    Khalvynnov Posts: 63, Reputation: 1
    Junior Member
     
    #1

    Jan 29, 2005, 07:37 PM
    Hi, me again... another annoying problem =/
    Ok this is getting really, really dumb. This computer must like to be infected, invaded... or whatever.
    I did a virus check at Trendmicro and I had 4 Trojan horse viruses (more often than not I might add)... so here I have this one called mmups.exe
    I can't delete it with the virus scanner because the scanner says the mmups is in use and I don't know what could possibly be using it.

    Any suggestion on how to get rid of it? I tried to delete it manually but it told me that the specified file is being used for windows.
    psi42 Posts: 599, Reputation: 13
    Senior Member
     
    #2

    Jan 29, 2005, 08:27 PM
    I believe mmups.exe is part of a spyware package, so antispyware programs such as ad-aware and spybot should be able to pick it up and remove it.

    Try booting into Safe Mode (press F8 just before the windows splash screen), and then run your antivirus/antispyware from there...
    fredg Posts: 4,926, Reputation: 674
    Ultra Member
     
    #3

    Jan 30, 2005, 06:23 AM
    Spyware
    Hi,
    psi42's suggestion about running in SafeMode would be what I suggest also.

    Here is a listing of steps to get rid of most spyware/malware/advertising files and registry entries safely:

    If you think you already have Spyware/Advertising Ware in your computer, run these as follows:

    http://www.security-related.com/download2.htm
    Download: SpyBot Search & Destroy; 1.3

    AdAware at:
    www.lavasoftusa.com
    Download: AdAware_SE

    CWShredder at:
    http://www.download.com/CWShredder/3...ml?tag=lst-0-1
    (CWShredder is intended only for removal of CoolWebSearch files; placed as spyware on the harddrive). It is not a "stand alone" scan, but needs to be run.

    All 3 of the above programs run better and much faster when run in SafeMode.
    To get into SafeMode:

    Re-boot the computer, and immediately after starting up, Press and hold down, F8, at top of keypad.
    When the options show on the screen, use the up and down arrow keys on the keyboard to select
    "Safe Mode".
    Press Enter

    It's best to run the AdAware scan first; 3 times; then re-boot.
    Then, run the AdAware scan again 3 times; then run the SpyBot. Then, run CWShredder.
    Re-boot.
    Reason for running so many times:
    Some of these trojans' files can be deleted the first time; leaving some others; but on re-boot, they re-write the files that were deleted.
    Running multiple times deletes most of it the first time.

    If you wish to have a great program, after you clean out Spyware/Advertising Ware:
    SpyWare Blaster 3.2
    Great, free, program that STOPS spyware, trojans, home page hijacks, etc, BEFORE they get into your computer. Check it out at CNET at link:

    http://www.download.com/SpywareBlast...ml?tag=lst-0-2

    Two Tips:
    If you notice the little green computer lights that show your dial-up connection to the internet staying on when they shouldn't be, located on the bottom right of the system tray, disconnect immediately and run AdAware. These lights staying on means that some URL is sending or receiving spyware/advertising ware to or from your computer, most of the time.

    Other Tip: After being on the net, if you have visited any sites you don't really trust, then run AdAware BEFORE you shut down or re-start the computer. This will delete any Spyware easier, before the computer can configure it, set it up, spread it throughout the Registry, and make it more difficult to remove after re-booting.

    Best of luck,
    fredg
    SESaskDFC Posts: 214, Reputation: 17
    Full Member
     
    #4

    Jan 30, 2005, 06:43 AM
    Howdy:

    The Safe Mode method may work here but, if it doesn't, try going into start>Run type in msconfig and click "okay"..

    Now, click on the "Startup" tab and look for the mmups.exe (or anything that looks like it) and uncheck it.. Apply to save the change and okay out.. You will probably have to reboot..

    When you reboot, you may get a message that you have changed the startup folder and are running "selective startup".. just okay through those..

    Now try running SpyBot and Ad-Aware.. If everything clears, go back into msconfig and select "normal startup" on the first page that opens..

    Murray
    Khalvynnov Posts: 63, Reputation: 1
    Junior Member
     
    #5

    Feb 1, 2005, 07:33 AM
    Still have the mmups.exe problem
    I don't know what to do... I've tried all the ideas you all suggested and still it remains. I don't think it's doing any harm, but what do I know I'm just a noob lol when it comes to these things.
    I tried the safe mode thing... nothing
    I tried dl'n the spyware... nothing. (although others were detected and destroyed :D)

    So now what? Seems like I'm stuck with this problem till I get another computer eh?

    Although I do think it does send info somewhere, because about every 5-10 minutes whether I'm surfing the net or playing a game or whatever, the window I am in goes from blue to grey (like another window has opened up) then I have to click on the window that I am on to use it again.
    fredg Posts: 4,926, Reputation: 674
    Ultra Member
     
    #6

    Feb 1, 2005, 07:53 AM
    mmups.exe
    Hi,
    After a thorough research effort, the mmups.exe file is also called mediamotor.exe.
    Good name, mediamotor! Sounds like it's motoring itself through your computer.

    Here is a suggestion on how to get rid of it; but not sure it will work.
    Have you ever edited the Registry? Here are steps to try:

    To Edit the Registry:
    First, back up your Registry. The simplest way to do it is to shut down the computer, wait a few seconds, then turn it back on. It will automatically back up the Registry when booting up.

    BE CAREFUL when deleting things from the Registry; your computer might not re-boot.

    Here are steps for deleting things that startup when you boot up the computer:

    Go to Start/Run. Type in "regedit" without quotes, then click on OK.
    At the top, Click on "Edit", then "Find".
    In the space Find What: type in what you want to find. (in this case, start with "mediamotor", without quotes).
    Then, uncheck "Match whole string only". This will stop the search at anything with the word mediamotor in it.
    Then click "Find Next". It will search the registry for the first entry you typed in.
    It will "open" a folder on the left hand side of the screen, showing what is in the folder on the right hand side. If you know that an entry on the right hand side is something you no longer have, or has just been added with a name you don't know, then right click on it, then left click "delete", tell it Yes or OK to remove it. If the right hand side has the word mediamotor, then delete it.
    Then, press F3 on the top of the keypad to continue the search.
    When finished, at the top, click on File, Exit.

    Then, search the RUN folders for the word mediamotor or mmups.
    Any StartUp programs, that start when the computer boots up will be listed in folders on the left hand side of the screen with names like:
    RUN, RUNSERVICES, RUNONCE, RUN-, etc.
    Click on the next folder down with the name RUN in it, to look at its startups on the right hand side.

    You can also search for other words, rather than RUN, such as Hotsearchbar; or whatever; and delete values on the right hand side associated with it.

    Best of luck,
    fredg
    SESaskDFC Posts: 214, Reputation: 17
    Full Member
     
    #7

    Feb 1, 2005, 08:05 AM
    Okay.. download the following program, unzip it and install it to its own directory..

    http://www.merijn.org/files/hijackthis.zip

    Once that is done, boot into Safe Mode and run both SpyBot and Ad-Aware SE deleting everything they find and mark as safe to remove..

    Next, close ALL browser windows and run a scan using HiJackThis.. Once the scan is finished, save it to WordPad...

    Now, reboot normally and copy and paste the ENTIRE HJT log here..

    Murray
    Khalvynnov Posts: 63, Reputation: 1
    Junior Member
     
    #8

    Feb 1, 2005, 01:44 PM
    When I did a reg check for "run" I found this, is it something I need to delete?

    C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32

    It was in the sharedDLLs registry files... I haven't deleted it but I thought I'd check here to find out if it is OK to leave it or not. I'm guessing that it's OK but just want to make sure so I don't mess up anything lol.

    Also found

    DXM_runtime?
    Overrun?
    Runsearch.com?
    @inetplc.dll,-4474?

    Have no idea what these are, guess I can always Google them.

    Thanks for the help to all, I really appreciate it :)
    Khalvynnov Posts: 63, Reputation: 1
    Junior Member
     
    #9

    Feb 1, 2005, 02:08 PM
    Hijack This
    Ok I just ran this hijack program and saved a rundown of what it did. I didn't delete anything because... I'm a noob :P


    Logfile of HijackThis v1.99.0
    Scan saved at 12:44:13 PM, on 01/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKCU\.. \Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/def...ploader_v6.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab33902.cab
    Rest of this msn lol

    so I see no mmups.exe and sorry to say is still there :(

    I think my computer is just too dumb for this problem.
    SESaskDFC Posts: 214, Reputation: 17
    Full Member
     
    #10

    Feb 2, 2005, 06:49 AM
    That seems a little empty for an HJT log..

    Run another scan and put a check beside the following and use the "fix" option..

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.begin2search.com/sidesearch.html

    You can also remove all the O16 items as they will be rebuilt if needed when you start the program..

    Once that is done, reboot and run another scan..

    Murray
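
As an added example (not part of any post in this thread): a short Python parser for the HijackThis log layout pasted in post #9, which separates the running-process list from the coded entries, lists the O4 autostart lines, and checks whether a given file name appears anywhere in the log. The sample log is constructed for illustration and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.99 layout seen in post #9 (not the poster's log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.example/side.html
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://download.example/ctl.cab
"""

# Coded entries look like "R1 - ..." or "O16 - ...": a letter, one or two digits, " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Return (running_processes, {section_code: [entry_text, ...]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False              # the process list ends at the first coded entry
            entries[m.group(1)].append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def find_name(text, needle):
    """List every place a file name appears: a running process or any coded entry."""
    processes, entries = parse_hjt(text)
    needle = needle.lower()
    hits = [("process", p) for p in processes if needle in p.lower()]
    for code, items in entries.items():
        hits += [(code, e) for e in items if needle in e.lower()]
    return hits

def autostarts(text):
    """O4 lines are the Run-key and Startup-folder entries launched at boot."""
    return parse_hjt(text)[1].get("O4", [])

if __name__ == "__main__":
    print("mmups.exe hits:", find_name(SAMPLE_LOG, "mmups.exe"))
    for entry in autostarts(SAMPLE_LOG):
        print("autostart:", entry)
```

An empty result from `find_name` only says the name is absent from that particular log; the process list reflects what was running at the moment the scan was saved.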
