WMIPRVSE.EXE running at 99-100% - Help

Troubleatmill_2
Posts: 252 Forumite

in Techie Stuff
Any ideas on how to treat....
Thanks in advance
Troubleatmill
Comments
W32/Sonebot-B is a network worm which includes IRC bot and backdoor functionality that allows unauthorised remote access to the infected computer.
This worm copies itself to network shares with weak passwords, initiates a remote background process, connects to a remote IRC server and joins a specific channel.
W32/Sonebot-B drops a copy of itself to the Windows System32 folder with the filename WMIPRVSE.EXE and sets the following registry entries to run the copy on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Kernel_check = wmiprvse.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Kernel_check = wmiprvse.exe
W32/Sonebot-B also attempts to terminate a number of processes and delete a number of files from the infected computer.
This worm may also set the following registry entries:
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\
AutoShareServer = <value>
AutoShareWks = <value>
HKLM\System\CurrentControlSet\Control\lsa\
RestrictAnonymous = <value>
RestrictAnonymousSam = <value>
Recovery
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Kernel_check = wmiprvse.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Kernel_check = wmiprvse.exe
and delete them if they exist. Close the registry editor.
http://www.sophos.com/virusinfo/analyses/w32sonebotb.html
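A read-only check for the indicators the Sophos analysis above lists (the Kernel_check autorun values, the dropped System32\wmiprvse.exe, the lanmanserver and Lsa settings, and a process running from the dropped path). This is an added example, not part of the Sophos write-up or the thread, and it assumes PowerShell 3 or later run as an administrator; the genuine WMI Provider Host lives in System32\wbem, which is why a wmiprvse.exe sitting directly in System32 is treated as the worm's copy.

```powershell
# Read-only check for the W32/Sonebot-B indicators quoted above. Added example,
# not from the Sophos analysis; assumes PowerShell 3+ run as an administrator.
$findings = @()

# 1. Autorun persistence: Kernel_check = wmiprvse.exe under Run and RunServices.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Kernel_check
    if ($value) { $findings += "Autorun: $key\Kernel_check = $value" }
}

# 2. Dropped file. The genuine WMI Provider Host lives in System32\wbem, so a
#    wmiprvse.exe directly in System32 is the copy the worm writes.
$dropped = Join-Path $env:SystemRoot 'System32\wmiprvse.exe'
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += "File: $dropped (SHA256 $hash)"
}

# 3. Share and anonymous-access settings the worm may change. The post does not
#    say which values it writes, so only the current values are reported.
$settings = @{
    'HKLM:\System\CurrentControlSet\Services\lanmanserver\parameters' = @('AutoShareServer', 'AutoShareWks')
    'HKLM:\System\CurrentControlSet\Control\Lsa' = @('RestrictAnonymous', 'RestrictAnonymousSam')
}
foreach ($key in $settings.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $settings[$key]) {
        if ($props -and $null -ne $props.$name) {
            $findings += "Setting: $key\$name = $($props.$name)"
        }
    }
}

# 4. A wmiprvse.exe process running from the dropped path (the CPU-hog symptom).
Get-Process -Name wmiprvse -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $dropped) } |
    ForEach-Object { $findings += "Process: PID $($_.Id) running from $($_.Path)" }

if ($findings) { $findings } else { 'No Sonebot-B indicators found.' }
```

The script only reports; removal of the autorun values is still the manual Regedit step the analysis describes, after the registry backup it recommends.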
Have you done a virus scan with your anti-virus?
Ex forum ambassador
Long term forum member
Is Windows up to date? What security software are you running?
"She is quite the oddball. Did you notice how she didn't even get excited when she saw this original ZX-81?"
Moss
I would follow this thread if you suspect you are infected:
http://forums.moneysavingexpert.com/showthread.html?t=133269
Ex forum ambassador
Long term forum member
I have TrendOffice Microscan installed. (It's a company laptop.)
Windows XP - it should be up to date as it frequently does automatic downloads.
I've tried running Crapcleaner, Adaware etc.
I'll try Browntoa's advice and post back.
Thanks
Troubleatmill