Critical System Error Pop-Ups!

Hello people.
Sorry to be troubling you with my first post itself!

I have these pop-ups saying "Critical System Error" and asking me to clear the registry, and the name of the window is "Messenger Service".
I followed the "Viruses/Spyware/Malware, preliminary removal instructions" thread and here are my logs.

1. HJT
2. ComboFix
3. AVG Anti-Spyware

Note: I scanned my PC in Safe Mode with Kaspersky Anti-Virus 7 (updated, trial version) but it did not find anything.
And I had to reinstall Win XP on my PC twice this week because it started to hang all the time.

Thank you.
 
There is nothing nasty in your logs at all.

Did panda antirootkit find anything?

The only problems I can see are that Windows isn't up to date and there is no visible process for a firewall.
 
Okay, this is the unethical use of the Windows Messenger Service. This Service is for the Administrator of the network to monitor and contact the other computers on the network. Unfortunately, some rogue programs are using a look-alike box to scare the user into clicking somewhere to get their program.

Here's how to shut this service down:

Control Panel > Administrative Tools > Services > scroll down to 'Messenger' > right-click > Properties > change the dialog box to Disable > Stop the Service > Apply > OK.

I did find this in your Report Scan:
HKU\S-1-5-21-1960408961-1580436667-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).

This is installed and used by EbatesMoeMoneyMaker. It needs to be removed if it has not already been.

On your hijack log, this entry needs to be deleted:
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

Possibly it was missed in the review.

This will take care of that problem.
 
Well spotted Bobbye, i missed that one. One for the memory banks.:)

It would also be a good idea to locate and delete the bold file - C:\TempEI4\EI40_\msxml4.cab
 
On your hijack log, this entry needs to be deleted:
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
The O16 unique number ID is displayed as legit on castlecops though.
http://www.castlecops.com/atxlist-545.html
Why do you suggest it be deleted?

RMN: Please update your Windows to SP2 for your own sake.
 
The O16 unique number ID is displayed as legit on castlecops though.
http://www.castlecops.com/atxlist-545.html
Why do you suggest it be deleted?

Look closely. It's not the same entry. You need to include the string TempEI4\EI40_\msxml4.cab

Rik, that one was kind of tucked away. I just happened to see it.
 
That isn't enough reason to declare an entry as malicious. We should only remove malicious entries or entries that the user explicitly states he/she does not require.

The ID is a globally unique identifier (GUID), which means it is unique in any context. The folder is a temporary folder meaning it is safe to delete anything in it, therefore there was no harm in your instructions. The installation files are there just in case the program did not install properly on the user's computer.

However, the main point is that we should identify O2, O3, O16, O18, O21 and O22 entries by their CLSID, not the file path.

Regards,
momok
 
momok, please see this for information on the DOM Document:

http://en.wikipedia.org/wiki/Document_Object_Model

The TempEI4\EI40_\msxml4.cab is an ActiveX object. I noted several sites running the hijack logs to remove it. I will stay with that suggestion.

It is unidentified: an 'unidentified' ActiveX object should not remain on the system.
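As an added example that is not part of the thread: a small Python triage script for HijackThis O16 (DPF / ActiveX download) lines that pulls out exactly the two things momok and Bobbye disagree about, the CLSID and the source path, and reports both signals so a reviewer can weigh them. The known-CLSID table is illustrative (only the MSXML4 GUID from the thread is in it), and every sample line except the one quoted in the thread, including the example.invalid host, is constructed.

```python
import re
from urllib.parse import urlparse

# HijackThis O16 line shape:  O16 - DPF: {CLSID} (Description) - URL
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$"
)

# Constructed sample log: line 1 is the entry from the thread; lines 2 and 3 are
# made up for contrast (same CLSID from a web source; an unknown CLSID).
SAMPLE_LOG = """\
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\\TempEI4\\EI40_\\msxml4.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://example.invalid/msxml4.cab
O16 - DPF: {DEADBEEF-0000-0000-0000-000000000001} (Totally Legit Control) - http://example.invalid/dl.cab
"""

# Illustrative allow-list keyed by CLSID (momok's point: identify O16 entries by CLSID).
KNOWN_CLSIDS = {
    "88D969C0-F192-11D4-A65F-0040963251E5": "XML DOM Document 4.0 (MSXML4)",
}

def parse_o16(line):
    """Return {'clsid', 'desc', 'url'} for an O16 line, or None for any other line."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    return {"clsid": m["clsid"].upper(), "desc": m["desc"], "url": m["url"]}

def assess(entry):
    """List review signals: unknown CLSID, local file:// source, temp-folder path."""
    findings = []
    if entry["clsid"] not in KNOWN_CLSIDS:
        findings.append("unknown CLSID")
    if urlparse(entry["url"]).scheme.lower() == "file":
        findings.append("local file:// source")   # Bobbye's point: odd install location
    if "temp" in entry["url"].lower():
        findings.append("temporary folder path")
    return findings

def triage(log_text):
    """Return [(clsid, findings)] for every O16 line in a HijackThis log."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o16(line)
        if entry:
            results.append((entry["clsid"], assess(entry)))
    return results

if __name__ == "__main__":
    for clsid, findings in triage(SAMPLE_LOG):
        print(clsid, "->", ", ".join(findings) or "no findings")
```

An empty findings list means the CLSID is known and the source looks ordinary; a known CLSID with a file:// or temp-folder source is the case argued over in the thread and still deserves a look.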
 