wmiclisv.exe removal

Quickheal: Worm.AInfBot.p
Avira: BDS/IRCBot.592384S
McAfee: Generic BackDoor!yx


Discovered in September 2009, this piece of malware usually enters the target's system with the help of other Trojan droppers. It is also activated when the user visits unknown websites that contain infected JavaScript. Such viruses normally store themselves in the %temp% folder, but this one behaves a bit differently: when activated, the worm drops a copy of itself under the "C:\WINDOWS\System32" folder, which is the target for most viruses. As soon as this is done, it modifies and creates some entries in the Registry so that it is launched at system startup. It registers itself as a service with the name "MiniPort Driver Hub" so that whenever the process "services.exe" is launched, it launches along with it. It also edits the Registry to get past the Windows Firewall by adding itself to the authorized applications list. In addition to all these effects, the worm edits the hosts file to prevent the user from accessing anti-virus websites from the infected system. From virus removal sites to the Windows Update IP addresses, all of these sites are blocked just to stop the user from getting the worm removed. Thanks to the creator of the worm, virusdaddy.com isn't one of them. Here are the removal instructions for the worm.

Manual instructions to remove wmiclisv.exe:

  1. Let's begin with restoring the registry. To do this, you'll need to reboot your system in Safe Mode.
  2. Now go to Start --> Run and type "regedit" to open the Registry Editor. Navigate to the following key:

    HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    Look for the value with the following name and data:
    %System%\wbem\wmiclisv.exe = "%System%\wbem\wmiclisv.exe:*:Microsoft Enabled"
    This is the entry the worm created to get past the Windows Firewall; remove it to restore the registry.

  3. As mentioned earlier, the worm adds itself as a service, so you'll have to open the Services console and remove the application from it. Go to Start --> Run and type "services.msc". A window will open showing the services that run at every startup, this process among them. Look for the following services and stop them.
    Group = "SST miniport drivers"
    DisplayName = "MiniPort Driver Hub"
    ImagePath = "\??\%System%\drivers\minidrv32.sys"

    DisplayName = "WMI Client Service"
    Description = "Manages WMI data for client applications."
    ImagePath = ""%System%\wbem\wmiclisv.exe""

    This will stop the worm from running on the computer.
  4. You are almost done. All that is left is deleting the files created by the worm. Using Windows Explorer, delete the following files from their respective directories.

    C:\WINDOWS\System32\wbem\wmiclisv.exe
    C:\WINDOWS\System32\drivers\minidrv32.sys


  5. You'll also need to re-edit the hosts file to get access to the blocked websites. Go to "C:\WINDOWS\System32\Drivers\etc" and open the file "hosts" with Notepad. Clean it so that it doesn't contain any website at all (a clean hosts file holds only comment lines and, at most, the localhost entries). When you do that, you're done with getting rid of the worm and its side effects completely.

  6. Don't forget to reboot your computer for the changes to take effect.
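Step 5 asks you to empty the hosts file by hand. Before doing that it is worth seeing exactly which sites the worm redirected, because an entry pointing at a loopback address merely blocks a site, while one pointing elsewhere sends your traffic to another machine. The script below is an added example written for this post (it is not code from the original article or from any vendor); it parses hosts-file text, reports every mapping that is not a standard localhost line, and produces a cleaned copy. The sample hosts content, including the hostnames in it, is constructed for the demonstration.

```python
"""Triage a Windows hosts file for entries planted by malware.

Added example, not part of the original post. It keeps comment lines and
the standard loopback entries, reports every other mapping with a reason,
and returns a cleaned copy that contains no website at all.
"""
import ipaddress
import re

# Entries a stock Windows hosts file may legitimately contain.
DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}

_SPLIT = re.compile(r"\s+")


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each non-comment, non-blank line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = _SPLIT.split(line)
        if len(fields) < 2:
            continue  # malformed line, maps nothing
        yield line_no, fields[0], fields[1:]


def find_hijacks(text):
    """Return (line_no, ip, hostname, reason) for every non-default mapping.

    A redirect to a loopback address blocks the site; a redirect to any
    other address silently sends the traffic to another host.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if (ip, name) in DEFAULT_ENTRIES:
                continue
            if addr.is_loopback:
                reason = "blocked (points to loopback)"
            else:
                reason = "redirected to %s" % ip
            findings.append((line_no, ip, name, reason))
    return findings


def clean_hosts(text):
    """Return hosts content with every non-default mapping removed.

    Comment lines are preserved so the file still documents itself.
    """
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        fields = _SPLIT.split(stripped.split("#", 1)[0].strip())
        if len(fields) >= 2 and all((fields[0], n) in DEFAULT_ENTRIES for n in fields[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


# Constructed sample: a hosts file after a worm has blocked update and
# anti-virus sites. The hostnames are illustrative, not taken from a sample.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.antivirus-vendor.example   # added by the worm
10.0.0.5        downloads.security-tools.example
"""

if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print("line %d: %-40s %s" % (line_no, name, reason))
    print("--- cleaned hosts file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against a copy of the real file (read it with `open(path).read()` and pass the text to `find_hijacks`) and review the report before writing the cleaned text back; the worm's entries may not all point at 127.0.0.1, and any mapping to a non-loopback address deserves a closer look. The localhost lines are kept only because they are harmless; Windows resolves localhost without them.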


Posts that might help you here:

Enable Safe Mode booting, Enable Registry editing tools, Enable Hidden files and folders option.