For the last few months I have been noticing that the amount of free space on my hard drive has been dropping for no reason at all (anywhere from around 500 MB to 1 GB). Every time I have noticed this, I have not recently downloaded or created any files that would use up even remotely close to that amount of space.
Also, I'm not sure if this is related or not, but I have two files in my Windows directory called winserv.exe and winserv0.exe. Are these supposed to be there or not?
This is leading me to think that I may have a virus or trojan, but when I run my virus scanner (InoculateIT, most recent update) it finds no viruses anywhere. Any help would be appreciated. Oh yeah, and I'm using Windows 98 SE.
Thanks.

Winserv is a trojan. See this link.
http://www.computing.net/security/wwwboard/forum/385.html
Also you should install a firewall. www.zonealarm.com
And, I guess, an antivirus program.

Hi Derek,
Yes! You have a trojan.
Please follow Whitphil's plan and also download a 30 day trial of the anti-trojan prog Trojan Hunter or purchase Boclean. Here's some info on the Trojan horse you've got:
Name: SoftWAR
Aliases: Shadow Thief, Softwarst, Softwar ShadowThieft
Ports: 1207 (???)
Files:
Softwar.zip - 327,765 bytes
Soft-war.zip - 266,469 bytes
Softwar.exe - 228,352 bytes
Softwarst.exe - 357,738 bytes
Trojan.exe - 60,928 bytes
Swizard.exe - 79,872 bytes
Winserv.exe -
Infect1.exe - 16,896 bytes
Infect2.exe - 21,504 bytes
Sample1.exe - 4,096 bytes
Sample2.exe - 8,192 bytes
Pkzip.exe - 42,166 bytes
Pegraft.exe - 72,192 bytes
Mspr.dll -
Server - 8,192 bytes
Client - 94,720 bytes
Created: Oct 1999
Requires:
Actions: Remote Access / Keylogger
Versions:
Registers: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Notes: Works on Windows 95 and 98. English and French versions. Password=
Country: written in France
Program: Written in Assembler (Win32asm).
You can get more info on trojans from the www.thepublicworks.com security section; click on Simovits Consulting. To remove it, click on trojan removal to find out how to manually remove it, but I suggest downloading a copy of the progs I mentioned.
Cheers,
murve

When I went to follow Whitphil's instructions, I did not have NetApp = C:\windows\system\winserv.exe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
But I did see Win Server = C:\windows\winserv.exe so do I need to remove this entry from the registry?
I also downloaded Trojan Hunter and ran full virus scans with both HouseCall and InoculateIT and none of these found anything. Also, it wouldn't hurt anything if I just deleted winserv.exe and winserv0.exe from my Windows directory, would it?
Any ideas? Thanks.

Derrick,
Go to http://www.vbuster.com. Dr. Looi has one of the best anti-virus programs that can detect any virus. Read all about it on that site.
Cheers
Herman.

Addendum
Once you clear the keylogger from your system, CHANGE all your passwords.
If you use the net for banking or buying, check your statements for any fraudulent transactions. Your ID info MAY have been stolen.

"But I did see Win Server = C:\windows\winserv.exe so do I need to remove this entry from the registry?"
YES

OK, I removed the registry items and winserv.exe, but when I reboot, my hard drive space is still down to 500 MB, which it shouldn't be because I just deleted another GB of files before rebooting. Could this be another problem?

My answer to you:
Format, do a full format
and re-install. I can give you an answer to fix your problem,
but the best thing to do is just do a full format
and find some program that can check if your BIOS or CMOS can be infected with the virus also.

InoculateIT expired on the 15th. Did you buy E-Trust, which is the program to replace it? I would say go where Herman said and download the antivirus program if you have not.

Winserve is a Trojan, here's the solution:
It comes from an IE plugin named Net Search. It includes 4 files, and the instructions for removal follow:
Manual Uninstall
1. Close Internet Explorer
2. Click Start
3. Click Run
4. type "regsvr32 systb.dll /u" (without the ")
5. Press "enter" OR "return"
6. type "regsvr32 winobject.dll /u" (without the ")
7. Press "enter" OR "return"
8. Type "msconfig" (without the ", msconfig is usually located in your windows/system directory)
9. Click on "Start Up"
10. "untick" Win Server
11. "untick" Win Server Updt
12. Restart your computer
== once computer restarted ==
13. Click Start
14. Click Search
15. Click For Files or Folders
16. Search for "systb.dll" (without the ")
17. Click on systb.dll on your right once it's found
18. Right mouse click and click on delete
19. Search for "winserv.exe" (without the ")
20. Click on winserv.exe on your right once it's found
21. Right mouse click and click on delete
22. Search for "wupdt.exe" (without the ")
23. Click on wupdt.exe on your right once it's found
24. Right mouse click and click on delete
25. Search for "winobject.dll" (without the ")
26. Click on winobject.dll on your right once it's found
27. Right mouse click and click on delete
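
An added example, not part of any post in this thread: a small Python checker that reads a registry export in the REGEDIT4 text format written by Windows 98's regedit and flags Run-key values matching the value names and file names mentioned above. The sample export and the function names are constructed for illustration.

```python
import re

# Indicators named in the thread: Run value names and dropped file names.
SUSPECT_VALUE_NAMES = {"win server", "win server updt", "netapp"}
SUSPECT_FILES = {"winserv.exe", "winserv0.exe", "wupdt.exe",
                 "systb.dll", "winobject.dll"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"

# Constructed sample export, not data from the poster's machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Win Server"="C:\\windows\\winserv.exe"
"Win Server Updt"="C:\\WINDOWS\\wupdt.exe /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

# "name"="data" with REGEDIT4 backslash escapes (\\ and \") inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
FILE_RE = re.compile(r'[^\\/\s",]+\.(?:exe|dll)')

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def flag_run_entries(export_text):
    """Return Run-key values whose name or target matches the indicators."""
    findings, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the values belong to
            continue
        match = VALUE_RE.match(line)
        if not match or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue                  # only ...\CurrentVersion\Run is checked
        name, data = unescape(match.group(1)), unescape(match.group(2))
        reasons = ["value name"] if name.lower() in SUSPECT_VALUE_NAMES else []
        hits = set(FILE_RE.findall(data.lower())) & SUSPECT_FILES
        reasons += ["file " + f for f in sorted(hits)]
        if reasons:
            findings.append({"key": key, "name": name, "data": data,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(flag_run_entries(SAMPLE_EXPORT))
```

Matching on both the value name and the target file name catches an entry that was renamed but still points at one of the listed files; an empty result only means these specific names were not present in the exported key.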
