This could be nothing at all, but I was taking a look at my mother's computer, as it has been running like absolute shite.
She brought to my attention a folder in the C Drive, that had only sprung up in the last few days.
The name of the folder was "df3630f1fa6de4ee91995e9a17685877", and it had a text file in there titled "msxml4-KB927978-enu".
Opening the file, it appeared to be a log of some sort that I couldn't make a lot of sense of, but it had suspicious-sounding things in there such as:
MSI (c) (E0:DC) [01:33:34:890]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (E0:DC) [01:33:34:906]: Grabbed execution mutex.
MSI (c) (E0:DC) [01:33:34:953]: Cloaking enabled.
MSI (s) (D4:4C) [01:33:35:640]: SOFTWARE RESTRICTION POLICY: c:\df3630f1fa6de4ee91995e9a17685877\msxml.msi is permitted to run at the 'unrestricted' authorization level
(D4:E0) [01:33:37:453]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI5A.tmp, Entrypoint: CustomAction_SxsMsmInstall
MSI (s) (D4:08) [01:33:37:468]: Generating random cookie.
MSI (s) (D4:08) [01:33:37:468]: Created Custom Action Server with PID 1220 (0x4C4).
MSI (s) (D4:80) [01:33:37:500]: Running as a service.
MSI (s) (D4:80) [01:33:37:500]: Hello, I'm your 32bit Elevated custom action server.
Like I said, it could be nothing, but it set off alarm bells anyway. It had lots of other things in there mentioning registry editing and "adding payload".
Should I be worried?
Any help would be appreciated - thanks guys.
Edited by Erazik, 26 January 2007 - 10:31 PM.