2006-11-22, 04:21   #1
Arctic Wolf
Junior Member
Join Date: Nov 2005
Posts: 19
Suspicious Text File

I just noticed a strange directory and text file on the root directory of my external drive:

The directory is called "3aaafb7243b63e617eddbf"

And the file is called "msxml4-KB927978-enu"

The text file appears to be a log of a suspicious process in text document form. There are references to disabling shutdown and to resetting security values.

References are also made about creating and deleting folders, as well as disabling and enabling debugging processes and unregistering programs and/or program processes. There are also references to disabling patches. There are references in the log to personal data (names of users) and references to installation of some type of program.


I do not believe the log to have been created by any normal process.


Here are the first bunch of lines in the text file:


=== Verbose logging started: 21/11/2006 10:01:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (B8:24) [10:01:34:140]: Resetting cached policy values
MSI (c) (B8:24) [10:01:34:140]: Machine policy value 'Debug' is 0
MSI (c) (B8:24) [10:01:34:140]: ******* RunEngine:
******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
******* Action:
******* CommandLine: **********
MSI (c) (B8:24) [10:01:34:140]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (B8:24) [10:01:34:140]: Grabbed execution mutex.
MSI (c) (B8:24) [10:01:34:234]: Cloaking enabled.
MSI (c) (B8:24) [10:01:34:234]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (B8:24) [10:01:34:250]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (FC:4C) [10:01:34:250]: Grabbed execution mutex.
MSI (s) (FC:E8) [10:01:34:250]: Resetting cached policy values
MSI (s) (FC:E8) [10:01:34:250]: Machine policy value 'Debug' is 0
MSI (s) (FC:E8) [10:01:34:250]: ******* RunEngine:
******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (FC:E8) [10:01:34:250]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (FC:E8) [10:01:34:265]: File will have security applied from OpCode.
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'e:\3aaafb7243b63e617eddbf\msxml.msi' against software restriction policy
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi has a digital signature
MSI (s) (FC:E8) [10:01:49:078]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (FC:E8) [10:01:49:078]: End dialog not enabled
MSI (s) (FC:E8) [10:01:49:109]: Original package ==> e:\3aaafb7243b63e617eddbf\msxml.msi
MSI (s) (FC:E8) [10:01:49:109]: Package we're running from ==> C:\WINDOWS\Installer\3fcbff3.msi
MSI (s) (FC:E8) [10:01:49:156]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (FC:E8) [10:01:49:171]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (FC:E8) [10:01:49:171]: MSCOREE not loaded loading copy from system32
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'TransformsSecure' is 0
MSI (s) (FC:E8) [10:01:49:296]: User policy value 'TransformsAtSource' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisablePatch' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (FC:E8) [10:01:49:296]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (FC:E8) [10:01:49:296]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (FC:E8) [10:01:49:296]: Transforms are not secure.
MSI (s) (FC:E8) [10:01:49:296]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=e:\3aaafb7243b63e617eddbf CLIENTUILEVEL=3 CLIENTPROCESSID=4024
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2B27DCD9-53FA-4885-B6CD-698623819F4C}'.
MSI (s) (FC:E8) [10:01:49:296]: Product Code passed to Engine.Initialize: ''
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table before transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table after transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:296]: Product not registered: beginning first-time install
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (FC:E8) [10:01:49:296]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (FC:E8) [10:01:49:296]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (FC:E8) [10:01:49:296]: Adding new sources is allowed.
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (FC:E8) [10:01:49:296]: Package name extracted from package path: 'msxml.msi'
MSI (s) (FC:E8) [10:01:49:296]: Package to be registered: 'msxml.msi'
MSI (s) (FC:E8) [10:01:49:296]: Note: 1: 2729
MSI (s) (FC:E8) [10:01:49:312]: Note: 1: 2729
MSI (s) (FC:E8) [10:01:49:312]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'DisableMsi' is 0
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (FC:E8) [10:01:49:312]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'e:\3aaafb7243b63e617eddbf'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '4024'.
MSI (s) (FC:E8) [10:01:49:312]: TRANSFORMS property is now:
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (FC:E8) [10:01:49:328]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Application Data
MSI (s) (FC:E8) [10:01:49:328]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Favorites
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\NetHood
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\PrintHood
MSI (s) (FC:E8) [10:01:49:359]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Recent
MSI (s) (FC:E8) [10:01:49:359]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\SendTo
MSI (s) (FC:E8) [10:01:49:375]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Templates
MSI (s) (FC:E8) [10:01:49:375]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Application Data
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MSI (s) (FC:E8) [10:01:49:406]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (FC:E8) [10:01:49:406]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Administrative Tools
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs
MSI (s) (FC:E8) [10:01:49:437]: SHELL32::SHGetFolderPath returned:

The file is much larger and I could post the entire thing, but it would probably be easier to email it to you unless you already recognize it.

Thanx Arctic Wolf

Last edited by Arctic Wolf; 2006-11-22 at 04:22. Reason: typo
2006-11-22, 06:25   #2
tashi
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,454

Quote:
Originally Posted by Arctic Wolf View Post
And the file is called "msxml4-KB927978-enu"
Hello.

I believe that is left over from Windows Security update 927978.
See:
Microsoft has released security bulletin MS06-071.
http://support.microsoft.com/?kbid=927978

The text file appears to contain details of the update installation and data regarding your setup.
__________________
UNITE-ASAP

Microsoft MVP. Consumer Security 2006-2010

Please help us improve Spybot, download our distributed testing client
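As an added example (not code from this thread, from Spybot or from Microsoft), here is a small Python triage script for the kind of msiexec verbose log Arctic Wolf posted. It parses the header and the `MSI (c)/(s) (PID:TID) [time]: message` lines and pulls out what a responder checks before deciding whether an orphaned installer log is benign: which process wrote the log, which package ran and from where, whether Software Restriction Policy saw a digital signature, whether the install was elevated, the command line, and the `AlwaysInstallElevated` policy values. The regexes and the wording of the triage notes are my own; `SAMPLE_LOG` is a trimmed copy of the lines in the first post.

```python
"""Triage the header of a Windows Installer (msiexec) verbose log.

Added example for this thread, not code from the forum or from Microsoft.
The regexes and triage wording are mine; SAMPLE_LOG is a trimmed copy of
the log lines posted by Arctic Wolf.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
HEADER = re.compile(r"^=== Verbose logging started: (?P<started>.+?)\s+Build type: .+?"
                    r"\s+Calling process: (?P<caller>.+?) ===$")
# "MSI (s) (FC:E8) [10:01:49:296]: message"; (c) = client side, (s) = service side
MSI_LINE = re.compile(r"^MSI \((?P<side>[cs])\) \((?P<pid>[0-9A-Fa-f]+):(?P<tid>[0-9A-Fa-f]+)\) "
                      r"\[(?P<time>[\d:]+)\]: (?P<msg>.*)$")
PRODUCT_LINE = re.compile(r"^\*+ Product: (?P<path>\S.*)$")  # continuation line of RunEngine
POLICY = re.compile(r"^(?P<scope>Machine|User) policy value '(?P<name>\w+)' is (?P<value>.+)$")
PRODUCT_CODE = re.compile(r"^Product Code from property table after transforms: '(?P<code>" + GUID + ")'$")
SRP_SIGNED = re.compile(r"^SOFTWARE RESTRICTION POLICY: .+ has a digital signature$")
SRP_LEVEL = re.compile(r"^SOFTWARE RESTRICTION POLICY: .+ is permitted to run at the '(?P<level>\w+)' authorization level\.$")
ELEVATED = re.compile(r"^Running product '" + GUID + r"' with elevated privileges")
CMDLINE = re.compile(r"^Command Line: (?P<args>.*)$")
CACHED = re.compile(r"^Package we're running from ==> (?P<path>.+)$")


@dataclass
class MsiLogReport:
    caller: Optional[str] = None          # process that produced the log
    started: Optional[str] = None
    packages: List[str] = field(default_factory=list)  # "Product:" paths seen
    cached_package: Optional[str] = None  # copy msiexec actually ran from
    product_code: Optional[str] = None
    srp_signed: bool = False
    srp_level: Optional[str] = None
    elevated: bool = False
    first_time_install: bool = False
    transforms_insecure: bool = False
    command_line: Optional[str] = None
    machine_policy: Dict[str, str] = field(default_factory=dict)
    user_policy: Dict[str, str] = field(default_factory=dict)


def parse_msi_log(text: str) -> MsiLogReport:
    """Walk the log once and fill in the fields a responder checks first."""
    r = MsiLogReport()
    for raw in text.splitlines():
        line = raw.strip()
        if (h := HEADER.match(line)):
            r.started, r.caller = h["started"].strip(), h["caller"].strip()
        elif (p := PRODUCT_LINE.match(line)):
            if p["path"].strip() not in r.packages:
                r.packages.append(p["path"].strip())
        elif (m := MSI_LINE.match(line)):
            msg = m["msg"].strip()
            if (pol := POLICY.match(msg)):
                target = r.machine_policy if pol["scope"] == "Machine" else r.user_policy
                target[pol["name"]] = pol["value"].strip("'")
            elif (pc := PRODUCT_CODE.match(msg)):
                r.product_code = pc["code"]
            elif SRP_SIGNED.match(msg):
                r.srp_signed = True
            elif (lv := SRP_LEVEL.match(msg)):
                r.srp_level = lv["level"]
            elif ELEVATED.match(msg):
                r.elevated = True
            elif (cl := CMDLINE.match(msg)):
                r.command_line = cl["args"].strip()
            elif (ca := CACHED.match(msg)):
                r.cached_package = ca["path"].strip()
            elif msg == "Transforms are not secure.":
                r.transforms_insecure = True
            elif msg.startswith("Product not registered: beginning first-time install"):
                r.first_time_install = True
    return r


def assess(r: MsiLogReport) -> List[str]:
    """Plain-language triage notes; the wording is mine, not Microsoft's."""
    notes = []
    if r.caller and r.caller.lower().endswith(r"\system32\msiexec.exe"):
        notes.append("written by the Windows Installer service (msiexec.exe), as expected for an MSI-based update")
    else:
        notes.append(f"unexpected calling process: {r.caller!r}")
    if r.srp_signed and r.srp_level:
        notes.append(f"package carried a digital signature; SRP allowed it at '{r.srp_level}'")
    else:
        notes.append("SRP did not record a digital signature on the package; verify it by other means")
    for scope, pol in (("Machine", r.machine_policy), ("User", r.user_policy)):
        if pol.get("AlwaysInstallElevated") == "1":
            notes.append(f"{scope} policy AlwaysInstallElevated=1: any user-supplied MSI installs as SYSTEM (privilege-escalation risk)")
    if r.elevated:
        notes.append("install ran elevated (per-machine install by an administrator)")
    if r.packages:
        notes.append("package(s) run: " + ", ".join(r.packages))
    return notes


# Trimmed copy of the log lines from the first post in this thread.
SAMPLE_LOG = r"""
=== Verbose logging started: 21/11/2006 10:01:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (B8:24) [10:01:34:140]: Machine policy value 'Debug' is 0
MSI (c) (B8:24) [10:01:34:140]: ******* RunEngine:
******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi has a digital signature
MSI (s) (FC:E8) [10:01:49:078]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (FC:E8) [10:01:49:109]: Package we're running from ==> C:\WINDOWS\Installer\3fcbff3.msi
MSI (s) (FC:E8) [10:01:49:296]: Transforms are not secure.
MSI (s) (FC:E8) [10:01:49:296]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=e:\3aaafb7243b63e617eddbf CLIENTUILEVEL=3 CLIENTPROCESSID=4024
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table after transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:296]: Product not registered: beginning first-time install
MSI (s) (FC:E8) [10:01:49:296]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
"""

if __name__ == "__main__":
    for note in assess(parse_msi_log(SAMPLE_LOG)):
        print("-", note)
```

Run against the real file (`python triage.py < msxml4-KB927978-enu.log`, after swapping `SAMPLE_LOG` for `sys.stdin.read()`) the same code reports the package path, product code and elevation for any msiexec verbose log, which is how one confirms that a folder like `3aaafb7243b63e617eddbf` is the extraction directory of a signed installer rather than something that needs a malware scan.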
2006-11-22, 18:02   #3
Arctic Wolf
Junior Member
Join Date: Nov 2005
Posts: 19
Thanks

That certainly explains the contents of the log. Thanks.

I sent this problem to McAfee as well and they were at a loss as to how to explain things. Their solution was to scan my email with the text message and tell me the text message itself was not a virus. (Duh!) But since I didn't know which process had created the text message, they could not determine if the log was indicating any malware on my system.

Glad you guys have a more sensible approach to the problem.


Just like last time I had a problem you really helped out.
2006-11-24, 08:05   #4
tattered
Junior Member
Join Date: Nov 2006
Posts: 1

Oh thank God I found this thread... I've been freaking out looking for the answer as to why this showed up on my computer.
2006-11-30, 07:14   #5
tpholden
Junior Member
Join Date: Nov 2006
Posts: 1
Same file, worse problem

I found this same suspicious looking file today while recovering my hard drive. I lost the partition table on the drive within 24 hours of this appearing on my computer. The file showed up on my second hard drive (HD1 labelled d: ). Thankfully, my OS drive (HD0, c: ) was ok. I don't want to blame this, but I am looking for fall guys and this is suspicious.

I will be doing a registry check too to see if I can find any anomalous behavior or files anywhere else on my machine. I will post later as I continue my post-mortem of the drive failure.
2006-12-23, 16:12   #6
zeroklk
Junior Member
Join Date: Dec 2006
Posts: 1
Found the same thing

I too found it on my second hard drive. It's more than a little suspicious; if anyone else has any information I'd be appreciative. I should also say it didn't "appear" until 2 days after it says it was created.
2006-12-23, 17:00   #7
tashi
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,454

Hi there.
My response 2006-11-21.
http://forums.spybot.info/showpost.p...08&postcount=2

Please see Microsoft security bulletin MS06-071: http://support.microsoft.com/?kbid=927978
Article ID: 927978
Last Review: November 21, 2006
Revision : 3.1

Hope that helps, however if you would like a log checked to ease your mind and to see if the System is clean, please produce a log.

Spybot-S&D Version 1.4: Systems Supported

If you do not have version 1.4 please let us know.
  • Close all browsers
  • Open SpyBot, check for and get any updates available
  • Check for problems and fix everything found in red
  • Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
  • Uncheck[ ] do not report disabled or known legitimate Items.
  • Uncheck[ ] Include a list of services in report.
  • Uncheck[ ] Include uninstall list in report.
  • Uncheck[ ] Include list of Winsock LSPs in report
  • Now select (near the top) view report.
  • Click export and in the 'save in' box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.

If you cannot attach the Spybot-S&D log take as many posts as needed, however the instructions given usually produce manageable logs.

Cheers.
2006-12-31, 04:12   #8
deerfern
Junior Member
Join Date: Dec 2006
Posts: 1

So, can anyone please tell me,

How do I uninstall it? It's driving me crazy, and taking up a lot of space.

Thank you,

Carol
2006-12-31, 06:14   #9
tashi
Member of Team Spybot
Join Date: Oct 2005
Location: USA
Posts: 23,454

Hello deerfern.

Did you check the link I provided above?

http://support.microsoft.com/?kbid=927978

Quote:
Known issues with this security update
• Security update 927978 for MSXML 4.0, for MSXML 4.0 SP1, and for MSXML 4.0 SP2 does not support the complete removal of MSXML 4.0 because this version of MSXML is installed in side-by-side mode. To work around this issue, follow these steps:
1. Remove security update 927978 by using the Add or Remove Programs item in Control Panel.
2. Delete the MSXML4.dll file from the %SystemRoot%\System32 folder.
3. Repair the previous installation of MSXML 4.0 by using the Add or Remove Programs item in Control Panel.

The earlier versions of the Msxml4.dll and Msxml4r.dll files are restored to both the side-by-side folder and the %SystemRoot%\System32 folder.
I recommend reading the entire article to put things into perspective.

Cheers.
2007-01-07, 03:05   #10
Railroadengineer
Junior Member
Join Date: Jan 2007
Posts: 1
Ladies and Gentlemen;

I have also noticed this file and backtracked it to completing the log file just prior to when Microsoft did their monthly automatic malware search and removal. I do not know if the two are related and wonder why I have not seen this log file before, but there it was, on my second hard drive no less. Guess it got lost in the file shuffle. Or else the good folks at Microsoft want us to see them working hard to keep us happy? Have a great one....
Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.