What is MTX Virus and How Did I Get It?

The W95.MTX virus is a particularly nasty virus that wreaks havoc on a
system. It's generally contracted by opening an attachment with one of
the following names:
       
I_wanna_see_you.txt.pif 
Matrix_screen_saver.scr 
Love_letter_for_you.txt.pif 
New_playboy_screen_saver.scr 
Bill_gates_piece.jpg.pif 
Tiazinha.jpg.pif 
Feiticeira_nua.jpg.pif 
Geocities_free_sites.txt.pif 
New_napster_site.txt.pif 
Metallica_song.mp3.pif 
Anti_cih.exe 
Internet_security_forum.doc.pif 
Alanis_screen_saver.scr 
Reader_digest_letter.txt.pif 
Win_$100_now.doc.pif 
Is_linux_good_enough!.txt.pif 
Qi_test.exe 
Avp_updates.exe 
Seicho_no_ie.exe 
You_are_fat!.txt.pif 
Free_xxx_sites.txt.pif 
I_am_sorry.doc.pif 
Me_nude.avi.pif 
Sorry_about_yesterday.doc.pif 
Protect_your_credit.html.pif 
Jimi_hendrix.mp3.pif 
Hanson.scr 
F___ing_with_dogs.scr 
Matrix_2_is_out.scr 
Zipped_files.exe 
Blink_182.mp3.pif 
       
      
      
      
      
        
          
Most of these files are .pif files, or Program Information Files, which
Windows uses to run DOS programs. Since a PIF file is executable in
Windows, double-clicking one of these files activates the virus and the
trouble starts.
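
As an added illustration (not part of the original page), the Python check below flags attachment names whose final extension is one of the executable types in the list above, and marks them as disguised when an inner extension imitates a document or media file. The function names and the two extension sets are assumptions built from that list.

```python
import ntpath

# Final extensions from the list above that Windows runs on double-click.
EXECUTABLE = {".pif", ".scr", ".exe"}
# Harmless-looking inner extensions used as decoys in the list above.
DECOY = {".txt", ".doc", ".jpg", ".mp3", ".avi", ".html"}


def classify(attachment_name):
    """Return 'disguised', 'executable' or 'ok' for an attachment file name."""
    # Windows drops trailing dots and spaces from file names, so "x.pif. "
    # is saved and run as "x.pif"; normalise before looking at the extension.
    base = ntpath.basename(attachment_name.strip().rstrip(". "))
    stem, last = ntpath.splitext(base.lower())
    if last not in EXECUTABLE:
        return "ok"
    _, inner = ntpath.splitext(stem)
    return "disguised" if inner in DECOY else "executable"


def flagged(names):
    """Return (name, verdict) pairs for every name that should be blocked."""
    return [(n, classify(n)) for n in names if classify(n) != "ok"]


# Constructed sample: three names from the list above plus two benign ones.
SAMPLE = [
    "Love_letter_for_you.txt.pif",
    "Matrix_screen_saver.scr",
    "holiday.jpg",
    "Win_$100_now.doc.pif ",
    "minutes.doc",
]

if __name__ == "__main__":
    for name, verdict in flagged(SAMPLE):
        print(verdict, repr(name))
```

Only the last extension decides how Windows opens the file, which is why a name ending in .txt.pif is treated as a program and not as a text file.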
             
The virus is distributed via email. It can also block access to certain
web sites and hide itself from the anti-virus software used to detect
it. Lastly, it corrupts certain Windows files beyond repair.

Technical Description of How W95.MTX Infects a System
       
The program has a virus component and a worm component. It travels via
email and infects some Win32 executable files in specific directories.  
       
The worm component makes a copy of Wsock32.dll and names it
Wsock32.mtx. The virus mails a copy of the worm to anyone receiving an
email from the infected computer.  
       
Wininit.ini is created by this component, which causes Wsock32.dll to
be deleted and Wsock32.mtx to be renamed to Wsock32.dll. When the
computer is restarted, wininit.ini executes the virus. 
       
The virus component hides from certain anti-virus software and creates
three hidden files in the computer's Windows directory. These files
are:
       
ie_pack.exe 
mtx_.exe 
win32.dll 
       
The MTX_.exe file is used as a downloader program that can download
plugins for the virus. It is invisible in the task list, however, so
it's harder to detect.
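
The check below is an added example, not code from the original page or from any anti-virus vendor: it looks in the [rename] section of a wininit.ini and in a Windows directory listing for the changes described above. The function names and both sample inputs are constructed for illustration.

```python
import ntpath

DROPPED = {"ie_pack.exe", "mtx_.exe", "win32.dll"}  # hidden files named above


def pending_renames(wininit_text):
    """Parse the [rename] section of wininit.ini into (destination, source) pairs.

    Each line is destination=source; a destination of NUL means "delete source".
    configparser is avoided because NUL may legitimately repeat as a key.
    """
    ops, in_rename = [], False
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            ops.append((dest, src))
    return ops


def mtx_findings(wininit_text, windows_dir_listing):
    """Return findings that match the behaviour described in this section."""
    findings = []
    for dest, src in pending_renames(wininit_text):
        d, s = ntpath.basename(dest).lower(), ntpath.basename(src).lower()
        if dest.upper() == "NUL" and s == "wsock32.dll":
            findings.append("wininit.ini deletes wsock32.dll at next boot")
        elif d == "wsock32.dll" and s == "wsock32.mtx":
            findings.append("wininit.ini replaces wsock32.dll with wsock32.mtx")
    for name in windows_dir_listing:
        if name.lower() in DROPPED:
            findings.append("dropped file present: " + name.lower())
    return findings


# Constructed sample input (not captured from a real infection).
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX
"""
SAMPLE_LISTING = ["EXPLORER.EXE", "MTX_.EXE", "WIN32.DLL", "NOTEPAD.EXE"]
```

Legitimate installers also write wininit.ini to replace files that are in use, which is why the check reads the entries instead of treating the file's existence as a sign of infection.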

How to Clean/Delete the MTX Virus?

Unfortunately, this is a VERY DIFFICULT virus to remove. It alters some
system files beyond repair. In some cases you will not be able to start
Windows until you restore the original files from a Windows CD or from
.cab files. You should create a startup disk with CD-ROM drivers on it
before attempting to remove this virus.
       
Next, you'll probably want to download a cleaner/remover from Symantec's
website. It's called fixmtx.exe and can be found at
http://www.symantec.com/avcenter/venc/data/w95.mtx.fix.html.
Save the file on your Windows desktop.
       
First, remove the registry entries and delete the files the virus
created.

- Click START|RUN. Type REGEDIT and hit the ENTER key.

- In the left panel, click the "+" to the left of each of the following:

  HKEY_LOCAL_MACHINE
  Software
  Microsoft
  Windows
  CurrentVersion
  Run

  If this contains the value
  SystemBackup = "c:\windows\mtx_.exe"
  delete that entire entry by pressing the DELETE key. Answer YES when
  asked to confirm.

- Next, look for the following registry entry:

  HKEY_LOCAL_MACHINE
  Software
  (MATRIX)

  Delete this key too and close regedit.

- Click START|Find. Type "wininit.ini". In the "Look in" list box,
  select drive C and hit the ENTER key. If it returns a file matching
  the search, highlight it and press the DELETE key.

- Click START|Find. Type "wsock32.mtx". In the "Look in" list box,
  select drive c:\ and hit the ENTER key. If it returns a file matching
  the search, highlight it and press the DELETE key.
       
Now, run the fixmtx.exe cleaner from Symantec to discover which files
are infected with MTX.

- Close all programs, including your Web Browser.

- Click Start, point to Programs, and then click MS-DOS Prompt. An
  MS-DOS window will open.

- Change to the location where you saved the fixmtx.exe tool by typing
  the following and pressing Enter:

  cd \windows\desktop\fixmtx

- At the C:\windows\desktop\fixmtx> prompt, type the following and press
  Enter to scan ALL FILES ON THE INFECTED SYSTEM:

  fixmtx c:\
       
The fixmtx tool will give you information about what could be repaired
and what couldn't. In general, you will have to extract new versions of
wsock32.dll, explorer.exe, and rundll.exe from your installation CD or
.cab files, since those files will be unrepairable.

This extraction of new files should be done from a DOS prompt. You'll
want to boot to DOS using the startup disk you should have made before
you started any of this.

Extract new copies of the Wsock32.dll, Explorer.exe, and Rundll32.exe files

This is necessary because these files have very likely been infected by
the virus and are critical for accessing the Internet and using the
computer. You need to use the Extract command at a DOS prompt to
restore good copies of these files from the Windows installation files.
       
There are two locations from which these files can be extracted:

How to extract files that are located on the hard drive

- Type the following and then press Enter:

  dir /s \precopy1.cab

  This will search the hard drive for the location of the Cab files. If
  the file is not found, it is likely that the Cab files are not on the
  hard drive. Skip to the section How to extract files that are located
  on the installation CD.

- Write down the location that follows "Directory of," for example,
  C:\Windows\Options\Cabs.

- Change to the directory whose location you wrote down in the previous
  step by typing cd followed by the path. For example, to change to the
  location shown in step 2, type the following command and then press
  Enter:

  cd \windows\options\cabs

- What you do next depends on which operating system you are using:

  NOTES:

  - If, after entering any of these commands, you see a message such as
    "File not found," type the command again to make sure that it was
    typed exactly as shown.
  - If you see a message asking if you want to overwrite a file
    (Yes/No/All), type Y and then press Enter.
  - If you have Windows installed to a different location, please make
    the appropriate substitutions.

  If you are using Windows 98, type the following commands and press
  Enter after each one:

  extract /a precopy1.cab wsock32.dll /l c:\windows\system
  extract /a win98_40.cab explorer.exe /l c:\windows
  extract /a win98_40.cab rundll32.exe /l c:\windows

  If you are using Windows 95, type the following commands and press
  Enter after each one:

  extract /a win95_10.cab wsock32.dll /l c:\windows\system
  extract /a win95_10.cab explorer.exe /l c:\windows
  extract /a win95_10.cab rundll32.exe /l c:\windows

  If you experience no error messages, then you are finished with the
  extraction process. Go on to the section Edit the registry. Caution:
  On occasion, other files, such as taskmon.exe, can also be corrupted
  beyond repair and must be replaced. Use the same procedure seen above
  to replace these files.
       
How to extract files that are located on the installation CD

- Insert the Windows 98 Startup disk in the floppy disk drive.

- Insert the Windows 98 installation CD in the CD-ROM drive.

- Turn off the computer and wait thirty seconds.

- Turn on the computer. The computer will start to a startup menu.

- The default menu item is Start Computer with CD-ROM Support. Do not
  change this, but instead press Enter.

- Allow the computer to finish booting to an A: prompt. This could take
  a few minutes.

- The next step is to change to the CD-ROM drive. Because you are using
  the Startup disk, the drive letter will be one letter greater than the
  drive letter that usually represents the CD-ROM drive. For example, if
  the CD-ROM drive is the D: drive in Windows, it will now be the E:
  drive.

  Type the following, changing the drive letter as necessary, and then
  press Enter:

  E:\Win98 (If the installation disk is for Windows 98)

  or

  E:\Win95 (If the installation disk is for Windows 95)

  If you see an error message, try retyping the command with a different
  drive letter, for example, F:\Win98.

- What you do next depends on which operating system you are using:

  NOTES:

  - If, after entering any of these commands, you see a message such as
    "File not found," type the command again to make sure that it was
    typed exactly as shown.
  - If you see a message asking if you want to overwrite a file
    (Yes/No/All), type Y and then press Enter.
  - If you have Windows installed to a different location, please make
    the appropriate substitutions.

  If you are using Windows 98, type the following commands and press
  Enter after each one:

  extract /a precopy1.cab wsock32.dll /l c:\windows\system
  extract /a win98_40.cab explorer.exe /l c:\windows
  extract /a win98_40.cab rundll32.exe /l c:\windows

  If you are using Windows 95, type the following commands and press
  Enter after each one:

  extract /a win95_10.cab wsock32.dll /l c:\windows\system
  extract /a win95_10.cab explorer.exe /l c:\windows
  extract /a win95_10.cab rundll32.exe /l c:\windows

       
Reboot the computer and run a virus check.

Hopefully, the MTX virus will be out of your system at this point. 90%
of the time, I've been able to clean it using this method; however, I
have experienced a couple of systems where the virus would return again
and again. I had to reformat these systems to absolutely clean it.

Good luck with cleaning the MTX virus. It is a nasty one that is VERY
HARD to get rid of. I hope these instructions help.

Links to:

- Norton's MTX Removal Page
- McAfee's MTX Removal Page
- PC-Cillin's MTX Page
      
        