Remove wmiadap.exe & wmiapres.dll!

Discussion in 'other security issues & news' started by yankinNcrankin, Mar 16, 2007.

Thread Status:
Not open for further replies.
  1. yankinNcrankin

    yankinNcrankin Registered Member

    However these files got created on my box is still unknown to me, but I never had it before. I have successfully removed them. Process Guard alerted me of this file wanting to start, so I blocked it and did an immediate scan with Tiny Watcher, and it flagged it as a new file created. Afterwards I did a search and found the files that were connected and also cleaned the related registry entries. Went into safe mode and deleted the files accordingly. Now I can only guess that some kind of scripting built into XPproS2 was responsible, but I really don't know. However, after getting rid of these files my system functions normally as it did before. I'm wondering wtf a WMI reverse performance adapter resources dll needs to be analysing my apps etc. Well, problem solved for my end. Anyone else experienced something like this? :)
     
  2. nick s

    nick s Registered Member

    SSM and ProSecurity both caught wmiadap.exe executing (for the first time) after applying the latest group of Windows updates on my XP SP2 partitions, and rebooting:

    WMIADAP.EXE
    [EXECUTE] 2007.03.11 19:08:51
    [ALLOW] \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    Command Line:wmiadap.exe /R /T
    [FROM] C:\WINDOWS\System32\svchost.exe
    Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


    and my event logs showed the following (which correspond to the registry change alerts I saw):

    Event Type: Information
    Event Source: LoadPerf
    Event Category: None
    Event ID: 1001
    Date: 3/11/2007
    Time: 7:12:31 PM
    User: N/A
    Computer: ****
    Description:
    Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: ea 11 00 00 eb 11 00 00 ê...ë...
    0008: 17 07 00 00 ....

    Event Type: Information
    Event Source: LoadPerf
    Event Category: None
    Event ID: 1000
    Date: 3/11/2007
    Time: 7:12:42 PM
    User: N/A
    Computer: ****
    Description:
    Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data contains the new index values assigned to this service.


    I have not seen wmiadap.exe execute since.

    Nick
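
Added example, not part of the original thread: a Python check that parses an execution alert in the layout nick s quoted and reports which fields (image path, parent process, parent arguments) differ from the values in that alert. The function names, the `BASELINE` dictionary and the second alert are constructed for illustration.

```python
import ntpath
import re

# Baseline copied from the alert nick s posted, lower-cased for comparison.
BASELINE = {"image": r"c:\windows\system32\wbem\wmiadap.exe",
            "parent": r"c:\windows\system32\svchost.exe",
            "parent_args": "-k netsvcs"}

POSTED_ALERT = r"""WMIADAP.EXE
[EXECUTE] 2007.03.11 19:08:51
[ALLOW] \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
Command Line:wmiadap.exe /R /T
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs
"""
# Constructed sample, not from the thread: same file name, other path and parent.
CONSTRUCTED_ALERT = r"""WMIADAP.EXE
[EXECUTE] 2007.03.12 10:00:00
[ALLOW] C:\WINDOWS\Temp\wmiadap.exe
Command Line:wmiadap.exe
[FROM] C:\WINDOWS\explorer.exe
Command Line:C:\WINDOWS\explorer.exe
"""

def normalize(path):
    """Strip the long-path prefix, collapse '..' segments, lower-case."""
    path = path[4:] if path.startswith("\\\\?\\") else path
    return ntpath.normpath(path).lower()

def parse_alert(text):
    """Split one alert into time, image, parent and their command lines."""
    rec, last = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"\[(\w+)\]\s*(.*)", line)
        if m:
            # Any tag other than EXECUTE/FROM is the verdict line holding the image path.
            last = {"EXECUTE": "time", "FROM": "parent"}.get(m.group(1).upper(), "image")
            rec[last] = m.group(2).strip()
        elif last and line.lower().startswith("command line:"):
            rec[last + "_cmd"] = line.split(":", 1)[1].strip()
    return rec

def deviations(text):
    """Return observed fields that differ from BASELINE; an empty dict is a match."""
    rec = parse_alert(text)
    parent_raw = rec.get("parent", "")
    seen = {"image": normalize(rec.get("image", "")),
            "parent": normalize(parent_raw),
            "parent_args": rec.get("parent_cmd", "")[len(parent_raw):].strip().lower()}
    return {k: v for k, v in seen.items() if v != BASELINE[k]}
```

An empty result only means the launch has the same path and parent as the one in the thread; it says nothing about the contents of the file itself.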
     