wmiprvse.exe - threat?

Discussion in 'malware problems & news' started by PDM, Jul 14, 2005.

Thread Status:
Not open for further replies.
  1. PDM

    PDM Registered Member

    Joined:
    Jul 14, 2005
    Posts:
    4
    Hi,

    Today I was on the internet and a Zone Alarm warning came up saying that wmiprvse.exe was wanting internet access. The alert said that it wanted to go to IP 169.254.56.228 on port 3581. I went on ws.aris.net to try to find out who that IP address belonged to. Not being too experienced I'm not really sure what I'm looking at to be able to tell whether it's legitimate or not.
    This has never happened before and I was alarmed. Needless to say I did not grant access.
    I googled wmiprvse.exe and found one link to these forums. I've read the posts but nothing I've read makes me feel any better. Especially the part about it being associated with various viruses.
    I'm vigilant about virus and spyware protection and have run scans since this incident with no results. I've also downloaded and run S-T-I-N-G-E-R and nothing was detected.

    I did a file search and found 2 instances of a file with this in the name. One was wmiprvse.exe in "C:\WINDOWS\SYSTEM32\WBEM" (which I gather to be legitimate) and one file called wmiprvse.exe-28f301a9.pf in "C:\windows\prefetch".

    I guess my fundamental question is - why all of a sudden would this occur and do I have anything to be concerned about?
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Legitimate location, and to help confirm, check the properties of that file. The file should belong to Microsoft: Windows Management Instrumentation Provider Service, first introduced in Windows XP.

    Related thread @ Wilders---> wmiprvse.exe?

    Also---> TASK LIST PROGRAMS — W
     
  3. tom772

    tom772 Guest

    wmiprvse - wmiprvse.exe - Process Information

    Process File: wmiprvse or wmiprvse.exe
    Process Name: Microsoft Windows Management Instrumentation
    Please read this; it is some info I have collected, hope this helps :)
    Description:
    wmiprvse.exe is a part of the Microsoft Windows operating system and deals with WMI operations through the WinMgmt.exe process. This program is important for the stable and secure running of your computer and should not be terminated.

    --------------------------------------------------------------
    Source: Sophos virus analysis (www.sophos.com)
    W32/Sonebot-B
    Summary
    Profile
    Name W32/Sonebot-B
    Type

    * Worm

    Aliases

    * Backdoor.Agobot.dr
    * W32/Sdbot.worm
    * W32.HLLW.Gaobot.gen

    Protection
    Protection available since 5 April 2004 16:11:43 (GMT)
    Included in our products from May 2004 (3.81)
    Description
    This section helps you to understand how it behaves

    W32/Sonebot-B is a network worm which includes IRC bot and backdoor functionality that allows unauthorised remote access to the infected computer.

    This worm copies itself to network shares with weak passwords, initiates a remote background process, connects to a remote IRC server and joins a specific channel.

    W32/Sonebot-B drops a copy of itself to the Windows System32 folder with the filename WMIPRVSE.EXE and sets the following registry entries to run the copy on system restart:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Kernel_check = wmiprvse.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Kernel_check = wmiprvse.exe

    W32/Sonebot-B also attempts to terminate a number of processes and delete a number of files from the infected computer.

    This worm may also set the following registry entries:

    HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\
    AutoShareServer = <value>
    AutoShareWks = <value>

    HKLM\System\CurrentControlSet\Control\lsa\
    RestrictAnonymous = <value>
    RestrictAnonymousSam = <value>
    Recovery
    This section tells you how to disinfect.

    Please follow the instructions for removing worms.

    Check your administrator passwords and review network security.

    You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE entries:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Kernel_check = wmiprvse.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Kernel_check = wmiprvse.exe

    and delete them if they exist.

    Close the registry editor.


    Sophos © 1997-2005 Sophos Plc.
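    The two checks suggested in this thread (Bubba's "check the properties of that file" and the file path plus Run/RunServices values in the Sophos write-up) as one read-only PowerShell script. This is an added example, not code from the thread or from Sophos; it assumes a modern Windows with PowerShell 3 or later (the original poster's XP machine would not have it) and treats both System32\wbem and, on 64-bit systems, SysWOW64\wbem as the expected homes of the real wmiprvse.exe.

```powershell
# Added example (not from the thread or Sophos). Read-only: reports, changes nothing.
# Expected locations of the genuine Microsoft wmiprvse.exe (SysWOW64 copy exists on x64 only).
$legit = @(
  (Join-Path $env:SystemRoot 'System32\wbem\wmiprvse.exe'),
  (Join-Path $env:SystemRoot 'SysWOW64\wbem\wmiprvse.exe')
)

# 1. Every wmiprvse.exe on the system drive, with its location and Authenticode status.
#    W32/Sonebot-B drops its copy directly in System32, not in System32\wbem.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'wmiprvse.exe' -Recurse -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
      Path      = $_.FullName
      Expected  = ($legit -icontains $_.FullName)
      Signer    = $sig.SignerCertificate.Subject   # null if the file is unsigned
      SigStatus = $sig.Status                      # 'Valid' is expected for the Microsoft copy
    }
  } | Format-Table -AutoSize

# 2. The persistence values named in the Sophos write-up. RunServices is a Windows 9x/Me key
#    and is normally absent on NT-based Windows, hence the Test-Path.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
    $value = [string]$props.$name
    # The genuine wmiprvse.exe is started by the WMI service, never from a Run value.
    if ($name -eq 'Kernel_check' -or $value -match 'wmiprvse\.exe') {
      Write-Output "SUSPICIOUS: $key\$name = $value"
    }
  }
}

# 3. Which wmiprvse.exe processes are running right now, and from which path.
Get-Process -Name wmiprvse -ErrorAction SilentlyContinue |
  Select-Object Id, Path, @{ n = 'Expected'; e = { $legit -icontains $_.Path } } |
  Format-Table -AutoSize
```

    A running instance whose Path is in wbem with a valid Microsoft signature and no Run entry pointing at it is the normal case; a copy elsewhere, an unsigned copy, or a Kernel_check value is what the Sophos description says to look for.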
     
  4. pffft

    pffft Guest

    Uninstall ZoneAlarm. The threat is gone.
     
  5. Tom772

    Tom772 Guest

    So not true? ZoneAlarm has nothing to do with this exe file running.
     