systemerrorfixer

Community Veteran
Posts: 1,699
Registered: 30-07-2007

systemerrorfixer

Hi
My son has managed to get this on his computer.  It's a particularly malignant little b***ger.  It tries to install itself, but it has burrowed so deeply into the registry that just doing an uninstall doesn't seem to get rid of it.  Its method is to pop up warning messages to say that the system is at risk etc etc.  These are designed to look like M$ warnings, so the unsuspecting 14 year old clicks the buttons, and you're away.
Also, every time he opens an internet browser, it periodically tries to open the url 82.98.235.210, which I believe is also connected to this program.
I've uninstalled the main programme, run a full AVG scan, deleted all the system restore points but the last one, run a full Adaware scan, and am currently installing and running SpyBot S&D (incidentally, the immunize button says that it may not work because he isn't an administrator.  Is this another clever ploy by the program to protect itself?)
Any ideas on how to get rid of it?
John
18 REPLIES
Community Veteran
Posts: 1,699
Registered: 30-07-2007

Re: systemerrorfixer

OK.  I started Windows in safe mode and ran Spybot there, and it's cleaned it, but the computer still doesn't recognise my son's login as an administrator, although the account setting says he is.
How can I get his admin rights back please - anyone?
John
Community Veteran
Posts: 1,574
Thanks: 3
Registered: 13-04-2007

Re: systemerrorfixer

It may have corrupted his profile, but try removing him from admin, rebooting and logging on as him. Then reboot to another account and set him back as admin; this may force a refresh.
Community Veteran
Posts: 1,699
Registered: 30-07-2007

Re: systemerrorfixer

Thanks
I'll give that a try
John
Community Veteran
Posts: 1,699
Registered: 30-07-2007

Re: systemerrorfixer

Didn't work.  Okay, desperate times ...
I went into regedit and did a search for "systemerrorfixer", and deleted all references to it.  One of them was "run as admin", which I suppose may have been what was hijacking the admin rights for the computer.
If it all goes belly up, I suppose I'll have to do a restore, but if I could get my hands around the throat of the evil $%^&*£$ who wrote this piece of malware, I would happily pay the consequences.
John
Community Veteran
Posts: 1,699
Registered: 30-07-2007

Re: systemerrorfixer

Thanks for the help Samuria, but it still didn't work.  Vista says he's an administrator, but when I try to set the immunisation in Spybot S&D it says it can't because he isn't an administrator.  I set up a second account as an administrator, and it's the same, and whenever he goes on to the internet, it still has windows opening and trying to open various sites (even with the popup blocker set at high).
AVG comes up clean, but he regularly gets notification of a virus (lop?) which it moves to the virus vault for him to delete.
Spybot comes up clean as well, and so does Adaware, but something's trying to direct him to sites!
Anything else to be done, before a system recovery?
John
Community Veteran
Posts: 6,735
Thanks: 12
Registered: 02-02-2008

Re: systemerrorfixer

Disable add-ons in IE? It might just give you a chance to get in and fix it.
Prod_Man
Grafter
Posts: 286
Registered: 04-08-2007

Re: systemerrorfixer

Yeah,
I've encountered similar problems to this before.
9/10 times, as HPsauce says, when it's a recurring thing like this,
it's usually a Browser Extension affecting Explorer and/or Iexplore.
It will usually try to replicate itself if destroyed.
Just in case, if you don't know where to find the Browser Extension box, it's under
"Tools -> Manage Add-ons -> Enable or Disable add-ons..."
Usually once I find the related files, I give them a disassemble to see
if they hold any of the specific Registry Entries, Strings etc. and run some searches (File System / Regedit) with whatever is necessary.
Something which is probably of more help is a utility called 'Security Task Manager'.
This is particularly useful as it will scan the active memory of running applications, checking the "maliciousness" of modules (DLLs or similar loaded into application memory) and executables by what functions they use.
(Not always accurate, but a fair indicator by rule of thumb).
From that you then know the location of the file and if you're dealing with more than one, so you can delete them.
If you need something to completely obliterate files which you find are suspicious, try this (I don't know of any equivalents of this): "Dr Delete".
Straight "Deletes" in Windows hardly ever work with things like this, as they've already been loaded and are running in active memory; the kernel protects the file system.
Dr Delete
Hope this was of some use.
Good luck with teaching your kid how to keep safe from that stuff.
I've done the same myself a few times.
Jim,
Community Veteran
Posts: 1,699
Registered: 30-07-2007

Re: systemerrorfixer

Hi.  I've had a look at the add-ons, but I can't see anything that may be causing this.
I've attached the screenshot.  It's almost as if pop-ups are enabled, even though I've set the pop-up blocker to high.
I've now gone back to my own computer, because his is driving me up the wall.  Every few seconds a web page opens: gambling, spyware downloader, or something else.
John
Community Veteran
Posts: 1,699
Registered: 30-07-2007

Re: systemerrorfixer

I could, but I've never used the software.  Is there somewhere (safe) I can download it from?
I've also installed Firefox, and told my son to use it and see if the pop-ups stop.  If they do, I'll uninstall Internet Explorer, and either re-install it, or if he likes Firefox just let him use that.
John
minkey
Grafter
Posts: 386
Registered: 22-07-2007

Re: systemerrorfixer

Here is as good a place as any:
http://www.filehippo.com/download_hijackthis/
pierre_pierre
Grafter
Posts: 19,757
Registered: 30-07-2007

Re: systemerrorfixer

If you are using Bill Gates, you can't remove IE, just stop using it.
Community Veteran
Posts: 1,699
Registered: 30-07-2007

Re: systemerrorfixer

Thanks.  here's the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37:45, on 06/04/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Chris\AppData\Local\Temp\efcDtrOe.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BMaf740efe] Rundll32.exe "C:\Users\Chris\AppData\Local\Temp\estvjcuo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O13 - Gopher Prefix:
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

John
--
End of file - 8837 bytes
minkey
Grafter
Posts: 386
Registered: 22-07-2007

Re: systemerrorfixer

Hi,
First of all, make sure you have backed up and created a restore point, as I can't be responsible for anything that goes wrong!
Start computer in safe mode and run Hijack This
Remove the following lines:
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Chris\AppData\Local\Temp\efcDtrOe.dll,c
O4 - HKCU\..\Run: [BMaf740efe] Rundll32.exe "C:\Users\Chris\AppData\Local\Temp\estvjcuo.dll",s
Delete the DLLs from your Temp folder. It's possible that they may come back; if that's the case then see this webpage to run SmitFraudFix:
http://forums.techguy.org/malware-removal-hijackthis-logs/668153-how-remove-systemerrorfixer.html

Regards
Jeff
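A way to pick out entries like the two above mechanically, as an added example that is not code from this thread or from HijackThis: the Python below parses the O4 (Run key) lines of a HijackThis log and flags any autorun whose code lives in a user-writable Temp folder, or that uses rundll32.exe to load a DLL from outside the Windows and Program Files trees. The sample lines are copied from the log posted earlier in the thread; the path patterns, the rule wording and the function names (`parse_o4`, `loaded_module`, `assess`, `find_suspicious`) are my own choices, not anything HijackThis provides.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: O4 lines in HijackThis log format, copied from the log
# posted in this thread (the two suspect entries among ordinary ones), plus an
# O23 line to show that non-O4 lines are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Chris\AppData\Local\Temp\efcDtrOe.dll,c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BMaf740efe] Rundll32.exe "C:\Users\Chris\AppData\Local\Temp\estvjcuo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
"""

# Layout of an O4 line:  O4 - <hive>\..\Run: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis appends "(User 'X')" to entries found under HKEY_USERS
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# First path-like token of a command line: a quoted string, or text up to an executable extension
TOKEN_RE = re.compile(r'"([^"]*)"|(.*?\.(?:exe|dll|cpl|scr))(?=[\s,]|$)', re.IGNORECASE)
# Locations any standard user can write to; legitimate autoruns almost never live here
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
# Trees where OS and installed-software binaries normally live
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\(Windows|Program Files|PROGRA~1)\\", re.IGNORECASE)


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line; returns None for any other kind of line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m["hive"], m["key"], m["name"], USER_SUFFIX_RE.sub("", m["cmd"]))


def _take_token(s: str) -> Tuple[str, str]:
    """Split the first path-like token off a command line, honouring double quotes."""
    s = s.lstrip()
    m = TOKEN_RE.match(s)
    if not m:
        return s, ""
    token = m.group(1) if m.group(1) is not None else m.group(2)
    return token, s[m.end():]


def loaded_module(entry: O4Entry) -> Tuple[str, bool]:
    """Return (path of the code that really executes, whether rundll32 is the loader)."""
    exe, rest = _take_token(entry.command)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        dll, _ = _take_token(rest)   # rundll32 <dll>,<entrypoint>: the DLL is what matters
        return dll, True
    return exe, False


def assess(entry: O4Entry) -> List[str]:
    """Apply the two rules; an empty list means the entry looks ordinary."""
    reasons: List[str] = []
    module, via_rundll32 = loaded_module(entry)
    if TEMP_DIR_RE.search(module):
        reasons.append("autorun executes code from a user-writable Temp directory")
    if via_rundll32 and "\\" in module and not SYSTEM_DIR_RE.match(module):
        reasons.append("rundll32 loads a DLL from outside the Windows/Program Files trees")
    return reasons


def find_suspicious(log_text: str) -> Dict[str, List[str]]:
    """Map autorun name -> reasons for every O4 entry that trips a rule."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_LOG).items():
        print(f"[{name}]")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, it reports `cmds` and `BMaf740efe` (both rules fire for each), and stays quiet about the `WindowsWelcomeCenter` entry even though that one also goes through rundll32.exe: `oobefldr.dll` is given with no directory, so it resolves from the system search path rather than from a folder the user can write to. The script only reports; removing the entries and the DLLs is still the manual step Jeff describes.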
Prod_Man
Grafter
Posts: 286
Registered: 04-08-2007

Re: systemerrorfixer

Yeah,
both of those files are prime suspects,
piggy-backing off rundll32 which is yet-another classic.
Knock them out with a decent utility.
Check out what that last thing showed:
> O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

See related here -
Neowin Forums - Error Protector Pop-ups

I wouldn't be surprised if simply deleting those doesn't solve it straight off,
but at least you'll know if/when it replicates, and you're halfway to clearing it.
Good luck!
Jim,