TechSpot

Critical System Error Pop-Ups!

By RMN
Dec 9, 2007
  1. Hello people,
    sorry to be troubling you with my first post itself!

    I have these pop-ups saying "Critical System Error" and asking me to clear the registry, and the name of the window is "Messenger Service".
    I followed the "Viruses/Spyware/Malware, preliminary removal instructions" thread and here are my logs.

    1. HJT
    2. ComboFix
    3. AVG Anti-Spyware

    Note: I scanned my PC in Safe Mode with Kaspersky Anti-Virus 7 (updated, trial version) but it did not find anything.
    And I had to reinstall my PC with Win XP twice this week because it started to hang all the time.

    Thanks
     
  2. Rik


    There is nothing nasty in your logs at all.

    Did panda antirootkit find anything?

    The only problems I can see is that windows isn't up to date and there is no visible process for a firewall.
     
  3. Bobbye


    Okay, this is the unethical use of the Windows Messenger Service. This Service is for the Administrator of the network to monitor and contact the other computers on the network. Unfortunately, some rogue programs are using a look-alike box to scare the user into clicking somewhere to get their program.

    Here's how to shut this service down:

    Control Panel> Administrative Tools> Services> scroll down to 'Messenger> right click> Properties> change the dialog box to Disable> Stop the Service> Apply> OK.

    I did find this in your Report Scan:
    HKU\S-1-5-21-1960408961-1580436667-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).

    This is installed and used by EbatesMoeMoneyMaker. It needs to be removed if it has not already been.

    On your hijack log, this entry needs to be deleted:
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

    Possibly it was missed in the review.

    This will take care of that problem.
     
  4. Rik


    Well spotted Bobbye, I missed that one. One for the memory banks. :)

    It would also be a good idea to locate and delete the bold file - C:\TempEI4\EI40_\msxml4.cab
     
  5. momok


    The O16 unique number ID is displayed as legit on castlecops though.
    http://www.castlecops.com/atxlist-545.html
    Why do you suggest it be deleted?

    RMN: Please update your Windows to SP2 for your own sake.
     
  6. Bobbye


    The O16 unique number ID is displayed as legit on castlecops though.
    http://www.castlecops.com/atxlist-545.html
    Why do you suggest it be deleted?

    Look closely. It's not the same entry. You need to include the string TempEI4\EI40_\msxml4.cab

    Rik, that one was kind of tucked away. I just happened to see it.

     
  7. momok


    That isn't enough reason to declare an entry as malicious. We should only remove malicious entries or entries that the user explicitly states he/she does not require.

    The ID is a globally unique identifier (GUID), which means it is unique in any context. The folder is a temporary folder meaning it is safe to delete anything in it, therefore there was no harm in your instructions. The installation files are there just in case the program did not install properly on the user's computer.

    However, the main point is that we should identify O2, O3, O16, O18, O21 and O22 entries by their CLSID, not the file path.

    Regards,
    momok
     
  8. Bobbye


    momok, please see this for information on the DOM Document:

    http://en.wikipedia.org/wiki/Document_Object_Model

    The TempEI4\EI40_\msxml4.cab is an Active X Object. I noted several sites running the hijack logs to remove it. I will stay with that suggestion.

    It is unidentified; an 'unidentified' ActiveX object should not remain on the system.
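As an added example (not code from this thread, from HijackThis or from either poster), a small Python parser for the O16 line format quoted above that applies momok's rule of identifying the entry by its CLSID first, and then Bobbye's and Rik's point that a control loaded from a local file path still needs that file inspected. The allowlist and the second sample line are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# HijackThis O16 (DPF = Downloaded Program Files, i.e. ActiveX) line layout,
# as seen in the log line quoted in this thread:
#   O16 - DPF: {CLSID} (Description) - Source
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r" \((?P<desc>[^)]*)\) - (?P<source>\S.*)$"
)

@dataclass
class O16Entry:
    clsid: str        # GUID in upper case, without braces
    description: str  # free-text name shown by HijackThis (not trustworthy on its own)
    source: str       # URL or file:// path the control was loaded from

def parse_o16(line: str) -> Optional[O16Entry]:
    """Parse one O16 line; returns None for lines that are not O16 entries."""
    m = O16_RE.match(line.strip())
    if m is None:
        return None
    return O16Entry(m["clsid"].upper(), m["desc"], m["source"])

def local_path(entry: O16Entry) -> Optional[str]:
    """Return the on-disk path for a file:// source (the file to inspect), else None."""
    if entry.source.lower().startswith("file://"):
        return entry.source[len("file://"):]
    return None

# Constructed allowlist keyed by CLSID, the identifier momok says should drive
# the decision. Its single entry is the CLSID from the thread's own log line.
KNOWN_CLSIDS = {"88D969C0-F192-11D4-A65F-0040963251E5": "XML DOM Document 4.0"}

def assess(entry: O16Entry) -> str:
    """Classify by CLSID first, then flag a local-file source for a closer look."""
    if entry.clsid not in KNOWN_CLSIDS:
        return "unidentified CLSID: do not trust the description, review before removal"
    if local_path(entry) is not None:
        return "known CLSID loaded from a local file: inspect that file before keeping it"
    return "known CLSID"

if __name__ == "__main__":
    # First line is the one quoted in this thread; second is constructed (unknown CLSID).
    for line in (
        "O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\\TempEI4\\EI40_\\msxml4.cab",
        "O16 - DPF: {00000000-0000-0000-0000-000000000000} (XML DOM Document 4.0) - http://example.invalid/x.cab",
    ):
        e = parse_o16(line)
        print(e.clsid, local_path(e), "->", assess(e))
```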
     