wmiprvse.exe question(me again)

Discussion in 'Malware Help (A Specialist Will Reply)' started by fangy, May 17, 2005.

  1. fangy

    fangy Private E-2

    I recently had a HJT log checked out and all was well, but I've one more question. I've had something called WMI C:\WINDOWS\system32\wbem\wmiprvse.exe trying to connect through my firewall. I've looked at Pacman's start up list but can't find an exact match (WMI\wbem). But I did find wmiprvse.exe and it doesn't look good, possibly a sonebot-b worm. Could someone give me some advice on whether or not this is a worm and if so what to do with it. I'm using XP.
    Once again thanks,
    Fangy.
     
    Last edited: May 17, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. fangy

    fangy Private E-2

    Thank you
    Fangy.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Are you having any malware problems that you need help with?
     
  5. fangy

    fangy Private E-2

    I've got 3 profiles on my computer, the main one is clean when I use Spybot and Ad-Aware SE, but recently I ran these programs on the other 2 profiles and found BT Grab, P2P Networking; when I try to delete them they just reappear again on the next scan. I've tried to get my head around HJT, but I'm still not sure enough to start deleting things. When I ran HJT on one of the profiles (not the main profile) I found things like www.popupsearches.com and searchscout.com among other things. I'm going to delete 2 of the profiles and just keep the main one, would this get rid of my problems or would they still be there?
    Thanks for taking the time to help.
    Fangy.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The files will still be on your PC! You need to run our cleanup procedures on each profile. The procedure is below. If the user profiles are not admin accounts you will not be able to boot into safe mode with them so just run all steps in normal boot mode.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  7. fangy

    fangy Private E-2

    I followed your advice; when I did the Trend Micro virus scan it found 3 things: TROJ RBLAST.DLL "non cleanable" C:\Program Files\Norton System....
    TROJ EH.A "non cleanable" C:\Windows\Downloaded Pro...
    TROJ ISTBAR.GEN "non cleanable" C:\Program Files\Yahoo!\YPSR..
    At the end of the scan I deleted these items, rescanned and found nothing. Everything was secure with the Symantec Security Check but the Symantec virus detection test found 10 files infected:

    1..C:\windows\system32\dsktrf.dll is infected with adware.Begin 2 search
    2..C:\ " " " \vciewer.ocx is infected with Dialer.Holistyc
    3..C:\Program Files\Yahoo!\Ypsr\Quarantine\ppq12f.tmp infected with ISTBAR
    4..C:\ " " " " " \ppqEF.tmp " " ISTBAR
    5..C:\ " " " " " \ppqFO.tmp " " ISTBAR
    6..C:\ " " " " " \ppq130.tmp\sfbho.dll " " ISTBAR
    7..C:\ " " \Internet Explorer\bg2.exe is infected with Better Internet
    8..C:\ " " " " \bg3.exe is " " Better Internet
    9..C:\ " " \gamespy arcade\Aphex.exe is " " gamespy arcade
    10.C:\ " " " " \ArcRes.dll is " " gamespy arcade

    I did the test above in Internet Explorer but because I use Firefox I did the Trend Micro online scan with Java. This found a
    TROJ_RBLAST.DLL C:\Program Files\Norton Systemworks\Norton Cleansweep. I couldn't remove this as Trend Micro was asking for a Ticket Code?
    I ran all the programs Stinger, CCleaner, etc. and found nothing, although HS Remove removed 8 items but didn't say what they were.
    I've attached a HJT log for this profile but as I mentioned in an earlier post there are three profiles on this computer; will I need to do these scans on each profile?
    Thanks for all your help,
    Fangy.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a good idea to run the steps on each user account. Each user has their own registry locations and some private folders so it is good to check them. It takes time, but it is the only safe way to be sure they are clean.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://results.searchscout.com/content/429/32914-0/content26782-0.html?b=28259&m=NTA1OTEzNDg2&t=1000093614&d=0&c=32914

    Now exit HJT.

    Now run CCleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  9. fangy

    fangy Private E-2

    I followed your advice but everything I did was not in safe mode because it was not the Admin profile; is this OK? I've attached the new HJT log. Would it be OK to post the other HJT logs from the other profiles on my computer once I've done all the scans and clean up programs?
    Thanks again,
    Fangy.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the last log you posted was clean. Let's work on the next log. Only post one at a time as it gets confusing to work on too many at the same time. How many other accounts are there?

    Post the next one you want to work on?
     
  11. fangy

    fangy Private E-2

    After this profile there's just one more. I've done all the online scans and clean up programs. The Trend Micro online Java test (using Firefox) found a TROJ_RBLAST.DLL which I removed.
    The Trend Micro online virus scan for Internet Explorer found nothing. The Symantec Security Check showed everything to be safe. Their virus scan found the same 10 things as it did for the last profile you checked for me. I've listed them all in an earlier post. Stinger, CCleaner etc. all found nothing, although Kill2Me opened the "My Documents" folder for some reason? And HS Remove removed 8 items again, but didn't say what. Will cleaning up with HJT sort out the 10 items found by Symantec's online scan? Or is this nothing to worry about?
    Thanks,
    Fangy.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no reason for you to be running HSremove (or About:Buster either). They are for special problems as mentioned in the READ ME FIRST.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    Is this next R1 line valid? If so, skip it.
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utarget.co.uk/redir.aspx?id=1550&t=subsite&hostid=121&url=http%3a%2f%2fad.uk.doubleclick.net%2fjump%2fN2121.UTarget.caratuk.int%2fB1472397%3bsz%3d1x1%3bord%3d%5btimestamp%5d%3f&img=http%3a%2f%2fad.uk.doubleclick.net%2fad%2fN2121.UTarget.caratuk.int%2fB1472397%3bsz%3d1x1%3bord%3d%5btimestamp%5d%3f&ts=2133395485
    R3 - Default URLSearchHook is missing

    Now exit HJT.

    Now double check your log to make sure each of the above has been fixed. Is this account having any other problems? If not, move on to the next account.
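    Both of chaslang's HJT fix lists in this thread (post 8 and post 12) come down to one check: does each R0/R1 registry value point at a host the user actually chose, and is the default URLSearchHook still present? The script below is an added example, not from this thread and not part of HijackThis, that parses such R-section log lines and lists the ones a helper would want to review. The sample lines are copied from this thread (the long searchscout URL shortened), the allowlist of hosts is an assumed example, and the function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample log: the R0/R1/R3 lines quoted in this thread, plus one
# benign Start Page entry and one non-R line to show what the check ignores.
SAMPLE_LOG_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://results.searchscout.com/content/429/32914-0/content26782-0.html?b=28259",
    "R3 - Default URLSearchHook is missing",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/",
    "O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",
]

# Assumed allowlist: hosts a user would knowingly set as home or search page.
# In practice this would be the user's own stated preferences.
ALLOWED_HOSTS = {"www.majorgeeks.com", "www.microsoft.com", "www.msn.com", "www.google.com"}

# "R1 - <registry key>,<value name> = <data>" as HijackThis prints it.
R_LINE = re.compile(r"^(?P<type>R[0-3]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
R3_MISSING = re.compile(r"^R3 - Default URLSearchHook is missing$")


def parse_r_line(line):
    """Return a dict (type, key, name, data, host) for an R0/R1 entry, else None."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # netloc is empty when the data is not a URL (e.g. a local file path)
    entry["host"] = urlparse(entry["data"]).netloc.lower()
    return entry


def review_r_lines(lines, allowed_hosts=ALLOWED_HOSTS):
    """Flag R entries whose host is off the allowlist, and a missing URLSearchHook.

    Returns a list of (original line, reason) tuples; non-R lines are ignored.
    """
    findings = []
    for line in lines:
        if R3_MISSING.match(line.strip()):
            findings.append((line, "default URLSearchHook is missing; reset to default"))
            continue
        entry = parse_r_line(line)
        if entry is None:
            continue
        if entry["host"] and entry["host"] in allowed_hosts:
            continue
        target = entry["host"] or repr(entry["data"])
        findings.append((line, f"{entry['type']} {entry['name']} points at unexpected host: {target}"))
    return findings


if __name__ == "__main__":
    for line, reason in review_r_lines(SAMPLE_LOG_LINES):
        print(f"REVIEW: {reason}\n        {line}")
```

    Run against the constructed lines it reports exactly the five entries chaslang told fangy to fix and leaves the majorgeeks.com Start Page and the O2 line alone; an empty host (a file path rather than a URL) is also reported, since a non-URL Start Page is worth a look.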
     
  13. fangy

    fangy Private E-2

    I did what you said and checked the log, all seems well, but do you know why Kill2Me opened the "My Documents" folder on each profile? And are the 10 items found with the Symantec online virus scan nothing to worry about? I'm using Norton 2003 AntiVirus, is this an OK one to use? I've got Norton 2005 (not installed); would this be better protection and is this safe to run with SpywareBlaster? Or what anti virus would you recommend? This is the last one now, I think this one is quite clean. I was running About:Buster and HS Remove because I have no idea what kind of problem I have. I had done everything for this account yesterday but I've already removed the HSremove entries from the HJT log.
    Thanks for all the Help.
    Fangy.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. This last log is clean!

    It is always best to use the most current version of any piece of software (unless there is a compatibility issue), so upgrading is a good idea. However, one downside of some of the more recent versions of Norton (McAfee has similar issues) is that they are becoming very resource hungry, which can impact the performance of your PC.

    SpywareBlaster uses no system resources because it is not a running program. You just install it and have it apply its protection schemes. Nothing remains running. It is also not a scanning tool and does not remove any bad items that may exist. It is just a blocking tool. You need a program like Microsoft AntiSpyware, SpySweeper, etc. All of the recommended things to do are in the below link:

    How to Protect yourself from malware!
     
  15. fangy

    fangy Private E-2

    Thanks again for all your help.
    Fangy.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely!
     
