• Status: Solved
  • Priority: Medium
  • Security: Public

Yet Another Fake Anti-Virus/Malware

After a Windows update, my client's Dell with XP Media Center was crashing (BSOD with stop errors - no files listed). I uninstalled the most recent updates but it didn't help;
Then I disabled all unnecessary startup items in msconfig and the BSOD stopped;
When I re-enabled the SpySweeperUI.exe/startintray the BSOD came back - right after logging in to the desktop.

Tried to uninstall SpySweeper - only got a BSOD, BUT then the red circle with an X (bogus) warning came up in the systray saying my "system was infected".
System Restore had restore points listed but nothing happened when I tried the Restore wizard - clicking Next to initiate Restore did nothing!
Then I knew I had to run SDFix & ComboFix to try to fix it.

The computer had other problems - BSOD whenever I right-clicked on anything or even Edit/Copy from the Explorer menu, or Alt/Enter to get Properties on an object.

I've run SDFix & ComboFix - I forgot to run HijackThis before those, but I ran it afterward and attached all 3 log files.

SpySweeper runs fine now, and the other crashing problems seem to have disappeared . . .

Where do these infections come from?
I've had 3 clients get similar ones now - 2 running Trend Micro and now this one running SpySweeper with Anti-Virus 6.0.

SDFixReport.txt
ComboFix.log
hijackthis.txt
2 Solutions
sandyringCommented:
I would have thought these infections are coming from something you are running on your machines which is infected, or a website which is getting infected content onto your devices.

If your anti-virus is up to date, it should notice the infected files before they cause harm, as I believe SpySweeper should.

There are some things I use which have always spotted any dodgy infections before they can act:
Spybot, http://www.anvir.com/, Windows Defender and Avast.
Of course you don't really want 4/5 programs running, so maybe on the 3 machines mix and match the programs?

Also worth deleting the temp profile under your profile, as that's where dodgy content from the internet first resides. Also worth doing a full virus scan with the latest definitions.
rpggamergirlCommented:
HijackThis log and ComboFix logs are fine.
SDFix failed to delete one bad file, but ComboFix deleted it.
If you think the system is still infected, you might like to try running an online scan with Kaspersky; save the log because it won't delete the threats that it finds, and attach the log here for us to look at.

Kaspersky online scanner:
http://www.kaspersky.com/virusscanner

You can get infected these days just by being connected online if the system has a vulnerability that allows the infection. You can also get infected just by visiting a site without even clicking on anything on that site.
David-HowardCommented:
It sounds as if you have the XP Antivirus 2009 malware on your system.
I recommend downloading and updating Malwarebytes.
You can get it free from www.malwarebytes.org
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
You may also need to download and run HiJackThis from
http://www.merijn.org/programs.php
Once you run the utility save the log file.
You can post it for free analysis here or at
www.hijackthis.de
You are primarily looking for items marked with red X's.
David
samsteridAuthor Commented:
OK - thanks everyone so far.

I ran Kaspersky and it only found things already quarantined by ComboFix & SDFix, plus the AskSBar thing, which I think I uninstalled OK.
(I then uninstalled ComboFix and deleted the SDFix zip file.)

I then ran Malwarebytes and have attached that log - it found things related to MyWebSearch but "took no action"?

I don't see anything in Add/Remove Programs for MyWebSearch - maybe it's an IE extension that I should disable?

(I'm telling this client to switch to Firefox anyway)
MalwareBytesLog.txt
rpggamergirlCommented:
>>>I then ran Malwarebytes and have attached that log - it found things related to MyWebSearch but "took no action"?<<<

You need to let Malwarebytes quarantine what it finds. The MyWebSearch entries that MBAM found are just leftover registry entries (which you can remove), not physical files.
And those beep.sys files that are flagged as infected - SDFix supposedly replaced them, so I don't know why Malwarebytes is still flagging them. Did Kaspersky find those beep.sys files as infected? ComboFix didn't flag those, so it could be an MBAM false positive.
samsteridAuthor Commented:
I ran Malwarebytes again today with the /developer switch - the beep.sys did not show up, so I guess it was a false positive.
I'm not sure I need to do anything about the Trojan.Downloader it just found in a System Restore folder (log attached).

Thanks again to all!
mbam-log-2008-11-20.txt
samsteridAuthor Commented:
Thanks all - I guess I have to start adding Malwarebytes alongside other packages like Trend Micro or SpySweeper in my clients' setups.