FlyerTalk Forums - View Single Post - Help! WMIPRVSE.EXE Is Killing My PC
Old Jun 9, 2007 | 12:50 pm
  #8  
cordelli
In Memoriam
 
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
The WMIPRVSE.EXE that ships with Windows is not spyware. Many spyware programs, though, use that name, including the W32/Sonebot-B worm. It acts by copying itself into the system directory as this file so it can run amuck on its own.

If you have any other copies than the one in WINDOWS\System32\Wbem or if the copy there does not have the right time stamp and file size, your system has probably been infected.

W32/Sonebot-B is a network worm which includes IRC bot and backdoor functionality that allows unauthorised remote access to the infected computer.

This worm copies itself to network shares with weak passwords, initiates a remote background process, connects to a remote IRC server and joins a specific channel.

W32/Sonebot-B drops a copy of itself to the Windows System32 folder with the filename WMIPRVSE.EXE and sets the following registry entries to run the copy on system restart:
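
Added example, not part of the original post and not taken from any vendor tool: a PowerShell sketch of the location, size and timestamp check the post describes, listing every `wmiprvse.exe` on disk or running and marking the ones outside the expected directory. The extra allowed locations (`SysWOW64\wbem`, `WinSxS`) and the signature column are assumptions added here for newer Windows versions; the post names only `System32\Wbem`.

```powershell
# Added example: inventory wmiprvse.exe copies and flag unexpected locations.
$name = 'wmiprvse.exe'
$root = $env:SystemRoot

# Expected directory per the post, plus (assumption) the 32-bit copy on 64-bit Windows.
$exactDirs = @(
    (Join-Path $root 'System32\wbem'),
    (Join-Path $root 'SysWOW64\wbem')
)
# Assumption: the component store also holds legitimate copies on newer Windows.
$storePrefix = (Join-Path $root 'WinSxS') + '\'

function Test-ExpectedLocation {
    param([string]$Path)
    $dir = [System.IO.Path]::GetDirectoryName($Path)
    foreach ($d in $exactDirs) {
        if ($dir.Equals($d, 'OrdinalIgnoreCase')) { return $true }
    }
    return ($dir + '\').StartsWith($storePrefix, 'OrdinalIgnoreCase')
}

# 1. Files on disk under the Windows directory, including hidden/system ones.
$onDisk = Get-ChildItem -Path $root -Filter $name -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# 2. Image paths of running processes with that name.
$running = Get-CimInstance Win32_Process -Filter "Name = '$name'" |
    Where-Object ExecutablePath |
    Select-Object -ExpandProperty ExecutablePath

$paths = @($onDisk) + @($running) | Sort-Object -Unique

foreach ($p in $paths) {
    $file = Get-Item -LiteralPath $p -Force
    # Signature status is one signal alongside location, size and timestamp.
    $sig  = Get-AuthenticodeSignature -LiteralPath $p
    [pscustomobject]@{
        Path        = $p
        ExpectedDir = Test-ExpectedLocation $p
        Length      = $file.Length
        LastWrite   = $file.LastWriteTime
        Signature   = $sig.Status
    }
}
```

Rows with `ExpectedDir` set to `False`, such as a copy sitting directly in `System32`, are the ones to investigate; compare `Length` and `LastWrite` of the `System32\wbem` copy against a known-good machine running the same Windows build.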