"MTX" Removal Instructions

Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)


Removal Helper Utility! - Graciously developed by Robert Green
Please read all of the information contained on this page thoroughly before proceeding.

  *REMMTX.EXE
(**The most convenient option | self-extracting executable)

  *REMMTX.zip
  (zipped archive)
  *Contains five files:
  1. Findcd.bat
  2. findcd.com
  3. Mtx.reg
  4. Readme.txt
  5. Remmtx.bat

**REMMTX.EXE will create the FSI directory and F-PROT should be unzipped to that directory.

Please NOTE: REMMTX.EXE can only be run in Windows.

If you're having problems, start the PC in Windows Safe mode to run REMMTX.EXE and install files on the hard drive.

Please carefully read all of the instructions below...

Quoted from Robert Green's "Documentation for REMMTX.BAT" (included in Readme.txt):

SARC (Symantec Antivirus Research Center) notes in its description of this virus that it is "complex and difficult to remove," and this has, in fact, been the case. REMMTX.BAT is offered as an attempt to alleviate the difficulties and simplify the removal of this virus for inexperienced, and non-technical users of Win95, 98, and ME, especially those not familiar or comfortable with the DOS command line.

REMMTX will delete files dropped by MTX in the Windows directory, rename WSOCK32.DLL (which the virus modifies) to WSOCK32.MTX, remove data placed by MTX in the registry autorun key, extract a fresh WSOCK32.DLL (if the CAB file containing it is available), and start the F-PROT command line scanner.

Planning the Cleanup

The user has to make a decision about how to approach the MTX cleanup. Will you delete and then replace infected files, or will you have the scanner attempt to disinfect them?

Delete and replace method:

PRO: the infected system can be returned to a pristine condition, which is not necessarily the case when disinfecting.

CON: the user has to go through the procedure of reinstalling Windows and, perhaps, some or all of his/her applications.

Disinfection method:

PRO: can get the infected system back into service more quickly and (possibly but not necessarily) avoids the hassles of a reinstallation.

CON: the scanner may not be able to disinfect all infected files or may leave some files damaged after disinfection (these are unavoidable outcomes of the method the virus uses to infect files). This can lead to a need to replace some files, or to operational issues after the disinfection, which can result in a need to completely reinstall everything.

For both of the above methods there have been reports of both success and of difficulties.

In most cases the delete and replace method will be the best choice.

Also, the replacement of WSOCK32.DLL must be planned for. In most cases this will be a simple matter, as the DLL will be available in a CAB file located on the hard drive. If it is not, however, then it needs to be extracted from the original Windows installation media, if available. See the Restore WSOCK32.DLL page of this Web site for details.

For extraction from CDROM, you must load the DOS driver for your CDROM drive and MSCDEX.EXE in order for the CDROM to be accessible. The easiest way to do this is to boot the infected computer from a Windows EBD (emergency boot disk). The EBD *must* be one made on the same version of Windows that is on the infected hard disk. The extraction will fail otherwise.

The Windows95 EBD does not contain the necessary drivers for CDROM support. You can get a Win95 boot disk that does have CDROM support from www.bootdisk.com.

If the original Windows installation media is floppy disk, simply have your diskettes handy when you run REMMTX.BAT.

For WindowsME you will *have to boot from EBD* in order to have the DOS functionality for REMMTX.BAT to run at all.
  1. Insert a formatted diskette
  2. Control Panel
  3. Add/Remove Programs
  4. Startup Disk
  5. Create Startup Disk

Preparing for the Cleanup

  1. Download the REMMTX.EXE self-extracting archive (if you haven't already) and execute it. The files will be extracted to the directory C:\FSI (by default, but you can change the directory name, if you prefer).
  2. Download F-PROT for DOS - f-prot.zip (if you haven't already).
  3. Unzip f-prot.zip into the FSI directory.
  4. Restart in DOS mode. [Note: some users will need to boot to DOS with a Windows EBD (emergency boot disk) in order to have DOS mode CDROM support. See the section "Planning the cleanup" above].

You must run REMMTX from a *pure* DOS prompt, not a Windows DOS box.

Running REMMTX.BAT after floppy boot:

  1. At the A:\> prompt, type C:     then press Enter
    type CD FSI     then press Enter
    type REMMTX     then press Enter
  2. Follow the prompts, normally selecting y(es).
  3. The first time you run REMMTX, select 3 for the scan option
    "Only report infected files"
    (This will let F-PROT scan the system and report infections without disinfecting or deleting any files. You can then view the report and see the extent of the infection. That may help you choose whether to delete and reinstall or disinfect the infected files. You can then start REMMTX again. It will go directly to the scan menu and you can select the cleanup option you have chosen.)
  4. Select y(es) to read the scan report. To manipulate in the DOS Editor use the up/down arrow keys. To exit from the Editor press Alt then down arrow to Exit. Press Enter.
  5. Reinstall Windows and any applications, if necessary.

Files Needed by REMMTX

REMMTX checks for the existence of the following files, and will not run unless they are all found.

%winbootdir%\COMMAND\CHOICE.COM
%winbootdir%\COMMAND\ATTRIB.EXE
%winbootdir%\COMMAND\EXTRACT.EXE
%winbootdir%\REGEDIT.EXE
MTX.REG
FINDCD.COM
FINDCD.BAT
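
A report-only pre-flight check for the file list above, written for the same pure DOS prompt (an added example, not part of Robert Green's REMMTX package). The name PREFLT.BAT and the variables WDIR and MISSING are hypothetical, and it assumes it is run from the FSI directory:

```bat
@ECHO OFF
REM PREFLT.BAT (hypothetical name): added example, not part of REMMTX.
REM Run from the FSI directory at a pure DOS prompt. It only reports
REM which of the files REMMTX requires cannot be found; it changes nothing.

REM Assumption: if %winbootdir% is empty, pass the Windows directory
REM as the first argument, for example:  PREFLT C:\WINDOWS
SET WDIR=%winbootdir%
IF NOT "%1"=="" SET WDIR=%1
IF "%WDIR%"=="" GOTO NODIR

SET MISSING=

REM Tools that ship with Windows, in the COMMAND subdirectory.
FOR %%F IN (CHOICE.COM ATTRIB.EXE EXTRACT.EXE) DO IF NOT EXIST %WDIR%\COMMAND\%%F ECHO Missing: %%F
FOR %%F IN (CHOICE.COM ATTRIB.EXE EXTRACT.EXE) DO IF NOT EXIST %WDIR%\COMMAND\%%F SET MISSING=1

REM REGEDIT.EXE sits in the Windows directory itself.
IF NOT EXIST %WDIR%\REGEDIT.EXE ECHO Missing: REGEDIT.EXE
IF NOT EXIST %WDIR%\REGEDIT.EXE SET MISSING=1

REM Files from the REMMTX archive, expected in the current directory.
FOR %%F IN (MTX.REG FINDCD.COM FINDCD.BAT) DO IF NOT EXIST %%F ECHO Missing: %%F
FOR %%F IN (MTX.REG FINDCD.COM FINDCD.BAT) DO IF NOT EXIST %%F SET MISSING=1

IF "%MISSING%"=="1" GOTO FAIL
ECHO All seven files were found.
GOTO END

:NODIR
ECHO winbootdir is not set. Run again as:  PREFLT C:\WINDOWS
GOTO END

:FAIL
ECHO Restore the files listed above before starting REMMTX.

:END
REM Clear the temporary variables so they do not use environment space.
SET WDIR=
SET MISSING=
```
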

Windows Millennium users please note:

If you can't clean or delete infected files from the _Restore\Temp or _Restore\Archive folders... read this.

In the event REMMTX.BAT fails to extract the WSOCK32.DLL from the CAB file for some reason, see the Wsock32 extraction page on this Web site.

F-PROT anti-virus. (Detailed F-PROT for DOS Instructions here.)
REMMTX.EXE.
Restore Wsock32.dll Details.


- End Removal Instructions -


© Claymania Creations 2001 - 2008. All rights reserved.

Rev. "A"   03/10/2001