possible infection

Hey,

I am following a lead that I might have one of the following viruses:
W32/Sonebot-B
trojan.gletta.a

I attempted to search the Avast VPS and am not seeing it in the list. Could these viruses be under a different name? Does Avast scan for those?

Event viewer error:
Faulting application wmiprvse.exe, version 5.1.2600.2180, faulting module wmiprvse.exe, version 5.1.2600.2180, fault address 0x00021a18.

According to other sites, those viruses may take the form of wmiprvse.exe. I just want to verify that isn't the case.

Thanks!

Since there are no virus naming conventions, there is no way to directly compare, so I couldn’t say if avast scans for them or its equivalent virus name.

A google search for wmiprvse.exe returns many hits, so you should be able to compare if it is the same location and file, etc.
http://www.liutilities.com/products/wintaskspro/processlibrary/wmiprvse/
http://www.neuber.com/taskmanager/process/wmiprvse.exe.html

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner, or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.
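
The location-and-file comparison suggested in the reply above, as an added example that is not part of the original posts. It assumes a current Windows system with PowerShell 5.1 or later and the default WMI Provider Host paths; it lists where each running wmiprvse.exe was loaded from and reports the version, signature status and SHA-256 of the on-disk files.

```powershell
# Added example, not from the thread. Assumes PowerShell 5.1 or later.
# Default locations of the genuine WMI Provider Host (SysWOW64 holds the
# 32-bit copy on 64-bit Windows).
$expected = @(
    Join-Path $env:SystemRoot 'System32\wbem\wmiprvse.exe'
    Join-Path $env:SystemRoot 'SysWOW64\wbem\wmiprvse.exe'
)

# 1. Where was each running wmiprvse.exe loaded from?
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'wmiprvse.exe'"
$procReport = foreach ($p in $procs) {
    if (-not $p.ExecutablePath) {
        $status = 'path not readable (run elevated)'
    } elseif ($expected -contains $p.ExecutablePath) {   # case-insensitive match
        $status = 'expected location'
    } else {
        $status = 'UNEXPECTED LOCATION'
    }
    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Path      = $p.ExecutablePath
        Status    = $status
    }
}
$procReport | Format-Table -AutoSize

# 2. Version, signature and hash of the on-disk files, for comparison with
#    the faulting-application event and for lookup on a multi-engine scanner.
$fileReport = foreach ($file in $expected) {
    if (Test-Path -LiteralPath $file) {
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        [pscustomobject]@{
            File        = $file
            FileVersion = (Get-Item -LiteralPath $file).VersionInfo.FileVersion
            Signature   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            SHA256      = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        }
    }
}
$fileReport | Format-List
```

A copy running from any other folder is the case worth investigating. An expected path and a valid signature do not rule out code injected into the genuine process.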

There isn’t an international convention for virus names.
You can find a ‘translation’ list of virus names here: http://www.virusbtn.com/resources/vgrep/index.xml

Unfortunately there is a delay from a new virus being detected to being included in this database.

Another possibility is going to the www.av-test.org page and downloading the virus in-the-wild correspondence between the antivirus software.

Hi apryan,

The one is described here, with aliases:
http://www.sophos.com/virusinfo/analyses/w32sonebotb.html

the other here: http://secunia.com/virus_information/9989/win32.wessy/

Both are known malware, against which a good AV should protect.

polonus

wmiprvse here seems to be clean; maybe it is a Virus, but malware of Virus type is known to any AV. :)

I guess we will have to wait for ‘apryan’ to get back to us before we can decide if this is clean or not. As in why they think it is either of the two viruses they indicated.

The fact that the error “Faulting application wmiprvse.exe, version 5.1.2600.2180” seems to be indicating the Windows version of wmiprvse.exe and not a fake (although that could be subject to code injection) means it is more likely that it is a simple error in that module. However, if there are any symptoms that ‘apryan’ hasn’t given us, we can’t say one way or the other if it is a virus or not.