[Erazik]

Hi there,

This could be nothing at all, but I was taking a look at my mothers computer, as it has been running like absolute shite.

She brought to my attention a folder in the C Drive, that had only sprung up in the last few days.

The name of the folder was "df3630f1fa6de4ee91995e9a17685877", and it had a text file in there titled "msxml4-KB927978-enu".

Opening the files, it appeared to be a log of some sort, that I couldn't make alot of sense of, but had suspicious sounding things in there such as :

MSI © (E0:DC) [01:33:34:890]: Client-side and UI is none or basic: Running entire install on the server.
MSI © (E0:DC) [01:33:34:906]: Grabbed execution mutex.
MSI © (E0:DC) [01:33:34:953]: Cloaking enabled.

MSI (s) (D4:4C) [01:33:35:640]: SOFTWARE RESTRICTION POLICY: c:\df3630f1fa6de4ee91995e9a17685877\msxml.msi is permitted to run at the 'unrestricted' authorization level

(D4:E0) [01:33:37:453]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI5A.tmp, Entrypoint: CustomAction_SxsMsmInstall
MSI (s) (D4:08) [01:33:37:468]: Generating random cookie.
MSI (s) (D4:08) [01:33:37:468]: Created Custom Action Server with PID 1220 (0x4C4).
MSI (s) (D4:80) [01:33:37:500]: Running as a service.
MSI (s) (D4:80) [01:33:37:500]: Hello, I'm your 32bit Elevated custom action server.

Like I said, it could be nothing, but it set off alarm bells anyway. It had lots of other things in there mentioning registry editing and "adding payload".

Should I be worried?

Any help would be appreciated - thanks guys.

Edited by Erazik, 26 January 2007 - 10:31 PM.

[Advertisements]

See this: http://superantispyw...der-msxml4.html

[1101doc]

See this: http://superantispyw...der-msxml4.html

[Erazik]

That eases my mind. Thanks alot!

[1101doc]

Glad to be of service. What is the situation with your Mom's computer?

[Kat]

Good to see that the suspicious folder wasn't suspicious at all. However, you mention that your mom's computer runs like crud. If you suspect there may be a virus/trojan problem, please follow the instructions below, and we'll be happy to help you.


Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.

[Erazik]

Well yeah, its running like crud. I just usually give it a defrag (turns out it didn't need one), and install and run Spybot S & D and Ewido anti-malware.

Would that be enough do you think or should I read thru the forum? I wont be able to see her till next week so I've got time to read into it..