

Can't fix this Trojan


Name: chrisfoot
Date: January 26, 2004 at 05:04:36 Pacific
OS: 98SE
CPU/Ram: 500 MEG
Comment:

I have a virus that keeps putting msupdate.exe into my startup. I run msconfig and remove it. It keeps going back in. I ran a trojan checker and it came back and said that my msupdate registry entry has also been changed to "%1 *%" which it says is bad. It then says I have an unidentified trojan process running.

The trojan checker says that it should change the registry entry back to the original. I say OK but next time I reboot it is changed back.

Before the registry is changed I can't run anything in my control panel. When the registry is changed to the original version everything is OK.

I used RegProtect and it says that something is putting a line with wscript.exe in it with "%1 *%" which is bad. When it does run, it sends e-mails out, locks me out from my virus tools and I can't use the control panel. When I tell another tool to remove the wscript.exe entry, I am back to normal. Any idea what I can do? Can I identify what process is doing this?

Logfile of HijackThis v1.97.7
Scan saved at 3:56:32 PM, on 1/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\TPPSTRAY.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\BANETDSL\WINPOET\WINPPPOVERETHERNET.exe
C:\WINDOWS\STARTER.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\LEXMARKX83\ACMONITOR_X83.exe
C:\PROGRAM FILES\LEXMARKX83\ACBTNMGR_X83.exe
C:\WINDOWS\SYSTEM\PRINTRAY.exe
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.exe
C:\PROGRAM FILES\OAK TECHNOLOGY\OAK SIMPLICD\OAKTASK.exe
C:\PROGRAM FILES\OAK TECHNOLOGY\OAK SIMPLICD REWRITE\IWCTRL.exe
C:\WINDOWS\TASKMON.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\KODAK\KODAK PICTURE TRANSFER SOFTWARE\PTS.exe
C:\PROGRAM FILES\CHROMEDATA\AUTOBOOK\AUS.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\READER\ACRORD32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createwebsuccess.com/
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [WinPoET] c:\BANetDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.exe
O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.exe
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\OAKTEC~1\OAKSIM~2\IWCTRL.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TDS3] C:\PROGRAM FILES\TDS3\TDS-3.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: KODAK Picture Transfer Software.lnk = C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Auto Update System.lnk = C:\Program Files\ChromeData\AutoBook\AUS.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12b61d2da5adad3fe905/netzip/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab


Response Number 1
Name: blender
Date: January 26, 2004 at 08:02:25 Pacific
Reply:

Hi

I would try CWShredder to check for the CoolWebSearch hijacker/trojan. Msupdate.exe is included in one of the CoolWebSearch variants.
You can download it here: (direct download)

CWShredder.exe

Download the prog, close all browser windows, click "fix", next, exit.
If you get a warning about smartsearch...don't worry about it...the program will run fine with the "random string" it talks about. It does not mean you have it. (I would let it run with the random string...the hijack attempt may be what is shutting off your tools.)

Next put hijackthis in its own folder because it does create backups and will make a mess of your desktop. (You can put the hijack folder in program files if you like just to keep desktop clean)

Start hijackthis, scan, check the following entries:

O1 - Hosts: 203.161.127.141 www.dcsresearch.com (if still there)

O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe (I am not sure why this is in your startups)


O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12b61d2da5adad3fe905/netzip/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

Close all browser windows and click "fix checked"

If you are not using the "mywebsearch" toolbar that can be removed through add/remove programs in control panel. (it will likely take you to a website for removal)
Empty out all your temporary internet files including "offline content"
Control panel> internet options (brings up properties window)

Reboot the computer.

Next (if you haven't already) download Spybot Search and Destroy (spyware detection and removal prog.), install, update, run a scan and remove everything marked in red.
Reboot the computer again and post fresh hijack log.

Spybot download:

Spybot S&D


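Added triage example for the HijackThis log format discussed in this thread (not code from the thread, from HijackThis or from CWShredder): it flags the same kinds of entries blender picked out of the poster's log (a hosts redirect to a non-loopback address, autostarts of suspect file names, ActiveX downloads from untrusted hosts). The sample log, the suspect-name list and the trusted-host list are constructed assumptions for the example.

```python
import re

# Constructed sample in HijackThis v1.97 line format, modelled on the entries discussed above.
SAMPLE_LOG = r"""
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.exe
O4 - HKLM\..\Run: [msupdate] C:\WINDOWS\msupdate.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{GUID-PLACEHOLDER}\misc.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12b61d2da5adad3fe905/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# File names this thread treats as suspicious autostarts (assumed list for the example).
SUSPECT_NAMES = {"msupdate.exe", "misc.exe"}
# A hosts entry pointing a public name anywhere but loopback is a redirect, not a local override.
LOOPBACK = {"127.0.0.1", "0.0.0.0"}
# O16 download sources treated as known vendors (assumed allow-list for the example).
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "www.apple.com",
                     "security.symantec.com", "www-secure.symantec.com"}


def triage(log_text):
    """Return (section, reason, line) tuples for log lines that warrant review."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if section == "O1":
            parts = body.split()  # "Hosts: <ip> <name>"
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                findings.append((section, "hosts redirect to non-loopback address", line))
        elif section == "O4":
            # Startup-folder lines use "name.lnk = path"; Run-key lines use "[name] path args".
            target = body.split("=", 1)[-1] if "Startup:" in body else body.split("]", 1)[-1]
            exe = target.strip().split("\\")[-1].split()[0].strip('"').lower()
            if exe in SUSPECT_NAMES:
                findings.append((section, "autostart of suspect file " + exe, line))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host) or host not in TRUSTED_DPF_HOSTS:
                findings.append((section, "ActiveX download from untrusted host " + host, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(section, "|", reason, "|", line)
```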

Response Number 2
Name: Imp
Date: January 26, 2004 at 18:09:45 Pacific
Reply:

Hello,
Last suggestion, but probably the easiest!!!
Download and install Trojan Remover 6.15; this freeware is a trial for one month, but fully updated...
Read the "helpme" file carefully in order to use the program's two scans correctly: one to check your memory status, the second one to hunt, detect and eradicate the worm hidden in your hard drive...


