Is this a worm or a virus? If not, what?

 
Ken Winter
(Msg. 1) Posted: Tue Dec 26, 2006 5:26 am
Post subject: Is this a worm or a virus? If not, what?
Archived from groups: microsoft>public>windowsxp>general

In November, I got a new IBM ThinkPad R52 running XP Pro. Over time I
noticed that folders with 24-character random hexadecimal names were
periodically being added to my root C:\ drive. At first, a new folder
appeared several times a day. Since 9 December, exactly one per day has
been added, always at 3 am.

Each folder contains a single file, always named msxml4-KB927978-enu.log.
The first line of each file, always the same except for the date, is: "===
Verbose logging started: 12/26/2006 3:00:36 Build type: SHIP UNICODE
3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===".
Following that are hundreds of log lines (the text of the first one is: "MSI
(c) (E0:30) [03:00:36:812]: Resetting cached policy values"). Many of these
entries imply to my untrained eye that scary things are being done to my
system.

This system has always had an up-to-date antivirus running on it.

I spoke to ThinkPad tech support, who speculated that it is all some kind of
virus and suggested that I get rid of everything with 'msxml' in the title.

Can you explain what is going on?

And what should I do to get it to stop?

~ Thanks
~ Ken Winter

Rock
(Msg. 2) Posted: Tue Dec 26, 2006 7:01 am
Post subject: Re: Is this a worm or a virus? If not, what?
Archived from groups: per prev. post

"Ken Winter" wrote

> In November, I got a new IBM ThinkPad R52 running XP Pro. Over time I
> noticed that folders with 24-character random hexadecimal names were
> periodically being added to my root C:\ drive. At first, a new folder
> appeared several times a day. Since 9 December, exactly one per day has
> been added, always at 3 am.
>
> Each folder contains a single file, always named msxml4-KB927978-enu.log.
> The first line of each file, always the same except for the date, is: "===
> Verbose logging started: 12/26/2006 3:00:36 Build type: SHIP UNICODE
> 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===".
> Following that are hundreds of log lines (the text of the first one is:
> "MSI
> (c) (E0:30) [03:00:36:812]: Resetting cached policy values"). Many of
> these
> entries imply to my untrained eye that scary things are being done to my
> system.
>
> This system has always had an up-to-date antivirus running on it.
>
> I spoke to ThinkPad tech support, who speculated that it is all some kind
> of
> virus and suggested that I get rid of everything with 'msxml' in the
> title.

This is not due to virus activity. That log is related to a windows update,
referenced by that Microsoft Knowledge Base number KB927978. When it's
installed it creates that folder. For some reason with this update, though
it should, it hasn't been deleting that folder when finished so normally all
you need to do is delete it.

In your case, since it's being recreated daily at 3am that must be the time
you have automatic updates set to look for and install updates. Apparently
that update is being reinstalled for some reason each night. The
installation is probably failing each time, so it's redone the next night,
creating a new folder each time. Why the installation is failing I don't
know. For now you could tell windows update not to install that update
until this gets resolved.

You should post this to the experts in the windows update newsgroup.
microsoft.public.windowsupdate

--
Rock [MVP - User/Shell]
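
The reasoning in the reply above, written out as a triage check (an added example, not part of the original thread): it confirms that each root-level folder fits the leftover installer-log pattern and that the runs recur daily at the same hour. The file name, header text and 3 am schedule come from the posts; the folder names, dates and the generalization to any `<package>-KB<number>-<lang>.log` name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# First line of a Windows Installer verbose log, in the shape quoted in the thread.
HEADER_RE = re.compile(
    r"^=== Verbose logging started: (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}) "
    r"Build type: (?P<build>.+?) Calling process: (?P<proc>.+?) ===$")
FOLDER_RE = re.compile(r"^[0-9a-f]{24}$", re.IGNORECASE)           # 24 hex characters
LOG_RE = re.compile(r"^[\w.]+-(?P<kb>KB\d+)-\w+\.log$", re.IGNORECASE)
EXPECTED_PROC = r"c:\windows\system32\msiexec.exe"


def parse_header(line):
    """Return (timestamp, build, calling_process), or None if the line is not a header."""
    m = HEADER_RE.match(" ".join(line.split()))   # collapse runs of whitespace first
    if not m:
        return None
    return datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"), m["build"], m["proc"]


def triage(folders):
    """folders: iterable of (folder_name, file_names, first_line_of_log).
    Returns ({kb: [timestamps]}, [folder names that do not fit the pattern]).
    Names and header text can be imitated, so a match means "consistent with a
    leftover installer log", and anything in the second list needs a closer look.
    """
    runs, unexplained = defaultdict(list), []
    for name, files, first_line in folders:
        log = LOG_RE.match(files[0]) if len(files) == 1 else None
        hdr = parse_header(first_line) if log else None
        if FOLDER_RE.match(name) and hdr and hdr[2].lower() == EXPECTED_PROC:
            runs[log["kb"].upper()].append(hdr[0])
        else:
            unexplained.append(name)
    return dict(runs), unexplained


def is_daily_retry(timestamps):
    """True when the runs fall on consecutive days in the same hour, which is what
    a scheduled Automatic Updates install that fails and is retried looks like."""
    ts = sorted(timestamps)
    same_hour = len({t.hour for t in ts}) == 1
    consecutive = all((b.date() - a.date()).days == 1 for a, b in zip(ts, ts[1:]))
    return len(ts) >= 2 and same_hour and consecutive


# Constructed sample data: folder names, dates and the last two entries are invented.
_HDR = ("=== Verbose logging started: {d}  3:00:36  Build type: SHIP UNICODE "
        "3.01.4000.2435  Calling process: {p} ===")
_MSI = r"C:\WINDOWS\system32\msiexec.exe"
_LOG = "msxml4-KB927978-enu.log"
SAMPLE = [
    ("3f9a1c0b7e2d4a5b6c8d9e0f", [_LOG], _HDR.format(d="12/24/2006", p=_MSI)),
    ("7b2e4d6f8a0c1e3f5a7b9c0d", [_LOG], _HDR.format(d="12/25/2006", p=_MSI)),
    ("a1b2c3d4e5f60718293a4b5c", [_LOG], _HDR.format(d="12/26/2006", p=_MSI)),
    ("0a1b2c3d4e5f60718293a4b5", [_LOG, "setup.exe"], _HDR.format(d="12/26/2006", p=_MSI)),
    ("c0ffee00c0ffee00c0ffee00", [_LOG], _HDR.format(d="12/26/2006", p=r"C:\Temp\msiexec.exe")),
]

if __name__ == "__main__":
    runs, unexplained = triage(SAMPLE)
    print({kb: is_daily_retry(ts) for kb, ts in runs.items()}, unexplained)
```
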

LVTravel
(Msg. 3) Posted: Tue Dec 26, 2006 9:27 am
Post subject: Re: Is this a worm or a virus? If not, what?
Archived from groups: per prev. post

I might suggest following the steps in
http://support.microsoft.com/kb/927978. It appears that an update has
failed to install properly. Hopefully someone else will also respond with
additional insight if my suggestions prove to be incorrect.


"Ken Winter" <KenWinter.RemoveThis@discussions.microsoft.com> wrote in message
news:A1EA541F-3CAD-4A00-BCB3-37D5D295FADE@microsoft.com...
> In November, I got a new IBM ThinkPad R52 running XP Pro. Over time I
> noticed that folders with 24-character random hexadecimal names were
> periodically being added to my root C:\ drive. At first, a new folder
> appeared several times a day. Since 9 December, exactly one per day has
> been added, always at 3 am.
>
> Each folder contains a single file, always named msxml4-KB927978-enu.log.
> The first line of each file, always the same except for the date, is: "===
> Verbose logging started: 12/26/2006 3:00:36 Build type: SHIP UNICODE
> 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===".
> Following that are hundreds of log lines (the text of the first one is:
> "MSI
> (c) (E0:30) [03:00:36:812]: Resetting cached policy values"). Many of
> these
> entries imply to my untrained eye that scary things are being done to my
> system.
>
> This system has always had an up-to-date antivirus running on it.
>
> I spoke to ThinkPad tech support, who speculated that it is all some kind
> of
> virus and suggested that I get rid of everything with 'msxml' in the
> title.
>
> Can you explain what is going on?
>
> And what should I do to get it to stop?
>
> ~ Thanks
> ~ Ken Winter

Ken Winter
(Msg. 4) Posted: Wed Dec 27, 2006 5:05 am
Post subject: Re: Is this a worm or a virus? If not, what?
Archived from groups: microsoft>public>windowsupdate, others

Windows Update experts, here's one for you.

Rock's explanation (below) fits my symptoms - I do indeed have auto updates
scheduled for 3am daily. Following some other advice I got, I looked at
http://support.microsoft.com/kb/927978. That page recommended three steps:

1. "Remove security update 927978 by using the Add or Remove Programs item."
I couldn't do that because 927978 did not show up in my list of updates.
2. "Delete the MSXML4.dll file from the %SystemRoot%\System32 folder." I
did that, and so far (one day later) no new log files have appeared.
3. "Repair the previous installation of MSXML 4.0 by using the Add or Remove
Programs item in Control Panel." I don't know how to do that.

My concern is that perhaps my system needs a functioning installation of
MSXML, and I assume that at present I don't have one.

~ TIA
~ Ken Winter

"Rock" wrote:

> "Ken Winter" wrote
>
> > In November, I got a new IBM ThinkPad R52 running XP Pro. Over time I
> > noticed that folders with 24-character random hexadecimal names were
> > periodically being added to my root C:\ drive. At first, a new folder
> > appeared several times a day. Since 9 December, exactly one per day has
> > been added, always at 3 am.
> >
> > Each folder contains a single file, always named msxml4-KB927978-enu.log.
> > The first line of each file, always the same except for the date, is: "===
> > Verbose logging started: 12/26/2006 3:00:36 Build type: SHIP UNICODE
> > 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===".
> > Following that are hundreds of log lines (the text of the first one is:
> > "MSI
> > (c) (E0:30) [03:00:36:812]: Resetting cached policy values"). Many of
> > these
> > entries imply to my untrained eye that scary things are being done to my
> > system.
> >
> > This system has always had an up-to-date antivirus running on it.
> >
> > I spoke to ThinkPad tech support, who speculated that it is all some kind
> > of
> > virus and suggested that I get rid of everything with 'msxml' in the
> > title.
>
> This is not due to virus activity. That log is related to a windows update,
> referenced by that Microsoft Knowledge Base number KB927978. When it's
> installed it creates that folder. For some reason with this update, though
> it should, it hasn't been deleting that folder when finished so normally all
> you need to do is delete it.
>
> In your case, since it's being recreated daily at 3am that must be the time
> you have automatic updates set to look for and install updates. Apparently
> that update is being reinstalled for some reason each night. The
> installation is probably failing each time, so it's redone the next night,
> creating a new folder each time. Why the installation is failing I don't
> know. For now you could tell windows update not to install that update
> until this gets resolved.
>
> You should post this to the experts in the windows update newsgroup.
> microsoft.public.windowsupdate
>
> --
> Rock [MVP - User/Shell]

DL
(Msg. 5) Posted: Wed Dec 27, 2006 1:12 pm
Post subject: Re: Is this a worm or a virus? If not, what?
Archived from groups: per prev. post

Reinstall MSXML 4.00 sp2

http://download.microsoft.com/download/9/6/5/9657c01e-107f-409c-baac-7...9561629

2. When the File Download window appears, please click the Save button, and
follow the directions to save it to the Desktop.
3. After downloading this file, please double-click the "msxml.msi" file on
the Desktop. Then the installation will be performed automatically.
4. If you receive three options "Modify", "Repair", and "Remove", please
click "Remove" and follow the instructions to remove MSXML 4.0 Service Pack
2.

5. After removing it, please double-click "msxml.msi" file again, click
"Install Now" button, and then follow the instructions.

After reinstalling MSXML 4.0 Service Pack 2, please move on to step 2 to
install the update KB927978.

Step 2: Reinstall MSXML 4.0 SP2 Security Update (KB927978)
============================================
1. Please download the update from the following link:

http://download.microsoft.com/download/e/2/e/e2e92e52-210b-4774-8cd9-3...0130141

2. When the File Download window appears, please click the Save button, and
follow the directions to save it to the Desktop.
3. After downloading this file, please double-click the
"msxml4-KB927978-enu.exe" file on the Desktop. Then the installation will be
performed automatically.

4. After finishing the above steps, please check the result on the Windows
Update website again.
------------------------------------------
Above copied from an MS support mail, see if it helps

Ken Winter
(Msg. 6) Posted: Wed Dec 27, 2006 1:12 pm
Post subject: Re: Is this a worm or a virus? If not, what?
Archived from groups: per prev. post

Thanks, DL. I *think* this worked. I was able to do all the steps, but the
last one - checking on the Update web site - did not show this latest
application of update KB927978. Anyway, msxml4.dll is back in place. I have
initiated one update, which executed without dropping a new log file and
folder into C:\. We'll see tomorrow morning what happens with the automatic
update.

~ Thanks to all for your help!
~ Ken

"DL" wrote:

> Reinstall MSXML 4.00 sp2
>
> http://download.microsoft.com/download/9/6/5/9657c01e-107f-409c-baac-7...9561629
>
> 2. When the File Download window appears, please click the Save button, and
> follow the directions to save it to the Desktop.
> 3. After downloading this file, please double-click the "msxml.msi" file on
> the Desktop. Then the installation will be performed automatically.
> 4. If you receive three options "Modify", "Repair", and "Remove", please
> click "Remove" and follow the instructions to remove MSXML 4.0 Service Pack
> 2.
>
> 5. After removing it, please double-click "msxml.msi" file again, click
> "Install Now" button, and then follow the instructions.
>
> After reinstalling MSXML 4.0 Service Pack 2, please move on to step 2 to
> install the update KB927978.
>
> Step 2: Reinstall MSXML 4.0 SP2 Security Update (KB927978)
> ============================================
> 1. Please download the update from the following link:
>
> http://download.microsoft.com/download/e/2/e/e2e92e52-210b-4774-8cd9-3...0130141
>
> 2. When the File Download window appears, please click the Save button, and
> follow the directions to save it to the Desktop.
> 3. After downloading this file, please double-click the
> "msxml4-KB927978-enu.exe" file on the Desktop. Then the installation will be
> performed automatically.
>
> 4. After finishing the above steps, please check the result on the Windows
> Update website again.
> ------------------------------------------
> Above copied from an MS support mail, see if it helps

http://www.microsoft.com/
(Msg. 7) Posted: Thu Dec 28, 2006 10:49 am
Post subject: Re: Is this a worm or a virus? If not, what?
Archived from groups: per prev. post

"Ken Winter" wrote:

> Windows Update experts, here's one for you.
>
> Rock's explanation (below) fits my symptoms - I do indeed have auto updates
> scheduled for 3am daily. Following some other advice I got, I looked at
> http://support.microsoft.com/kb/927978. That page recommended three steps:
>
> 1. "Remove security update 927978 by using the Add or Remove Programs item."
> I couldn't do that because 927978 did not show up in my list of updates.
> 2. "Delete the MSXML4.dll file from the %SystemRoot%\System32 folder." I
> did that, and so far (one day later) no new log files have appeared.
> 3. "Repair the previous installation of MSXML 4.0 by using the Add or Remove
> Programs item in Control Panel." I don't know how to do that.
>
> My concern is that perhaps my system needs a functioning installation of
> MSXML, and I assume that at present I don't have one.
>
> ~ TIA
> ~ Ken Winter
>
> "Rock" wrote:
>
> > "Ken Winter" wrote
> >
> > > In November, I got a new IBM ThinkPad R52 running XP Pro. Over time I
> > > noticed that folders with 24-character random hexadecimal names were
> > > periodically being added to my root C:\ drive. At first, a new folder
> > > appeared several times a day. Since 9 December, exactly one per day has
> > > been added, always at 3 am.
> > >
> > > Each folder contains a single file, always named msxml4-KB927978-enu.log.
> > > The first line of each file, always the same except for the date, is: "===
> > > Verbose logging started: 12/26/2006 3:00:36 Build type: SHIP UNICODE
> > > 3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===".
> > > Following that are hundreds of log lines (the text of the first one is:
> > > "MSI
> > > (c) (E0:30) [03:00:36:812]: Resetting cached policy values"). Many of
> > > these
> > > entries imply to my untrained eye that scary things are being done to my
> > > system.
> > >
> > > This system has always had an up-to-date antivirus running on it.
> > >
> > > I spoke to ThinkPad tech support, who speculated that it is all some kind
> > > of
> > > virus and suggested that I get rid of everything with 'msxml' in the
> > > title.
> >
> > This is not due to virus activity. That log is related to a windows update,
> > referenced by that Microsoft Knowledge Base number KB927978. When it's
> > installed it creates that folder. For some reason with this update, though
> > it should, it hasn't been deleting that folder when finished so normally all
> > you need to do is delete it.
> >
> > In your case, since it's being recreated daily at 3am that must be the time
> > you have automatic updates set to look for and install updates. Apparently
> > that update is being reinstalled for some reason each night. The
> > installation is probably failing each time, so it's redone the next night,
> > creating a new folder each time. Why the installation is failing I don't
> > know. For now you could tell windows update not to install that update
> > until this gets resolved.
> >
> > You should post this to the experts in the windows update newsgroup.
> > microsoft.public.windowsupdate
> >
> > --
> > Rock [MVP - User/Shell]

Alecs
(Msg. 8) Posted: Sun Oct 21, 2007 1:15 am
Post subject: Re: Is this a worm or a virus? If not, what?
Archived from groups: per prev. post

LOOK THIS SOLVES UR PROBLEM INSTANTANEOUSLY FOR REAL!!! THIS OCCURRED TO ME
WHEN I WENT THRU MY HISTORY AND FIGURED OUT WHAT I HAD DELETED FROM MY
SYSTEM.. BUDDY U NEED TO INSTALL Lineage2 Interlude AND I'M TELLING U THIS
BECAUSE I'VE TRIED ALL THE METHODS ON MICROSOFT AND FORUMS OVER THE NET..THEY
ALL SAY TO REINSTALL MSXML AND BLA BLA....I DID IT 50 TIMES ALREADY, AND IM
BORED... LISTEN TO ME INSTALL LINEAGE2 INTERLUDE, PERSONALLY I DONT CARE
WHERE U GET IT, BUT JUST DO!! Sincerely urs, "Friend"

"Ken Winter" wrote:

> Thanks, DL. I *think* this worked. I was able to do all the steps, but the
> last one - checking on the Update web site - did not show this latest
> application of update KB927978. Anyway, msxml4.dll is back in place. I have
> initiated one update, which executed without dropping a new log file and
> folder into C:\. We'll see tomorrow morning what happens with the automatic
> update.
>
> ~ Thanks to all for your help!
> ~ Ken
>
> "DL" wrote:
>
> > Reinstall MSXML 4.00 sp2
> >
> > http://download.microsoft.com/download/9/6/5/9657c01e-107f-409c-baac-7...9561629
> >
> > 2. When the File Download window appears, please click the Save button, and
> > follow the directions to save it to the Desktop.
> > 3. After downloading this file, please double-click the "msxml.msi" file on
> > the Desktop. Then the installation will be performed automatically.
> > 4. If you receive three options "Modify", "Repair", and "Remove", please
> > click "Remove" and follow the instructions to remove MSXML 4.0 Service Pack
> > 2.
> >
> > 5. After removing it, please double-click "msxml.msi" file again, click
> > "Install Now" button, and then follow the instructions.
> >
> > After reinstalling MSXML 4.0 Service Pack 2, please move on to step 2 to
> > install the update KB927978.
> >
> > Step 2: Reinstall MSXML 4.0 SP2 Security Update (KB927978)
> > ============================================
> > 1. Please download the update from the following link:
> >
> > http://download.microsoft.com/download/e/2/e/e2e92e52-210b-4774-8cd9-3...0130141
> >
> > 2. When the File Download window appears, please click the Save button, and
> > follow the directions to save it to the Desktop.
> > 3. After downloading this file, please double-click the
> > "msxml4-KB927978-enu.exe" file on the Desktop. Then the installation will be
> > performed automatically.
> >
> > 4. After finishing the above steps, please check the result on the Windows
> > Update website again.
> > ------------------------------------------
> > Above copied from an MS support mail, see if it helps

Shenan Stanley
(Msg. 9) Posted: Sun Oct 21, 2007 3:22 am
Post subject: Re: Is this a worm or a virus? If not, what?
Archived from groups: per prev. post

Alecs wrote:
> LOOK THIS SOLVES UR PROBLEM INSTANTANEOUSLY FOR REAL!!! THIS OCCURRED
> TO ME WHEN I WENT THRU MY HISTORY AND FIGURED OUT WHAT I HAD
> DELETED FROM MY SYSTEM.. BUDDY U NEED TO INSTALL Lineage2 Interlude
> AND I'M TELLING U THIS BECAUSE I'VE TRIED ALL THE METHODS
> ON MICROSOFT AND FORUMS OVER THE NET..THEY ALL SAY TO REINSTALL
> MSXML AND BLA BLA....I DID IT 50 TIMES ALREADY, AND IM BORED...
> LISTEN TO ME INSTALL LINEAGE2 INTERLUDE, PERSONALLY I DONT CARE
> WHERE U GET IT, BUT JUST DO!! Sincerely urs, "Friend"

Wow.
That's weak.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html