Suffering from Muppetitis

  OTT_Buzzard 22:02 22 Apr 2009

I could use some help from anyone with XP Pro and a few minutes to look up some info in the registry....

A little while back I did a virus scan which picked up a virus masquerading as wmiprvse.exe, located in C:\windows\system32\wbem

Since the exe file was active it wouldn't let me delete it, and any attempts to stop the process in task manager resulted in it restarting itself. So, without thinking too much (here's the problem!) i went into regedit, found the first wmiprvse entry and deleted it. That then allowed me to permanently stop the process and delete the offending exe file.

Ooops. I deleted the wrong entry. And, no, i didn't backup the registry before doing anything. I can't now update Windows, although that seems to be the only side effect that i've found so far.

So, if anyone can, could you go into your registry and post back the details for the entry so that I can (attempt) to recreate it? I need to know the location and all details for anything contained inside,

I don't really want to do a system retore as this was a while ago and a lot of stuff has been put on the PC since then. I suspect however that I'm gonna end up doing it anyway :(

  Picklefactory 22:13 22 Apr 2009

Any idea exactly where it resides or how I can search for it?

  OTT_Buzzard 22:15 22 Apr 2009

Go in to regedit, then Edit menu, Find, then type wmiprvse

Hopefully it will be the first entry it finds.

If its in a 'numbered' root then go to the next entry (press F3).

Thanks for your reply!

  phono 22:17 22 Apr 2009

First registry entry on my system is as follows:


String values are:

%systemroot%\system32\wbem\wmiprvse.exe -secured

Have you tried sfc /scannow to replace the file concerned?

  OTT_Buzzard 22:18 22 Apr 2009

oooh. actually, that's a good point! brb....

  Picklefactory 22:23 22 Apr 2009

%systemroot%\system32\wbem\wmiprvse.exe -secured

Next entry is
HKEY_CLASSES_ROOT\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 with the same string as above

And that is all it finds on mine.

  OTT_Buzzard 22:27 22 Apr 2009

ok, that's good.

Picklefactory: thanks for the response

phono: I'm running scannow at the moment, hopefully it will work

....if it doesn't I'll need the keys that are within those locations if possible? Will know the result of scannow in 10 minutes or so.

  Picklefactory 22:29 22 Apr 2009

I'll hang on till then, but I'm more of a muppet than you where registry is concerned, so you'll have to guide.

  phono 22:33 22 Apr 2009

Should have said that the full string values are as below:

(Default) %systemroot%\system32\wbem\wmiprvse.exe -secured
ServerExecutable %systemroot%\system32\wbem\wmiprvse.exe

Hope this helps.

  OTT_Buzzard 22:43 22 Apr 2009

hmmm. ok. it loos like scannow hasn't fixed the problem. I think it's time to submit to a system restore. Recreating the registry key over a forum is going to be a difficult task at the very least.

phono / picklefactory: thanks for your input!

  Picklefactory 22:44 22 Apr 2009

sorry couldn't be more help.

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

Dell XPS 13 9370 (2018) review

The art of 'British' pulp fiction

Best password managers for Mac

TV & streaming : comment regarder le Tournoi des Six Nations 2018 ?