Showing results for tags 'wmi'.
For quite some time I had CPU usage issues that appeared to be coming from the WMI service. I figured out a workaround, which was to shut down the service called "WMI", but this wasn't ideal as it would need to happen on each reboot. I have also discovered a service called NVU which claims to be NVIDIA driver updater, but I suspect it is also fake. Today I figured out that WMI was a Bitcoin Miner virus and I was able to find the associated files. I could have removed them manually, but I got Malwarebytes to scan and remove them for me. On reboot now, my CPU is back to normal and those questionable files are gone. However, the WMI and NVU "services" still appear in the list of local services. I can no longer start or stop them (just get an error). I'm just wondering how to remove the fake services.
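One way to confirm which service registrations are orphaned (their image file no longer exists on disk, which is the state described above after the miner's files were removed) is the following PowerShell snippet. It is an added example, not code from the poster or from Malwarebytes, and it assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example (not from the original post): list services whose registered
# image file no longer exists on disk. A service whose binary was deleted but
# whose registration remains will fail to start or stop, exactly as described.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $path = $_.PathName
    if (-not $path) { return }
    # Recover the executable from the command line: a quoted path is taken
    # up to the closing quote; an unquoted path is cut at the first space
    # (an unquoted path with spaces in it would be truncated here).
    if ($path.StartsWith('"')) {
        $exe = $path.Split('"')[1]
    } else {
        $exe = ($path -split ' ')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    [pscustomobject]@{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Path      = $exe
        Exists    = Test-Path -LiteralPath $exe
    }
} | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

Any entry listed with Exists = False is a registration with no binary behind it; once you have confirmed it is not a legitimate service, `sc.exe delete <ServiceName>` (run elevated) removes the registration, and a reboot clears it from the services list.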
So I've posted before about some odd happenings and never really found a solution, but I think I got a little closer. In my event logs, I have several PowerShell events like pshell console starting a server (among other things), multiple WMI services starting, and browser redirects. Nothing has ever been found by Win Defender or MBAM Premium (I really don't feel like they're working - on the surface they seem to be working fine, but I think it's an illusion). Hitman Pro did find a file Win32.Droma.abdb (first malicious file I've ever found) and that led me to googling that and finding this article. http://niiconsulting.com/checkmate/2014/04/analysis-of-malware-detecting-behavior-anti-reversing-techniques/ ^^Please read! That almost explains my situation to a tee - I've even seen Russian/Chinese sites that will occasionally pop up on Google suspiciously. If you look at my Registry or a Driverquery of my Windows drivers, there are red flags everywhere. As far as I know I'm on the latest update of Win10, but I'm not sure anymore. I was hoping an expert could read the above article and know immediately what's going on or, if not, help me figure it out in order to get rid of it. I've reinstalled Windows after nuking it 5 times. I've been careful about any kind of syncing application (I don't even have Chrome installed) and have reset the sync of any services I do use. I could go on but will stop here and wait for an expert's advice. Should I run FRST? Oh yeah, some programs think I'm on Windows 8 (including MBAM) and I think that's due to registry infection. I would LOVE to get a clean bill of health because this has consumed way too much of my life in the past ~8 months off and on. Thanks in advance! Fingers crossed
Hi, I recently was on a site trying to download a textbook online and I did, and it popped up as an application in the E drive. Honestly, the fact that it was a program should've been my first hint, but I was kind of desperate to find the textbook, so I tried to open it. WMI Commandline utility popped up and I knew right away it was a virus. I've had this happen before on another computer, and somehow I fixed it; however, I do not remember how I did. I downloaded Malwarebytes because I've used it before and it's a good program, and I scanned both the file and the whole drive. Both scans turned up clean; however, I knew that the program or the program's creators probably found a way around the malware detection. I then scanned it with VirusTotal, and got two hits out of 50+. However, the two it showed up on were less than good. I'm sending you photos of where the program is on my drive, the VirusTotal report and possibly a gif of the program in action. The program keeps popping up with an administrator prompt, and no matter how many times I click no, it keeps popping up. I managed a fix-it so I can get back to my computer, a trick I used before, and now it's on my taskbar but still there. Hope you can help. Thanks! P.S. I'm really late for school, so if there's any way this can be resolved quickly I'd be VERY appreciative. Thank you!! VirusTotal: https://www.virustotal.com/en/file/96d238a2755e676fb8cb2df1e39deeac4814fe0a5fc77550b9ca2ba497f3bfaf/analysis/ Pictures of the VirusTotal: https://gyazo.com/3e18146bce16d7db79cdd2fd3ecbad0b https://gyazo.com/7f5a059a36601c3e9dc75adf935258e5 https://gyazo.com/c16bb632a6d3fa70f147ed4cd18bc3de https://gyazo.com/1ea1fa87f094fe3bb6f1f835eed7dd13 ...I think it's pretty safe to assume it's NOT a textbook.
Threat scan:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/10/17
Scan Time: 1:01 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 220.127.116.119
Components Version: 1.0.43
Update Package Version: 1.0.970
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: 10USER-PC\10 USER

-Scan Summary-
Scan Type: Hyper Scan
Result: Completed
Objects Scanned: 2442
Time Elapsed: 0 min, 28 sec

-Scan Options-
Memory: Enabled
Startup: Disabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Disabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 0 (No malicious items detected)
File: 0 (No malicious items detected)
Physical Sector: 0 (No malicious items detected)
(end)

--

I don't know what to do as this exceeds my knowledge of malware removal. I've never dealt with a program of this threat before. It's completely different than the other WMI commandline utility virus I had, which leads me to think that it's a different program masquerading as another. Maybe I'm wrong. Please help.

UPDATE: Scanning the whole PC with Malwarebytes reveals two extra programs, so I believe it's grabbing things from the internet and installing them. I'm getting on another PC to go on here and turning the internet off in a moment so it can't download extra programs.