Yet Another Fake Anti-Virus/Malware

After a Windows update, my client's Dell with XP Media Center was crashing (BSOD with stop errors - no files listed) - I uninstalled the most recent updates but it didn't help;
Then I disabled all unnecessary startup items in msconfig and the BSOD stopped;
When I re-enabled the SpySweeperUI.exe/startintray item the BSOD came back - right after logging in to the desktop.

Tried to uninstall SpySweeper - only got a BSOD, BUT then the red circle with an X (bogus) warning came up in the systray saying my "system was infected".
System Restore had restore points listed but nothing happened when I tried the Restore wizard - clicking Next to initiate the restore did nothing!
Then I knew I had to run SDFix & ComboFix to try to fix it.

The computer had other problems - a BSOD whenever I right-clicked on anything, or even used Edit/Copy from the Explorer menu, or Alt/Enter to get Properties on an object.

I've run SDFix & ComboFix - I forgot to run HijackThis before those, but I ran it afterward and attached all 3 log files.

SpySweeper runs fine now, and the other crashing problems seem to have disappeared . . .

Where do these infections come from?
I've had 3 clients get similar ones now - 2 running Trend Micro and now this one running SpySweeper with Anti-Virus 6.0

rpggamergirl Commented:
>>>I then ran MalwareBytes and have attached that log - it found things related to MyWebSearch but "took no action"?<<<

You need to let Malwarebytes quarantine what it finds. The MyWebSearch entries that MBAM found are just leftover registry entries (which you can remove), not physical files.
And those beep.sys files that were flagged as infected - SDFix supposedly replaced them. I don't know why Malwarebytes is still flagging them; did Kaspersky find those beep.sys files as infected? ComboFix didn't flag them, so it could be an MBAM false positive.

I would have thought these infections are coming from something you are running on your machines which is infected, or a website which is getting infected content onto your devices.

If your antivirus is up to date, it should notice the infected files before they cause harm, as I believe SpySweeper should.

There are some things I use which have always spotted any dodgy infections before they can act:
Spybot, Windows Defender and Avast.
Of course you don't really want 4 or 5 programs running, so maybe on the 3 machines mix and match the programs?

Also worth deleting the temp profile under your profile, as that is where dodgy content from the internet first resides. Also worth doing a full virus scan with the latest definitions.
HijackThis log and ComboFix logs are fine.
SDFix failed to delete one bad file, but ComboFix deleted it.
If you think the system is still infected, you might like to try running an online scan with Kaspersky; save the log because it won't delete the threats that it finds, and attach the log here for us to look at.

Kaspersky online scanner:

You can get infected these days just by being connected online if the system has a vulnerability that allowed the infection. You can also get infected just by visiting a site without even clicking on anything on that site.

David-Howard Commented:
It sounds as if you have the XP Antivirus 2009 malware on your system.
I recommend downloading and updating Malwarebytes.
You can get it free from
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
You may also need to download and run HijackThis from
Once you run the utility, save the log file.
You can post it for free analysis here or at
You are primarily looking for items marked with red X's.
samsterid (Author) Commented:
OK - thanks everyone so far.

I ran Kaspersky and it only found things already quarantined by ComboFix & SDFix, plus the AskSBar thing, which I think I uninstalled OK.
(I then uninstalled ComboFix and deleted the SDFix zip file.)

I then ran Malwarebytes and have attached that log - it found things related to MyWebSearch but "took no action"?

I don't see anything in Add/Remove Programs for MyWebSearch - maybe it's an IE extension that I should disable?

(I'm telling this client to switch to Firefox anyway.)
samsterid (Author) Commented:
I ran Malwarebytes again today with the /developer switch - the beep.sys did not show up, so I guess it was a fake positive.
I'm not sure I need to do anything about the Trojan.Downloader it just found in a System Restore folder (log attached).

Thanks again to all!
samsterid (Author) Commented:
Thanks all - I guess I have to start adding Malwarebytes to other packages like Trend Micro or SpySweeper in my clients' setups.