WMIPRVSE.EXE multiple instances running/crashing pc

Hi Folks,

be gentle with me as im a newbie

Have a p4 3.06 running xp sp1 with all latest updates, its running ZA pro firewall and Networks ass AV both of which up to date.

Everything was fine and dandy untill i rebooted this morning.
Shortly after booting i am getting multiple instances of WMIPRVSE.EXE running, each one taking approx 80k, currently i have 65 of them running and my machine is running like a DOG.

I have ran ad-aware (latest version with all updates) nothing found.
I have ran stinger from network ass (virus killer) nothing found.
Done a full system scan with my normal network ass av nothing found.
cwshredder reports nothing found.
webroot spy sweeper full scan finds nothing.

I have searched around on google and found several references to virii using the above file, but having checked the registry for the keys it alters, they are not present... (hence why av is not finding anything im guessing).

i have two instances of this file on my pc, one in my windows\prefetch folder -
WMIPRVSE.EXE-28F301A9.pf 64kb
and one in system32\wbem folder -
wmiprvse.exe 199kb

Has anyone got ANY idea whats causing this and more interestingly how on earth i get rid of it!!

thanks.

 

65 instances! Sounds like WMI has gone cukoo.

The problem described here:
http://support.microsoft.com/?kbid=319101
doesn't sound like yours, but I'm thinking that if you try the resolution it just might fix it.

 

According to this article it seems there is a virus that attaches to the file.
Looks like if found anywhere else but win32 location it probably is a baddie. Are we sure that there's no software conflicts between ZA and Nort. -- like, maybe, is Norton firewall trying to run simultaneously with ZA thus causing the multiple editions of WMI to show up?

 

ptholt, if your antivirus isn't catching this possible virus try scanning with these 2 free, online scanners:

Panda Active Scan:

http://www.pandasoftware.es/activescan/activescan-com.asp

TrendMicro's Housecall:

http://housecall.antivirus.com/housecall/start_corp.asp

 

Well im currently running Networks associates viruscan 7.0.0 with definitions last updated on the 15th July. (no further updates current'y available).

The above has been running fine with Zone Alarm for the last 12 months, so unless a roguw windows update has triggered the problem i see no reason for wmi to suddenly go mad.

I have read several threads about the wmi being used as a keylogger for bank detail grabbing worms, but on all the posts i have read it asks you to look for entries in the registry, this i have done and none of those entires have been present, so its either a different virus to the ones ive read about so far, or its something else.......

I will try the other av programs and see if they can detect anything.

 

Ran the panda active scan, nothing detected.

 

I've tried all the suggestions mentioned so far.

I cannot delete the contents of the wbem\prefetch repository folder (as the microsoft link alanc had posted suggested) as all the files are in use as soon as the pc starts although the tasks are not started.

Is it safe to delete the prefetch folder? what does it do?

I have also ran the other programs mentioned here, nothing detected and nothing has cured it.

I have also ran pest patrol (which found a lot of things that adaware, spy sweeper, cw shredder didnt) but it has still not fixed the problem.

Interesting that you mention Svchost.exe as since sunday morning (my first reboot in a week was on sunday morning and that's when the problems started) i have 5 instances of Svchost.exe running currently as well, 3 of them 'system' one network service and one local service. I don't remember there being five of them running normally.......

 

Did you stop the WMI service first?

I would also try the fix in Safe Mode.

 

Process Explorer may be of some use, you can see every single program (ALL OF THEM) that are currently running, hidden or not, with this proggy.
Process Explorer download page. go to the bottom of the page to get it.

It worked for me, I stopped Worm_RBOT.CU from killing my comp. Maybe worm is causing the program to initiate itself 60+ times to give you grief. Just a thought.