wmiprvse.exe

Guest

I'm using Microsoft's AntiSpyware product.
I've recently noticed a new entry in the running processes panel ...
wimprvse.exe.
When I click on this entry it sometimes displays Microsoft details and other
times displays nothing.
I ran a check on the web for this process and found some sites which
mentioned that a known worm, W32/Sonebot-B, masquerades as this process.
I've found it installed in C:\windows\system32\wbem.
When I try to kill it, by clicking on stop process, nothing happens.
Does anybody have any ideas about this process?
Thanks for your help,
Nick
 
Dave M

Hi Nick..
What AntiVirus are you running? These AVs can detect that one... by these
names. So try a free online scan with Symantec if your AV isn't listed below:
Symantec Online Virus Scan http://tinyurl.com/dggwh

vgrep W32/Sonebot-B
ALWIL AVAST! LGUARD 7.70-94 17-Aug-2005 : Win32:SdBot-378 [Trj]
H+BEDV AntiVir/DOS32 6.31.1.0 17-Aug-2005 : Worm/SdBot.176640
GRISoft AVG 7.0/718 17-Aug-2005 : Worm/Agobot.7.BS
Kaspersky Lab KavCon 1.0.0.48 17-Aug-2005 : Backdoor.Win32.Agobot.dr
SOFTWIN BDC 7.0 17-Aug-2005 : Backdoor.Agobot.DR
Doctor Web DrWebWCL 4.32b 17-Aug-2005 : Win32.HLLW.Scanbot.11
Frisk Software FPCMD 3.15b 17-Aug-2005 : security risk named W32/Agobot.BPG
McAfee Scan 4.40.0 17-Aug-2005 : W32/Sdbot.worm.gen
IKARUS PSCAN 2.27 17-Aug-2005 : Backdoor.Win32.Agobot.DR
MkS MkS_vir 2004.08 01-Aug-2005 : Worm.Gaobot
Symantec SAVCLS 1.0.0.1 17-Aug-2005 : W32.HLLW.Gaobot.gen
Norman NVCC 5.80.02 17-Aug-2005 : W32/Gaobot.CSQ
Panda Antivirus 6.0 PAVCL 17-Aug-2005 : W32/Gaobot.NG.worm
Trend Micro VSCANTM 1.0/790 17-Aug-2005 : WORM_AGOBOT.TW
Sophos SAV32CLI 3.96 17-Aug-2005 : W32/Sonebot-B
CA VET RESCUE 10.60.0.43 16-Aug-2005 : Win32.Sumbot
CA InoculateIT INOCMD32 23.70.13 17-Aug-2005 : Win32/SDBot!Backdoor!Server
VirusBuster VirusBuster 1.12.004 7.1490 17-Aug-2005 : Backdoor.Agobot.HP
[1 282506]
 
Guest

Try ending the process the old-fashioned way: ALT+CTRL+DELETE. If the process
still doesn't end, then run Windows in Safe Mode. To run Windows in Safe Mode
go to: Start >> Run... >> type in "msconfig" and click "OK" >> click on the
"BOOT.INI" tab >> under "Boot Options" check the box that says "/SAFEBOOT"
and click "OK". Then try running a spyware scan or delete the file manually.
 
Guest

Sebastian,
Thanks for your message.
I did try the "old fashioned" way and managed to kill it ... but it kept on
popping up again.
I noticed that it's not always running, it just seems to run every now and
then.
I was more interested in finding out if it is a virus, worm, whatever as
opposed to how to kill it.
Any further advice is greatly appreciated.
Thanks,
Nick
 
Guest

Hi Nick

Dave M sent this but something is wrong with the feeds for this group, he
used NNTP transfer.

Every antivirus program detects this one, do you have one installed?

This one is for free:
http://free.grisoft.com/doc/1


"Hi Nick..
What AntiVirus are you running? These AVs can detect that one... by these
names. So try a free online scan with Symantec if your AV isn't listed
below: Symantec Online Virus Scan http://tinyurl.com/dggwh

vgrep W32/Sonebot-B
ALWIL AVAST! LGUARD 7.70-94 17-Aug-2005 : Win32:SdBot-378 [Trj]
H+BEDV AntiVir/DOS32 6.31.1.0 17-Aug-2005 : Worm/SdBot.176640
GRISoft AVG 7.0/718 17-Aug-2005 : Worm/Agobot.7.BS
Kaspersky Lab KavCon 1.0.0.48 17-Aug-2005 : Backdoor.Win32.Agobot.dr
SOFTWIN BDC 7.0 17-Aug-2005 : Backdoor.Agobot.DR
Doctor Web DrWebWCL 4.32b 17-Aug-2005 : Win32.HLLW.Scanbot.11
Frisk Software FPCMD 3.15b 17-Aug-2005 : security risk named W32/Agobot.BPG
McAfee Scan 4.40.0 17-Aug-2005 : W32/Sdbot.worm.gen
IKARUS PSCAN 2.27 17-Aug-2005 : Backdoor.Win32.Agobot.DR
MkS MkS_vir 2004.08 01-Aug-2005 : Worm.Gaobot
Symantec SAVCLS 1.0.0.1 17-Aug-2005 : W32.HLLW.Gaobot.gen
Norman NVCC 5.80.02 17-Aug-2005 : W32/Gaobot.CSQ
Panda Antivirus 6.0 PAVCL 17-Aug-2005 : W32/Gaobot.NG.worm
Trend Micro VSCANTM 1.0/790 17-Aug-2005 : WORM_AGOBOT.TW
Sophos SAV32CLI 3.96 17-Aug-2005 : W32/Sonebot-B
CA VET RESCUE 10.60.0.43 16-Aug-2005 : Win32.Sumbot
CA InoculateIT INOCMD32 23.70.13 17-Aug-2005 : Win32/SDBot!Backdoor!Server
VirusBuster VirusBuster 1.12.004 7.1490 17-Aug-2005 : Backdoor.Agobot.HP
[1 282506]
 
Dave M

Oh geeeeh... Thanks plun... is it Black Wednesday at Ms today? Maybe we go back
to passing paper notes...
 
AndyManchesta

Hi guys, the HTTP site's down so I'm using a newsreader. I apologize if
I've missed a post that explains this. Are we sure it's not the genuine
Microsoft wmiprvse.exe file? It could start up for a lot of different
reasons and doesn't run for very long.

To make it appear in Task Manager and MSAS under Running Processes
(Advanced Tools), go to the Start Menu and right-click My Computer, next
choose Manage, click the plus (+) next to 'Services and Applications',
then left-click WMI Control, then right-click and choose 'Properties'.

It will then show in Task Manager and in the running processes of MS Antispy.

Microsoft Antispyware shows it as Microsoft WMI for the name and
wmiprvse.exe (C:\WINDOWS\System32\wbem\wmiprvse.exe) as the path to the
file.

It only runs for about 1 minute then stops, and Microsoft Antispy will
display the details while it's running and say it's a known process, plus
you can stop it with MSAS.

After about 1 minute it will stop running, which you can see by
using Task Manager. It will be showing as a Network Service (right-click
an empty space on the system tray and choose Task Manager), but it doesn't
automatically remove itself from MS Antispy's running processes if you
stay on the running processes screen. If you click on it when it's not
running then MSAS will not display any details about it, and pressing
"Stop The Process From Running Now" will not do anything. If you go back
to "System Explorers" then open "Running Processes" again you will then
see it's not listed.

Here are the locations you will find this file in, and the sizes are based
on my XP SP2 machine (to view the size, right-click and choose Properties):


C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe 199 KB (203,776 bytes)
C:\WINDOWS\Prefetch\WMIPRVSE.EXE 26.7 KB (27,362 bytes)
C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe 213 KB (218,112 bytes)
C:\WINDOWS\system32\wbem\wmiprvse.exe 213 KB (218,112 bytes)

On mine, under Version it shows (Version 5.1.2600.2180).


To find out more about what it does, follow the same path we used to make
it show up:

Go to the Start Menu and right-click My Computer, next choose Manage, click
the plus (+) next to 'Services and Applications', then left-click WMI
Control, then right-click and choose 'Help'.

Here you find a lot of details and different explanations for why it starts.

If you want a second opinion then upload the file at jotti's site and
have it checked for malware, but it sounds like it's the genuine
Microsoft file, and with it staying in running processes until you leave
and reopen the page, plus losing its details when it stops, it may be
causing some confusion.

http://virusscan.jotti.org/


Hope That Helps


Andy :)
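
The checks described in the post above (file location, size, version), as an added example that is not part of the original thread. It assumes a current Windows release with PowerShell 5.1 or later, adds a signature check, and treats the SysWOW64 copy found on 64-bit Windows as a second legitimate location.

```powershell
# Added example, not from the thread. Lists every running process whose name
# resembles wmiprvse.exe and compares it with the genuine file's location.
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\wbem\wmiprvse.exe'),   # location given in the post
    (Join-Path $env:SystemRoot 'SysWOW64\wbem\wmiprvse.exe')    # assumption: 32-bit copy on 64-bit Windows
)

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -like 'w*prvse.exe' } |   # also catches lookalikes such as wimprvse.exe
    ForEach-Object {
        $path  = $_.ExecutablePath   # empty when the caller lacks rights to the process
        $notes = @()
        $file  = $null
        $sig   = $null

        if ($_.Name -ne 'wmiprvse.exe') { $notes += 'lookalike name' }

        if (-not $path) {
            $notes += 'path unavailable (run elevated)'
        } else {
            # -notcontains compares strings case-insensitively, like the file system
            if ($expectedPaths -notcontains $path) { $notes += 'unexpected location' }
            $file = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                $notes += "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
                $notes += 'signed, but not by Microsoft'
            }
        }

        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $path
            SizeBytes = if ($file) { $file.Length } else { $null }
            Version   = if ($file) { $file.VersionInfo.FileVersion } else { $null }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Verdict   = if ($notes) { $notes -join '; ' } else { 'matches expected file' }
        }
    } | Format-List
```

Because the process only runs for short periods, an empty result means no instance was running at that moment, not that the file is absent.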
 
