Have you been getting these strange errors as well lately?
Internal System Error
Errors in system registry were found.
KL0x010013DB SYSC: 1f SYSLVL 0xe615025 NTKernel error 7645 (unhandled exception)
A system is unstable An error has been detected and Windows has been shutdown buggy
application to prevent damage to your computer. [sic]
NTLDR - Address C8D460BA base at D00010, DS 76a032B3 KDbg: COM1 (Port 0x38f, Baud rate 192000)
Critical error occured SEGFAULT: 0x100B05E (0xA502D4, 0x00100, 0xBC0D36)
Inaccesible handler or device.
IEXPLORER.EXE - Application Error
The instruction at 0x02b52a37 referenced memory at 0x0a554d67. The memory could not be read.
Click on OK to terminate
...
Similar posts are appearing on many Usenet groups as we speak. Every time, a sympathetic support employee from Saliar replies to the message, telling you that you should install the SaliarAR software.
The strange thing is, Google any of these errors, and all the results you get point to Saliar-related sites.
At first, there were net send-like messages asking you to install the software. Then came direct pop-unders. Then you got these fake error messages. And now we get balloons in the systray.
They're generated by an executable located in your personal \Local Settings\Temp directory, with a random name and the icon from Windows Update.
They are downloaded from this IP address: 88.214.208.31. The www.saliar.com site resolves to 88.214.200.140, registered to the "Real International Business Corporation", real name: Soldatov Maxim.
Oh my, isn't that the same name I read checking out the source of the downloaded executable? Yes it is! And indeed, the address and phone number are also the same.
Must be a very trustworthy software, that SaliarAR thing, and it's advertised on all major download sites...
inetnum: 88.214.192.0 - 88.214.255.255
netname: UK-UAONLINE-20060118
descr: Real International Business Corp.
country: GB
org: ORG-RIBC1-RIPE
admin-c: MS9776-ripe
tech-c: MS9776-ripe
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: uaonline
mnt-domains: uaonline
mnt-routes: uaonline
source: RIPE # Filtered
organisation: ORG-RIBC1-RIPE
org-name: Real International Business Corp.
org-type: LIR
address: Real International Business Corp.
MARYLEBONE HIGH STREET 78
W1U 5AP LONDON
United Kingdom
phone: +380 50 4986406
fax-no: +12012218228
e-mail: makc@center.hqhost.net
admin-c: MS9776-ripe
admin-c: VK1045-ripe
mnt-ref: uaonline
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
person: Soldatov Maxim
address: Marylebone high street 78
address: W1U 5AP London
phone: +380 50 4985406
e-mail: makc@ipipe.net
org: ORG-RIBC1-RIPE
nic-hdl: MS9776-ripe
mnt-by: uaonline
source: RIPE # Filtered
inetnum: 88.214.208.0 - 88.214.208.255
netname: uaonline-nj-1
descr: iPipe Inc. webhosting block
country: GB
admin-c: MS9776-ripe
tech-c: VK1045-ripe
status: ASSIGNED PA
remarks: INFRA-AW
mnt-by: uaonline
source: RIPE # Filtered
person: Soldatov Maxim
address: Marylebone high street 78
address: W1U 5AP London
phone: +380 50 4985406
e-mail: makc@ipipe.net
org: ORG-RIBC1-RIPE
nic-hdl: MS9776-ripe
mnt-by: uaonline
source: RIPE # Filtered
person: Vladimir Klenov
address: London, United Kingdom
phone: +380 50 4985406
e-mail: maple@ipipe.net
nic-hdl: VK1045-ripe
mnt-by: uaonline
source: RIPE # Filtered
I think I see a large infection spreading...
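The correlation done by eye on the whois output above can be automated. This is an added example, not part of the original post: it splits flattened RIPE-style output into objects and reports which contact persons sit on the registration of every IP of interest. The `WHOIS` text is an abbreviated excerpt of the records quoted above, and the function names are this example's own.

```python
import ipaddress

# Abbreviated excerpt of the RIPE records quoted in the post (not the full output).
WHOIS = """\
inetnum: 88.214.192.0 - 88.214.255.255
descr: Real International Business Corp.
admin-c: MS9776-ripe
tech-c: MS9776-ripe
person: Soldatov Maxim
nic-hdl: MS9776-ripe
inetnum: 88.214.208.0 - 88.214.208.255
descr: iPipe Inc. webhosting block
admin-c: MS9776-ripe
tech-c: VK1045-ripe
person: Vladimir Klenov
nic-hdl: VK1045-ripe
"""

CLASSES = {"inetnum", "organisation", "person"}  # attributes that open a new object

def parse_objects(text):
    """Split whois output into a list of (class, [(attribute, value), ...])."""
    objects = []
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # unlabeled continuation line, e.g. a bare address row
        attr, value = attr.strip(), value.strip()
        if attr in CLASSES:
            objects.append((attr, []))
        if objects:
            objects[-1][1].append((attr, value))
    return objects

def contacts_for(ip, objects):
    """Contact persons on every inetnum object whose range covers ip."""
    people = {dict(a)["nic-hdl"]: dict(a)["person"] for c, a in objects if c == "person"}
    addr, found = ipaddress.ip_address(ip), set()
    for cls, attrs in objects:
        if cls != "inetnum":
            continue
        first, last = (ipaddress.ip_address(p.strip()) for p in attrs[0][1].split("-"))
        if first <= addr <= last:
            # Resolve handles to names; keep the raw handle if no person object exists.
            found |= {people.get(v, v) for k, v in attrs if k in ("admin-c", "tech-c")}
    return found

def shared_contacts(ips, objects):
    """Contacts that appear on the registration of every IP in ips."""
    return set.intersection(*(contacts_for(ip, objects) for ip in ips))
```

Calling `shared_contacts(["88.214.208.31", "88.214.200.140"], parse_objects(WHOIS))` returns the one contact common to the download server and the vendor's web site.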
*** Update: to clean this junk, delete the file %windir%\system32\cache\actmxl.dll. There should also be a .000 version in your temp directory under your local settings. ***