I have a trojan horse (whatever that is) on my computer. I'm running XP and tried to use Norton 5.0 to remove it or quarantine it but it failed to do so. Next I downloaded Moosoft The Cleaner but that didn't do anything. I ran an update for both anti virus programs so they are up to date. The winserv.exe file will not remove from the Windows folder either. There was a total of 3 Trojan Horse virus and it failed to fix all of the but it did quarantine 2 of them. So now ther is that one left. What do I do? The winserv.exe file is right protected and doesn't wnt to be removed or cleaned up if ya know what I mean. Anyone else have this problem? Help!!!! :) Thanks!

Run Regedit

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

In the right panel you should see NetApp = C:\windows\system\winserv.exe

Right click on 'NetApp' and choose Delete.
Close regedit and reboot your PC.

You should now be able to delete winserv.exe (which is the trojan)

Also, since you may have had an intruder inside your pc using the trojan, change all passwords, everywhere.

And, install a firewall. www.zonelabs.com
And, start running your virus software all the time. Then the trojan "should" be detected on the way in.

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
there is a folder underneath that called "Run-"

it als has all thatstuff in the folder as the Run folder. hould i delete it there as well?

The items in the RUN- and RUNSERVICES- are programs that you have UNselected. This will NOT start when the PC boots.
From MSCONFIG > Startup tab, these are the ones that are UNselected.

Ok well I ran the trojan remover program first and all it did was rename the extension to .ex$ but I wasn't sure if this really worked so I followed your directions as well as deleting the one in the RUN- folder too. It WORKED!!!! Thank you so much. I have been working at this for days installing al kinds of antivirus stuff. So what do you recommend since you sem to be a guru at this. I have Norton V5. Again, thank you!

Whitphil - I've been battling the same problem since 7 April. Using McAffee, which does not detect the virus in a scan, but does alert me that it is trying to access the Internet illegally..like every 30 seconds. I could not delete it, or edit it, or rename it. Would not let me restart in safe mode or MSDOS mode. Could not delete from DOS screen in Windows. Found reference to "winserve.exe" in registry and tried modifiying command to a different file name, but that did not stop it. Very tenacious. I'll try your registry fix and file delete process tonight.

I also had warnings about other viruses and infected files inclduing Troj-SUA.A, Winobj.dll, IMI Serv, and one other. A bogus toolbar ("newtool" showed up on Explorer with a space for "Netsearch" and buttons for "free date" and "divorce". Can't get rid of it. Hoping the winserve fix will delete this also.

Im running 98 Se and my winserv.exe is not reposnding ..and everything else locks up until I end the winserv task ..but then not everything works , what should i do ?

I have the same trojan and have battled it since mid April. I'm surpised and disappointed that neither Mcafee or Norton even have this listed in their data base. The McAffee scan with the latest data shows no virus, but it is obviously there. I was frustrated because I knew the winserv.exe was the offending file, but the system would not let me delete it, even in the DOS screeen. System would not let me start in DOS mode or Safe mode. The trojan is apparently under constant update. I could find no "NetApp in my registry. The winserve.exe file is assigned to "WinServer in my registry. I deleted this key and was then able to re-boot and delete the winserve.exe file. There is also a key called WinServer Updt tied to C:\WINDOWS\wupdt.exe. I have not deleted it, but think I should, as it might be one of the programs that allows this trojan to update itself every time you go on the Internet. I just learned that SysScan, tied to C:\windows\bvt.exe, is somehow involved with this trojan and I think it all stems from soemthing called TROJ_SUA.A (a.k.a. Backdoor.Autoupder). All of this allows the guy at the other end to have total access to your machine. He can crash it, delete files, steal info, or just play games (like make your start button disappear) at the click of mouse. The trojan apparenty goes out and loads new trojans every time you log on. Nasty stuff.

Anyway- Thanks to WhitPhil for insight into the problem. I think I'm on the road to getting it under control (with little/no help from anti-virus software). I still don't know here it came from. Only that I got it 7 April. I'm surpised there is so little info out there.

heyal,

wow i just found this on my system too and I never get viruses does anyone for sure how or where it came from?

i noticed that the same "end task" problem coming up last few times I was on. i was thinking it was from this email that mcafee detected saying the ".pif" file was infected there was an attachment and i don't open anything usually won't accept any attachments and didn't this one either and mcafee kept asking if i wanted to download file..NO NO NO then i "ALT-DEL" perm delete.

but realized that the email came in today since i've been having probs with my email server [host hadn't switched email to new server] havent been able to even get email without it erroring out..

same 3 files does anyone know where it came from? ....and where they live? {lol, we can all go there just walk in take they're frickin computer from them!}

please feel free to email me at the :

sobelle@ureach.com

with any info,

thank yal for the info supplied very very useful!

southern belle

i also got this trojan horse. it came as an enclosure to an email. you don't have to run the enclosure , just opening the email is enough to launch the virus.
**ANOTHER WAY TO DELETE THE FILE: boot the machine from a safe disk like the Norton antivirus disk, then at the DOS level delete the file. It works!!!

