Suspicious folder & file in C:\



#1
Erazik

Hi there,

This could be nothing at all, but I was taking a look at my mother's computer, as it has been running like absolute shite.

She brought to my attention a folder in the C Drive, that had only sprung up in the last few days.

The name of the folder was "df3630f1fa6de4ee91995e9a17685877", and it had a text file in there titled "msxml4-KB927978-enu".

Opening the file, it appeared to be a log of some sort that I couldn't make a lot of sense of, but it had suspicious-sounding things in there such as:

MSI (c) (E0:DC) [01:33:34:890]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (E0:DC) [01:33:34:906]: Grabbed execution mutex.
MSI (c) (E0:DC) [01:33:34:953]: Cloaking enabled.

MSI (s) (D4:4C) [01:33:35:640]: SOFTWARE RESTRICTION POLICY: c:\df3630f1fa6de4ee91995e9a17685877\msxml.msi is permitted to run at the 'unrestricted' authorization level

(D4:E0) [01:33:37:453]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI5A.tmp, Entrypoint: CustomAction_SxsMsmInstall
MSI (s) (D4:08) [01:33:37:468]: Generating random cookie.
MSI (s) (D4:08) [01:33:37:468]: Created Custom Action Server with PID 1220 (0x4C4).
MSI (s) (D4:80) [01:33:37:500]: Running as a service.
MSI (s) (D4:80) [01:33:37:500]: Hello, I'm your 32bit Elevated custom action server.

Like I said, it could be nothing, but it set off alarm bells anyway. It had lots of other things in there mentioning registry editing and "adding payload".

Should I be worried?

Any help would be appreciated - thanks guys.

Edited by Erazik, 26 January 2007 - 10:31 PM.



#2
1101doc

See this: http://superantispyw...der-msxml4.html

#3
Erazik

That eases my mind. Thanks a lot!

#4
1101doc

Glad to be of service. What is the situation with your Mom's computer?

#5
Kat

Good to see that the suspicious folder wasn't suspicious at all. However, you mention that your mom's computer runs like crud. If you suspect there may be a virus/trojan problem, please follow the instructions below, and we'll be happy to help you.


Please go to the malware forum and follow the instructions at the top... especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty -- and you may not be -- then post a HijackThis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.

#6
Erazik

Well yeah, it's running like crud. I just usually give it a defrag (turns out it didn't need one), and install and run Spybot S & D and Ewido anti-malware.

Would that be enough, do you think, or should I read through the forum? I won't be able to see her till next week, so I've got time to read into it.