Gaetano
Cadet
Joined: Mar 14, 2008  Posts: 3  Location: USA
Posted: Fri Mar 14, 2008 2:45 am  Post subject: Virus or Malware Infection

Hi All, I'm looking for some help in ridding my father's computer of an infection. Basically what happens is this: the desktop wallpaper has been taken over by a bogus warning (text of warning follows) and the browser (IE7) opens various pages randomly. I've run various programs suggested in other forums to no avail. Hope someone here can help.
This warning screen takes over my desktop and has a blue background and red lettering:
>
> "Warning you're in danger! Your computer is infected with spyware!
>
> All you do with your computer is stored forever on your hard disk. When you visit sites, send emails...
> All your actions are logged. And it is impossible to remove them with standard tools. Your data is still available for forensics. And in some cases for your boss, your wife, your children.
>
> Every site you or somebody or even something like spyware, opened in your browsers, with all images and all downloaded and maybe later removed movies or mp3 songs- ARE STILL THERE and could broke your life!
>
> SECURE YOURSELF RIGHT NOW!
>
> REMOVE ALL SPYWARE FROM YOUR PC! "
>
> This infection also opens browser windows with the address
> theonlybookmark.com/in.cgi?13
>
> Then a window pops up that says: "Security Monitor Warning!! Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. Your private information and PC safety is at risk. To get rid of unwanted spyware and keep your safe you need to update your current security software. Click yes to download official intrusion detection system (IDS Software)."
>
> HijackThis Log File:
>
> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 9:48:57 PM, on 3/12/2008
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.6000.16608)
> Boot mode: Normal
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
> C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
> C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
> C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
> C:\Program Files\Bonjour\mDNSResponder.exe
> C:\WINDOWS\System32\drivers\CDAC11BA.EXE
> C:\WINDOWS\system32\LxrJD31s.exe
> C:\WINDOWS\System32\nvsvc32.exe
> C:\WINDOWS\System32\HPZipm12.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
> C:\Program Files\Common Files\Symantec Shared\ccApp.exe
> C:\WINDOWS\sysockeu.exe
> C:\WINDOWS\sysodkcs.exe
> C:\WINDOWS\sysoghcx.exe
> C:\WINDOWS\sysokuaw.exe
> C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
> C:\WINDOWS\system32\ctfmon.exe
> C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
> C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
> C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
> C:\Program Files\Internet Explorer\iexplore.exe
> C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
> C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
> C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;localhost
> O2 - BHO: (no name) - 8?È - (no file)
> O2 - BHO: (no name) - p>È - (no file)
> O2 - BHO: (no name) - rsion - (no file)
> O2 - BHO: (no name) - `@È - (no file)
> O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
> O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
> O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
> O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
> O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
> O2 - BHO: (no name) - ¨È - (no file)
> O2 - BHO: (no name) - °@È - (no file)
> O2 - BHO: (no name) - à@È - (no file)
> O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
> O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
> O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
> O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
> O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
> O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
> O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
> O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
> O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
> O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
> O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
> O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
> O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
> O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
> O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
> O4 - Global Startup: APC UPS Status.lnk = ?
> O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
> O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Juno\qsacc\appres.dll/228
> O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Juno\qsacc\appres.dll/227
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
> O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
> O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
> O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
> O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
> O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
> O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
> O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
> O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
> O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
> O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
> O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174243604250
> O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u5-windows-i586-jc.cab
> O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
> O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
> O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
> O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
> O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
> O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
> O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
> O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
> O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
> O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
> O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
> O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
> O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
> O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
> O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
> O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
> O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
> O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
> O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
> O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
> O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
> O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
>
> --
> End of file - 10891 bytes
>
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.518 / Virus Database: 269.21.7 - Release Date: 3/8/2008 12:00 AM
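A small triage script for logs like the one above, added here as an example; it is not something Gaetano or any other poster in this thread wrote. It picks out the three kinds of entries that carry the infection in this log (processes running straight out of C:\WINDOWS, O4 Run values named like a GUID that point at such files, and O2 BHOs with a mangled CLSID and no backing file) from a constructed sample made of lines copied from the log. The allow-list of executables that legitimately live in the Windows root is an assumption for illustration and should be tuned per environment.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the
# post above, enough to exercise each rule. It is not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

GUID_RE = re.compile(r"^\{?[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$", re.I)
# An .exe sitting directly in the Windows directory, not in system32 or Program Files.
WINROOT_EXE_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>.*?) - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")

# Assumed allow-list of executables that legitimately live in the Windows root
# on XP; illustrative only, extend it for the environment being examined.
KNOWN_WINROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _run_target(rest):
    """Extract the executable path from the value data of an O4 Run entry."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest


def triage(log_text):
    """Return a list of (kind, item, reason) for entries that warrant a closer look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Z]:\\", line, re.I):
            if WINROOT_EXE_RE.match(line) and _basename(line).lower() not in KNOWN_WINROOT:
                findings.append(("process", line, "running from the Windows root directory"))
            continue
        in_processes = False
        m = O4_RE.match(line)
        if m:
            target = _run_target(m.group("rest"))
            reasons = []
            if GUID_RE.match(m.group("name")):
                reasons.append("Run value named like a GUID")
            if WINROOT_EXE_RE.match(target) and _basename(target).lower() not in KNOWN_WINROOT:
                reasons.append("autostart target in the Windows root directory")
            if reasons:
                findings.append(("run", target, "; ".join(reasons)))
            continue
        m = O2_RE.match(line)
        if m:
            reasons = []
            if not GUID_RE.match(m.group("clsid")):
                reasons.append("CLSID is not a well-formed GUID")
            if m.group("file") == "(no file)":
                reasons.append("BHO registered with no backing file")
            if reasons:
                findings.append(("bho", line, "; ".join(reasons)))
    return findings


def flagged_paths(log_text):
    """Distinct executable paths the triage points at, sorted."""
    return sorted({item for kind, item, _ in triage(log_text) if kind in ("process", "run")})


if __name__ == "__main__":
    for kind, item, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {item}: {reason}")
```

Run against the full log, the same rules also catch sysoghcx.exe and sysokuaw.exe and the other six garbled BHO entries; the point of the script is to turn a 300-line log into a short list of paths to collect and hash before anything is removed.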

AlphaCentauri
SIRT Handler, Premium Member
Joined: Nov 20, 2003  Posts: 2889
Posted: Fri Mar 14, 2008 3:21 am

Wow, theonlybookmark.com/in.cgi?13 is very suspicious. It redirects to
http://systemerrorfixer.com/clean/?cmpname=swpges31&eai=swp_ges&eli=3948&eaf=pp_207717501&eu=http%3A%2F%2Fadvancedcleaner.com%2F.cleaner%2Findex.php%3Ftmn%3Dadctmp%26clone_name%3Dswpadcex%26led%3D3948%26afr%3Dpp_207717501&ed=0&ex=0&h=10&cmpname=null&420e5-20053&mt_info=4141_0_1559
That has an animation that looks like a download progress monitor window. The animation pauses, says the download is incomplete and says that you need to click "Continue".
If you do, you will download "installer.php" which appears to be poorly detected malware:
VirusTotal:
Antivirus Version Last Update Result
AhnLab-V3 2008.3.14.0 2008.03.14 -
AntiVir 7.6.0.73 2008.03.13 -
Authentium 4.93.8 2008.03.13 -
Avast 4.7.1098.0 2008.03.13 -
AVG 7.5.0.516 2008.03.13 Downloader.Zlob.XB
BitDefender 7.2 2008.03.14 -
CAT-QuickHeal 9.50 2008.03.13 -
ClamAV 0.92.1 2008.03.14 -
DrWeb 4.44.0.09170 2008.03.13 Trojan.Fakealert.origin
eSafe 7.0.15.0 2008.03.09 -
eTrust-Vet 31.3.5613 2008.03.13 -
Ewido 4.0 2008.03.13 -
FileAdvisor 1 2008.03.14 -
Fortinet 3.14.0.0 2008.03.14 -
F-Prot 4.4.2.54 2008.03.13 -
F-Secure 6.70.13260.0 2008.03.14 -
Ikarus T3.1.1.20 2008.03.14 -
Kaspersky 7.0.0.125 2008.03.14 -
McAfee 5251 2008.03.13 -
Microsoft 1.3301 2008.03.13 -
NOD32v2 2946 2008.03.14 -
Norman 5.80.02 2008.03.13 -
Panda 9.0.0.4 2008.03.13 Suspicious file
Prevx1 V2 2008.03.14 LocusSoftware:Spyware-a
Rising 20.35.32.00 2008.03.13 -
Sophos 4.27.0 2008.03.14 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.14 -
TheHacker 6.2.92.245 2008.03.14 -
VBA32 3.12.6.2 2008.03.13 -
VirusBuster 4.3.26:9 2008.03.13 -
Webwasher-Gateway 6.6.2 2008.03.13 -
Additional information
File size: 1111304 bytes
MD5: 1970cd4c79733b34b1ec1cca7ecde1fa
SHA1: 76ed728add76e08f83203944e6ebe8f0a25ca83a
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=6A5A72070845124EF5251017C24070009E38E875
Jotti:
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found Downloader.Zlob.XB
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found Trojan.Fakealert.origin
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing
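To see where a redirect like that actually lands, it helps to unpack the percent-encoded URL carried in the `eu` parameter, which itself contains a second query string with its own campaign identifiers. The functions below are an added example (not AlphaCentauri's code) that decode nested URL parameters recursively; the URL quoted above is embedded as the sample input, and the recursion limit is an assumption to keep hostile input from nesting forever.

```python
from urllib.parse import urlsplit, parse_qsl

# The redirect target quoted in the post above, joined back onto one line.
REDIRECT_URL = (
    "http://systemerrorfixer.com/clean/?cmpname=swpges31&eai=swp_ges&eli=3948"
    "&eaf=pp_207717501&eu=http%3A%2F%2Fadvancedcleaner.com%2F.cleaner%2Findex.php"
    "%3Ftmn%3Dadctmp%26clone_name%3Dswpadcex%26led%3D3948%26afr%3Dpp_207717501"
    "&ed=0&ex=0&h=10&cmpname=null&420e5-20053&mt_info=4141_0_1559"
)


def explode_url(url, depth=0, max_depth=5):
    """Describe a URL as host, path and query pairs; any query value that is
    itself a URL (after percent-decoding) is exploded the same way under
    "nested". max_depth (assumed value) bounds recursion on hostile input."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes values, so an embedded URL comes back readable;
    # keep_blank_values keeps bare tokens such as "420e5-20053".
    params = parse_qsl(parts.query, keep_blank_values=True)
    node = {"host": parts.hostname, "path": parts.path, "params": params, "nested": {}}
    if depth < max_depth:
        for key, value in params:
            if value.lower().startswith(("http://", "https://")):
                node["nested"][key] = explode_url(value, depth + 1, max_depth)
    return node


def landing_hosts(url):
    """Hostnames reachable through the chain of nested parameters, outermost first."""
    hosts = []

    def walk(node):
        hosts.append(node["host"])
        for child in node["nested"].values():
            walk(child)

    walk(explode_url(url))
    return hosts


def tracking_params(url):
    """Flatten every (key, value) pair across all nesting levels, prefixing the
    key with the parameter path that carried it, so affiliate and campaign ids
    can be compared between samples."""
    out = []

    def walk(node, prefix):
        for key, value in node["params"]:
            out.append((prefix + key, value))
        for key, child in node["nested"].items():
            walk(child, prefix + key + ".")

    walk(explode_url(url), "")
    return out


if __name__ == "__main__":
    print(" -> ".join(landing_hosts(REDIRECT_URL)))
    for key, value in tracking_params(REDIRECT_URL):
        print(f"{key} = {value}")
```

On this input the outer `eli`/`eaf` values and the inner `eu.led`/`eu.afr` values are identical, which is the kind of correlation worth recording when several samples from the same affiliate network are compared.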

tetak
MIRT Team Lead, Premium Member
Joined: Jan 19, 2007  Posts: 5869
Posted: Fri Mar 14, 2008 4:17 am

When I went to the site I downloaded
Code: http://archive.easydownloadsoft.com/systemerrorfixer.com/SystemErrorFixer/setup_sbd_en.exe
which has the same MD5 hash as the file attached to this post.
_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.
Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx

maliciousbrains
Sergeant, Premium Member
Joined: Feb 23, 2008  Posts: 103
Posted: Fri Mar 14, 2008 4:03 pm

Malware Name: SystemErrorFixer
Malware Link: hxxp://archive.easydownloadsoft.com/systemerrorfixer.com/SystemErrorFixer/setup_sbd_en.exe
When the Malware executable is running, it opens the below mentioned ports:
Pid Process Port Proto Path
1452 setup_sbd_en 1125 TCP E:\setup_sbd_en.exe
1452 setup_sbd_en 4500 UDP E:\setup_sbd_en.exe
Doing a netstat shows the below network connection:
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.1.3:1125 66.244.254.201:80 ESTABLISHED
After the application is installed, it adds the following files and registry entries:
File System Activity
setup_sbd_en.ex:1452 QUERY INFORMATION C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ProductPath\sysrep.exe SUCCESS
setup_sbd_en.ex:1452 WRITE C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ProductPath\sysrep.exe SUCCESS
setup_sbd_en.ex:1452 FLUSH C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ProductPath\sysrep.exe SUCCESS
setup_sbd_en.ex:1452 WRITE C:\$ConvertToNonresident SUCCESS
Registry Activity
setup_sbd_en.ex:1452 CreateKey HKLM\Software\SystemErrorFixerDownloader SUCCESS
setup_sbd_en.ex:1452 SetValue HKLM\Software\SystemErrorFixerDownloader\TotalSize SUCCESS
setup_sbd_en.ex:1452 SetValue HKLM\Software\SystemErrorFixerDownloader\SeekPos SUCCESS
setup_sbd_en.ex:1452 CloseKey HKLM\Software\SystemErrorFixerDownloader SUCCESS
Monitored with FileMon & RegMon, here are the application's registry and file system activities:
Adds the files/Folder
C:\Documents and Settings\Administrator\Local Settings\Temp\ProductPath
C:\Documents and Settings\Administrator\Local Settings\Temp\ProductPath\sysrep.exe 5,971KB
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GRYNOTA7\SystemErrorRepairFreeSetup_en[1].exe
Deletes the System Volume Information from all drives
Registry Values Added
HKEY_CURRENT_USER\Software\SystemErrorFixerDownloader SeekPos dword:005b1950
HKEY_CURRENT_USER\Software\SystemErrorFixerDownloader
HKEY_CURRENT_USER\Software\SystemErrorFixerDownloader TotalSize dword:005b1950
HKEY_LOCAL_MACHINE\SOFTWARE\SystemErrorFixerDownloader
HKEY_LOCAL_MACHINE\SOFTWARE\SystemErrorFixerDownloader TotalSize dword:005b1950
HKEY_LOCAL_MACHINE\SOFTWARE\SystemErrorFixerDownloader SeekPos dword:005b1950
HKEY_LOCAL_MACHINE\SOFTWARE\SystemErrorFixerDownloader EulaShowed dword:00000001
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\SystemErrorFixerDownloader
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\SystemErrorFixerDownloader TotalSize dword:005b1950
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\SystemErrorFixerDownloader SeekPos dword:005b1950
Copies the path of the installer in the Registry Run (autostart)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SBI "<Path where the installer was>\setup_sbd_en.exe"
Attached is the analysis report.
_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org
There are no patches or service packs for ignorance!
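The artifacts in this post translate directly into host-based detection logic. The following is an added example, not part of maliciousbrains' report: it encodes the Run value, the vendor registry key, the dropped file and the contacted address as rules over Sysmon-style registry, file and network events. The event records are constructed to replay what the post observed plus two benign events that must not match; the Sysmon event IDs used are the real ones (12 and 13 for registry key and value events, 11 for file creation, 3 for network connections).

```python
import re

# Indicators taken from the post above: the Run value name, the registry key,
# the dropped file path and the address seen in netstat. None are invented.
RUN_VALUE_SBI_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SBI$", re.I)
VENDOR_KEY_RE = re.compile(r"\\Software\\SystemErrorFixerDownloader(?:\\|$)", re.I)
DROPPED_FILE_RE = re.compile(r"\\Temp\\ProductPath\\sysrep\.exe$", re.I)
CONTACTED_ADDRESSES = {"66.244.254.201"}

# Sysmon event IDs the rules look at.
REGISTRY_KEY_EVENT, REGISTRY_VALUE_EVENT, FILE_CREATE_EVENT, NETWORK_EVENT = 12, 13, 11, 3

# Constructed Sysmon-style records: the first four replay what the post
# observed; the last two are benign activity that must not match.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"E:\setup_sbd_en.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SBI",
     "Details": r"E:\setup_sbd_en.exe"},
    {"EventID": 12, "Image": r"E:\setup_sbd_en.exe",
     "TargetObject": r"HKLM\SOFTWARE\SystemErrorFixerDownloader"},
    {"EventID": 11, "Image": r"E:\setup_sbd_en.exe",
     "TargetFilename": r"C:\Documents and Settings\Administrator\Local Settings\Temp\ProductPath\sysrep.exe"},
    {"EventID": 3, "Image": r"E:\setup_sbd_en.exe",
     "DestinationIp": "66.244.254.201", "DestinationPort": 80},
    {"EventID": 13, "Image": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp",
     "Details": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 80},
]


def match_event(event):
    """Return the names of every indicator rule a single event satisfies."""
    hits = []
    eid = event.get("EventID")
    target = event.get("TargetObject", "")
    if eid == REGISTRY_VALUE_EVENT and RUN_VALUE_SBI_RE.search(target):
        hits.append("run_value_sbi_persistence")
    if eid in (REGISTRY_KEY_EVENT, REGISTRY_VALUE_EVENT) and VENDOR_KEY_RE.search(target):
        hits.append("systemerrorfixer_registry_key")
    if eid == FILE_CREATE_EVENT and DROPPED_FILE_RE.search(event.get("TargetFilename", "")):
        hits.append("dropped_sysrep_exe")
    if eid == NETWORK_EVENT and event.get("DestinationIp") in CONTACTED_ADDRESSES:
        hits.append("installer_download_address")
    return hits


def scan(events):
    """(rule name, process image) for every match across an event stream."""
    return [(rule, event.get("Image")) for event in events for rule in match_event(event)]


def suspect_images(events):
    """Distinct process images that triggered at least one rule."""
    return sorted({image for _, image in scan(events)})


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

The registry and file rules are the durable ones: the download address can change between campaigns, whereas the `SBI` Run value and the `SystemErrorFixerDownloader` key are what the installer writes on every host, so they are the indicators to keep after the network one has aged out.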