Yet Another Fake Anti-Virus/Malware

After a Windows update, My client's Dell with XP Media Center was crashing (bsod with stop errors - no  files listed)  - I uninstalled the most recent  updates but it didn't help;
Then I disabled all unnecessary startup items in msconfig and the bsod stopped;
When I re-enabled the SpySweeperUI.exe/startintray the bsod came back - right after logging in to the desktop

Tried to uninstall Spysweeper - only got a bsod, BUT then the red circle with an X (bogus) warning came up in systray saying my "system was infected"
System Restore had Restore points listed but nothing happened when I tried the Restore wizard - clicking Next to initiate Restore did nothing!
Then I knew I had to run SDFix & Combofix to try to fix it

The computer had other problems - bsod whenever I right-clicked on anything or even Edit/Copy from the Explorer menu; or Alt/Enter to get Properties on an object.

I've run SDFix & ComboFix - I forgot to run HijackThis before those, but I ran it afterward and attached all 3 log files.

SpySweeper runs fine now, and the other crashing problems seem to have disappeared . . .

Where do these infections come from?
I've had 3 clients get similar ones now - 2 running Trend Micro and now this one running SpySweeper with Anti-Virus 6.0

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I would have thought these infections are coming from something you are running on your machine's which are infected or a website which is getting infected content onto your devices.

If your anti virus is up to date, it should notice the infected files before they cause harm, as I believe should spysweeper.

There are some things I use which have always spotted any dodgy infections before they can act.
Spybot,, windows defender and avast.
Of course you don't really want 4/5 programs running, so maybe on the 3 machines mix and match the programs?.

Also worth delete the temp profile under your profile, as that where dodgy content from the internet first resides. Also worth doing a full virus scan with latest defintions.
Hijackthis log and combofix logs are fine.
SDfix failed to delete one bad file, but combofix deleted it.
If you think the system is still infected, you might like to try running an online scan with Kaspersky, save the log becasue it won't delete the threats that it finds and attach the log here for us to look at.

Kaspersky online scanner:

You can get infected these days just by being connected online if the system has a vulnerability that allowed the infection. You can also get infected just by visiting a site without even clicking on anything on that site.
It sounds as if you have the XP Antivirus 2009 malware on your system.
I recommend downloading and updating malwarebytes.
You can get it free from
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
You may also need to download and run HiJackThis from
Once you run the utility save the log file.
You can post it for free analysis here or at
You are primarily looking for items marked with red X's.
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

samsteridAuthor Commented:
Ok - thanks everyone so far

I ran Kaspersky and it only found things already quarantined by ComboFix & SDFix, plus the AskSBar thing which I think I uninstalled ok
(I then uninstalled Combofix and deleted the SDFix zipfile)

I then ran MalwareBytes and have attached that log - it found things related to MyWebSearch but "took no action"?

I don't see any thing in Add/Remove programs for MyWebSearch - maybe its an IE extension that I should disable?

(I'm telling this client to switch to Firefox anyway)
>>>I then ran MalwareBytes and have attached that log - it found things related to MyWebSearch but "took no action"?<<<

You need to let Malwarebytes quarantine what it finds. The MyWebSearch that MBAM found are just leftover reg entries (which you can remove) not physical files.
And those beep.sys files that are infected SDFix supposedly replaced them, I don't know why MalwareBytes still flagging them, did Kaspersky found those beep.sys files as infected?, combofix didn't flag those so could be MBAM false positive.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
samsteridAuthor Commented:
I ran MalwareBytes again today with the /developer switch - the beep.sys did not show up so I guess it was a fake positive.
I'm not sure I need to do anything about the Trojan.Downloader it just found in a System Resotre folder (log attached)

Thanks again to all!
samsteridAuthor Commented:
Thanks all - I guess I have to start adding MalwareBytes to other packages like Trend Micro or Spysweeper to my clients' setup
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.