smd

Scam.ScanSpyware and wbem folder

7 posts in this topic

At the end of August the above spyware was identified in scans on each of my 3 networked PCs and I marked it for removal in all cases. A few days later I found that file sharing on my network had stopped working so I tried to open Windows Firewall (running XP2 Home Service Pack 2, set to autoupdate) to confirm that it was still set to enable file sharing.

 

However, I could not open it because it said *framedyn.dll* was missing. Lacking that file also meant I could not open System Restore to go back to an earlier, working, configuration. I then found, via an error message, that wmi and the repository were needed and downloaded a Microsoft diagnosis tool WMIDiag (see http://www.microsoft.com/technet/scriptcen...p/wmidiag.mspx). Running this revealed that 63 exe/dll files were missing plus data files to do with the wmi system of XP. I restored the exe/dll files from another, unaffected, PC, but still don't have a repository.

 

I next found the Adaware archive files for the end of August and noticed that the above spyware file had entries in the following directories: wbem, System Volume Information, and SpywareBot.

 

For 2 of the PCs, I then used the Adaware restore function to undo the spyware removal operations to see if more data were restored. Files then appeared in the Auto Recover folder for both of them (previously empty), but only 1 PC has any file in the *mof* directory, the other one still has no *mof* files. (I have not carried out any changes to the 3rd PC yet).

 

The Microsoft diagnosis tool shows there are still problems with the *wmi* part of XP and the next set of fixes suggested are a bit complex and will not restore all the system data (the repository seems a bit like the registry). I therefore have two PCs partially restored but with problems and they now have the Scam.ScanSpyware files on them again. The 3rd PC is more broken, but doesn't have the spyware.

 

I'd appreciate any suggestions as to how to try fixing the PCs, restoring the repository (including retaining static entries if I rebuild it?) and removing the spyware? (I've emailed Microsoft but am not holding my breath!).


Interim update - I've been contacted by Microsoft :( with some further tests to run to try to restore WMI. I'll post any successful outcome.


I will be very interested in your success. I had the same problem September 5th:

 

Scam.ScanSpyware object Recognized!

Type : File

Data : A0238140.exe

TAC Rating : 3

Category : Malware

Comment

object : C:\System Volume Information\_restore{682C2336-3DE1-4660-86BC-52475495336E}\RP434\

FileVersion : 1.00

ProductVersion : 1.00

ProductName : X-Spyware

InternalName : Progress

originalFilename : Progress.exe

 

Scam.ScanSpyware object Recognized!

Type : File

Data : A0238158.exe

TAC Rating : 3

Category : Malware

Comment

object : C:\System Volume Information\_restore{682C2336-3DE1-4660-86BC-52475495336E}\RP438\

FileVersion : 1.00

ProductVersion : 1.00

ProductName : X-Spyware

InternalName : Progress

originalFilename : Progress.exe

Performing conditional scans.

>>>> >>>>>>>>>> >>>> >>>> >>>>>> >>>>>> >>>>>> >>>>>>>> >>>> >> >> >>>>>>>>>> >>>>>>>>>>

Scam.ScanSpyware Object Recognized!

Type : Folder

TAC Rating : 3

Category : Malware

Comment : Scam.ScanSpyware

object : C:\WINDOWS\system32\wbem

Conditional scan result:

>>>> >> >> >>>> >>>>>>>> >>>> >> >> >> >> >> >> >> >> >> >>>>>>>>>> >>>> >>>> >> >> >>>>>>>>>>>>

New critical objects: 1

objects found so far: 15

2:39:59 PM Scan Complete

Summary of This Scan

>> >> >> >>>> >>>>>>>> >>>>>> >> >> >> >> >>>>>>>> >> >> >> >> >> >>>>>>>> >>>> >> >> >>>>>>>>>>

Total scanning time:00:17:05.281

objects scanned:252510

objects identified:8

objects ignored:0

New critical objects:8

 

The above spyware was identified in a scan on my networked PC and I marked it for removal, and removed it. I also found that file sharing on my network has stopped.

 

The wbem folder was empty, but contained some subfolders.

 

I have gone through the Microsoft diagnosis tool WMIDiag (see http://www.microsoft.com/technet/scriptcen...p/wmidiag.mspx).

 

I restored the exe/dll files using the WMI diagnostics and also rebuilt the repository, created .mof files, etc. Still have a crippled system. Backing up everything everywhere in case the final solution is a reinstall.

 

I wonder if there was really spyware present, or if, in my zeal, I cut my own throat (or net).

 

I wish you luck and will post anything I find, too. I'm looking forward to several more evenings of diagnosis and failure.

 

Is the reason that Ad-Aware tagged these files/folders verified?

 

Sincerely,

Robert
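Added example, not part of any post in this thread and not Ad-Aware's own tooling: a small triage pass over a scan log in the layout quoted above, listing detections that sit in the Windows system directory or the System Restore store so they can be reviewed before anything is marked for removal. The sample log is constructed, and the names `REVIEW_PREFIXES`, `parse_detections` and `triage` are hypothetical.

```python
import re

# Constructed sample in the layout of the scan log quoted in the thread;
# the restore-point GUID is a placeholder and the third record is invented.
SAMPLE_LOG = r"""
Scam.ScanSpyware Object Recognized!
Type : File
Data : A0238140.exe
Category : Malware
Object : C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP434\
Scam.ScanSpyware Object Recognized!
Type : Folder
Category : Malware
Object : C:\WINDOWS\system32\wbem
Example.Adware Object Recognized!
Type : File
Category : Adware
Object : C:\Program Files\ExampleToolbar\
"""

# Assumption: locations where a detection gets manual review before removal.
REVIEW_PREFIXES = {
    r"c:\windows\system32": "Windows system directory",
    r"c:\system volume information": "System Restore store",
}
HEADER = re.compile(r"^(?P<name>.+?)\s+object recognized!$", re.IGNORECASE)
FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")

def parse_detections(log_text):
    """Split the log into one dict per 'Object Recognized!' record."""
    detections, current = [], None
    for line in map(str.strip, log_text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = {"name": header["name"]}
            detections.append(current)
        elif current is not None and (field := FIELD.match(line)):
            current[field["key"].strip().lower()] = field["value"].strip()
    return detections

def triage(detections):
    """Return (name, path, reason) for detections to review before removal."""
    flagged = []
    for det in detections:
        path = det.get("object", "").lower()
        for prefix, reason in REVIEW_PREFIXES.items():
            if path == prefix or path.startswith(prefix + "\\"):
                flagged.append((det["name"], det["object"], reason))
    return flagged
```
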


Same thing happened to me. AdAware found the Scam.ScanSpyware and today when I clicked on My Computer|Properties I got an error that told me framedyn.dll was missing. When I went looking for it everything in wbem was missing.

 

If you know of a fix please let me know.


A quick Google search got me to an mvps site to repair wmi.

 

http://windowsxp.mvps.org/repairwmi.htm

 

I ended up reinstalling it using the last suggestion of his. I reran the wmidiag and now I'm only missing these four files.

 

11377 21:10:25 (0) ** - CmdEvTgProv.dll

11378 21:10:25 (0) ** - evntrprv.dll

11379 21:10:25 (0) ** - policman.dll

11380 21:10:25 (0) ** - wbemperf.dll

 

Since my Merc keyboard, www.zboard.com, can now finally install without crashing I'm going to play some games.


I successfully rebuilt WMI; however, internet connection sharing still failed.

 

Next step for me...

 

I performed an in-place upgrade (reinstallation) of XP. See http://support.microsoft.com/kb/315341/EN-US/

 

Before this, I needed to integrate XP with SP2. See http://support.microsoft.com/kb/900871/

 

Seemed to work fine. Internet sharing is back and Ad-Aware did not find any critical items in the wbem folder this time.

 

Because I had to re-download all the MS updates I am considering making a custom Windows installation that includes SP2, MS updates, and drivers and settings. See http://www.nliteos.com

 

 

I hope that Microsoft support comes through with a good solution for you.

 

Sincerely

Robert
