Author Topic: Possible virus alert  (Read 3620 times)

deriamis

  • Guest
Possible virus alert
« on: May 08, 2004, 09:59:29 AM »
I found the result of a trojan horse on my system recently which Avast did not pick up. It should be fairly easy to find on the net, though. All I noticed that it did was change your startpage and add links (lewd) to your favorites in IE.

The rundown is such:
Executing a trojaned program places a file called winproc32.exe in your Windows\system32 folder and a corresponding entry is made in the registry to start the program. In the registry, the program is described as the "Windows Internet Protocol." Of course, when I found that entry, I knew something was up because I'm not the average fearful user. There is no such thing as a "Windows Internet Protocol" besides TCP/IP.

The program starts as a service and will regenerate links and start pages if you delete them. The program will also regenerate itself on your hard drive if you do not shut it down before deleting it. You can tell if you have this "trojan" if you see your start page change to an http://www.4-search.com address and links to various porn sites (namely animal sex and incest) start appearing in your links. This also may be a modifiable and redistributable program, so your mileage may vary.

The solution to your problem is to delete Windows\system32\winproc32.exe after shutting it down in the task manager, and then to search the registry for the filename and delete the entire value. (It should be in one of the Windows\Run keys.) I had already deleted all the links and the file itself permanently before I thought of warning anyone, unfortunately, but it should turn up again (or, if necessary, I think I can find it again if I need to).

Ryan
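
A read-only check for the indicators described in the post above, as an added example that is not part of the original post. The file name, registry description and start-page host come from the post; the specific Run/RunOnce key paths, the Internet Explorer start-page location and the service query are assumptions of this example.

```powershell
# Indicators quoted from the post; the registry locations checked are assumptions of this example.
$FileName  = 'winproc32.exe'
$Label     = 'Windows Internet Protocol'
$StartHost = '4-search.com'
$findings  = @()

# 1. Dropped file in the system32 folder
$path = Join-Path $env:SystemRoot "System32\$FileName"
if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }

# 2. Running process (the post says it must be stopped before the file is deleted)
$procName = [IO.Path]::GetFileNameWithoutExtension($FileName)
Get-Process -Name $procName -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process running: $($_.Name) (PID $($_.Id))" }

# 3. Autostart values in the standard Run/RunOnce keys, matched on value name or data
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        if ("$name $data" -like "*$FileName*" -or "$name $data" -like "*$Label*") {
            $findings += "Autostart value: $key -> '$name' = $data"
        }
    }
}

# 4. Services whose binary path or description matches (the post says it starts as a service)
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $text = "$($_.PathName) $($_.DisplayName) $($_.Description)"
        $text -like "*$FileName*" -or $text -like "*$Label*"
    } |
    ForEach-Object { $findings += "Service: $($_.Name) ($($_.DisplayName)) -> $($_.PathName)" }

# 5. Internet Explorer start page pointing at the host named in the post
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start  = (Get-ItemProperty -LiteralPath $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($start -like "*$StartHost*") { $findings += "IE start page: $start" }

# Report only; nothing is modified or deleted
if ($findings) { $findings } else { 'No indicators from the post found.' }
```

The script only reports; it makes no changes, so the removal order the post describes (stop the process, then delete the file and the registry value) is still done by hand.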