****Question: Do you think it is wise to remove the winserv update software also i.e the file:C:\WINDOWS\wupdt.exe??

I just found I also have this problem (with win98 se). I deleted winserv.exe and winserv0.exe and removed the registry entries, but when I reboot I still have the Net Search toolbar in my IE that Clark mentioned. My remaining hard drive space is still down to 500 mb (it keeps dropping to around this much even when I delete 1 gb or more of files, which lead me to find the problem in the first place).

I have run full scans with Trojan Hunter, InnoculateIT, and Housecall and none of them find anything. Does anyone know how to fix this and what is wrong? Thanks.

I just rebooted and checked my registry and the winserv.exe entry is back again under the Win Server key but the winserv.exe file is still gone from my windows directory. Also, my hard drive space is still down to 500 mb when I should have at least 1.5 gb free.

This sucker just popped up on my system. Appears as wupdt.exe and winserv.exe. Zone Alarm detected it trying to access 64.58.76.228, which lies in the exodus.com/yahoo.com blackhole. Grisoft AV does not seem to detect it. Also found a new search bar in Windows Explorer. Possible sources for infecton would be the only 2 downloads I've made for a week... Panicware's Popup Stopper or TaskInfo2002, both downloaded from download.com (never gonna trust cnet again!). Thanks for the tips.

Is this "winserv" connected to the "winserv" that is part of this download?

http://www.ieplugin.com/

It comes from a IE Plugin named Net Search, it includes 4 files and the instructions for removal follow:

Manual Uninstall

1. Close Internet Explorer
2. Click Start
3. Click Run
4. type "regsvr32 systb.dll /u" (without the ")
5. Press "enter" OR "return"
6. type "regsvr32 winobject.dll /u" (without the ")
7. Press "enter" OR "return"
8. Type "msconfig" (without the ", msconfig is usually located in your windows/system directory)
9. Click on "Start Up"
10. "untick" Win Server
11. "untick" Win Server Updt
12. Restart your computer
== once computer restarted ==
13. Click Start
14. Click Search
15. Click For Files or Folders
16. Search for "systb.dll" (without the ")
17. Click on systb.dll on your right once it's found
18. Right mouse click and click on delete
19. Search for "winserv.exe" (without the ")
20. Click on winserv.exe on your right once it's found
21. Right mouse click and click on delete
22. Search for "wupdt.exe" (without the ")
20. Click on wupdt.exe on your right once it's found
21. Right mouse click and click on delete
20. Search for "winobject.dll" (without the ")
21. Click on winobject.dll on your right once it's found
22. Right mouse click and click on delete

I have also delete winserv.exe and wupdt.exe from my registry.

How do I get rid of the Netsearch extra space in IE? After the space it has Go!,

cont.

after the space it has Go!, ,!-, dating, sports, love, and school
Thanks
Gene

The Wop's instructions seem to have cleansed my computer both of winserv and the annoying extra toolbar in Internet Explorer. Time will only tell to see if it reappears, but for now, it seems to be fixed.

Thanks,
Tyler

I also used the instructions from The Wop for removal and my system seems to work fine also. Thanks for these posts.

Gene, just follow the instructions I sent and you will cleanse yourself of this nasty you got me whether you want me or not program!!!

If you start your program in safe mode, you can erase the winserv.exe file.

This a message to WOP ... Thanx! I followed your instructions and that horrible little beast has been slain.

Another nasty thing it does (what alerted me), is that I wasn't able to get on the net 'cause the trojan was trying to get past our firewall ... so, the firewall blocked my computer completely! Nice firewall LOL

Anyway ... thanx again WoP

I'm just glad to see so many people have had such good luck removing this critter!!! About using safe mode, yes, you can get rid of the .EXE but the wupdt.exe, and the systb.dll, and the winobject.dll will still be there!!! You can also delete these from safe mode but then the registry entries are still there!!! I went to a site and got this d..n NetSearch thing again but this time I got the URL for the company
using this To anyone interested here's the

URL: http://www.ieplugin.com/?10655638

Once again let's REALLY complain and get this thing off the 'Net

I was being rather facetious when I suggested removing it from the 'Net

HELP!!!!!!!!!! I've tried the Wop's instructions and still have the dumb toolbar. When I run the regsvr32 I get this message : Loadlibrary("systb.dll/u"}failed.GetLastError returns 0x00000485.

