
Thread: Suspicious Text File

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    19

    Suspicious Text File

    I just noticed a strange directory and text file on the root directory of my external drive:

    The directory is called "3aaafb7243b63e617eddbf"

    And the file is called "msxml4-KB927978-enu"

    The text file appears to be a log of a suspicious process in text document form. There are references to disabling shutdown and to resetting security values.

    References are also made about creating and deleting folders, as well as disabling and enabling debugging processes and unregistering programs and/or program processes. There are also references to disabling patches. There are references in the log to personal data (names of users) and references to installation of some type of program.


    I do not believe the log to have been created by any normal process.


    Here the first bunch of lines in the text file:


    === Verbose logging started: 21/11/2006 10:01:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
    MSI (c) (B8:24) [10:01:34:140]: Resetting cached policy values
    MSI (c) (B8:24) [10:01:34:140]: Machine policy value 'Debug' is 0
    MSI (c) (B8:24) [10:01:34:140]: ******* RunEngine:
    ******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
    ******* Action:
    ******* CommandLine: **********
    MSI (c) (B8:24) [10:01:34:140]: Client-side and UI is none or basic: Running entire install on the server.
    MSI (c) (B8:24) [10:01:34:140]: Grabbed execution mutex.
    MSI (c) (B8:24) [10:01:34:234]: Cloaking enabled.
    MSI (c) (B8:24) [10:01:34:234]: Attempting to enable all disabled priveleges before calling Install on Server
    MSI (c) (B8:24) [10:01:34:250]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (FC:4C) [10:01:34:250]: Grabbed execution mutex.
    MSI (s) (FC:E8) [10:01:34:250]: Resetting cached policy values
    MSI (s) (FC:E8) [10:01:34:250]: Machine policy value 'Debug' is 0
    MSI (s) (FC:E8) [10:01:34:250]: ******* RunEngine:
    ******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
    ******* Action:
    ******* CommandLine: **********
    MSI (s) (FC:E8) [10:01:34:250]: Machine policy value 'DisableUserInstalls' is 0
    MSI (s) (FC:E8) [10:01:34:265]: File will have security applied from OpCode.
    MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: Verifying package --> 'e:\3aaafb7243b63e617eddbf\msxml.msi' against software restriction policy
    MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi has a digital signature
    MSI (s) (FC:E8) [10:01:49:078]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi is permitted to run at the 'unrestricted' authorization level.
    MSI (s) (FC:E8) [10:01:49:078]: End dialog not enabled
    MSI (s) (FC:E8) [10:01:49:109]: Original package ==> e:\3aaafb7243b63e617eddbf\msxml.msi
    MSI (s) (FC:E8) [10:01:49:109]: Package we're running from ==> C:\WINDOWS\Installer\3fcbff3.msi
    MSI (s) (FC:E8) [10:01:49:156]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
    MSI (s) (FC:E8) [10:01:49:171]: APPCOMPAT: no matching ProductCode found in database.
    MSI (s) (FC:E8) [10:01:49:171]: MSCOREE not loaded loading copy from system32
    MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'TransformsSecure' is 0
    MSI (s) (FC:E8) [10:01:49:296]: User policy value 'TransformsAtSource' is 0
    MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisablePatch' is 0
    MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'AllowLockdownPatch' is 0
    MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisableLUAPatching' is 0
    MSI (s) (FC:E8) [10:01:49:296]: Machine policy value 'DisableFlyWeightPatching' is 0
    MSI (s) (FC:E8) [10:01:49:296]: APPCOMPAT: looking for appcompat database entry with ProductCode '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'.
    MSI (s) (FC:E8) [10:01:49:296]: APPCOMPAT: no matching ProductCode found in database.
    MSI (s) (FC:E8) [10:01:49:296]: Transforms are not secure.
    MSI (s) (FC:E8) [10:01:49:296]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=e:\3aaafb7243b63e617eddbf CLIENTUILEVEL=3 CLIENTPROCESSID=4024
    MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding PackageCode property. Its value is '{2B27DCD9-53FA-4885-B6CD-698623819F4C}'.
    MSI (s) (FC:E8) [10:01:49:296]: Product Code passed to Engine.Initialize: ''
    MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table before transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
    MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table after transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
    MSI (s) (FC:E8) [10:01:49:296]: Product not registered: beginning first-time install
    MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding ProductState property. Its value is '-1'.
    MSI (s) (FC:E8) [10:01:49:296]: Entering CMsiConfigurationManager::SetLastUsedSource.
    MSI (s) (FC:E8) [10:01:49:296]: User policy value 'SearchOrder' is 'nmu'
    MSI (s) (FC:E8) [10:01:49:296]: Adding new sources is allowed.
    MSI (s) (FC:E8) [10:01:49:296]: PROPERTY CHANGE: Adding PackagecodeChanging property. Its value is '1'.
    MSI (s) (FC:E8) [10:01:49:296]: Package name extracted from package path: 'msxml.msi'
    MSI (s) (FC:E8) [10:01:49:296]: Package to be registered: 'msxml.msi'
    MSI (s) (FC:E8) [10:01:49:296]: Note: 1: 2729
    MSI (s) (FC:E8) [10:01:49:312]: Note: 1: 2729
    MSI (s) (FC:E8) [10:01:49:312]: Note: 1: 2262 2: AdminProperties 3: -2147287038
    MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'DisableMsi' is 0
    MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'AlwaysInstallElevated' is 0
    MSI (s) (FC:E8) [10:01:49:312]: User policy value 'AlwaysInstallElevated' is 0
    MSI (s) (FC:E8) [10:01:49:312]: Product installation will be elevated because user is admin and product is being installed per-machine.
    MSI (s) (FC:E8) [10:01:49:312]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
    MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding REBOOT property. Its value is 'ReallySuppress'.
    MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CURRENTDIRECTORY property. Its value is 'e:\3aaafb7243b63e617eddbf'.
    MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CLIENTUILEVEL property. Its value is '3'.
    MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding CLIENTPROCESSID property. Its value is '4024'.
    MSI (s) (FC:E8) [10:01:49:312]: TRANSFORMS property is now:
    MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
    MSI (s) (FC:E8) [10:01:49:328]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Application Data
    MSI (s) (FC:E8) [10:01:49:328]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Favorites
    MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\NetHood
    MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents
    MSI (s) (FC:E8) [10:01:49:343]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\PrintHood
    MSI (s) (FC:E8) [10:01:49:359]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Recent
    MSI (s) (FC:E8) [10:01:49:359]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\SendTo
    MSI (s) (FC:E8) [10:01:49:375]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Templates
    MSI (s) (FC:E8) [10:01:49:375]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Application Data
    MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data
    MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures
    MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
    MSI (s) (FC:E8) [10:01:49:390]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    MSI (s) (FC:E8) [10:01:49:406]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
    MSI (s) (FC:E8) [10:01:49:406]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu
    MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
    MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Administrative Tools
    MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
    MSI (s) (FC:E8) [10:01:49:421]: SHELL32::SHGetFolderPath returned: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs
    MSI (s) (FC:E8) [10:01:49:437]: SHELL32::SHGetFolderPath returned:
    The File is much larger and I could post the entire thing but it would probably be easier to email it to you unless you already recognize it.

    Thanx Arctic Wolf
    Last edited by Arctic Wolf; 2006-11-22 at 05:22. Reason: typo

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Quote Originally Posted by Arctic Wolf:
    > And the file is called "msxml4-KB927978-enu"
    Hello.

    I believe that is left over from Windows Security update 927978.
    See:
    Microsoft has released security bulletin MS06-071.
    http://support.microsoft.com/?kbid=927978

    The text file appears to contain details of the update installation and data regarding your setup.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
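    The log quoted in post #1 is a standard Windows Installer (msiexec) verbose log, which is what post #2 identifies it as. The following script is an added example (not code from the forum, from Spybot or from Microsoft) that pulls the facts a responder would want out of such a log before deciding whether it is benign: which process wrote it, which .msi package ran, whether Windows recorded a digital signature and an SRP verdict for that package, the ProductCode, whether the install ran elevated, and the AlwaysInstallElevated policy values. The sample input is a constructed subset of the lines quoted in post #1; the regular expressions are this example's own and cover the message formats visible in that excerpt, not every line Windows Installer can emit.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the MSI verbose log lines quoted in post #1.
SAMPLE_LOG = r"""=== Verbose logging started: 21/11/2006 10:01:34 Build type: SHIP UNICODE 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (B8:24) [10:01:34:140]: ******* RunEngine:
           ******* Product: e:\3aaafb7243b63e617eddbf\msxml.msi
MSI (s) (FC:E8) [10:01:34:296]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi has a digital signature
MSI (s) (FC:E8) [10:01:49:078]: SOFTWARE RESTRICTION POLICY: e:\3aaafb7243b63e617eddbf\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (FC:E8) [10:01:49:296]: Command Line: REBOOT=ReallySuppress CURRENTDIRECTORY=e:\3aaafb7243b63e617eddbf CLIENTUILEVEL=3 CLIENTPROCESSID=4024
MSI (s) (FC:E8) [10:01:49:296]: Product Code from property table before transforms: '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}'
MSI (s) (FC:E8) [10:01:49:312]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (FC:E8) [10:01:49:312]: Running product '{37477865-A3F1-4772-AD43-AAFC6BCFF99F}' with elevated privileges: Product is assigned.
MSI (s) (FC:E8) [10:01:49:312]: PROPERTY CHANGE: Adding VersionDatabase property. Its value is '200'.
"""

# Patterns for the message shapes seen in the excerpt (this example's own, not an official grammar).
HEADER_RE = re.compile(r"=== Verbose logging started: (?P<when>.+?)\s+Build type: .*?Calling process: (?P<proc>.+?) ===")
LINE_RE = re.compile(r"^MSI \((?P<side>[cs])\) \((?P<ids>[0-9A-F]+:[0-9A-F]+)\) \[(?P<time>[\d:]+)\]: (?P<msg>.*)$")
PRODUCT_RE = re.compile(r"\*{7} Product: (?P<path>.+)$")
POLICY_RE = re.compile(r"(?P<scope>Machine|User) policy value '(?P<name>\w+)' is '?(?P<value>[^']*)'?$")
SRP_SIGNED_RE = re.compile(r"SOFTWARE RESTRICTION POLICY: (?P<path>.+) has a digital signature$")
SRP_LEVEL_RE = re.compile(r"SOFTWARE RESTRICTION POLICY: (?P<path>.+) is permitted to run at the '(?P<level>\w+)' authorization level\.$")
PRODCODE_RE = re.compile(r"Product Code from property table before transforms: '(?P<code>\{[0-9A-F-]+\})'")
PROPERTY_RE = re.compile(r"PROPERTY CHANGE: Adding (?P<name>\w+) property\. Its value is '(?P<value>.*)'\.$")
ELEVATED_RE = re.compile(r"Running product '\{[0-9A-F-]+\}' with elevated privileges")
CMDLINE_RE = re.compile(r"Command Line: (?P<cmd>.*)$")


@dataclass
class MsiLogSummary:
    started: str = ""
    calling_process: str = ""
    packages: list = field(default_factory=list)       # .msi paths in RunEngine order
    product_codes: set = field(default_factory=set)
    signed_packages: set = field(default_factory=set)  # paths with a "has a digital signature" line
    srp_levels: dict = field(default_factory=dict)     # path -> SRP authorization level
    policies: dict = field(default_factory=dict)       # (scope, name) -> value
    properties: dict = field(default_factory=dict)     # property name -> value
    elevated: bool = False
    command_line: str = ""


def summarize(text: str) -> MsiLogSummary:
    """Walk the log once and collect the facts worth checking."""
    s = MsiLogSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.search(line)
        if h:
            s.started, s.calling_process = h["when"], h["proc"]
            continue
        p = PRODUCT_RE.search(line)  # continuation line under "RunEngine:"
        if p and p["path"].strip() not in s.packages:
            s.packages.append(p["path"].strip())
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # other continuation lines are not modelled here
        msg = m["msg"].strip()
        if (x := POLICY_RE.search(msg)):
            s.policies[(x["scope"], x["name"])] = x["value"]
        elif (x := SRP_SIGNED_RE.search(msg)):
            s.signed_packages.add(x["path"])
        elif (x := SRP_LEVEL_RE.search(msg)):
            s.srp_levels[x["path"]] = x["level"]
        elif (x := PRODCODE_RE.search(msg)):
            s.product_codes.add(x["code"])
        elif (x := PROPERTY_RE.search(msg)):
            s.properties[x["name"]] = x["value"]
        elif ELEVATED_RE.search(msg):
            s.elevated = True
        elif (x := CMDLINE_RE.search(msg)):
            s.command_line = x["cmd"]
    return s


def findings(s: MsiLogSummary) -> list:
    """Points a responder should follow up on; an empty list means nothing stood out."""
    notes = []
    if not s.calling_process.lower().endswith("msiexec.exe"):
        notes.append("log was not written by msiexec.exe: " + s.calling_process)
    for pkg in s.packages:
        if pkg not in s.signed_packages:
            notes.append("no digital signature recorded for " + pkg)
        level = s.srp_levels.get(pkg)
        if level and level != "unrestricted":
            notes.append(f"{pkg} ran at SRP authorization level '{level}'")
    if (s.policies.get(("Machine", "AlwaysInstallElevated")) == "1"
            and s.policies.get(("User", "AlwaysInstallElevated")) == "1"):
        notes.append("AlwaysInstallElevated is 1 for machine and user: a known privilege-escalation weakness")
    if s.elevated:
        # "has a digital signature" only says a signature exists; the publisher still has to be verified.
        notes.append("install ran with elevated privileges; verify the package publisher before trusting it")
    return notes


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("started:", summary.started, "by", summary.calling_process)
    for pkg in summary.packages:
        state = "signed" if pkg in summary.signed_packages else "UNSIGNED"
        print("package:", pkg, state, summary.srp_levels.get(pkg, "no SRP verdict"))
    print("product codes:", ", ".join(sorted(summary.product_codes)))
    for note in findings(summary):
        print("-", note)
```

    Run against the quoted excerpt it reports msiexec.exe as the writer, one package (msxml.msi from the hashed-name folder, signed, SRP level unrestricted) and a single follow-up note that the install ran elevated. On a real machine the same ProductCode can be looked up in Add or Remove Programs, and the .msi's signature checked with the file's Digital Signatures tab, which is the quick way to confirm post #2's identification rather than relying on the log alone.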

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    19

    Thanks

    That certainly explains the contents of the log. Thanks.

    I sent this problem to McAfee as well and they were at a loss as to how to explain things. Their solution was to scan my email with the text message and tell me the text message itself was not a virus. (Duh!) But since I didn't know which process had created the text message they could not determine if the log was indicating any malware on my system.

    Glad you guys have a more sensible approach to the problem.


    Just like last time I had a problem you really helped out.

  4. #4
    Junior Member
    Join Date
    Nov 2006
    Posts
    1


    Oh thank god I found this thread... I've been freaking out looking for the answer as to why this showed up on my computer.

  5. #5
    Junior Member
    Join Date
    Nov 2006
    Posts
    1

    Same file, worse problem

    I found this same suspicious looking file today while recovering my hard drive. I lost the partition table on the drive within 24 hours of this appearing on my computer. The file showed up on my second hard drive (HD1 labelled d: ). Thankfully, my OS drive (HD0, c: ) was ok. I don't want to blame this, but I am looking for fall guys and this is suspicious.

    I will be doing a registry check too to see if I can find any anomalous behavior or files anywhere else on my machine. I will post later as I continue my post-mortem of the drive failure.

  6. #6
    Junior Member
    Join Date
    Dec 2006
    Posts
    1

    Found the same thing

    I too found it on my second hard drive. It's more than a little suspicious; if anyone else has any information I'd be appreciative. I should also say it didn't "appear" until 2 days after it says it was created.

  7. #7
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Hi there.
    My response 2006-11-21.
    http://forums.spybot.info/showpost.p...08&postcount=2

    Please see Microsoft security bulletin MS06-071: http://support.microsoft.com/?kbid=927978
    Article ID: 927978
    Last Review: November 21, 2006
    Revision : 3.1

    Hope that helps, however if you would like a log checked to ease your mind and to see if the System is clean, please produce a log.

    Spybot-S&D Version 1.4: Systems Supported

    If you do not have version 1.4 please let us know.
    • Close all browsers
    • Open SpyBot, check for and get any updates available
    • Check for problems and fix everything found in red
    • Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
    • Uncheck[ ] do not report disabled or known legitimate Items.
    • Uncheck[ ] Include a list of services in report.
    • Uncheck[ ] Include uninstall list in report.
    • Uncheck[ ] Include list of Winsock LSPs in report
    • Now select (near the top) view report.
    • Click export and in the 'save in' box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.


    If you cannot attach the Spybot-S&D log take as many posts as needed, however the instructions given usually produce manageable logs.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  8. #8
    Junior Member
    Join Date
    Dec 2006
    Posts
    3


    So, can anyone please tell me,

    How do I uninstall it? It's driving me crazy, and taking up a lot of space.

    Thank you,

    Carol

  9. #9
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Hello deerfern.

    Did you check the link I provided above?

    http://support.microsoft.com/?kbid=927978

    Known issues with this security update
    • Security update 927978 for MSXML 4.0, for MSXML 4.0 SP1, and for MSXML 4.0 SP2 does not support the complete removal of MSXML 4.0 because this version of MSXML is installed in side-by-side mode. To work around this issue, follow these steps:
    1. Remove security update 927978 by using the Add or Remove Programs item in Control Panel.
    2. Delete the MSXML4.dll file from the %SystemRoot%\System32 folder.
    3. Repair the previous installation of MSXML 4.0 by using the Add or Remove Programs item in Control Panel.

    The earlier versions of the Msxml4.dll and Msxml4r.dll files are restored to both the side-by-side folder and the %SystemRoot%\System32 folder.
    I recommend reading the entire article to put things into perspective.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  10. #10
    Junior Member
    Join Date
    Jan 2007
    Posts
    1

    Ladies and Gentlemen;

    I have also noticed this file and backtracked it to completing the log file just prior to when Microsoft did their monthly automatic malware search and removal. I do not know if the two are related and wonder why I have not seen this log file before, but there it was, on my second hard drive no less. Guess it got lost in the file shuffle. Or else the good folks at Microsoft want us to see them working hard to keep us happy? Have a great one....
