Is this a worm or a virus? If not, what?

Guest

In November, I got a new IBM ThinkPad R52 running XP Pro. Over time I
noticed that folders with 24-character random hexadecimal names were
periodically being added to my root C:\ drive. At first, a new folder
appeared several times a day. Since 9 December, exactly one per day has
been added, always at 3 am.

Each folder contains a single file, always named msxml4-KB927978-enu.log.
The first line of each file, always the same except for the date, is: "===
Verbose logging started: 12/26/2006 3:00:36 Build type: SHIP UNICODE
3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===".
Following that are hundreds of log lines (the text of the first one is: "MSI
(c) (E0:30) [03:00:36:812]: Resetting cached policy values"). Many of these
entries imply to my untrained eye that scary things are being done to my
system.

This system has always had an up-to-date antivirus running on it.

I spoke to ThinkPad tech support, who speculated that it is all some kind of
virus and suggested that I get rid of everything with 'msxml' in the title.

Can you explain what is going on?

And what should I do to get it to stop?

~ Thanks
~ Ken Winter
 
Rock

In November, I got a new IBM ThinkPad R52 running XP Pro. Over time I
noticed that folders with 24-character random hexadecimal names were
periodically being added to my root C:\ drive. At first, a new folder
appeared several times a day. Since 9 December, exactly one per day has
been added, always at 3 am.

Each folder contains a single file, always named msxml4-KB927978-enu.log.
The first line of each file, always the same except for the date, is: "===
Verbose logging started: 12/26/2006 3:00:36 Build type: SHIP UNICODE
3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===".
Following that are hundreds of log lines (the text of the first one is:
"MSI (c) (E0:30) [03:00:36:812]: Resetting cached policy values"). Many of
these entries imply to my untrained eye that scary things are being done to
my system.

This system has always had an up-to-date antivirus running on it.

I spoke to ThinkPad tech support, who speculated that it is all some kind
of virus and suggested that I get rid of everything with 'msxml' in the
title.

This is not due to virus activity. That log is related to a windows update,
referenced by that Microsoft Knowledge Base number KB927978. When it's
installed it creates that folder. For some reason with this update, though
it should, it hasn't been deleting that folder when finished so normally all
you need to do is delete it.

In your case, since it's being recreated daily at 3am that must be the time
you have automatic updates set to look for and install updates. Apparently
that update is being reinstalled for some reason each night. The
installation is probably failing each time, so it's redone the next night,
creating a new folder each time. Why the installation is failing I don't
know. For now you could tell windows update not to install that update
until this gets resolved.

You should post this to the experts in the windows update newsgroup.
microsoft.public.windowsupdate
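
A triage check for the pattern discussed above, as an added example that is not part of any post in this thread: it parses the log header quoted in the question and checks the folder name, log name, calling process and start hour. The sample paths and the third header are constructed, and `triage` and `start_hours` are hypothetical helper names.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Header layout as quoted in the thread; whitespace between fields may vary.
HEADER_RE = re.compile(
    r"=== Verbose logging started:\s*(?P<ts>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2})"
    r"\s+Build type:\s*(?P<build>.+?)\s+Calling process:\s*(?P<proc>.+?)\s*===")
FOLDER_RE = re.compile(r"[0-9a-fA-F]{24}")
LOG_RE = re.compile(r"msxml4-KB(?P<kb>\d+)-enu\.log", re.IGNORECASE)
# Assumption: Windows lives in C:\WINDOWS, as in the quoted header.
EXPECTED_PROC = r"c:\windows\system32\msiexec.exe"

def triage(path, first_line):
    """Check one log path and its first line against the installer-residue pattern."""
    p = PureWindowsPath(path)
    log_m = LOG_RE.fullmatch(p.name)
    head_m = HEADER_RE.search(first_line)
    r = {
        "path": path,
        # 24 hex characters, directly under the drive root
        "folder_ok": len(p.parts) == 3 and bool(FOLDER_RE.fullmatch(p.parent.name)),
        "kb": log_m["kb"] if log_m else None,
        "started": None,
        "proc_ok": False,
    }
    if head_m:
        ts = " ".join(head_m["ts"].split())
        r["started"] = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S")
        r["proc_ok"] = head_m["proc"].lower() == EXPECTED_PROC
    # Log text is easy to imitate, so this means "consistent with", not "proven".
    r["consistent"] = r["folder_ok"] and r["kb"] is not None and r["proc_ok"]
    return r

def start_hours(results):
    """Histogram of start hours for consistent entries (scheduled-update cadence)."""
    return Counter(r["started"].hour for r in results if r["consistent"])

# Constructed samples: folder names and the third calling process are made up.
HDR = ("=== Verbose logging started: {}  Build type: SHIP UNICODE "
       "3.01.4000.2435  Calling process: {} ===")
MSI = r"C:\WINDOWS\system32\msiexec.exe"
SAMPLES = [
    (r"C:\3f9a0c1d2e4b5a6978c0d1e2\msxml4-KB927978-enu.log", HDR.format("12/26/2006  3:00:36", MSI)),
    (r"C:\a1b2c3d4e5f60718293a4b5c\msxml4-KB927978-enu.log", HDR.format("12/27/2006  3:00:41", MSI)),
    (r"C:\0011223344556677889900aa\msxml4-KB927978-enu.log", HDR.format("12/27/2006 14:12:05", r"C:\Temp\setup.exe")),
]
RESULTS = [triage(path, line) for path, line in SAMPLES]
```

An entry that fails the check, like the third sample, is the one worth opening and reading in full.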
 
Guest

Windows Update experts, here's one for you.

Rock's explanation (below) fits my symptoms - I do indeed have auto updates
scheduled for 3am daily. Following some other advice I got, I looked at
http://support.microsoft.com/kb/927978. That page recommended three steps:

1. "Remove security update 927978 by using the Add or Remove Programs item."
I couldn't do that because 927978 did not show up in my list of updates.
2. "Delete the MSXML4.dll file from the %SystemRoot%\System32 folder." I
did that, and so far (one day later) no new log files have appeared.
3. "Repair the previous installation of MSXML 4.0 by using the Add or Remove
Programs item in Control Panel." I don't know how to do that.

My concern is that perhaps my system needs a functioning installation of
MSXML, and I assume that at present I don't have one.

~ TIA
~ Ken Winter

Rock said:
In November, I got a new IBM ThinkPad R52 running XP Pro. Over time I
noticed that folders with 24-character random hexadecimal names were
periodically being added to my root C:\ drive. At first, a new folder
appeared several times a day. Since 9 December, exactly one per day has
been added, always at 3 am.

Each folder contains a single file, always named msxml4-KB927978-enu.log.
The first line of each file, always the same except for the date, is: "===
Verbose logging started: 12/26/2006 3:00:36 Build type: SHIP UNICODE
3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===".
Following that are hundreds of log lines (the text of the first one is:
"MSI (c) (E0:30) [03:00:36:812]: Resetting cached policy values"). Many of
these entries imply to my untrained eye that scary things are being done to
my system.

This system has always had an up-to-date antivirus running on it.

I spoke to ThinkPad tech support, who speculated that it is all some kind
of virus and suggested that I get rid of everything with 'msxml' in the
title.

This is not due to virus activity. That log is related to a windows update,
referenced by that Microsoft Knowledge Base number KB927978. When it's
installed it creates that folder. For some reason with this update, though
it should, it hasn't been deleting that folder when finished so normally all
you need to do is delete it.

In your case, since it's being recreated daily at 3am that must be the time
you have automatic updates set to look for and install updates. Apparently
that update is being reinstalled for some reason each night. The
installation is probably failing each time, so it's redone the next night,
creating a new folder each time. Why the installation is failing I don't
know. For now you could tell windows update not to install that update
until this gets resolved.

You should post this to the experts in the windows update newsgroup.
microsoft.public.windowsupdate
 
DL

Reinstall MSXML 4.00 sp2

http://download.microsoft.com/download/9/6/5/9657c01e-107f-409c-baac-7d249561629c/msxml.msi

2. When the File Download window appears, please click the Save button, and
follow the directions to save it to the Desktop.
3. After downloading this file, please double-click the "msxml.msi" file on
the Desktop. Then the installation will be performed automatically.
4. If you receive three options "Modify", "Repair", and "Remove", please
click "Remove" and follow the instructions to remove MSXML 4.0 Service Pack
2.

5. After removing it, please double-click "msxml.msi" file again, click
"Install Now" button, and then follow the instructions.

After reinstalling MSXML 4.0 Service Pack 2, please move on to step 2 to
install the update KB927978.

Step 2: Reinstall MSXML 4.0 SP2 Security Update (KB927978)
============================================
1. Please download the update from the following link:

http://download.microsoft.com/downl...774-8cd9-3a7a0130141d/msxml4-KB927978-enu.exe

2. When the File Download window appears, please click the Save button, and
follow the directions to save it to the Desktop.
3. After downloading this file, please double-click the
"msxml4-KB927978-enu.exe" file on the Desktop. Then the installation will be
performed automatically.

4. After finishing the above steps, please check the result on the Windows
Update website again.
 
Guest

LOOK THIS SOLVES UR PROBLEM INSTANTANEOUSLY FOR REAL!!! THIS OCCURRED TO ME
WHEN I WENT THRU MY HISTORY AND FIGURED OUT WHAT I HAD DELETED FROM MY
SYSTEM.. BUDDY U NEED TO INSTALL Lineage2 Interlude AND I'M TELLING U THIS
BECAUSE I'VE TRIED ALL THE METHODS ON MICROSOFT AND FORUMS OVER THE NET..THEY
ALL SAY TO REINSTALL MSXML AND BLA BLA....I DID IT 50 TIMES ALREADY, AND IM
BORED... LISTEN TO ME INSTALL LINEAGE2 INTERLUDE, PERSONALLY I DONT CARE
WHERE U GET IT, BUT JUST DO!! Sincerely urs, "Friend"
 
Shenan Stanley

Alecs said:
LOOK THIS SOLVES UR PROBLEM INSTANTANEOUSLY FOR REAL!!! THIS OCCURRED
TO ME WHEN I WENT THRU MY HISTORY AND FIGURED OUT WHAT I HAD
DELETED FROM MY SYSTEM.. BUDDY U NEED TO INSTALL Lineage2 Interlude
AND I'M TELLING U THIS BECAUSE I'VE TRIED ALL THE METHODS
ON MICROSOFT AND FORUMS OVER THE NET..THEY ALL SAY TO REINSTALL
MSXML AND BLA BLA....I DID IT 50 TIMES ALREADY, AND IM BORED...
LISTEN TO ME INSTALL LINEAGE2 INTERLUDE, PERSONALLY I DONT CARE
WHERE U GET IT, BUT JUST DO!! Sincerely urs, "Friend"

Wow.
That's weak.
 
