Cant remove and NEED to

**QfanatiQ** · 26th April 2004

Fire up girlies PC to find a whole host of probs. To begin with a windows close box was comming up and giving 60 seconds to save before it rebooted... Got adaware and found laods of stuff, then got AVG and also got rid of some serious stuff. BUT i still cant get rid of these

C:\windows\system32\WMIPRVSC . exe &
C:\windows\system32\drivers\SVCHOST . exe

AVG sees these as virus's but i can delete them, they wont let me, through AVG or through explorer.

I thought i would boot up in safe mode but the PC does nto give me an option to.

Any help GREATLY appreciated. Cheers.....Q

**DaveTheRave** · 26th April 2004

what do you mean it wont give you the option too?

**Mr Olympia** · 26th April 2004

It seems like you have the Blaster worm.

First off you need to go to Start>Run and type the following:

shutdown /a

This should stop the pc rebooting giving you time to download a patch.

Then you can go to symantec web site and apply a fix.

http://securityresponse.symantec.com...oval.tool.html.

Hopefully this will work. Let me know how you get on.

**QfanatiQ** · 27th April 2004

Cheers, i wil try that tonight, got some of the way with AVG but there is still something there so will check that out.

I thought there was an option to shutdown in safe mode, but forgot about F8

Cheers.....Q

**MajorFU** · 27th April 2004

svchost.exe is not a virus as far as i am aware, its a networking driver or somat

never heard of WMIPRVSC . exe so it could be bogus

**Mr Olympia** · 27th April 2004

Originally Posted by MajorFU

svchost.exe is not a virus as far as i am aware, its a networking driver or somat

never heard of WMIPRVSC . exe so it could be bogus

Yeah, svchost should be ok. As for WMIPRVSC, if I remember rightly I think it's a trojan or similar. I think that once this file is executed on your pc, it connects itself to an IRC channel and your pc is wide open to people who may nick info from your machine, product keys, personal files etc.

Before you panic, do a search on the net for any info regarding this. I think I'm right about this file but I could be barking up the wrong tree.

**Q-Buster** · 27th April 2004

WMIPRVSC . exe seems to be 'malware', created by BKDR_SDBOT.RC.

Installation and Autostart Techniques

Upon execut1on, this malware drops a copy of itself as WMIPRVSC.EXE in the Windows system folder.

It then creates the following autorun registry entries to enable its automatic execut1on at every system startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Windows Update Process="wmiprvsc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices
Windows Update Process="wmiprvsc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Windows Update Process="wmiprvsc.exe"

HERE

Q-Buster

**flipper321** · 27th April 2004

There was an issue with svchost (I believe) as part of the welchia/nichi trojan, although not in that location as far as I am aware.

**QfanatiQ** · 28th April 2004

Cheers for all the help and pointers. Got it all sorted now and all the updates. Nice and stable.

Cheers.....Q

ABCMan · 30th April 2004

ok, svchost can be hijacked there is also a couple of trojans that create false versions of that file in alternate locations

http://www.liutilities.com/products/...brary/svchost/ (scroll towards the bottom, i've no idea on the quality of the program, but the site give LOADS of details of tasks that various programs use as well as details of almost all windows files, its very usefull for tracking what is what.

there are detals of the first one and how to remove it here http://www.us.sophos.com/virusinfo/a...32sdbotcb.html