Any ideas?

lisakprp, it looks to me like you forgot to put a space between the .dll and the switch /u, your command line should look like this regsvr32 systb.dll /u Go ahead and copy and paste this. It'll work I'm sure. Unless you are missing a windows component. I doubt that cause the damn toolbar works in IE

Thank you the Wop! I used your instructions and it worked fine.

Can anyone tell me in detail how to stop this from ever happening again. I have a cable modem and use IE. I also have the latest Norton AntiVirus but obviosly thats not good enough.

To avoid this critter, you may want to try Agnitum Outpost Firewall, it has ad blocking as a plugin and the price is right FREE!!! I'm not 100% sure this will block NetSearch but I'm betting it will. go here to try it out http://www.agnitum.com/products/outpost/

i know where my copy of this came from. it downloaded with a popup stopper from panicware. i downloaded it from cnet.

The program "Ad-Aware" from www.lavasoftusa.com detected this spy-ware and removed it for me, but I had chosen not to remove the "winserv.dll" beacause I thought it was part of windows. When I started Win XP I was told "the file winserv is corrupt, run checkdisk etc.. So I searched for "winserv.exe" and found this forum for help. Thanks to "The wop" for the great instruction for removing the last .dll, But YOU SHOULD ALL get Ad-Aware as it worked flawlessly in finding and removing the "spy-ware", So I guess its maybe NOT a trojan horse after all.

I have tried all of these postings and winserv.exe and wupdt.exe all reappear in my registery after I reboot. Anyone with any ideas.

Thank you!

Thanks Wop for that info..Im an XP user. Im finally rid of that netsearch toolbar. It kept messing with my hotbar also. Glad to have it fixed. Damn Google is the shiznitty.

Here is another fine FREE spyware program, use it in place with Ad-Aware and you will be SPY safe, if you can be spy safe that is!!!
URL: http://patrick.kolla.de/spybotsd.html

By the way it's called Spybot S&D

Almost forgot, here's the website of that nasty NetSearch toolbar, if anyone is interested, give 'em a piece of your mind!
URL: http://www.ieplugin.com/?10655638

ok, I got this darn thing out. I also had recently downloaded PopUp-Stopper from PanicWare as well. My system is running fine again. Should I still uninstall the popup stopper?

ok i'm running windows 98, and i got this stupid bug. the problem is that i only have the wupdt file and not the winserv.

the good news is that if i press control alt delete and end task the program wupdt, my computer works fine

the bad news is that i cant get rid of it via antivirus like everyone else, but i do not have the registry key or anything like that that i can find.

april 15 when i got it, as soon as i accidently let a program called test module 1 connect to the internet (firewall by zonelabs asks me this)

problems include a variety of programs that freeze or just don't load up, and files keep on appering in my windows file that are .tmp. first time i found these files there were 2000+ of them.

tell me if these are the same problems your having, and tell me how to get rid of this thing please! i'm looking your direction wop

These instructions were in an earlier post, and they worked for me. I'm running Win98SE, and IE 6. If you have any questions, or can't figure out what to do, feel free to e-mail me at ch1xxx@cox.net

1. Close Internet Explorer
2. Click Start
3. Click Run
4. type "regsvr32 systb.dll /u" (without the ")
5. Press "enter" OR "return"
6. type "regsvr32 winobject.dll /u" (without the ")
7. Press "enter" OR "return"
8. Type "msconfig" (without the ", msconfig is usually located in your windows/system directory)
9. Click on "Start Up"
10. "untick" Win Server
11. "untick" Win Server Updt
12. Restart your computer
== once computer restarted ==
13. Click Start
14. Click Search
15. Click For Files or Folders
16. Search for "systb.dll" (without the ")
17. Click on systb.dll on your right once it's found
18. Right mouse click and click on delete
19. Search for "winserv.exe" (without the ")
20. Click on winserv.exe on your right once it's found
21. Right mouse click and click on delete
22. Search for "wupdt.exe" (without the ")
20. Click on wupdt.exe on your right once it's found
21. Right mouse click and click on delete
20. Search for "winobject.dll" (without the ")
21. Click on winobject.dll on your right once it's found
22. Right mouse click and click on delete

Ah,how glad I was with this forum!!tried to get rid of it and so many people struggling before me with the fact ,finding out what going on.Think I got it from a webring website ,cannot imaging which one.True is that it crossed the ocean for I am Dutch,thanks everybody especially Wop..miep