Suspicious Text File

Arctic Wolf

New member
I just noticed a strange directory and text file on the root directory of my external drive:

The directory is called "3aaafb7243b63e617eddbf"

And the file is called "msxml4-KB927978-enu"

The text file appears to be a log of a suspicious process in text document form. There are references to disabling shutdown and to resetting security values.

References are also made about creating and deleting folders, as well as disabling and enabling debugging processes and unregistering programs and/or program processes. There are also references to disabling patches. There are references in the log to personal data (names of users) and references to installation of some type of program.


I do not believe the log to have been created by any normal process.


Here are the first bunch of lines in the text file:


=== Verbose logging started: 21/11/2006 10:01:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (B8:24) [10:01:34:140]: Resetting cached policy values
MSI (c) (B8:24) [10:01:34:140]: Machine policy value 'Debug' is 0
MSI (c) (B8:24) [10:01:34:140]: ******* RunEngine:
******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
******* Action:
******* CommandLine: **********
MSI (c) (B8:24) [10:01:34:140]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (B8:24) [10:01:34:140]: Grabbed execution mutex.
MSI (c) (B8:24) [10:01:34:234]: Cloaking enabled.
MSI (c) (B8:24) [10:01:34:234]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (B8:24) [10:01:34:250]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (FC:4C) [10:01:34:250]: Grabbed execution mutex.
MSI (s) (FC:E8) [10:01:34:250]: Resetting cached policy values
MSI (s) (FC:E8) [10:01:34:250]: Machine policy value 'Debug' is 0
MSI (s) (FC:E8) [10:01:34:250]: ******* RunEngine:
******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (FC:E8) [10:01:34:250]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (FC:E8) [10:01:34:265]: File will have security applied from OpCode.
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'e:\3aaafb7243b63e617eddbf\msxml.msi' against software restriction policy
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi has a digital signature
MSI (s) (FC:E8) [10:01:49:078]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (FC:E8) [10:01:49:078]: End dialog not enabled
MSI (s) (FC:E8) [10:01:49:109]: Original package ==> e:\3aaafb7243b63e617eddbf\msxml.msi
MSI (s) (FC:E8) [10:01:49:109]: Package we're running from ==> C:\WINDOWS\Installer\3fcbff3.msi
MSI (s) (FC:E8) [10:01:49:156]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (FC:E8) [10:01:49:171]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (FC:E8) [10:01:49:171]: MSCOREE not loaded loading copy from system32
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'TransformsSecure' is 0
MSI (s) (FC:E8) [10:01:49:296]: User policy value 'TransformsAtSource' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisablePatch' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (FC:E8) [10:01:49:296]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (FC:E8) [10:01:49:296]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (FC:E8) [10:01:49:296]: Transforms are not secure.
MSI (s) (FC:E8) [10:01:49:296]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=e:\3aaafb7243b63e617eddbf CLIENTUILEVEL=3 CLIENTPROCESSID=4024
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2B27DCD9-53FA-4885-B6CD-698623819F4C}'.
MSI (s) (FC:E8) [10:01:49:296]: Product Code passed to Engine.Initialize: ''
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table before transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table after transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:296]: Product not registered: beginning first-time install
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (FC:E8) [10:01:49:296]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (FC:E8) [10:01:49:296]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (FC:E8) [10:01:49:296]: Adding new sources is allowed.
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (FC:E8) [10:01:49:296]: Package name extracted from package path: 'msxml.msi'
MSI (s) (FC:E8) [10:01:49:296]: Package to be registered: 'msxml.msi'
MSI (s) (FC:E8) [10:01:49:296]: Note: 1: 2729
MSI (s) (FC:E8) [10:01:49:312]: Note: 1: 2729
MSI (s) (FC:E8) [10:01:49:312]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'DisableMsi' is 0
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (FC:E8) [10:01:49:312]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'e:\3aaafb7243b63e617eddbf'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '4024'.
MSI (s) (FC:E8) [10:01:49:312]: TRANSFORMS property is now:
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (FC:E8) [10:01:49:328]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Application Data
MSI (s) (FC:E8) [10:01:49:328]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Favorites
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\NetHood
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\PrintHood
MSI (s) (FC:E8) [10:01:49:359]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Recent
MSI (s) (FC:E8) [10:01:49:359]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\SendTo
MSI (s) (FC:E8) [10:01:49:375]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Templates
MSI (s) (FC:E8) [10:01:49:375]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Application Data
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MSI (s) (FC:E8) [10:01:49:406]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (FC:E8) [10:01:49:406]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Administrative Tools
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs
MSI (s) (FC:E8) [10:01:49:437]: SHELL32::SHGetFolderPath returned:
The File is much larger and I could post the entire thing but it would probably be easier to email it to you unless you already recognize it.

Thanx Arctic Wolf
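The log quoted above is in the Windows Installer verbose-log format, and the first thing a defender checks is whether it records a routine install: which process launched it, which package ran, whether the package had a verified digital signature, and whether it ran elevated. This is an added example, not code from the thread or from Microsoft; the sample lines are constructed from the format quoted in the post, and the findings list is the triage a practitioner would apply to any such log (an unsigned package, a non-system calling process, or the AlwaysInstallElevated policy being set).

```python
import re

# Constructed sample, modelled on the verbose-log lines quoted in the post above.
SAMPLE_LOG = r"""
=== Verbose logging started: 21/11/2006 10:01:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (B8:24) [10:01:34:140]: ******* RunEngine:
******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi has a digital signature
MSI (s) (FC:E8) [10:01:49:078]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: Product installation will be elevated because user is admin and product is being installed per-machine.
"""

HEADER = re.compile(r"^=== Verbose logging started: .*?Calling process: (.+?) ===$")
PRODUCT = re.compile(r"^\*{7} Product: (.+)$")
SIGNED = re.compile(r"SOFTWARE RESTRICTION POLICY: .+ has a digital signature$")
POLICY = re.compile(r"(Machine|User) policy value '(\w+)' is (\S+)$")

def parse_msi_log(text):
    """Pull the triage-relevant facts out of an MSI verbose log."""
    s = {"calling_process": None, "package": None, "signed": False,
         "elevated": False, "policies": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.match(line):
            s["calling_process"] = m.group(1)          # who launched the install
        elif m := PRODUCT.match(line):
            s["package"] = m.group(1)                  # the .msi that was run
        elif SIGNED.search(line):
            s["signed"] = True                         # SRP verified a signature
        elif m := POLICY.search(line):
            s["policies"][m.group(1) + ":" + m.group(2)] = m.group(3)
        elif "Product installation will be elevated" in line:
            s["elevated"] = True
    return s

def triage(s):
    """Findings a defender checks before accepting the log as a routine install."""
    findings = []
    if not (s["calling_process"] or "").lower().endswith(r"\windows\system32\msiexec.exe"):
        findings.append("installer was not launched by the system msiexec.exe")
    if not s["signed"]:
        findings.append("no digital signature was verified for the package")
    if s["elevated"] and not s["signed"]:
        findings.append("an unsigned package ran with elevated privileges")
    if all(s["policies"].get(k) == "1" for k in ("Machine:AlwaysInstallElevated", "User:AlwaysInstallElevated")):
        findings.append("AlwaysInstallElevated is on: any user's MSI would install as SYSTEM")
    return findings
```

On the sample above the package is signed and was launched by the system msiexec.exe, so `triage` returns no findings; the same log with the signature line missing or both AlwaysInstallElevated values set to 1 would flag it.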
Thanks

That certainly explains the contents of the log. Thanks.

I sent this problem to McAfee as well and they were at a loss as to how to explain things. Their solution was to scan my email with the text message and tell me the text message itself was not a virus. (Duh!) But since I didn't know which process had created the text message they could not determine if the log was indicating any malware on my system.

Glad you guys have a more sensible approach to the problem.


Just like last time I had a problem you really helped out.
 
Oh thank god I found this thread... I've been freaking out looking for the answer as to why this showed up on my computer.
 
Same file, worse problem

I found this same suspicious looking file today while recovering my hard drive. I lost the partition table on the drive within 24 hours of this appearing on my computer. The file showed up on my second hard drive (HD1 labelled d: ). Thankfully, my OS drive (HD0, c: ) was ok. I don't want to blame this, but I am looking for fall guys and this is suspicious.

I will be doing a registry check too to see if I can find any anomalous behavior or files anywhere else on my machine. I will post later as I continue my post-mortem of the drive failure.
 
Found the same thing

I too found it on my second hard drive. It's more than a little suspicious. If anyone else has any information I'd be appreciative. I should also say it didn't "appear" until 2 days after it says it was created.
 
Hi there.
My response 2006-11-21.
http://forums.spybot.info/showpost.php?p=54308&postcount=2

Please see Microsoft security bulletin MS06-071: http://support.microsoft.com/?kbid=927978
Article ID: 927978
Last Review: November 21, 2006
Revision : 3.1

Hope that helps, however if you would like a log checked to ease your mind and to see if the System is clean, please produce a log.

Spybot-S&D Version 1.4: Systems Supported

If you do not have version 1.4 please let us know.
  • Close all browsers
  • Open SpyBot, check for and get any updates available
  • Check for problems and fix everything found in red
  • Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
  • Uncheck[ ] do not report disabled or known legitimate Items.
  • Uncheck[ ] Include a list of services in report.
  • Uncheck[ ] Include uninstall list in report.
  • Uncheck[ ] Include list of Winsock LSPs in report
  • Now select (near the top) view report.
  • Click export and in the 'save in' box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.

If you cannot attach the Spybot-S&D log take as many posts as needed, however the instructions given usually produce manageable logs.

Cheers.
 
So, can anyone please tell me,

How do I uninstall it? It's driving me crazy, and taking up a lot of space.

Thank you,

Carol
 
Hello deerfern.

Did you check the link I provided above?

http://support.microsoft.com/?kbid=927978

Known issues with this security update
• Security update 927978 for MSXML 4.0, for MSXML 4.0 SP1, and for MSXML 4.0 SP2 does not support the complete removal of MSXML 4.0 because this version of MSXML is installed in side-by-side mode. To work around this issue, follow these steps:
1. Remove security update 927978 by using the Add or Remove Programs item in Control Panel.
2. Delete the MSXML4.dll file from the %SystemRoot%\System32 folder.
3. Repair the previous installation of MSXML 4.0 by using the Add or Remove Programs item in Control Panel.

The earlier versions of the Msxml4.dll and Msxml4r.dll files are restored to both the side-by-side folder and the %SystemRoot%\System32 folder.

I recommend reading the entire article to put things into perspective.

Cheers.
 
Ladies and Gentlemen;

I have also noticed this file and backtracked it to completing the log file just prior to when Microsoft did their monthly automatic MalWare search and removal. I do not know if the two are related and wonder why I have not seen this log file before but there it was, on my second hard drive no less. Guess it got lost in the file shuffle. Or else the good folks at Microsoft want us to see them working hard to keep us happy? Have a great one....
 
msxml4-927978-enu file directories

I have recently found 32 such directories. I was concerned until reading these posts. I still have reservations since there are so many directories. I would also like to know what the reason is for developing them and if deleting these directories would jeopardize the functionality of my pc.
 
msxml4-927978-enu

The folder appeared for the first time today, straight after that Windows update.

A search of the log file's contents didn't reveal any drives I use so I'm not that worried; it's like one of those surveys you receive after the big spend... (It's about something but you don't know what it's about.)
 
Still confused

I am very confused.

I do not know how this could have got on to my system

I have a brand new
quad 3.2 computer with 2gb ram and a terabyte HD.

My son made it for me.

The OS is Windows Vista Ultimate

All of a sudden I have about 20 of these files on my G drive.

When I went to the link you posted I have no idea what it is talking about.

To say it is over my head is silly.

I am at the bottom of the ocean.


Is this a call for geeksquad for something.

Please Help
Jerry
 
Is McAfee the problem?

I found these files, loads of them, on a laptop that was running McAfee security software.
I scrubbed it to use something better, however I have another laptop that has never run McAfee.

Both laptops are configured very much alike except the other is running AVG. So I was wondering if the presence of McAfee contributed to the problem? How many other people who have found these files have been running McAfee?
 
http://support.microsoft.com/?kbid=927978
Known issues with this security update
• Security update 927978 for MSXML 4.0, for MSXML 4.0 SP1, and for MSXML 4.0 SP2 does not support the complete removal of MSXML 4.0 because this version of MSXML is installed in side-by-side mode. To work around this issue, follow these steps:
1. Remove security update 927978 by using the Add or Remove Programs item in Control Panel.
2. Delete the MSXML4.dll file from the %SystemRoot%\System32 folder.
3. Repair the previous installation of MSXML 4.0 by using the Add or Remove Programs item in Control Panel.

The earlier versions of the Msxml4.dll and Msxml4r.dll files are restored to both the side-by-side folder and the %SystemRoot%\System32 folder.

I recommend reading the entire article to put things into perspective.

From the Microsoft XML Team's WebLog.
http://blogs.msdn.com/xmlteam/archive/2007/03/12/msxml4-is-going-to-be-kill-bit-ed.aspx
We are going to kill bit MSXML4 in the October – December timeframe of this year. Kill Bit applies to Internet Explorer only. After the kill bit, applications will not be able to create MSXML4 objects in the browser. Other applications like C++ apps which are not killbit aware will continue to work with MSXML4.

We are announcing this in advance so that our customers get sufficient time to try their applications with MSXML6 and give us feedback on their experience. Please email us at msxml4 AT microsoft.com with feedback/questions/concerns.
(Disabled email address so they don't receive spam.)

Hope that helps. :)
 