Spyware, Viruses, & Security forum

General discussion

wmiprv

by danawenco / October 19, 2008 3:56 AM PDT

A couple of weeks ago when I started my machine Spybot popped up a message saying that "mscorsvw.exe has been changed", and then something about wmiprv that I do remember the details about. It was after a Windows update so I assumed that it's normal.

Last night I came across a site on the internet about wmiprv being a spyware, so I scanned my machine with Malwarebytes' anti-malware (full scan), hijack-this (regular mode and safe mode), AVG free, Spybot (Safe mode), but couldn't find any spyware or wmiprv. Is there anything else I can try? I don't think wmiprv will go away by itself so I am afraid that it's hiding somewhere.

Many thanks.

Why don't you run an on-line scan......
by Marianna Schmudlach / October 19, 2008 5:59 AM PDT
In reply to: wmiprv

Please perform this online scan: F-Secure Online Scanner
The online scanner is on the bottom right of the page.
Follow the directions in the F-Secure page for proper Installation.

* You may receive an alert on the address bar at this point to install the ActiveX control.
* Click on that alert and then click "Install ActiveX component".
* Read the license agreement and click "Accept".
* Click "Full System Scan" to download the scanning components and begin scan and cleaning.
* When the scan completes, click the "I want to decide item by item" button.
* For each item found, Select "Disinfect" and click "Next".

...

Please run the Housecall online virus scan located at:
http://housecall.trendmicro.com/
Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please restart your computer.

Do the scans find anything?

Couldn't scan
by danawenco / October 19, 2008 10:02 AM PDT

Thanks a lot Marianna.

After I started a scan at housecall.trendmicro.com (once I finished the system checking step), a message popped up saying that there's error in transferring the data, do you want trendmicro to resend it. I clicked Ok, the same message popped up. I retried a few times and clicked cancel to stop.

I followed the directions to do the F-Secure scan, it downloaded some files and installed some exe, then it says "preparing to scan..." on the scan pop up screen, and I waited for 20 minutes and nothing changed (ie/ still preparing to scan). I closed the window, started another scan from f-secure.com, then "an error has occurred, please close the browser and the scanner and try again (Id: 15)". I repeated a few times but kept getting the same message. So I tried starting from firefox, but f-secure doesn't support it.

I don't know if it has to do with my OS. I am using Vista Home (sorry I should've mentioned it in my initial post).

Is there any way to uninstall/remove the f-secure exe and database files that I had installed? I haven't been able to find them via control panel nor in the c:/program files directory.

Is there anything else I can do to look for the possible malware (wmiprv) on my system? Thanks again for your help!

Strange........
by Marianna Schmudlach / October 19, 2008 2:50 PM PDT
In reply to: Couldn't scan

How could users completely remove HouseCall 6.5?

1. Close all open browsers.

2. Depending on the operating system used, delete the folder that contains the HouseCall installation files from the home directory:

o Windows XP/2000/2003/MCE2005: C:\Documents and Settings\UserName\.housecall

Note: Deleting these folders also removes all the quarantined files and backup files from previous scans or cleans, as well as log files.

If deleting the ActiveX Object, refer to How could users remove the HouseCall 6.5 Internet Explorer ActiveX Plug-in.


How could users remove the HouseCall 6.5 Internet Explorer ActiveX Plug-in?

1. Stop HouseCall scanning, if enabled.

2. Open the browser and then click Tools > Internet Options.

3. Click the General tab and then click Settings under the Temporary Internet files section.

4. Click View Objects and then right-click HouseCall ActiveX 6.5.

5. Click Remove.

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-127429&id=EN-127429#P30_1418

...

How do I uninstall F‑Secure Online Scanner from my computer?

A: Usually you do not uninstall ActiveX controls. This is, however, possible.

1. In Windows Explorer, open the "Downloaded Program Files" folder under the Windows folder.

2. Right-click on "F‑Secure Online Scanner" and select "Remove".

3. Delete the anti-virus definitions files from your %TEMP%\OnlineScanner folder.

http://support.f-secure.com/enu/home/ols-faq.shtml

Did you try running Super AntiSpyware?

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".


Please download Malwarebytes Anti-Malware or alternate download link

* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

* On the Scanner tab:
  - Make sure the "Perform Quick Scan" option is selected.
  - Then click on the Scan button.
* The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

* -- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

**If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

Thanks so much
by danawenco / October 20, 2008 2:05 AM PDT
In reply to: Strange........

Thanks a lot, Marianna.

I've scanned with Malware bytes, but I will try Superantivirus as well when I get home tonight.

Actually I found the following keys in my registry (which seem to be valid... I hope), so I am starting to wonder if what I saw was wmiprvsd or wmiprvse instead of the malicious wmiprv... Thanks again for your help. Really appreciate it.

f!wmiprvsd.dll
f!wmiprvsd.tmf
f!wmiprvse.exe
f!wmiprvse.tmf
f256!wmiprvsd.dll
f256!wmiprvsd.tmf
f256!wmiprvse.exe

wmiprvsd.dll
by Marianna Schmudlach / October 20, 2008 2:12 AM PDT
In reply to: Thanks so much

wmiprvsd.dll is a WMI from Microsoft Corporation belonging to Microsoft

Thank you
by danawenco / October 20, 2008 9:16 AM PDT
In reply to: wmiprvsd.dll

Marianna, thanks again for the info. Superantivirus doesn't find anything, so let's hope that it was indeed wmiprvse/wmiprvsd that I was seeing. Sorry about that.

NO problem........ better SAFE than sorry :)
by Marianna Schmudlach / October 20, 2008 9:18 AM PDT
In reply to: Thank you

You Are Very Welcome !
