Are These Always Bad?


13 replies to this topic

#1 dmoney101


Posted 10 August 2007 - 10:29 PM

I just rebooted and checked my processes, and wuaudit.exe is running under svchost, and when I looked it up on here, it said it was bad. wmiprvse.exe also ran, but it went away.

Edited by dmoney101, 10 August 2007 - 10:38 PM.



 


#2 oldf@rt


Posted 10 August 2007 - 10:47 PM

The file appears to be a trojan, but I wish to make sure.

I would like you to check the file at these two web sites: Virus Total and Jotti's Online Virus Scan.

If it comes up as a virus, do not attempt to remove it until I have exact directions on how to accomplish this without messing up the machine.
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 oldf@rt


Posted 11 August 2007 - 02:04 AM

Both of these files appear to be backdoor IRC bots. The CA webscan should be able to eliminate them safely. When it attempts to download the ActiveX program, accept and tell it to install. It will need to download and install the latest signature files. Once this is done, the window will give you a mini file browser; you can select the whole C: drive, or just the folder where the files are located. Select what you want to scan in red. Click the Start Scan button.

#4 buddy215


Posted 11 August 2007 - 05:49 AM

wmiprvse.exe http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm
Windows Management Instrumentation Provider Service first introduced in Windows XP, and then in Windows 2003. WMIPRVSE is a host process for WMI provider services. It is a new Windows architecture intended to eliminate the previous problems in Windows 2000 where the failure of a WMI provider service would make the whole WMI service fail as, then, WMI provider services were loaded in-process with the WMI Service (a new request to WMI would restart the WMI Service). With the new WMIPRVSE model, failure of a single WMI provider service affects that service only rather than the entire WMI Service. For the layman : this is an essential Windows XP/2003 service which will start whenever a specific piece of software requires its facilities.

Recommendation :
Essential – leave alone. Note that, as with SVCHOST, there may be more than one instance of WMIPRVSE running in your Task List : this is normal. Also, some users will never have witnessed the WMIPRVSE service running on their Windows XP/2003 PC, and then notice it running one day and every day thereafter : this is also normal and will in most cases be the result of some software having been installed (and installing WMI provider services) or the result of a Windows Update. Finally, as with SVCHOST, if you experience errors or excess CPU usage with WMIPRVSE, the problem will in almost all cases be with the WMI provider process that WMIPRVSE is hosting, not with WMIPRVSE itself, or you may have a hardware problem or incompatibility which is not yet at the "serious" stage – see if Microsoft’s Windows Update has WMI related fixes for your PC/Server; also, on a network, we have empirical evidence that poor network card drivers or chipsets on any part of the network may result in excessive CPU usage by WMIPRVSE.
--------------------------------------------------------------------------------

wuauclt.exe http://www.neuber.com/taskmanager/process/wuauclt.exe.html
Windows Update AutoUpdate Client. Background process which checks with Microsoft website for updates to the operating system. Shows up on the Task Manager's processes list when it is waiting for a response, e.g. to confirm permission to download an update.

Note: The wuauclt.exe file is located in the folder C:\Windows\System32. In other cases, wuauclt.exe is a virus, spyware, trojan or worm!
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 dmoney101


Posted 11 August 2007 - 08:45 AM

Both files went away a little while after the startup.

#6 oldf@rt


Posted 11 August 2007 - 02:53 PM

Are you sure about the file names? In your first post you said the first file was wuaudit.exe, not wuauclt.exe.

#7 dmoney101


Posted 11 August 2007 - 08:23 PM

Are you sure about the file names? In your first post you said the first file was wuaudit.exe, not wuauclt.exe



That may have been it. I have bad eyes.

#8 oldf@rt


Posted 11 August 2007 - 11:29 PM

Ah, yes, just look at my sig. Anyhow, did you run the CA scan? If you have not, it does not take that long, as you can specify the Windows folder only. Then you know for sure if you have those trojans.

#9 dmoney101


Posted 13 August 2007 - 07:16 AM

Ah, yes, just look at my sig. Anyhow, did you run the CA scan? If you have not, it does not take that long, as you can specify the Windows folder only. Then you know for sure if you have those trojans.



I don't know where the files are located, so I can't upload them. They don't stay for long after startup.

#10 quietman7


Posted 13 August 2007 - 10:24 AM

Determining whether wmiprvse.exe or wuauclt.exe is malware or a legitimate Windows process depends on the location (path) it is running from. The legit wmiprvse.exe file is located in the C:\Windows\System32\WBEM folder and wuauclt is located in the C:\Windows\System32\ folder. If found running from a different location it is malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
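
The path check described in post #10, as an added PowerShell example that is not part of the original thread: it compares each running wmiprvse.exe and wuauclt.exe against the locations given there and records a SHA-256 hash that can be looked up on the scanning sites named in post #2. The helper name Test-ProcessPath and the sample rows are assumptions made for illustration.

```powershell
# Added example, not from the thread. Expected locations are the ones given in
# post #10, written relative to %SystemRoot% so a non-default install dir works.
$expected = @{
    'wmiprvse.exe' = 'System32\wbem\wmiprvse.exe'
    'wuauclt.exe'  = 'System32\wuauclt.exe'
}

# Test-ProcessPath is a hypothetical helper name chosen for this example.
function Test-ProcessPath {
    param(
        [string]$Name,
        [string]$Path,
        [string]$SystemRoot = $env:SystemRoot
    )
    $key = $Name.ToLowerInvariant()
    if (-not $expected.ContainsKey($key)) { return 'not-checked' }
    # ExecutablePath is empty when the caller lacks rights to query the process.
    if ([string]::IsNullOrEmpty($Path)) { return 'path-unavailable' }
    $want = Join-Path $SystemRoot $expected[$key]
    if ($Path -ieq $want) { return 'expected-location' }
    return 'UNEXPECTED-LOCATION'
}

# Constructed sample rows: same file name, different folders.
$samples = @(
    @{ Name = 'wuauclt.exe';  Path = 'C:\Windows\System32\wuauclt.exe' }
    @{ Name = 'wuauclt.exe';  Path = 'C:\Windows\Temp\wuauclt.exe' }
    @{ Name = 'wmiprvse.exe'; Path = 'C:\Windows\System32\wbem\wmiprvse.exe' }
)
foreach ($s in $samples) {
    '{0,-13} {1,-40} {2}' -f $s.Name, $s.Path,
        (Test-ProcessPath $s.Name $s.Path 'C:\Windows')
}

# Live check of the local machine (run elevated so every path is readable).
Get-CimInstance Win32_Process |
    Where-Object { $expected.ContainsKey($_.Name.ToLowerInvariant()) } |
    ForEach-Object {
        $hash = if ($_.ExecutablePath) {
            (Get-FileHash -Algorithm SHA256 -LiteralPath $_.ExecutablePath).Hash
        }
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Name      = $_.Name
            Path      = $_.ExecutablePath
            Verdict   = Test-ProcessPath $_.Name $_.ExecutablePath
            Sha256    = $hash
        }
    }
```

Because both processes exit shortly after startup, as the topic starter observed, the live check may return nothing unless it is run while they are active.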

#11 dmoney101


Posted 13 August 2007 - 04:23 PM

Determining whether wmiprvse.exe or wuauclt.exe is malware or a legitimate Windows process depends on the location (path) it is running from. The legit wmiprvse.exe file is located in the C:\Windows\System32\WBEM folder and wuauclt is located in the C:\Windows\System32\ folder. If found running from a different location it is malware.


I know, and I think they were running from the right places.

#12 oldf@rt


Posted 13 August 2007 - 04:34 PM

I don't know where the files are located, so I can't upload them.


They don't need to be uploaded, just click the scan now button after you have selected the folders that you wish to scan.

#13 dmoney101


Posted 13 August 2007 - 11:17 PM

I'm happy to say that after checking both files' paths, they are legitimate apps and are not malware. They were both in the proper places.

#14 oldf@rt


Posted 14 August 2007 - 12:03 AM

Excellent, and thanks for letting us know.



