Yet Another Fake Anti-Virus/Malware

Posted on 2008-11-13
Last Modified: 2013-12-06
After a Windows update, my client's Dell with XP Media Center was crashing (BSOD with stop errors, no files listed). I uninstalled the most recent updates, but it didn't help.
Then I disabled all unnecessary startup items in msconfig and the BSOD stopped.
When I re-enabled SpySweeperUI.exe /startintray, the BSOD came back right after logging in to the desktop.

Tried to uninstall SpySweeper, but only got a BSOD. BUT then the red circle with an X (bogus) warning came up in the systray saying my "system was infected".
System Restore had restore points listed, but nothing happened when I tried the Restore wizard: clicking Next to initiate the restore did nothing!
Then I knew I had to run SDFix & ComboFix to try to fix it.

The computer had other problems: a BSOD whenever I right-clicked on anything, or even used Edit/Copy from the Explorer menu, or Alt+Enter to get Properties on an object.

I've run SDFix & ComboFix. I forgot to run HijackThis before those, but I ran it afterward and attached all 3 log files.

SpySweeper runs fine now, and the other crashing problems seem to have disappeared...

Where do these infections come from?
I've had 3 clients get similar ones now: 2 running Trend Micro, and now this one running SpySweeper with Anti-Virus 6.0.

Question by: samsterid

    Expert Comment

    I would have thought these infections are coming from something you are running on your machines which is infected, or from a website which is getting infected content onto your devices.

    If your antivirus is up to date, it should notice the infected files before they cause harm, as should SpySweeper, I believe.

    There are some things I use which have always spotted any dodgy infections before they can act:
    Spybot, Windows Defender and Avast.
    Of course you don't really want 4/5 programs running, so maybe on the 3 machines mix and match the programs?

    Also worth deleting the temp profile under your profile, as that is where dodgy content from the internet first resides. Also worth doing a full virus scan with the latest definitions.
    LVL 47

    Expert Comment

    The HijackThis log and ComboFix logs are fine.
    SDFix failed to delete one bad file, but ComboFix deleted it.
    If you think the system is still infected, you might like to try running an online scan with Kaspersky. Save the log, because it won't delete the threats that it finds, and attach the log here for us to look at.

    Kaspersky online scanner:

    You can get infected these days just by being connected online, if the system has a vulnerability that allows the infection. You can also get infected just by visiting a site, without even clicking on anything on that site.
    LVL 27

    Assisted Solution

    It sounds as if you have the XP Antivirus 2009 malware on your system.
    I recommend downloading and updating Malwarebytes.
    You can get it free from
    Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
    You should do this with your current antivirus product as well.
    You may also need to download and run HijackThis from
    Once you run the utility, save the log file.
    You can post it for free analysis here or at
    You are primarily looking for items marked with red X's.

    Author Comment

    OK, thanks everyone so far.

    I ran Kaspersky and it only found things already quarantined by ComboFix & SDFix, plus the AskSBar thing, which I think I uninstalled OK.
    (I then uninstalled ComboFix and deleted the SDFix zip file.)

    I then ran Malwarebytes and have attached that log. It found things related to MyWebSearch but "took no action"?

    I don't see anything in Add/Remove Programs for MyWebSearch. Maybe it's an IE extension that I should disable?

    (I'm telling this client to switch to Firefox anyway.)
    LVL 47

    Accepted Solution

    >>>I then ran Malwarebytes and have attached that log. It found things related to MyWebSearch but "took no action"?<<<

    You need to let Malwarebytes quarantine what it finds. The MyWebSearch items that MBAM found are just leftover registry entries (which you can remove), not physical files.
    As for those infected beep.sys files, SDFix supposedly replaced them, so I don't know why Malwarebytes is still flagging them. Did Kaspersky find those beep.sys files as infected? ComboFix didn't flag them, so it could be an MBAM false positive.
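
A check that follows from the two answers above (the HijackThis "red X" step in the earlier answer, and this answer's points that MBAM's MyWebSearch hits were leftover registry entries with no file behind them and that the beep.sys hit may be a false positive). This is an added example, not code from the thread or from any of the tools named in it. It assumes PowerShell 2.0 or later run as Administrator, the standard Run and Browser Helper Object registry locations, and the XP System File Checker cache at %windir%\system32\dllcache; the function names are ours.

```powershell
# Added example, not code from the original thread. Assumes PowerShell 2.0+
# in an elevated session; on XP the SFC cache is %windir%\system32\dllcache.

# Registry Run keys that HijackThis reports as O4 entries.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a Run value, e.g.
#   "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
#   C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe   (hypothetical path)
function Get-CommandPath([string]$Command) {
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted: the path runs up to the first executable extension, args follow.
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|scr|com))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

# One row per autorun value, recording whether its executable still exists.
# An entry whose target is gone is the "leftover registry entry" case.
function Get-AutorunEntries {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        if ($props -eq $null) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSDrive, ... are not values
            $raw    = Get-CommandPath ([string]$p.Value)
            $target = [Environment]::ExpandEnvironmentVariables($raw)
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Target = $target
                TargetExists = ($target -ne '' -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

# Browser Helper Objects (HijackThis O2 lines): resolve each CLSID to its DLL,
# which is where an IE add-on like a search toolbar registers itself.
function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $sub.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = ''
        if (Test-Path -LiteralPath $inproc) {
            $default = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables(([string]$default).Trim('"'))
        }
        New-Object PSObject -Property @{
            CLSID = $clsid; Dll = $dll
            DllExists = ($dll -ne '' -and (Test-Path -LiteralPath $dll))
        }
    }
}

# Compare a system file with its SFC cache copy (what a replaced beep.sys
# should match). A mismatch is a strong signal; a match is not proof of a
# clean file if both copies were tampered with, so also run sfc /scannow.
function Compare-SystemFile([string]$RelativePath = 'drivers\beep.sys') {
    $sys32 = Join-Path $env:windir 'system32'
    $live  = Join-Path $sys32 $RelativePath
    $cache = Join-Path $sys32 ('dllcache\' + (Split-Path $RelativePath -Leaf))
    $sha1  = [Security.Cryptography.SHA1]::Create()
    $hash  = @{}
    foreach ($f in @($live, $cache)) {
        if (Test-Path -LiteralPath $f) {
            $h = $sha1.ComputeHash([IO.File]::ReadAllBytes($f))
            $hash[$f] = ([BitConverter]::ToString($h)) -replace '-', ''
        } else { $hash[$f] = '<missing>' }
    }
    New-Object PSObject -Property @{
        Live = $live; LiveSha1 = $hash[$live]; Cache = $cache; CacheSha1 = $hash[$cache]
        Match = ($hash[$live] -eq $hash[$cache] -and $hash[$live] -ne '<missing>')
    }
}

# Report only: orphaned autoruns and BHOs, then the beep.sys comparison.
Get-AutorunEntries | Where-Object { -not $_.TargetExists } | Format-Table Name, Target, Key -AutoSize
Get-BrowserHelperObjects | Where-Object { -not $_.DllExists } | Format-Table CLSID, Dll -AutoSize
Compare-SystemFile 'drivers\beep.sys' | Format-List
```

The script only reports, so the entries can be reviewed before anything is deleted (the same review step MBAM's quarantine gives you). An orphaned Run value is removed with Remove-ItemProperty on that value, and an orphaned BHO with Remove-Item on its CLSID subkey under the Browser Helper Objects key; IE toolbars register under a separate Toolbar key and are not covered here. A dllcache copy that is itself missing means the cache has been cleaned out, and sfc /scannow (with the install media) is the way to restore a known-good file.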


    Author Comment

    I ran Malwarebytes again today with the /developer switch. The beep.sys did not show up, so I guess it was a false positive.
    I'm not sure I need to do anything about the Trojan.Downloader it just found in a System Restore folder (log attached).

    Thanks again to all!

    Author Closing Comment

    Thanks all. I guess I have to start adding Malwarebytes alongside other packages like Trend Micro or SpySweeper in my clients' setups.
