX or W95.MTX (.dll) should
be able to be repaired.

Files that are part of the Trojan and worm part of the infection should be
detected as W95.MTX.dr. Any files detected as being infected with W95.MTX.dr
must be removed.

It is important to make the distinction between the virus and the worm
components, because the virus part of W95.MTX can infect Windows system
files and if you delete system files you might damage Windows.

To repair the damage done by this virus, follow in turn the instructions in
each section.

Create or obtain a Startup disk
Before you begin the removal process, you must create or obtain a Windows 98
Startup disk. If you are running Windows 95, you may be able to obtain one
from a local computer store. To create one on a Windows 98 computer, follow
these steps:

Click Start, point to Settings, and then click Control Panel.

Double-click Add/Remove programs.

Click the Startup disk tab.

Place a new, formatted floppy disk in the floppy disk drive.

Click Create Disk and follow the prompts.

Ensure that you have the most recent virus definitions

You must have Norton AntiVirus installed, and you must have virus
definitions dated September 5, 2000 or later. If you do not, note that because
this virus blocks access to most antivirus vendors' Web sites, including
Symantec's, you will not be able to run LiveUpdate or download the
definitions from the SARC Web site.

There are two ways to work around this:

If you have access to an uninfected computer, download the most recent
definitions from the SARC Web site, and then install the definition files on
the infected computer. For instructions on how to do this, see the following
documents:
Title: How to update virus definition files using the Virus Definition
Update Installer
Document ID: 1998082013035306

Title: How to update virus definitions on computers without Internet or
network connections.
Document ID: 199811293832

If you do not have access to an uninfected computer, you can download the
Virus Update Definition Installer from the Tucows Web site. Follow these
steps to do this:

Go to the following URL:
http://www.tucows.com

In the Search Software Library! box, type the following and then click GO!:
norton dat


Locate the entry--it should be the first in the list--for the Platform:
Windows 95/98 and then click Download Now.

Choose your region and state or locality and then click GO!

Click the download site nearest your location.

Download the file to a location on the hard drive such as the Windows
desktop.

When the download is finished, double click the file that you downloaded to
install it.

Restart the computer to a command prompt
You need to restart the computer to a command prompt. Follow the steps for
your operating system:

How to start Windows 95 to a command prompt:

Click Start and click Shut Down. The Shut Down Windows dialog box appears.

Click Restart, then click Yes. Windows will shut down and the computer will
restart.

When "Starting Windows 95..." appears on the screen, press F8. The Windows
95 Startup Menu appears.

Select "Command Prompt only" and press Enter.

How to start Windows 98 to a command prompt:
Click Start and click Shut Down. The Shut Down Windows dialog box appears.

Click Restart, then click OK. Windows will shut down and the computer will
restart.

As the computer restarts, press and hold down the Ctrl key until the Windows
98 Startup Menu appears. Note: On some computers, a keyboard or other error
may appear during restart as you hold down the Ctrl key. If so, then follow
the prompts to press a key to continue (for example, the message may prompt
you to press the Esc key), then immediately press the Ctrl key again.

Select "Command Prompt only" and then press Enter.

Delete the infected files
Follow these steps to delete the infected files:

NOTE: These instructions assume that you have Windows installed to the
default location of C:\Windows. If you have Windows installed to a different
location, please make the appropriate substitutions.

Type each of the following commands and press Enter after each one:

set path=c:\windows\command;%path%
cd windows
attrib -r -s -h *.*
del ie_pack.exe
del win32.dll
del mtx_.exe

NOTE: If, after entering any of these commands, you see a message such as
"File not found," type the command again to make sure that it was typed
exactly as shown. For example, ie_pack.exe is "ie", then an underscore, then
"pack.exe".
Type the following command and then press Enter:

dir /s navdx.exe

This will search the hard drive for the location of the Norton AntiVirus DOS
scanner. If you have NAV installed to a different drive, change to the root
of that drive first.

Write down the location that follows "Directory of," for example,
C:\Progra~1\Norton~1.

Change to the directory whose location you wrote down in the previous step
by typing cd followed by the path. For example, to change to the default
location shown in step 3, type the following command and then press Enter:

cd progra~1\norton~1

Type the following command and then press Enter:

navdx /a /doallfiles /repair /delete

This will scan all hard drives and files. NAV will attempt to repair any
infected files; if it cannot repair an infected file, the file will be
deleted.

CAUTION: This could take several hours or more on some computers. Do not
attempt to stop the scan once it has started.

When the scan is finished, go on to the next section.

Extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe files
This is necessary because these files have very likely been infected by the
virus and are critical for accessing the Internet and using the computer.
You need to use the Extract command at a DOS prompt to restore good copies
of these files from the Windows installation files.

There are two locations from which these files can be extracted:


The Windows installation files on your hard drive. On many newer computers,
the Cab files that contain the Windows installation files are stored on the
computer's hard drive. If you are sure that this is the case, see the
section How to extract files that are located on the hard drive.

The Microsoft Windows 95/98 Installation CD. If you do not have the Cab
files on the hard drive, see the section How to extract files that are
located on the installation CD.

How to extract files that are located on the hard drive

Type the following and then press Enter:

dir /s precopy1.cab

This will search the hard drive for the location of the Cab files. If the
file is not found, it is likely that the Cab files are not on the hard
drive. Skip to the section How to extract files that are located on the
installation CD.

Write down the location that follows "Directory of," for example,
C:\Windows\Options\Cabs.

Change to the directory whose location you wrote down in the previous step
by typing cd followed by the path. For example, to change to the location
shown in step 2, type the following command and then press Enter:

cd windows\options\cabs

What you do next depends on which operating system you are using:

NOTES:
If, after entering any of these commands, you see a message such as "File
not found," type the command again to make sure that it was typed exactly as
shown.

If you see a message asking if you want to overwrite a file, (Yes/No/All)
type Y and then press Enter.

If you have Windows installed to a different location, please make the
appropriate substitutions.


If you are using Windows 98, type the following commands and press Enter
after each one:

extract /a precopy1.cab wsock32.dll /l c:\windows\system
extract /a win98_40.cab explorer.exe /l c:\windows
extract /a win98_40.cab rundll32.exe /l c:\windows

If you are using Windows 95, type the following commands and press Enter
after each one:

extract /a win95_10.cab wsock32.dll /l c:\windows\system
extract /a win95_10.cab explorer.exe /l c:\windows
extract /a win95_10.cab rundll32.exe /l c:\windows

If you experience no error messages, then you are finished with the
extraction process. Go on to the section Edit the registry.

How to extract files that are located on the installation CD

Insert the Windows 98 Startup disk in the floppy disk drive.

Insert the Windows 98 installation CD in the CD-ROM drive.

Turn off the computer and wait thirty seconds.

Turn on the computer. The computer will start to a startup menu.

The default menu item is Start Computer with CD-ROM Support. Do not change
this, but instead press Enter.

Allow the computer to finish booting to an A: prompt. This could take a few
minutes.

The next step is to change to the CD-ROM drive. Because you are using the
Startup disk, the drive letter will be one letter greater than the drive
letter that usually represents the CD-ROM drive. For example, if the CD-ROM
drive is the D: drive in Windows, it will now be the E: drive.

Type the following, changing the drive letter as necessary, and then press
Enter:

E:\Win98 (If the installation disk is for Windows 98)

or

E:\Win95 (If the installation disk is for Windows 95)

If you see an error message, try retyping the command with a different drive
letter, for example, F:\Win98.

What you do next depends on which operating system you are using:

NOTES:

If, after entering any of these commands, you see a message such as "File
not found," type the command again to make sure that it was typed exactly as
shown.

If you see a message asking if you want to overwrite a file, (Yes/No/All)
type Y and then press Enter.

If you have Windows installed to a different location, please make the
appropriate substitutions.

If you are using Windows 98, type the following commands and press Enter
after each one:

extract /a precopy1.cab wsock32.dll /l c:\windows\system
extract /a win98_40.cab explorer.exe /l c:\windows
extract /a win98_40.cab rundll32.exe /l c:\windows

If you are using Windows 95, type the following commands and press Enter
after each one:

extract /a win95_10.cab wsock32.dll /l c:\windows\system
extract /a win95_10.cab explorer.exe /l c:\windows
extract /a win95_10.cab rundll32.exe /l c:\windows

If you experience no error messages, then you are finished with the
extraction process. Go on to the next section.


Edit the registry
Follow these steps to remove the entry that the virus added to the registry:

CAUTION: We strongly recommend that you back up the system registry before
making any changes to it. Incorrect changes to the registry may result in
permanent data loss or corrupted files. Please make sure that you modify
only the keys specified. Please see the document How to back up the Windows
95/98/NT registry before proceeding. This document is available from the
Symantec Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490,
select option 2, and then request document 927002.


Remove the floppy disk from the floppy disk drive.

If you extracted the files from the Installation CD, remove the CD from the
CD-ROM drive.

Turn off the computer and wait thirty seconds.

Turn on the computer and allow Windows to start.

NOTE: It is normal at this point for error messages to appear. They will
refer to the virus files with messages such as "Windows cannot find..."
Ignore these messages. They are the result of the remaining entries in the
Windows registry that you will remove next. They do not indicate that the
computer is still infected.

Click Start, and then click Run. The Run dialog box appears.

Type regedit and then click OK. The Registry Editor opens.

Navigate to and select the following subkey:

HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run

Delete the following value in the right pane:

SystemBackup C:\WINDOWS\MTX_.EXE

Click Yes to confirm.

Delete the following subkey:

HKey_Local_Machine\Software\[Matrix]

Click Yes to confirm.
In the left pane, click the My Computer key.

Click Edit and then click Find.

In the Find what box, type mtx and then click Find Next.

What you do will depend on whether any entries are found.
If no entries are found that contain the string mtx, go on to the next step.

If any entries are found, and they refer to MTX_.EXE, you should delete the
entry. Because this is a string search, it could find entries for legitimate
programs that happen to contain this string. Make sure that the reference
is to MTX_.EXE before you delete it. To continue the search if an entry is
found, press F3. Keep doing this until no more entries are found.

Repeat step 11, but this time search for [MATRIX]. Delete any entries that
are found.

Click the Registry menu, and then click Exit to save the changes and close
the Registry Editor.

Restart the computer.

Write-up by: Abid Oonwala
Updated: October 16, 2000 4:25:59 PM
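The attachment list at the top of the post shows the worm's naming trick: a harmless-looking inner extension (.txt, .jpg, .mp3) followed by a final extension that Windows runs as a program (.pif, .scr, .exe). The following script is an added example, not code from the original post or from any product mentioned in it; it builds a constructed sample message with the email module, classifies each attachment name, and flags both plain executables and double-extension names. The sample names and the message itself are constructed for the demonstration.

```python
"""Flag mail attachments that use the double-extension trick seen in the MTX worm."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Final extensions that Windows 9x executes directly (assumption: this list is
# what a mail gateway of the period would have treated as "program" types).
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat"}
# Inner extensions the worm used to make the name look like a document or media file.
DECOY_EXTS = {"txt", "doc", "jpg", "mp3", "avi", "html", "htm", "gif"}


def classify_attachment(name: str) -> str:
    """Return 'double-extension', 'executable' or 'other' for an attachment name."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "other"          # no extension at all
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return "other"          # ends in something Windows does not run
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"   # e.g. "I_wanna_see_you.txt.pif"
    return "executable"             # e.g. "Hanson.scr"


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return (filename, verdict) for risky attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if not fname:
            continue            # unnamed parts cannot be judged by name
        verdict = classify_attachment(fname)
        if verdict != "other":
            findings.append((fname, verdict))
    return findings


def build_sample_message(filenames) -> bytes:
    """Construct a test message carrying one dummy attachment per filename (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Constructed sample message for the attachment-name check.")
    for fname in filenames:
        msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


# Constructed sample: five names taken from the list in the post plus one benign file.
SAMPLE_NAMES = [
    "I_wanna_see_you.txt.pif",
    "Matrix_screen_saver.scr",
    "Bill_gates_piece.jpg.pif",
    "Anti_cih.exe",
    "Me_nude.avi.pif",
    "meeting_notes.txt",
]

if __name__ == "__main__":
    for fname, verdict in scan_message(build_sample_message(SAMPLE_NAMES)):
        print(f"{verdict:17} {fname}")
```

The classifier looks only at the name, which is exactly what a user sees in the mail client; a gateway would normally combine this with a content check, since a renamed executable still starts with the MZ header whatever its extension.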


Draker

Oct 26, 2000, 2:13:35 PM
I did it more simply: I wiped the whole system and reinstalled from scratch. :)
At least I'm sure I've got rid of that crap.

--
Archive of the pl.rec.gry.karciane newsgroup
http://niusy.onet.pl/pl.rec.gry.karciane

Lehoo

Oct 26, 2000, 3:26:18 PM
>I did it more simply: I wiped the whole system and reinstalled from scratch. :)
>At least I'm sure I've got rid of that crap.


But to pass on this fantastic piece of information you didn't have to quote a
17Kb post...

Lehoo


insane

Oct 26, 2000, 4:57:21 PM

User "Draker" <dra...@poczta.wp.pl> wrote in message
news:019301c03f78$776f9280$3ad24dd5@ppp...

> I did it more simply: I wiped the whole system and reinstalled from
scratch. :)
> At least I'm sure I've got rid of that crap.

yes, but the trick is to remove the virus without reinstalling the system; in
my case that's up to 8 h of work (graphics software etc...)
but the solution is excellent :)

insane
http://station75.com

Hoody

Oct 27, 2000, 5:56:35 AM

Draker wrote:

> I did it more simply: I wiped the whole system and reinstalled from scratch. :)
> At least I'm sure I've got rid of that crap.

And in a few days you'll catch a new one that works differently
(now you at least know not to open attachments when
the mail has no subject)
and ... you'll wipe the system again!
(Knock on wood 3x !!!) and so on, round and round... :-(


> and InSane <ins...@station75.com> wrote

> (...)


> > - at work I found a clean computer and shared its c:\windows directory
> > over the network
> > - I copied the whole directory to my (infected) computer into a new
> > directory c:\new

> > - I went into DOS and overwrote the infected files (...)

well yes, but that requires a working network, which MTX took care of for me :-(

H.


InSane

Oct 27, 2000, 7:36:09 AM
> > (...)
> > > - at work I found a clean computer and shared its c:\windows directory
> > > over the network
> > > - I copied the whole directory to my (infected) computer into a new
> > > directory c:\new
> > > - I went into DOS and overwrote the infected files (...)
>
> well yes, but that requires a working network, which MTX took care of for
me :-(

hmm... I only wanted to write down how I managed to exterminate it....

on a network you can always install the system on some machine (the most
infected one) and pull good files from it....

btw: as far as I know even an updated Sophos didn't help...

insane
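InSane's procedure, described in the first post and again here, is a generic remediation pattern: take the scanner's list of infected files, and overwrite each one with the same file from a known-clean copy of the Windows directory, then report whatever could not be replaced (the "few" that did not get overwritten). The script below is an added example, not InSane's batch file or any vendor's tool. It parses constructed log lines (the format is invented for the example, not Sophos's real log format), copies each listed file from a clean mirror into the infected tree, verifies the copy by SHA-256, and returns the files that were missing from the mirror so they can be restored from installation media instead, which is what the ZDNet guide's extract steps cover.

```python
"""Restore scanner-flagged files from a clean mirror of the Windows directory."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed log lines: a DOS path, whitespace, then a free-text verdict.
# This layout is invented for the example and is not any scanner's real format.
SAMPLE_LOG = """\
C:\\WINDOWS\\NOTEPAD.EXE        infected: W95/MTX
C:\\WINDOWS\\CALC.EXE           infected: W95/MTX
C:\\WINDOWS\\SYSTEM\\FOO.EXE    infected: W95/MTX
C:\\WINDOWS\\WIN.INI            clean
"""

LOG_LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<verdict>.*)$")


def parse_infected_paths(log_text: str, windows_prefix: str = "C:\\WINDOWS\\") -> list:
    """Return paths relative to the Windows directory for lines whose verdict says 'infected'."""
    rel_paths = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or not m.group("verdict").lower().startswith("infected"):
            continue
        path = m.group("path")
        if path.upper().startswith(windows_prefix.upper()):
            # Convert "SYSTEM\FOO.EXE" to "SYSTEM/FOO.EXE" so pathlib can join it.
            rel_paths.append(path[len(windows_prefix):].replace("\\", "/"))
    return rel_paths


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def restore_from_clean_copy(rel_paths, infected_root: Path, clean_root: Path):
    """Overwrite each listed file from the clean mirror; return (restored, missing)."""
    restored, missing = [], []
    for rel in rel_paths:
        src = clean_root / rel
        dst = infected_root / rel
        if not src.is_file():
            missing.append(rel)     # cannot be fixed from the mirror
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
        if sha256_of(src) != sha256_of(dst):
            raise RuntimeError(f"verification failed for {rel}")
        restored.append(rel)
    return restored, missing


def demo() -> dict:
    """Build a throw-away infected tree and clean mirror, run the restore, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = Path(tmp) / "infected_windows"
        clean = Path(tmp) / "clean_windows"
        # Constructed contents: the "infected" copies differ from the clean ones.
        for rel in ("NOTEPAD.EXE", "CALC.EXE", "SYSTEM/FOO.EXE"):
            p = infected / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"MZ infected " + rel.encode())
        for rel in ("NOTEPAD.EXE", "CALC.EXE"):     # FOO.EXE is absent from the mirror
            p = clean / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"MZ clean " + rel.encode())

        rel_paths = parse_infected_paths(SAMPLE_LOG)
        restored, missing = restore_from_clean_copy(rel_paths, infected, clean)
        matches = all(sha256_of(clean / r) == sha256_of(infected / r) for r in restored)
        return {"parsed": rel_paths, "restored": restored,
                "missing": missing, "verified": matches}


if __name__ == "__main__":
    print(demo())
```

The hash check matters in practice: a file-infecting virus that is still resident can re-infect a file the moment it is written, which is why the post does the copying from DOS rather than from inside the running Windows.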


Hoody

Oct 27, 2000, 9:20:26 AM

InSane wrote:
>as far as I know even an updated Sophos didn't help...

Sorry for continuing the off-topic, but the matter is extremely
important, because, as it turns out, lots of group members got infected,
and MTX is still being sent around intensively!

As for Sophos:
1. was the update from October (Sophos's October database
already contains this MTX nasty)?
2. S. may not have helped, because the actions it takes depend on the
configured parameters

Hoody

