View Full Version : Remove wmiadap.exe & wmiapres.dll !


yankinNcrankin
March 16th, 2007, 08:35 PM
However these files got created on my box is still unknown to me, but I never had it before. I have successfully removed them. Process Guard alerted me of this file wanting to start, so I blocked it and did an immediate scan with Tiny Watcher and it flagged it as a new file created. Afterwards I did a search and found the files that were connected and also cleaned the registry entries related. Went into safe mode and deleted files accordingly. Now I can only guess that some kind of scripting built into XPproS2 was responsible, but I really don't know. However, after getting rid of these files my system functions normally as it did before. I'm wondering wtf a WMI reverse performance adapter resources dll needs to be analysing my apps etc. Well, problem solved for my end; anyone else experienced something like this? :)

nick s
March 16th, 2007, 10:03 PM
SSM and ProSecurity both caught wmiadap.exe executing (for the first time) after applying the latest group of Windows updates on my XP SP2 partitions, and rebooting:

WMIADAP.EXE
[EXECUTE] 2007.03.11 19:08:51
[ALLOW] \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
Command Line:wmiadap.exe /R /T
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs

and my event logs showed the following (which correspond to the registry change alerts I saw):

Event Type: Information
Event Source: LoadPerf
Event Category: None
Event ID: 1001
Date: 3/11/2007
Time: 7:12:31 PM
User: N/A
Computer: ****
Description:
Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: ea 11 00 00 eb 11 00 00 ê...ë...
0008: 17 07 00 00 ....

Event Type: Information
Event Source: LoadPerf
Event Category: None
Event ID: 1000
Date: 3/11/2007
Time: 7:12:42 PM
User: N/A
Computer: ****
Description:
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data contains the new index values assigned to this service.

I have not seen wmiadap.exe execute since.

Nick
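The two records nick s posted (a HIPS execution alert and the LoadPerf 1001/1000 event pair) are exactly what a defender would want to correlate before deciding whether a wmiadap.exe launch is a routine performance-counter rebuild or something to investigate. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it parses both record formats as quoted above, then checks that the binary ran from the WBEM directory, was started by the netsvcs svchost, and was followed by LoadPerf counter remove/load events. The sample records are constructed from the thread's quoted output; the expected install directory (`C:\WINDOWS\system32\wbem`) and the ten-minute correlation window are assumptions.

```python
"""Triage a wmiadap.exe execution alert against LoadPerf event log entries.

Added example (not from the thread). Assumptions: the expected location of
wmiadap.exe is %SystemRoot%\\system32\\wbem, and LoadPerf events within ten
minutes of the launch are treated as its follow-up.
"""
import re
from datetime import datetime, timedelta

# Constructed from the HIPS alert quoted in the thread (raw string keeps backslashes).
HIPS_ALERT = r"""WMIADAP.EXE
[EXECUTE] 2007.03.11 19:08:51
[ALLOW] \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
Command Line:wmiadap.exe /R /T
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs
"""

# Constructed from the two event log entries quoted in the thread (Data lines omitted).
EVENT_LOG = """Event Type: Information
Event Source: LoadPerf
Event Category: None
Event ID: 1001
Date: 3/11/2007
Time: 7:12:31 PM
User: N/A
Computer: ****
Description:
Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully.

Event Type: Information
Event Source: LoadPerf
Event Category: None
Event ID: 1000
Date: 3/11/2007
Time: 7:12:42 PM
User: N/A
Computer: ****
Description:
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully.
"""

EXPECTED_DIR = r"c:\windows\system32\wbem"  # assumption: default %SystemRoot%


def parse_hips_alert(text):
    """Extract launch time, image path, command lines and parent from a HIPS alert block."""
    exec_time = re.search(r"\[EXECUTE\] (\S+ \S+)", text).group(1)
    path = re.search(r"\[ALLOW\] (.+)", text).group(1).strip()
    parent = re.search(r"\[FROM\] (.+)", text).group(1).strip()
    cmdlines = [c.strip() for c in re.findall(r"Command Line:(.+)", text)]
    return {
        "time": datetime.strptime(exec_time, "%Y.%m.%d %H:%M:%S"),
        "path": path,
        "cmdline": cmdlines[0],
        "parent": parent,
        "parent_cmdline": cmdlines[1],
    }


def parse_events(text):
    """Split exported Event Viewer text into records with source, id, time and description."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, desc, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:
                desc.append(line.strip())
            elif line.startswith("Description:"):
                in_desc = True
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        stamp = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append({"source": fields["Event Source"], "id": int(fields["Event ID"]),
                       "time": stamp, "description": " ".join(desc)})
    return events


def normalize_path(path):
    """Drop the \\\\?\\ extended-length prefix the HIPS tool reports and lower-case the path."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.lower()


def triage(alert, events, window=timedelta(minutes=10)):
    """Return the checks a defender would apply to a wmiadap.exe launch."""
    path = normalize_path(alert["path"])
    directory, _, image = path.rpartition("\\")
    findings = {
        "expected_location": directory == EXPECTED_DIR and image == "wmiadap.exe",
        "launched_by_netsvcs": alert["parent"].lower().endswith("\\svchost.exe")
                               and "-k netsvcs" in alert["parent_cmdline"].lower(),
        # LoadPerf 1001 (counters removed) and 1000 (counters loaded) after the launch
        "loadperf_followups": sorted(e["id"] for e in events if e["source"] == "LoadPerf"
                                     and alert["time"] <= e["time"] <= alert["time"] + window),
    }
    findings["consistent_with_counter_rebuild"] = (
        findings["expected_location"] and findings["launched_by_netsvcs"]
        and {1000, 1001} <= set(findings["loadperf_followups"])
    )
    return findings


if __name__ == "__main__":
    result = triage(parse_hips_alert(HIPS_ALERT), parse_events(EVENT_LOG))
    for check, value in result.items():
        print(f"{check}: {value}")
```

The same launch reported from a user-writable directory, or without the netsvcs svchost as parent, fails the checks and is worth a closer look; the thread's own alert passes all of them, which matches Nick's observation that it ran once after Windows updates and not since.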