wmiprvse.exe - threat?

Discussion in 'malware problems & news' started by PDM, Jul 14, 2005.

Thread Status:
Not open for further replies.
  1. PDM

    PDM Registered Member

    Jul 14, 2005

    Today I was on the internet and a Zone Alarm warning came up saying that wmiprvse.exe was wanting internet access. The alert said that it wanted to go to IP on port 3581. I went on ws.aris.net to try to find out who that IP address belonged to. Not being too experienced I'm not really sure what I'm looking at to be able to tell whether it's legitimate or not.
    This has never happened before and I was alarmed. Needless to say I did not grant access.
    I googled wmiprvse.exe and found one link to these forums. I've read the posts but nothing I've read makes me feel any better. Especially the part about it being associated with various viruses.
    I'm vigilant about virus and spyware protection and have run scans since this incident with no results. I've also downloaded and run S-T-I-N-G-E-R and nothing was detected.

    I did a file search and found 2 instances of a file with this in the name. One was wmiprvse.exe in "C:\WINDOWS\SYSTEM32\WBEM" (which I gather to be legitimate) and one file called wmiprvse.exe-28f301a9.pf in "C:windows\prefetch"

    I guess my fundamental question is - why all of a sudden would this occur and do I have anything to be concerned about?
  2. Bubba

    Bubba Updates Team

    Apr 15, 2002
    Legitimate location and to help confirm....check the properties of that file. The file should belong to Microsoft....Windows Management Instrumentation Provider Service first introduced in Windows XP

    Related thread @ Wilders---> wmiprvse.exe?

  3. tom772

    tom772 Guest

    wmiprvse - wmiprvse.exe - Process Information

    Process File: wmiprvse or wmiprvse.exe
    Process Name: Microsoft Windows Management Instrumentation
    Please read this it is some info i have collected, hope this helps:)
    wmiprvse.exe is a part of the Microsoft Windows Operating System and deals with WMI operations thourgh the WinMgmtexe process. This program is important for the stable and secure running of your computer and should not be terminated.
    For More Information About wmiprvse.exe - Get WinTasks 5 Pro No

    Sophos - Purpose built for business, education and government

    HomeContact www.sophos.comwww.sophos.deesp.soph....co.jpcn.sophos.comtw.sophos.comkr.sophos.com
    Products Support Virus info

    Virus analyses Hoaxes Best practice Viruses explained Articles White papers Top ten viruses Email notification Info feed

    Spam info Company info Press office Partners

    Home > Virus info > Virus analyses
    Virus information
    Summary Description Recovery
    Name W32/Sonebot-B

    * Worm


    * Backdoor.Agobot.dr
    * W32/Sdbot.worm
    * W32.HLLW.Gaobot.gen

    Protection available since 5 April 2004 16:11:43 (GMT)
    Included in our products from May 2004 (3.81)
    Staying up to date

    EM Library provides fully automated updating of Sophos Anti-Virus on a wide range of platforms. If you're using one of our enterprise solutions and aren't already using EM Library, check it out now. Users of our small business solutions are automatically updated by Sophos AutoUpdate.
    Summary Description Recovery
    This section helps you to understand how it behaves

    W32/Sonebot-B is a network worm which includes IRC bot and backdoor functionality that allows unauthorised remote access to the infected computer.

    This worm copies itself to network shares with weak passwords, initiates a remote background process, connects to a remote IRC server and joins a specific channel.

    W32/Sonebot-B drops a copy of itself to the Windows System32 folder with the filename WMIPRVSE.EXE and sets the following registry entries to run the copy on system restart:

    Kernel_check = wmiprvse.exe

    Kernel_check = wmiprvse.exe

    W32/Sonebot-B also attempts to terminate a number of processes and delete a number of files from the infected computer.

    This worm may also set the following registry entries:

    AutoShareServer = <value>
    AutoShareWks = <value>

    RestrictAnonymous = <value>
    RestrictAnonymousSam = <value>
    Summary Description Recovery
    This section tells you how to disinfect.

    Please follow the instructions for removing worms.

    Check your administrator passwords and review network security.

    You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE entries:

    Kernel_check = wmiprvse.exe

    Kernel_check = wmiprvse.exe

    and delete them if they exist.

    Close the registry editor.

    Sophos © 1997-2005 Sophos Plc. All rights reserved. Legal | Privacy
  4. pffft

    pffft Guest

    Uninstall ZoneAlarm. The threat is gone.
  5. Tom772

    Tom772 Guest

    So not true? ZoneAlarm has nothing to do with this exe file running.
Thread Status:
Not open for further replies.