Saturday, October 4, 2014

How to Remove Wmiprvse.exe?

First off, let’s take a look at what Wmiprvse.exe actually is:

Wmiprvse.exe is a component of the Microsoft® Windows® operating system and is the executable for the Windows® Management Instrumentation that controls management information. By using industry standards, managers can call WMI to query and set default information on desktop systems, applications, networks and other enterprise components. Software developers use WMI to create event monitoring applications that can alert users when important actions have occurred.

NOTE: The Wmiprvse.exe file is located by default in the “C:\Windows\System32\Wbem” folder.

However, there is also a known worm, “W32/Sonebot-B”, that uses the same process name. It drops a copy of itself in the “C:\Windows\System32” folder with the filename WMIPRVSE.EXE and can set Windows registry entries to run the copy whenever you reboot your computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Kernel_check = wmiprvse.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Kernel_check = wmiprvse.exe

W32/Sonebot-B also attempts to terminate a number of processes and delete a number of files from the infected computer.

The W32/Sonebot-B worm may also set the registry entries listed below:

HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\
AutoShareServer = <value>
AutoShareWks = <value>

HKLM\System\CurrentControlSet\Control\lsa\
RestrictAnonymous = <value>
RestrictAnonymousSam = <value>
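
One way to check a machine for the indicators above, as an added example that is not from the original post: it flags any running wmiprvse.exe started from outside the Wbem folder, a wmiprvse.exe file sitting directly in System32, and Kernel_check autorun values, then prints the share and anonymous-access values for review. The New-Finding helper and the SysWOW64\wbem allowance for 64-bit Windows are assumptions of this example.

```powershell
# Added example: read-only triage for the indicators described above.
# Needs PowerShell 3.0+ (Get-CimInstance); run elevated to see all process paths.
$sys32 = Join-Path $env:SystemRoot 'System32'
# Expected locations. The SysWOW64 entry is an addition not on the page: 64-bit
# Windows also runs a 32-bit WMI provider host from SysWOW64\wbem.
$expected = @((Join-Path $sys32 'wbem\wmiprvse.exe'),
              (Join-Path $env:SystemRoot 'SysWOW64\wbem\wmiprvse.exe'))
$dropped  = Join-Path $sys32 'wmiprvse.exe'   # where the page says the worm copy lands

# Hypothetical helper so every check emits rows with the same columns.
function New-Finding($Check, $Item, $Detail, $Status) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail; Status = $Status }
}

# 1. Running wmiprvse.exe processes and the path each one was started from.
foreach ($p in (Get-CimInstance Win32_Process -Filter "Name = 'wmiprvse.exe'")) {
    $status = 'SUSPICIOUS location'
    if (-not $p.ExecutablePath) { $status = 'path unavailable, rerun elevated' }
    elseif ($expected -contains $p.ExecutablePath) { $status = 'expected location' }
    New-Finding 'process' "PID $($p.ProcessId)" $p.ExecutablePath $status
}

# 2. A file named wmiprvse.exe directly in System32 matches the dropped copy.
if (Test-Path -LiteralPath $dropped) {
    $f = Get-Item -LiteralPath $dropped -Force
    New-Finding 'file' $dropped "$($f.Length) bytes, modified $($f.LastWriteTime)" 'SUSPICIOUS file'
}

# 3. Autorun values named Kernel_check under the two Run keys.
foreach ($key in 'Run', 'RunServices') {
    $path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\$key"
    $val  = (Get-ItemProperty -Path $path -Name 'Kernel_check' -ErrorAction SilentlyContinue).Kernel_check
    if ($val) { New-Finding 'autorun' "$path\Kernel_check" $val 'SUSPICIOUS autorun' }
}

# 4. Share and anonymous-access values the worm may change: reported for review,
#    since the page does not say which values it writes.
$review = @{
    'HKLM:\System\CurrentControlSet\Services\lanmanserver\parameters' = 'AutoShareServer', 'AutoShareWks'
    'HKLM:\System\CurrentControlSet\Control\Lsa' = 'RestrictAnonymous', 'RestrictAnonymousSam'
}
foreach ($path in $review.Keys) {
    foreach ($name in $review[$path]) {
        $val = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        $detail = if ($null -eq $val) { 'not set' } else { "$val" }
        New-Finding 'setting' "$path\$name" $detail 'review'
    }
}
```

The script only reads process, file and registry state and changes nothing.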

Most Common Wmiprvse.exe Error

The most common error that has been reported is the “reference memory” error message. See example below:

“Wmiprvse.exe-Application error

The instruction at “0x7c911e58” reference memory at “0x000000000””

Lesser Wmiprvse.exe Errors

Once installed, Wmiprvse.exe reports sharing violations
Uses up a lot of RAM (90%+) and causes main Windows services to fail
Known to spike CPU usage to 100% under Windows 2003, XP and Vista
Locks the task bar and quick launch icons, blocking access to the hard drive
Restarts the system every 5 to 10 minutes

Possible Wmiprvse.exe Solutions

Wmiprvse.exe loads and unloads itself automatically in Windows because it is a separate process used to handle system requests. The real executable file is 100% safe. If it seems to be eating a lot of your memory or CPU, then the version of wmiprvse is probably not the original Microsoft version and the file has been replaced by the W32/Sonebot-B virus.

Here are some steps that have been reported to work for some users: USE AT YOUR OWN RISK! Some of these methods could cause system instability.

Block the file in your Windows firewall settings.
Disable it in the Windows services.msc control panel.
Terminate any process in Task Manager that starts with HP, and wmiprvse.exe will stop hogging CPU resources.
