WMIPRVSE trying to TFTP a lot! Why?

MrBeatnik

Hi all,

Not sure if this is the right place to post...

C:\WINDOWS\system32\wbem\wmiprvse.exe is trying to use C:\WINDOWS\system32\tftp.exe
to send data somewhere on all my machines in an enterprise environment.


We use McAfee with rules to block any TFTP use, so the action is blocked. If
it were not, I wouldn't even know that it was trying to do this. I'm sure the
machines do not have a virus, and are not compromised in any other way. It seems
that WMIPRVSE is trying to do this "legitimately".

Can anyone tell me:
1) Why it is trying to TFTP?
2) How I can configure it to STOP trying to TFTP?


Thanks!
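The question in this post is really "which parent process is launching tftp.exe, and how often?" The following is a small triage script added here as an example; it is not part of the thread and not McAfee, Windows or any vendor tooling. It scans a process-creation log for tftp.exe spawned by wmiprvse.exe (the pair reported above) and also counts tftp.exe launches per parent so that a different caller, such as an admin script run from cmd.exe, stands out. The log format and every sample line are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample process-creation log. The format and every line are
# invented for this example; they are not McAfee, Sysmon or Windows audit output.
# Fields: timestamp | parent image path | child image path | child command line
SAMPLE_LOG = """\
2008-07-01 09:12:03|C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe|C:\\WINDOWS\\system32\\tftp.exe|tftp.exe -i 10.0.0.5 put C:\\temp\\report.dat
2008-07-01 09:12:10|C:\\WINDOWS\\system32\\svchost.exe|C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe|wmiprvse.exe
2008-07-01 09:13:44|C:\\WINDOWS\\explorer.exe|C:\\WINDOWS\\system32\\notepad.exe|notepad.exe
2008-07-01 09:15:01|C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe|C:\\WINDOWS\\system32\\tftp.exe|tftp.exe -i 10.0.0.5 get update.bin
2008-07-01 09:16:30|C:\\WINDOWS\\system32\\cmd.exe|C:\\WINDOWS\\system32\\tftp.exe|tftp.exe -i 10.0.0.9 get image.bin
"""

# Parent/child pairs worth an alert. wmiprvse.exe hosts WMI providers and has
# no routine reason to launch the TFTP client, so that pair is the thread's case.
DEFAULT_RULES: List[Tuple[str, str]] = [
    ("wmiprvse.exe", "tftp.exe"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (case-insensitive matching)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record into its four fields."""
    ts, parent, child, cmdline = line.split("|", 3)
    return {"time": ts, "parent": parent, "child": child, "cmdline": cmdline}


def find_suspicious_spawns(log_text: str, rules=DEFAULT_RULES) -> List[Dict[str, str]]:
    """Return every record whose (parent, child) basenames match a rule."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if (basename(ev["parent"]), basename(ev["child"])) in rules:
            hits.append(ev)
    return hits


def summarize_by_parent(log_text: str, child: str = "tftp.exe") -> Dict[str, int]:
    """Count launches of `child` per parent basename, to see who else calls it."""
    counts: Dict[str, int] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if basename(ev["child"]) == child.lower():
            p = basename(ev["parent"])
            counts[p] = counts.get(p, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in find_suspicious_spawns(SAMPLE_LOG):
        print(f"ALERT {ev['time']}: {ev['parent']} -> {ev['child']} [{ev['cmdline']}]")
    print("tftp.exe launches by parent:", summarize_by_parent(SAMPLE_LOG))
```

Matching on basenames rather than full paths keeps the rule robust to drive letters and case, and the per-parent summary is what tells you whether wmiprvse.exe is the only caller or just the one McAfee happened to block first.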
 
David H. Lipman

From: "MrBeatnik" <[email protected]>

| Hi all,

| Not sure if this is the right place to post...

| C:\WINDOWS\system32\wbem\wmiprvse.exe is trying to use C:\WINDOWS\system32\tftp.exe
| to send data somewhere on all my machines in an enterprise environment.


| We use McAfee with rules to block any TFTP use, so the action is blocked. If
| it were not, I wouldn't even know that it was trying to do this. I'm sure the
| machines do not have a virus, and are not compromised in any other way. It seems
| that WMIPRVSE is trying to do this "legitimately".

| Can anyone tell me:
| 1) Why it is trying to TFTP?
| 2) How I can configure it to STOP trying to TFTP?


| Thanks!

There is a strong possibility the PC is infected.



Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 
MrBeatnik

Hi,

I can evaluate HJT logs myself, and there is nothing unusual.
Indeed, just a clean machine (VM) with XP SP3 and AV installed also shows
the issue.

From your reply are you suggesting that wmiprvse should NOT be trying to
take this action?

Thanks.
 
Thee Chicago Wolf (MVP)

| Hi all,
| Not sure if this is the right place to post...

| C:\WINDOWS\system32\wbem\wmiprvse.exe is trying to use C:\WINDOWS\system32\tftp.exe
| to send data somewhere on all my machines in an enterprise environment.

| We use McAfee with rules to block any TFTP use, so the action is blocked. If
| it were not, I wouldn't even know that it was trying to do this. I'm sure the
| machines do not have a virus, and are not compromised in any other way. It seems
| that WMIPRVSE is trying to do this "legitimately".

| Can anyone tell me:
| 1) Why it is trying to TFTP?
| 2) How I can configure it to STOP trying to TFTP?

| Thanks!

Have you run a spybot scan of the affected machine? What A/V is
running on this and is it current?

- Thee Chicago Wolf (MVP)
 
MrBeatnik

Spybot is happy, HJT shows nothing unusual running.
McAfee VSE 8.5 Fully up to date.

The system seems fine, and symptoms are displayed in a clean VM.
 
Don Phillipson

| Spybot is happy, HJT shows nothing unusual running.
| McAfee VSE 8.5 Fully up to date.
| The system seems fine, and symptoms are displayed in a clean VM.

If there is still doubt about the status of wmiprvse.exe
surely the simple test is:
1. rename it wmiprvse.DUD (wherever found);
2. reboot and run as normal.

If Windows (or some authentic app) requires this file
it will be called and you will see an error message
"file not found." (Or if you find any new copies of
wmiprvse.exe you will know they were written by
some other malware.)
 
Thee Chicago Wolf (MVP)

| Spybot is happy, HJT shows nothing unusual running.
| McAfee VSE 8.5 Fully up to date.

| The system seems fine, and symptoms are displayed in a clean VM.

Hm, then it could be a 3rd party app trying to do something or some
service tied into another app that's running this TFTP as a matter of
maintenance or some kind of proactive behavior. Have you looked
through your services? Perhaps try turning off WMI service, reboot,
and observe the behavior.

Try this also, go grab Autoruns, fire it up, when it finishes its
scan, do a ctrl-F and look for that TFTP.exe and see if it turns up as
some kind of startup item. Let me know what you find.

- Thee Chicago Wolf (MVP)
 
MrBeatnik

Thanks Don, that's a simple test. Will check it out.

On that notion, I did a MD5 check on the file.
This confirmed the file seems OK compared to a clean installed VM.

0ffae66e6d5b1c87cbd22d1f3b6079fd
(Note: XP SP3; file date = 30 June 2008 - unsure when this was updated via
KB/etc).

Of course, another application could be calling WMIPRVSE, which in turn is
calling TFTP, so I will continue to remove it for now and see what happens.
If there is something here, it's damn sneaky as there is no trace of it in
the usual checks.
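The MD5 comparison against a clean VM in the post above can be turned into a repeatable check. The script below is an added example, not code from the thread or from any Windows or McAfee tool: it builds a digest baseline from a known-clean set of files, compares a suspect host's files against it, and reports matches, mismatches, files missing from the host, and files that exist on the host but not in the baseline (a second wmiprvse.exe in an unexpected directory would show up there). File contents and paths are constructed stand-ins; MrBeatnik's value 0ffae66e6d5b1c87cbd22d1f3b6079fd for the XP SP3 wmiprvse.exe would be one real baseline entry. Two caveats a practitioner should keep in mind: a matching on-disk hash says nothing about what has been injected into the running process, which is the scenario David H. Lipman raises later, and MD5 is collision-prone, so the baseline records SHA-256 as well and compares on that.

```python
import hashlib
from typing import Dict


def norm(path: str) -> str:
    """Normalise a Windows path for comparison (case-insensitive file system)."""
    return path.replace("/", "\\").lower()


def digests(data: bytes) -> Dict[str, str]:
    """MD5 (what the thread compared) plus SHA-256 (preferred for the baseline)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: str) -> Dict[str, str]:
    """Same digests for a real on-disk file, read in chunks; use this on a live host."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Baseline from a known-clean machine: normalised path -> digests."""
    return {norm(p): digests(d) for p, d in files.items()}


def compare_to_baseline(host_files: Dict[str, bytes],
                        baseline: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify each file as match / MISMATCH / not-in-baseline / missing."""
    report: Dict[str, str] = {}
    seen = set()
    for path, data in host_files.items():
        key = norm(path)
        seen.add(key)
        if key not in baseline:
            report[key] = "not-in-baseline"   # e.g. a stray copy of wmiprvse.exe
        elif digests(data)["sha256"] == baseline[key]["sha256"]:
            report[key] = "match"
        else:
            report[key] = "MISMATCH"
    for key in baseline:
        if key not in seen:
            report[key] = "missing"
    return report


# Constructed stand-ins for file contents; these are not real Windows binaries.
CLEAN_VM = {
    r"C:\WINDOWS\system32\wbem\wmiprvse.exe": b"MZ-constructed-clean-wmiprvse",
    r"C:\WINDOWS\system32\tftp.exe": b"MZ-constructed-clean-tftp",
}
BASELINE = build_baseline(CLEAN_VM)

# A constructed suspect host: wmiprvse.exe differs and a stray copy sits elsewhere.
SUSPECT_HOST = {
    r"C:\WINDOWS\system32\wbem\wmiprvse.exe": b"MZ-constructed-MODIFIED-wmiprvse",
    r"C:\WINDOWS\system32\tftp.exe": b"MZ-constructed-clean-tftp",
    r"C:\WINDOWS\Temp\wmiprvse.exe": b"MZ-constructed-stray-copy",
}

if __name__ == "__main__":
    for path, status in sorted(compare_to_baseline(SUSPECT_HOST, BASELINE).items()):
        print(f"{status:16} {path}")
```

On a real host you would build the two dictionaries from `hash_file()` over the paths you care about and keep the clean-VM baseline somewhere the suspect machine cannot modify.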
 
David H. Lipman

From: "MrBeatnik" <[email protected]>

| Hi,

| I can evaluate HJT logs myself, and there is nothing unusual.
| Indeed, just a clean machine (VM) with XP SP3 and AV installed also shows
| the issue.

| From your reply are you suggesting that wmiprvse should NOT be trying to
| take this action?

| Thanks.

Damn straight !

HJT does NOT show everything. In fact Trend Micro has pinged the anti-malware community
for input to add to HJT to add more areas to look at.

I believe a trojan has been injected into the WMI service.
 