I just noticed a strange directory and text file on the root directory of my external drive:
The directory is called "3aaafb7243b63e617eddbf"
And the file is called "msxml4-KB927978-enu"
The text file appears to be a log of a suspicious process in text document form. There are references to disabling shutdown and to resetting security values.
References are also made about creating and deleting folders, as well as disabling and enabling debugging processes and unregistering programs and/or program processes. There are also references to disabling patches. There are references in the log to personal data (names of users) and references to installation of some type of program.
I do not believe the log to have been created by any normal process.
Here are the first bunch of lines in the text file:
=== Verbose logging started: 21/11/2006 10:01:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (B8:24) [10:01:34:140]: Resetting cached policy values
MSI (c) (B8:24) [10:01:34:140]: Machine policy value 'Debug' is 0
MSI (c) (B8:24) [10:01:34:140]: ******* RunEngine:
******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
******* Action:
******* CommandLine: **********
MSI (c) (B8:24) [10:01:34:140]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (B8:24) [10:01:34:140]: Grabbed execution mutex.
MSI (c) (B8:24) [10:01:34:234]: Cloaking enabled.
MSI (c) (B8:24) [10:01:34:234]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (B8:24) [10:01:34:250]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (FC:4C) [10:01:34:250]: Grabbed execution mutex.
MSI (s) (FC:E8) [10:01:34:250]: Resetting cached policy values
MSI (s) (FC:E8) [10:01:34:250]: Machine policy value 'Debug' is 0
MSI (s) (FC:E8) [10:01:34:250]: ******* RunEngine:
******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (FC:E8) [10:01:34:250]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (FC:E8) [10:01:34:265]: File will have security applied from OpCode.
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'e:\3aaafb7243b63e617eddbf\msxml.msi' against software restriction policy
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi has a digital signature
MSI (s) (FC:E8) [10:01:49:078]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (FC:E8) [10:01:49:078]: End dialog not enabled
MSI (s) (FC:E8) [10:01:49:109]: Original package ==> e:\3aaafb7243b63e617eddbf\msxml.msi
MSI (s) (FC:E8) [10:01:49:109]: Package we're running from ==> C:\WINDOWS\Installer\3fcbff3.msi
MSI (s) (FC:E8) [10:01:49:156]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (FC:E8) [10:01:49:171]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (FC:E8) [10:01:49:171]: MSCOREE not loaded loading copy from system32
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'TransformsSecure' is 0
MSI (s) (FC:E8) [10:01:49:296]: User policy value 'TransformsAtSource' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisablePatch' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisableFlyWeightPatching' is 0
MSI (s) (FC:E8) [10:01:49:296]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
MSI (s) (FC:E8) [10:01:49:296]: APPCOMPAT: no matching ProductCode found in database.
MSI (s) (FC:E8) [10:01:49:296]: Transforms are not secure.
MSI (s) (FC:E8) [10:01:49:296]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=e:\3aaafb7243b63e617eddbf CLIENTUILEVEL=3 CLIENTPROCESSID=4024
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2B27DCD9-53FA-4885-B6CD-698623819F4C}'.
MSI (s) (FC:E8) [10:01:49:296]: Product Code passed to Engine.Initialize: ''
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table before transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table after transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:296]: Product not registered: beginning first-time install
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
MSI (s) (FC:E8) [10:01:49:296]: Entering CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (FC:E8) [10:01:49:296]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (FC:E8) [10:01:49:296]: Adding new sources is allowed.
MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
MSI (s) (FC:E8) [10:01:49:296]: Package name extracted from package path: 'msxml.msi'
MSI (s) (FC:E8) [10:01:49:296]: Package to be registered: 'msxml.msi'
MSI (s) (FC:E8) [10:01:49:296]: Note: 1: 2729
MSI (s) (FC:E8) [10:01:49:312]: Note: 1: 2729
MSI (s) (FC:E8) [10:01:49:312]: Note: 1: 2262 2: AdminProperties 3: -2147287038
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'DisableMsi' is 0
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (FC:E8) [10:01:49:312]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'e:\3aaafb7243b63e617eddbf'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '4024'.
MSI (s) (FC:E8) [10:01:49:312]: TRANSFORMS property is now:
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
MSI (s) (FC:E8) [10:01:49:328]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Application Data
MSI (s) (FC:E8) [10:01:49:328]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Favorites
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\NetHood
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents
MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\PrintHood
MSI (s) (FC:E8) [10:01:49:359]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Recent
MSI (s) (FC:E8) [10:01:49:359]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\SendTo
MSI (s) (FC:E8) [10:01:49:375]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Templates
MSI (s) (FC:E8) [10:01:49:375]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Application Data
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
MSI (s) (FC:E8) [10:01:49:406]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (FC:E8) [10:01:49:406]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Administrative Tools
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs
MSI (s) (FC:E8) [10:01:49:437]: SHELL32::SHGetFolderPath returned:
The File is much larger and I could post the entire thing but it would probably be easier to email it to you unless you already recognize it.
Thanx Arctic Wolf
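The pasted text has the line format of a Windows Installer verbose log (the header names msiexec.exe as the calling process, and every engine line is prefixed `MSI (c)` or `MSI (s)` with a process:thread pair and a timestamp). The script below is an added triage helper, not part of the original post and not a Microsoft tool: it parses that format and pulls out the fields a reviewer checks first (calling process, package path and the copy cached under the Installer folder, signature and software-restriction-policy verdict, the AlwaysInstallElevated policy values, the command line, and the stated reason for elevation), then returns a prioritised list of review points. The sample lines are constructed from the excerpt above; the severity labels and the field names are the author's own choices, not anything the log defines.

```python
"""Triage helper for Windows Installer (msiexec) verbose logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of lines shaped like the excerpt in the post (not the full file).
SAMPLE_LOG = r"""
=== Verbose logging started: 21/11/2006 10:01:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (B8:24) [10:01:34:140]: Resetting cached policy values
MSI (c) (B8:24) [10:01:34:140]: Machine policy value 'Debug' is 0
MSI (c) (B8:24) [10:01:34:140]: ******* RunEngine:
           ******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
           ******* Action:
           ******* CommandLine: **********
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi has a digital signature
MSI (s) (FC:E8) [10:01:49:078]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (FC:E8) [10:01:49:109]: Original package ==> e:\3aaafb7243b63e617eddbf\msxml.msi
MSI (s) (FC:E8) [10:01:49:109]: Package we're running from ==> C:\WINDOWS\Installer\3fcbff3.msi
MSI (s) (FC:E8) [10:01:49:296]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (FC:E8) [10:01:49:296]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=e:\3aaafb7243b63e617eddbf CLIENTUILEVEL=3 CLIENTPROCESSID=4024
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table after transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: Product installation will be elevated because user is admin and product is being installed per-machine.
"""

# Engine line: "MSI (c|s) (PID:TID) [hh:mm:ss:mmm]: message"
LINE_RE = re.compile(
    r"^MSI \((?P<side>[cs])\) \((?P<pid>[0-9A-F]+):(?P<tid>[0-9A-F]+)\) "
    r"\[(?P<ts>[\d:]+)\]: (?P<msg>.*)$"
)
POLICY_RE = re.compile(r"^(?P<scope>Machine|User) policy value '(?P<name>\w+)' is (?P<value>.+)$")


@dataclass
class MsiLogSummary:
    calling_process: Optional[str] = None
    original_package: Optional[str] = None
    cached_package: Optional[str] = None
    command_line: Optional[str] = None
    product_code: Optional[str] = None
    signed: bool = False
    srp_level: Optional[str] = None
    elevation_reason: Optional[str] = None
    policies: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (scope, name) -> value
    engine_lines: int = 0


def parse_msi_log(text: str) -> MsiLogSummary:
    s = MsiLogSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = re.search(r"Calling process: (.+?) ===$", line)
        if line.startswith("===") and hdr:
            s.calling_process = hdr.group(1)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # '*******' continuation lines; the fields they carry are repeated elsewhere
        s.engine_lines += 1
        msg = m.group("msg")
        pol = POLICY_RE.match(msg)
        if pol:
            s.policies[(pol["scope"], pol["name"])] = pol["value"].strip("'")
        elif msg.startswith("Original package ==> "):
            s.original_package = msg.split("==> ", 1)[1]
        elif msg.startswith("Package we're running from ==> "):
            s.cached_package = msg.split("==> ", 1)[1]
        elif msg.startswith("Command Line: "):
            s.command_line = msg[len("Command Line: "):]
        elif msg.startswith("SOFTWARE RESTRICTION POLICY: "):
            if msg.endswith("has a digital signature"):
                s.signed = True
            lvl = re.search(r"permitted to run at the '(\w+)' authorization level", msg)
            if lvl:
                s.srp_level = lvl.group(1)
        elif msg.startswith("Product Code from property table after transforms: "):
            s.product_code = msg.split(": ", 1)[1].strip("'")
        elif msg.startswith("Product installation will be elevated because "):
            s.elevation_reason = msg.split("because ", 1)[1].rstrip(".")
    return s


def findings(s: MsiLogSummary) -> List[Tuple[str, str]]:
    """Review points as (level, text); 'high' entries need follow-up, 'info' is context."""
    out: List[Tuple[str, str]] = []
    if s.calling_process and not s.calling_process.lower().endswith("\\msiexec.exe"):
        out.append(("high", f"log written by an unexpected calling process: {s.calling_process}"))
    for scope in ("Machine", "User"):
        if s.policies.get((scope, "AlwaysInstallElevated")) == "1":
            out.append(("high", f"{scope} AlwaysInstallElevated=1: any user can install per-machine packages as SYSTEM"))
    if not s.signed:
        out.append(("high", "package carries no digital signature according to the SRP check"))
    if s.srp_level not in (None, "unrestricted"):
        out.append(("high", f"software restriction policy ran the package at '{s.srp_level}'"))
    if s.elevation_reason:
        out.append(("info", f"install ran elevated because {s.elevation_reason}"))
    if s.original_package and s.cached_package:
        out.append(("info", f"source {s.original_package} was cached as {s.cached_package}; verify the signature on that copy"))
    return out


if __name__ == "__main__":
    summary = parse_msi_log(SAMPLE_LOG)
    for level, text in findings(summary):
        print(f"[{level}] {text}")
```

Run against the full file, the script gives the same fields for the whole log; a verbose log that reports a signed package, AlwaysInstallElevated at 0 in both scopes and elevation only because the invoking user is an administrator yields no high-priority entries. The signature line only says that a signature is present, not who signed it, so the practical next step is to check the signer on the cached copy named in the `Package we're running from` line (for example with `Get-AuthenticodeSignature` in PowerShell) and confirm it chains to a publisher you expect.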