# Is wmiprvse.exe a virus?



## Czub

Just happened to notice it pop up in task manager while it was running then it was gone. So I did a file search and it found 6 wmiprvse.exe files. I've had no error messages or anything like that, I just happened to notice it and saw it close out of task manager by itself. Should I worry about this kind of file?
Thanks


----------



## rummer

Got answer from here: http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Windows Management Instrumentation Provider Service first introduced in Windows XP, and then in Windows 2003. WMIPRVSE is a host process for WMI provider services. It is a new Windows architecture intended to eliminate the previous problems in Windows 2000 where the failure of a WMI provider service would make the whole WMI service fail as, then, WMI provider services were loaded in-process with the WMI Service (a new request to WMI would restart the WMI Service). With the new WMIPRVSE model, failure of a single WMI provider service affects that service only rather than the entire WMI Service. For the layman : this is an essential Windows XP/2003 service which will start whenever a specific piece of software requires its facilities.

Recommendation:
Essential - leave alone. Note that, as with SVCHOST, there may be more than one instance of WMIPRVSE running in your Task List: this is normal. Also, some users will never have witnessed the WMIPRVSE service running on their Windows XP/2003 PC, and then notice it running one day and every day thereafter: this is also normal and will in most cases be the result of some software having been installed (and installing WMI provider services) or the result of a Windows Update. Finally, as with SVCHOST, if you experience errors or excess CPU usage with WMIPRVSE, the problem will in almost all cases be with the WMI provider process that WMIPRVSE is hosting, not with WMIPRVSE itself, or you may have a hardware problem or incompatibility which is not yet at the "serious" stage - see if Microsoft's Windows Update has WMI related fixes for your PC/Server; also, on a network, we have empirical evidence that poor network card drivers or chipsets on any part of the network may result in excessive CPU usage by WMIPRVSE.


----------



## jadester48

I believe WMIPRVSE runs when Windows Update/Background Intelligent Transfer Service runs. Hence, it is pretty essential.


----------



## Czub

O.K. thanks. Now as for SVCHOST.EXE. I have six of them running in task manager, is that normal? With Firefox open my CPU usage is 0%, so can I assume that I have nothing to worry about with all those SVCHOST.EXE in there?


----------



## The_Egg

SVCHOST.EXE is the Windows Services Host and is totally legit, as long as it's running from the %system% dir only. It is common to have many instances running.

If you're worried about anything then post a HijackThis log here:
http://www.thespykiller.co.uk/files/hijackthis_sfx.exe


----------
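The path rule from the post above (a host process such as svchost.exe is only trustworthy when it runs from the system directory), applied to the "Running processes" section of a HijackThis log. This is an added example, not part of the original thread: the sample log is constructed, the function names are hypothetical, and the expected wmiprvse.exe location (System32\wbem) is added here rather than taken from the thread.

```python
import ntpath

# Expected directory, relative to %SystemRoot%, for each host binary.
# svchost.exe is the rule from the post; wmiprvse.exe (System32\wbem) is added here.
EXPECTED_DIRS = {
    "svchost.exe": r"system32",
    "wmiprvse.exe": r"system32\wbem",
}

# Constructed sample in the HijackThis v1.99.1 layout (not the log from this thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\DOCUME~1\user\LOCALS~1\Temp\wmiprvse.exe

O4 - HKLM\..\Run: [example] C:\WINDOWS\example.exe
"""

def running_processes(log_text):
    """Return the paths listed under 'Running processes:' (ends at a blank line)."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section and not line:
            break
        elif in_section:
            paths.append(line)
    return paths

def misplaced_host_processes(log_text, system_root=r"C:\WINDOWS"):
    """Flag exact host-process names that run outside their expected directory."""
    findings = []
    for path in running_processes(log_text):
        directory, name = ntpath.split(path)
        expected = EXPECTED_DIRS.get(name.lower())
        if expected is None:
            continue  # not a name this check covers
        wanted = ntpath.normcase(ntpath.join(system_root, expected))
        if ntpath.normcase(directory) != wanted:
            findings.append(path)
    return findings
```

Pass `system_root` when Windows is installed somewhere other than `C:\WINDOWS`; the comparison is case-insensitive, so `System32` and `system32` are treated as the same directory.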



## Czub

Here is my log

Logfile of HijackThis v1.99.1
Scan saved at 9:30:35 PM, on 3/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.rr.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.rr.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.rr.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {80E86DFE-631B-4594-9B8C-66264E89332D} - C:\WINDOWS\System32\mstpa.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AOM.lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Corel Network monitor worker - {3FD36CDE-7E89-4939-B9D6-E4BD5F2271D7} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3FD36CDE-7E89-4939-B9D6-E4BD5F2271D7} - C:\WINDOWS\System32\intlmain.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Corel Network monitor worker - {3FD36CDE-7E89-4939-B9D6-E4BD5F2271D7} - C:\WINDOWS\System32\intlmain.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3FD36CDE-7E89-4939-B9D6-E4BD5F2271D7} - C:\WINDOWS\System32\intlmain.dll (HKCU)
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108173935031
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} (MSN Money Portfolio Manager) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF591554-59D4-48B5-A6C7-FE83F833B5FD}: NameServer = 69.50.176.196,195.225.176.37
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


----------



## The_Egg

Just these to fix:

O2 - BHO: Name - {80E86DFE-631B-4594-9B8C-66264E89332D} - C:\WINDOWS\System32\mstpa.dll (file missing)

O4 - Startup: PowerReg Scheduler.exe

O9 - Extra button: Corel Network monitor worker - {3FD36CDE-7E89-4939-B9D6-E4BD5F2271D7} - C:\WINDOWS\System32\intlmain.dll

O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3FD36CDE-7E89-4939-B9D6-E4BD5F2271D7} - C:\WINDOWS\System32\intlmain.dll

O9 - Extra button: Corel Network monitor worker - {3FD36CDE-7E89-4939-B9D6-E4BD5F2271D7} - C:\WINDOWS\System32\intlmain.dll (HKCU)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {3FD36CDE-7E89-4939-B9D6-E4BD5F2271D7} - C:\WINDOWS\System32\intlmain.dll (HKCU)

Close all windows, checkmark those entries only, and click "Fix checked"

Note, I'm not 100% sure about the "Corel Network monitor worker" entries, but I've just researched it and seen 8 out of 10 logs where it was recommended to fix it, which will do for me... though there weren't too many results for intlmain.dll, and all of the results were on security forums, which is always a sign...

Maybe you can shed some further light on it?

____________________________________________________

The following startup entries are legit, but don't really need to be running at startup.
So you can optionally disable these as well.

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
(Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
(Description: Checks for updates to MS Works. Unnecessary. Removing this entry will free up some system resources.)

O4 - Global Startup: AOM.lnk = C:\Program Files\Common Files\Adobe\Web\AOM.exe
(Description: aom.exe is a process which belongs to Adobe's range of products and interacts with the web on behalf of all of Adobe's creative suite. This is a non-essential process. Disabling or enabling this is down to user preference.)


----------

