winprot.exe

d14n · 09-27-2007, 02:08 AM

hi all..

yesterday my pc infected by so many virus.....because i was disable my antivir...after i restart my pc, suddenly when log into windows, there are two pop up came.....

1. mention that winprot.exe missing...
2. desktop can't load winprot.exe

note: winprot.exe is one of the virus infected my pc.

After I knew that I can't open almost program installed in my pc, so I decide to scan online using www.windowsecurity.com....got many virus inside n deleted already. Then I scan again using trojan remover from safe mode.
After that, know I can use all my program, but the 2 pop up (winprot missing) still coming when I on my pc.

Is my pc still infected by virus? n how to solve it?

tq

**Cromewell** · 09-27-2007, 03:02 AM

It's probably just not cleaned up entirely. Be very careful when following the below steps. If you are unsure about something don't do it, if you delete the wrong thing you can screw up your computer.

Make a backup copy of C:\windows\win.ini then open it in notepad.

Find the lines:
run=winprot.exe
load=winprot.exe

and delete the part that says winprot.exe so it looks like this:
run=
load=

Start regedit and make a backup of the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\MicroSoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\MicroSoft\Windows\Curr entVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\MicroSoft\Windows\Curre ntVersion\Run
HKEY_USERS\.Default\SOFTWARE\MicroSoft\Windows\Cur rentVersion\Run

You can make backups by right clicking on them and picking export.

Click on each of those entries you backed up, find the key called 'System Protect' (it's value will be winprot.exe) and delete it (right click on it and pick delete).

Finally, just to be sure in the C:\windows\system\ make sure winprot.exe is deleted.

John McKenna · 09-27-2007, 08:44 AM

Alternatively, post a HijackThis log if you're not happy about delving into your registry. HijackThis will display the registry keys highlighted above by Cromewell if still present and is far safer at removing them than manual registry editing.

If you've never used HijackThis before:

Download HJTInstall.exe to your desktop.

Double-click HJTInstall.exe icon on your desktop to start the installation.
By default it will install to C:\Program Files\Trend Micro\Hijack This.
Click the Install button and HijackThis will launch automatically.
Click the Scan button to generate a HijackThis log and then click Save Log to open it as a text file.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back to this thread and Paste the log (Ctrl+V) in your next reply.

09-27-2007, 02:08 AM	#1 (permalink)
d14n Bronze Member Join Date: Sep 2007 Posts: 59	winprot.exe hi all.. yesterday my pc infected by so many virus.....because i was disable my antivir...after i restart my pc, suddenly when log into windows, there are two pop up came..... 1. mention that winprot.exe missing... 2. desktop can't load winprot.exe note: winprot.exe is one of the virus infected my pc. After I knew that I can't open almost program installed in my pc, so I decide to scan online using www.windowsecurity.com....got many virus inside n deleted already. Then I scan again using trojan remover from safe mode. After that, know I can use all my program, but the 2 pop up (winprot missing) still coming when I on my pc. Is my pc still infected by virus? n how to solve it? tq

09-27-2007, 03:02 AM	#2 (permalink)
Cromewell Moderator Join Date: Dec 2004 Location: Canada Age: 25 Posts: 10,206	It's probably just not cleaned up entirely. Be very careful when following the below steps. If you are unsure about something don't do it, if you delete the wrong thing you can screw up your computer. Make a backup copy of C:\windows\win.ini then open it in notepad. Find the lines: run=winprot.exe load=winprot.exe and delete the part that says winprot.exe so it looks like this: run= load= Start regedit and make a backup of the following entries: HKEY_LOCAL_MACHINE\SOFTWARE\MicroSoft\Windows\Curr entVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\MicroSoft\Windows\Curr entVersion\RunServices HKEY_CURRENT_USER\SOFTWARE\MicroSoft\Windows\Curre ntVersion\Run HKEY_USERS\.Default\SOFTWARE\MicroSoft\Windows\Cur rentVersion\Run You can make backups by right clicking on them and picking export. Click on each of those entries you backed up, find the key called 'System Protect' (it's value will be winprot.exe) and delete it (right click on it and pick delete). Finally, just to be sure in the C:\windows\system\ make sure winprot.exe is deleted. __________________ You know what the chain of command is? It's the chain I go get and beat you with 'til ya understand who's in ruttin' command here. I must plug a couple comics because they are good :D: www.ctrlaltdel-online.com www.userfriendly.org

09-27-2007, 08:44 AM	#3 (permalink)
John McKenna Silver Member Join Date: May 2007 Location: Liverpool, UK Posts: 106	Alternatively, post a HijackThis log if you're not happy about delving into your registry. HijackThis will display the registry keys highlighted above by Cromewell if still present and is far safer at removing them than manual registry editing. If you've never used HijackThis before: Download HJTInstall.exe to your desktop. Double-click HJTInstall.exe icon on your desktop to start the installation. By default it will install to C:\Program Files\Trend Micro\Hijack This. Click the Install button and HijackThis will launch automatically. Click the Scan button to generate a HijackThis log and then click Save Log to open it as a text file. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. Come back to this thread and Paste the log (Ctrl+V) in your next reply. __________________ I remove malware in my sleep.....

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode