WMI Error

I keep getting an Error, the one with "Send" "Dont Send "

but this time its related to WMI..how can I fix that ? it sometimes continuously keeps popping every couple of seconds.

Thanks!

 

that dialog should point you to a more information and a link to the DMP file, which you can run through the tool in my signature

For immediate (and temporary) relief, you can go into the services control panel (start->run-> services.msc) and disable the Windows Management Instrumentation service. Note that this is not a long term solution, as many windows features need that service.

 

These are the files affected:

C:\DOCUME~1\Tom\LOCALS~1\Temp\WERC.tmp.dir00\wmiprvse.exe.mdmp
C:\DOCUME~1\Tom\LOCALS~1\Temp\WERC.tmp.dir00\appcompat.txt

Thanks!

 

feed this file into the tool: C:\DOCUME~1\Tom\LOCALS~1\Temp\WERC.tmp.dir00\wmiprvse.exe.mdmp

 

hmm..didnt get you hehe..run it in CMD ?

 

which instruction did you get stuck on?

 

Lol, the Feed This File into the Tool.. Not much of an expert with windows... =)

 

Follow the instructions in this post:
http://www.windowsbbs.com/showthread.php?t=33471

 

Got this:

Opened log file 'c:\debuglog.txt'

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\DOCUME~1\Tom\LOCALS~1\Temp\WERC.tmp.dir00\wmipr vse.exe.mdmp]
Could not open dump file [C:\DOCUME~1\Tom\LOCALS~1\Temp\WERC.tmp.dir00\wmipr vse.exe.mdmp], Win32 error 2
"The system cannot find the file specified. "

 

did you search your hard drive for *.DMP files that matched the time/date of this crash occurance?

 

That file somehow doesnt exist, but i keep getting errors :/

 

PHP:

Opened log file 'c:\debuglog.txt'

Microsoft (R) Windows Debugger  Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Tom\Local Settings\Temp\WERDB.tmp.dir00\wmiprvse.exe.mdmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Windows XP Version 2600 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Debug session time: Wed Mar  2 01:11:49.000 2005 (GMT+0)
System Uptime: not available
Process Uptime: not available
Symbol search path is: SRV*c:\symbols*[url]http://msdl.microsoft.com/download/symbols[/url]
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
..........................
(e34.a9c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=80070000 ecx=694519bc edx=00000000 esi=000000c0 edi=00000000
eip=7ffe0304 esp=00069ff8 ebp=0006a05c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SharedUserData!SystemCallStub+0x4:
7ffe0304 c3               ret
0:000> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Module load completed but symbols could not be loaded for wmiprvse.exe

FAULTING_IP: 
kernel32!OpenFile+22
77e72b85 f3a5             rep     movsd

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
.exr ffffffffffffffff
ExceptionAddress: 77e72b85 (kernel32!OpenFile+0x00000022)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

DEFAULT_BUCKET_ID:  APPLICATION_FAULT

PROCESS_NAME:  wmiprvse.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at  "0x%08lx" referenced memory at  "0x%08lx ". The memory could not be  "%s ".

READ_ADDRESS:  00000000 

BUGCHECK_STR:  ACCESS_VIOLATION

THREAD_ATTRIBUTES: 
LAST_CONTROL_TRANSFER:  from 00601f4e to 77e72b85

STACK_TEXT:  
0006fe10 00601f4e 00000006 00000000 01003dc0 kernel32!OpenFile+0x22
WARNING: Stack unwind information not available. Following frames may be wrong.
0006fe30 0100d762 00000006 00000000 01003dc0 kqqDA!AttachHook+0x92
0006fe7c 0100bc7a 77e7acd9 00082396 00000000 wmiprvse+0xd762
0006ff18 0100bf38 010213f6 01000000 00000000 wmiprvse+0xbc7a
0006ffc0 77e8141a c0000034 77f944cb 7ffdf000 wmiprvse+0xbf38
0006fff0 00000000 01034000 00000000 00000000 kernel32!BaseProcessStart+0x23


FOLLOWUP_IP: 
kqqDA!AttachHook+92
00601f4e ??               ???

SYMBOL_STACK_INDEX:  1

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  kqqDA!AttachHook+92

MODULE_NAME:  kqqDA

IMAGE_NAME:  kqqDA.tmp

DEBUG_FLR_IMAGE_TIMESTAMP:  3bbfac4e

STACK_COMMAND:  .ecxr ; kb

FAILURE_BUCKET_ID:  ACCESS_VIOLATION_kqqDA!AttachHook+92

BUCKET_ID:  ACCESS_VIOLATION_kqqDA!AttachHook+92

Followup: MachineOwner
---------

eax=00000000 ebx=80070000 ecx=694519bc edx=00000000 esi=000000c0 edi=00000000
eip=7ffe0304 esp=00069ff8 ebp=0006a05c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SharedUserData!SystemCallStub+0x4:
7ffe0304 c3               ret
ChildEBP RetAddr  Args to Child              
00069ff4 77f5c534 77e7a580 000000c0 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
00069ff8 77e7a580 000000c0 00000000 0006a020 NTDLL!NtWaitForSingleObject+0xc (FPO: [3,0,0])
0006a05c 77e7ab74 000000c0 0001d4c0 00000000 kernel32!WaitForSingleObjectEx+0xa8 (FPO: [Non-Fpo])
0006a06c 6945d692 000000c0 0001d4c0 0006c320 kernel32!WaitForSingleObject+0xf (FPO: [2,0,0])
0006a0d4 69454472 0006a118 0006c328 0000007c FAULTREP!MyCallNamedPipe+0x15b (FPO: [Non-Fpo])
0006e34c 69456d2c 0006f924 0006e6c0 ffffffff FAULTREP!StartManifestReport+0x163 (FPO: [Non-Fpo])
0006f3b0 77e99dfb 0006f924 ffffffff c0000005 FAULTREP!ReportFault+0x49e (FPO: [Non-Fpo])
0006f8dc 77c313c8 0006f924 01005988 00000000 kernel32!UnhandledExceptionFilter+0x321 (FPO: [Non-Fpo])
0006f8f8 01021420 00000000 0006f924 77c33efb MSVCRT!_XcptFilter+0x15f (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
0006ffc0 77e8141a c0000034 77f944cb 7ffdf000 wmiprvse+0x21420
0006fff0 00000000 01034000 00000000 00000000 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])
start    end        module name
00600000 00673000   kqqDA    kqqDA.tmp    Sun Oct 07 02:13:50 2001 (3BBFAC4E)
01000000 01035000   wmiprvse wmiprvse.exe Thu Aug 29 09:15:13 2002 (3D6DD811)
4fec0000 4fff6000   ole32    ole32.dll    Fri Jan 14 05:33:52 2005 (41E759C0)
5ad70000 5ada4000   UXTHEME  UXTHEME.DLL  Thu Aug 29 11:39:22 2002 (3D6DF9DA)
5f770000 5f77e000   NCOBJAPI NCOBJAPI.DLL Thu Aug 29 11:39:51 2002 (3D6DF9F7)
69450000 69463000   FAULTREP FAULTREP.DLL Thu Aug 29 11:40:09 2002 (3D6DFA09)
71aa0000 71aa8000   WS2HELP  WS2HELP.DLL  Sat Aug 18 06:33:38 2001 (3B7DFE32)
71ab0000 71ac5000   WS2_32   WS2_32.DLL   Sat Aug 18 06:33:37 2001 (3B7DFE31)
71ad0000 71ad8000   WSOCK32  WSOCK32.DLL  Sat Aug 18 06:33:37 2001 (3B7DFE31)
71b20000 71b31000   MPR      MPR.DLL      Sat Aug 18 06:33:37 2001 (3B7DFE31)
75290000 752c8000   WBEMCOMN WBEMCOMN.DLL Thu Aug 29 11:40:21 2002 (3D6DFA15)
75690000 7571d000   FASTPROX FASTPROX.DLL Thu Aug 29 11:40:23 2002 (3D6DFA17)
75a70000 75b15000   USERENV  USERENV.DLL  Thu Aug 29 11:40:26 2002 (3D6DFA1A)
76360000 7636f000   WINSTA   WINSTA.DLL   Thu Aug 29 11:40:29 2002 (3D6DFA1D)
76670000 76757000   SETUPAPI SETUPAPI.DLL Thu Aug 29 11:40:30 2002 (3D6DFA1E)
76f50000 76f58000   WTSAPI32 WTSAPI32.DLL Thu Aug 29 11:40:34 2002 (3D6DFA22)
77120000 771ab000   OLEAUT32 OLEAUT32.DLL Thu Aug 29 11:40:34 2002 (3D6DFA22)
77340000 773cb000   COMCTL32 COMCTL32.DLL Thu Aug 29 11:40:42 2002 (3D6DFA2A)
77c00000 77c07000   VERSION  VERSION.DLL  Sat Aug 18 06:33:03 2001 (3B7DFE0F)
77c10000 77c63000   MSVCRT   MSVCRT.DLL   Thu Aug 29 11:40:39 2002 (3D6DFA27)
77d40000 77dd0000   user32   user32.dll   Wed Dec 29 01:31:44 2004 (41D20900)
77dd0000 77e5d000   ADVAPI32 ADVAPI32.DLL Thu Aug 29 11:40:40 2002 (3D6DFA28)
77e60000 77f46000   kernel32 kernel32.dll Thu Jun 17 18:58:35 2004 (40D1DBCB)
77f50000 77ff7000   NTDLL    NTDLL.DLL    Fri May 02 00:56:10 2003 (3EB1B41A)
78000000 78087000   RPCRT4   RPCRT4.DLL   Sat Mar 06 02:16:11 2004 (4049346B)
7f000000 7f041000   gdi32    gdi32.dll    Thu Jun 17 18:58:35 2004 (40D1DBCB)
Closing open log file c:\debuglog.txt


Thats what I got, I found the file and did what you said All done now ?

 

yup. good job. You are infected with malware. you have a file called kqqDA.tmp that is loading. Its trying to hook into it somehow, and is blowing up. This is probable rootkitish behavior, since its trying to detour openfile.

You need to run through a good virus scanner or two, then post a hijackthis log, as seen in this post for followup if that doesnt clean you up. Please start a new thread over in that removal forum so you get the attention of the local security experts, and reference this thread.

 

In reference to this post..

http://www.windowsbbs.com/showthread.php?t=41963

I was wondering which anti-virus is capable of cleaning this worm ? and if its possible the it is a free version ? Thanks

 

I may be guessing but If I do understand that correctly I think maybe we should be helping Sanshiro get SP2 installed along with the cleanup ?

BillyBob

 

I merged your post with this thread.
You can try AVG AV for free.
For online scans:
Housecall, online AV scan
Online Trojan Scan
RAV Online Scan

 

Thanks and Sorry Joe =(

and Last time i tried SP2 it messed up my pc =/

I installed AVG it healed some files ? but then It messed up the PC so went into Safe mode and removed it, but keep getting error, will keep u updated when I see a result from other AVs.

 

Nope didnt work =/

 

it healed some files
Did you make a note of what was found? It would be helpful to know if we have to get a hijackthis.

My recommendation would be to scan with each of the free web based scanners lonny points out. After that, move on to the next post and follow his directions for running spybot and adaware. If its still having problems after all that. Follow the next posts instructions for collecting and posting a hijack this log, and start your new thread with that log.

 

PS: Microsoft has a free support line to assist with infections of this nature. you can reach it in the US via: 1-866-PCSafety