Scam.ScanSpyware and wbem folder


6 replies to this topic

#1 smd

Posted 02 September 2006 - 06:42 PM

At the end of August the above spyware was identified in scans on each of my 3 networked PCs and I marked it for removal in all cases. A few days later I found that file sharing on my network had stopped working so I tried to open Windows Firewall (running XP2 Home Service Pack 2, set to autoupdate) to confirm that it was still set to enable file sharing.

However, I could not open it because it said *framedyn.dll* was missing. Lacking that file also meant I could not open System Restore to go back to an earlier, working, configuration. I then found, via an error message, that wmi and the repository were needed and downloaded a Microsoft diagnosis tool WMIDiag (see http://www.microsoft...p/wmidiag.mspx). Running this revealed that 63 exe/dll files were missing plus data files to do with the wmi system of XP. I restored the exe/dll files from another, unaffected, PC, but still don't have a repository.

I next found the Adaware archive files for the end of August and noticed that the above spyware file had entries in the following directories: wbem, System Volume Information, and SpywareBot.

For 2 of the PCs, I then used the Adaware restore function to undo the spyware removal operations to see if more data were restored. Files then appeared in the Auto Recover folder for both of them (previously empty), but only 1 PC has any file in the *mof* directory; the other one still has no *mof* files. (I have not carried out any changes to the 3rd PC yet.)

The Microsoft diagnosis tool shows there are still problems with the *wmi* part of XP and the next set of fixes suggested are a bit complex and will not restore all the system data (the repository seems a bit like the registry). I therefore have two PCs partially restored but with problems and they now have the Scam.ScanSpyware files on them again. The 3rd PC is more broken, but doesn't have the spyware.

I'd appreciate any suggestions as to how to try fixing the PCs, restoring the repository (including retaining static entries if I rebuild it?) and removing the spyware. (I've emailed Microsoft but am not holding my breath!)

#2 smd

Posted 07 September 2006 - 05:51 PM

Interim update - I've been contacted by Microsoft :( with some further tests to run to try to restore WMI. I'll post any successful outcome.

#3 RobertX

Posted 07 September 2006 - 10:51 PM

I will be very interested in your success. I had the same problem September 5th:

Scam.ScanSpyware object Recognized!
Type : File
Data : A0238140.exe
TAC Rating : 3
Category : Malware
Comment
object : C:\System Volume Information\_restore{682C2336-3DE1-4660-86BC-52475495336E}\RP434\
FileVersion : 1.00
Productversion : 1.00
ProductName : X-Spyware
InternalName : Progress
originalFilename : Progress.exe

Scam.ScanSpyware object Recognized!
Type : File
Data : A0238158.exe
TAC Rating : 3
Category : Malware
Comment
object : C:\System Volume Information\_restore{682C2336-3DE1-4660-86BC-52475495336E}\RP438\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : X-Spyware
InternalName : Progress
originalFilename : Progress.exe
Performing conditional scans.
>>>> >>>>>>>>>> >>>> >>>> >>>>>> >>>>>> >>>>>> >>>>>>>> >>>> >> >> >>>>>>>>>> >>>>>>>>>>
Scam.ScanSpyware Object Recognized!
Type : Folder
TAC Rating : 3
Category : Malware
Comment : Scam.ScanSpyware
object : C:\WINDOWS\system32\wbem
Conditional scan result:
>>>> >> >> >>>> >>>>>>>> >>>> >> >> >> >> >> >> >> >> >> >>>>>>>>>> >>>> >>>> >> >> >>>>>>>>>>>>
New critical objects: 1
objects found so far: 15
2:39:59 PM Scan Complete
Summary of This Scan
>> >> >> >>>> >>>>>>>> >>>>>> >> >> >> >> >>>>>>>> >> >> >> >> >> >>>>>>>> >>>> >> >> >>>>>>>>>>
Total scanning time:00:17:05.281
objects scanned:252510
objects identified:8
objects ignored:0
New critical objects:8

The above spyware was identified in a scan on my networked PC and I marked it for removal, and removed it. I also found that file sharing on my network has stopped.

The wbem folder was empty, but contained some subfolders.

I have gone through the Microsoft diagnosis tool WMIDiag (see http://www.microsoft.com/technet/scriptcen...p/wmidiag.mspx).

I restored the exe/dll files using the WMI diagnostics and also rebuilt the repository, created .mof files, etc. Still have a crippled system. Backing up everything everywhere in case the final solution is a reinstall.

I wonder if there was really spyware present, or if, in my zeal, I cut my own throat (or net).

I wish you luck and will post anything I find, too. I'm looking forward to several more evenings of diagnosis and failure.

Is the reason that Ad-Aware tagged these files/folders verified?

Sincerely,
Robert
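
A triage pass over a scan log in the layout quoted in the post above, as an added example that is not part of the original thread and not Ad-Aware's own code: it parses each "Object Recognized!" record and holds back detections that point at OS directories such as system32\wbem instead of removing them. The PROTECTED list, the hold/restore-point/remove labels and the sample records are assumptions constructed for illustration.

```python
import re
from ntpath import normpath  # Windows path rules, usable on any OS

# Constructed sample in the layout of the scan log quoted above.
SAMPLE_LOG = r"""
Scam.ScanSpyware Object Recognized!
Type : File
Data : A0000001.exe
TAC Rating : 3
Category : Malware
Object : C:\System Volume Information\_restore{GUID}\RP1\

Scam.ScanSpyware Object Recognized!
Type : Folder
TAC Rating : 3
Category : Malware
Comment : Scam.ScanSpyware
Object : C:\WINDOWS\system32\wbem
"""

# Assumption: directories whose removal breaks the OS; extend for your build.
PROTECTED = [r"c:\windows\system32", r"c:\windows\system"]
HEADER = re.compile(r"^(?P<name>\S+) Object Recognized!$", re.I)
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.*)$")

def parse_detections(text):
    """Split the log into one dict per 'Object Recognized!' record."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"name": m["name"]}
            records.append(cur)
        elif cur is not None and (f := FIELD.match(line)):
            cur[f["key"].strip().lower()] = f["val"].strip()
    return records

def triage(rec):
    """'hold' for OS paths, 'restore-point' for System Restore copies, else 'remove'."""
    # normpath collapses '..' and trailing separators before the prefix check.
    path = normpath(rec.get("object", "")).lower().rstrip("\\")
    if "\\system volume information\\_restore" in path:
        return "restore-point"
    if any(path == p or path.startswith(p + "\\") for p in PROTECTED):
        return "hold"
    return "remove"
```
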

#4 CoffeeKid

Posted 08 September 2006 - 04:34 AM

Same thing happened to me. AdAware found the Scam.ScanSpyware and today when I clicked on My Computer|Properties I got an error that told me framedyn.dll was missing. When I went looking for it everything in wbem was missing.

If you know of a fix please let me know.

#5 CoffeeKid

Posted 08 September 2006 - 05:29 AM

A quick Google search got me to an mvps site to repair wmi.

http://windowsxp.mvp...g/repairwmi.htm

I ended up reinstalling it using the last suggestion of his. I reran the wmidiag and now I'm only missing these four files.

11377 21:10:25 (0) ** - CmdEvTgProv.dll
11378 21:10:25 (0) ** - evntrprv.dll
11379 21:10:25 (0) ** - policman.dll
11380 21:10:25 (0) ** - wbemperf.dll

Since my Merc keyboard, www.zboard.com, can now finally install without crashing I'm going to play some games.

#6 RobertX

Posted 11 September 2006 - 03:17 AM

I successfully rebuilt WMI; however, internet connection sharing still failed.

Next step for me...

I performed an in-place upgrade (reinstallation) of XP. See http://support.micro...b/315341/EN-US/

Before this, I needed to integrate XP with SP2. See http://support.micro....com/kb/900871/

Seemed to work fine. Internet sharing is back and Ad-Aware did not find any critical items in the wbem folder this time.

Because I had to re-download all the MS updates I am considering making a custom windows installation that includes SP2, MS updates, and drivers and settings. See http://www.nliteos.com


I hope that Microsoft support comes through with a good solution for you.

Sincerely
Robert

#7 moldyolddoh

Posted 16 September 2006 - 11:00 AM

Spooky, I had the same issue today but must have been luckier as I merely replaced the file by following these steps and it worked again:

http://support.micro...kb;en-us;319114