
JS_Trafficbar.A virus cure

I just got my first computer 2 months ago, and have PC Cillin as my antivirus.
All was well until yesterday. I received an alert that said a virus was detected. It was JS_TRAFFICBAR.A
A message from Trend Micro said: "This malware sets the Start page and adds an Explorer bar in the Microsoft Internet Explorer browser. It attempts to open several browsers until the infected computer is out of memory resources and hangs."
I have seen the bar once. But mostly, I get tons of pop up ads that keep coming back after I delete them. I also have a very hard time getting out of websites. I exit, and it just goes back to the same page.
I got a Solution from Trend Micro to go to Run and type REGEDIT, then HKEY_LOCAL_MACHINE>Software>Microsoft>Software>Windows>CurrentVersion>Run. And delete any files with %Windows%\sp.reg

But when I do, there are no files there like that. Then it says to go to HKEY_CLASSES_ROOT\CLSID\{69550BE2-A78-11d2-BA91-00600827878D
But, again, there is no file there by that name.
I have tried to scan with Housecalls.antivirus.com, but when I click on Scan, it says the Trend Micro website is not authorized to scan, and clicking on Tech Support, brings up "Page Not Available"
I have emailed Trend Micro, but haven't received a reply yet.
I have a Dell Dimension 4500
Windows XP,
Intel Pentium Processor
1.80 GHz
256 MB memory

What should I do now?
By the way....The PC Cillin says it cannot repair the virus. It has it listed as Quarantined.
sandpines427, welcome to the forums !!!!
I think what you're running into is a JavaScript exploit. If you look at the name of the malware/exploit/annoyance, it has a js.....most of the time it's an applet that either: changes your homepage or something more serious, like do mass mailing, and it has to do with illegal use of <applet> tag...or opens up a security hole through which any other malware/trojan, etc. can be installed on your system....The reason why PC Cillin is saying that it's not there is because PC Cillin is detecting the exploit itself, and it detects it when it's copied to the Temp Int. files. Temp Int. files are deleted as soon as you close the Web page, so the exploit won't be found during a regular scan because it is no longer there. What PC Cillin might have quarantined is something that came through the hole that the actual exploit opened. I have not had any experience with that actual exploit...there aren't that many sources out there about it either...
... some things that you can do:
visit Microsoft's website and patch up your IE
http://support.microsoft.com

Microsoft's how to

get Zone Alarm, if you don't already have it....Windows XP firewall is weak

HTH, please post back
The PC Cillin did pick it up in the scan. But the solution to correcting it led me to files which don't seem to contain it.
The PC Cillin does include a firewall, and I do have it turned on.
(PC Cillin 2002)
Merlin, this is exactly what the definition at Trend Micro says.....

Details:
This is a malicious Jscript code that attempts to connect to and then open this Web site:
http:// www.errorpage404.com/hbar/index.php

This malware sleeps for 10 seconds before it attempts to connect to the site. Upon connection to the Web site, it attempts to open browser windows with advertisements until the affected computer runs out of memory resources. It also contains script codes to set the Microsoft Internet Explorer menu extension, search page and main page to the following Website:
http://www.znext.com/ie/

It creates this registry entry so that the Explorer bar is created by creating the following registry setting and with subentries:

HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11d2-BA91-00600827878D}

The malicious code also drops the file SP.REG into your Windows directory and creates the following auto startup registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"sp=regedit -s %Windir%\sp.reg"

%Windows% is a system variable that expands to your Windows installation directory, e.g., C:\WINDOWS or C:\WINNT.


Description created: Sep. 20, 2002
--------------------------------------------------------------------------------
But when I do all of this, the things it says to delete are not there. Are they only there while the virus is causing problems? The bar that is mentioned has only appeared once. The pop up ads happen all the time, although I've been online for about 1/2 hour now, and it has not been causing any problems so far.
When it does, I have to exit all of the pop ups to get to my START menu to do this.
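Added example (not part of any post in this thread, and not Trend Micro's code): a Python check for the two persistent registry entries named in the description above, run over the text of a regedit export. It assumes the export has already been decoded to text; the sample exports and the `ExampleAV` entry are constructed for illustration.

```python
import re

# Indicators from the Trend Micro description quoted in the thread.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11d2-BA91-00600827878D}"
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample exports (not taken from a real machine).
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\tray.exe\" /min"
"sp"="regedit -s C:\\WINDOWS\\sp.reg"

[HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11d2-BA91-00600827878D}\InProcServer32]
'''
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\tray.exe\" /min"
'''

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # .reg text escapes backslash and quote with a backslash; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_indicators(reg_text):
    """List which of the description's persistent registry entries are present."""
    keys = {k.lower(): v for k, v in parse_reg(reg_text).items()}
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        low = data.lower()
        if "regedit" in low and low.endswith("\\sp.reg"):
            hits.append(f"Run value {name!r} = {data!r}")
    prefix = CLSID_KEY.lower()
    if any(k == prefix or k.startswith(prefix + "\\") for k in keys):
        hits.append("Explorer bar CLSID key present")
    return hits
```

An empty result from `find_indicators` means neither persistent entry is in the export, which matches the situation where the scanner flagged only the cached script.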
Sandpines,
Are they only there while the virus is causing problems?
Yes, basically when you visit a website with illegal jscript, it gets stored in your temp. inter. folder and then PC Cillin sees it and tells you that it found something and it either: got rid of it or quarantined it. When you close the webpage, it's removed from the temp int. files and it's not there anymore...
The bar that is mentioned has only appeared once
The explanation for this: the script code for the bar was stored on your HD...(registry mods, SP.REG in your win directory)...PC Cillin took care of that...

The pop up ads happen all the time,
...this actually works off of a website...basically you have to visit a certain website, the code is executed...does PC Cillin have active script blocking..I had the same problem and I have Zone Alarm so I just put my script blocking on highest setting..now I barely get any popups...pay attention to which websites you go to when popups come up and post link here...I want to peek at their source code...

ttyl