think I may have been hijacked by a hacker...


Posted by timothy on January 28, 2007, 3:05 pm
Check out this code I found on my PC. I just reloaded my OS because it was
acting very strange. Does anyone have any idea what this is??

=== Verbose logging started: 1/28/2007 3:03:15 Build type: SHIP UNICODE
3.01.4000.2435 Calling process: C:\WINDOWS\system32\msiexec.exe ===
MSI (c) (E4:8C) [03:03:15:500]: Resetting cached policy values
MSI (c) (E4:8C) [03:03:15:500]: Machine policy value 'Debug' is 0
MSI (c) (E4:8C) [03:03:15:500]: ******* RunEngine:
******* Product: c:9bdbe23a31fafa4610e81863f41d\msxml.msi
******* Action:
******* CommandLine: **********
MSI (c) (E4:8C) [03:03:15:500]: Client-side and UI is none or basic: Running
entire install on the server.
MSI (c) (E4:8C) [03:03:15:500]: Grabbed execution mutex.
MSI (c) (E4:8C) [03:03:15:593]: Cloaking enabled.
MSI (c) (E4:8C) [03:03:15:593]: Attempting to enable all disabled priveleges
before calling Install on Server
MSI (c) (E4:8C) [03:03:15:593]: Incrementing counter to disable shutdown.
Counter after increment: 0
MSI (s) (4C:08) [03:03:15:609]: Grabbed execution mutex.
MSI (s) (4C:A0) [03:03:15:609]: Resetting cached policy values
MSI (s) (4C:A0) [03:03:15:609]: Machine policy value 'Debug' is 0
MSI (s) (4C:A0) [03:03:15:609]: ******* RunEngine:
******* Product: c:9bdbe23a31fafa4610e81863f41d\msxml.msi
******* Action:
******* CommandLine: **********
MSI (s) (4C:A0) [03:03:15:609]: Machine policy value 'DisableUserInstalls'
is 0
MSI (s) (4C:A0) [03:03:15:640]: File will have security applied from OpCode.
MSI (s) (4C:A0) [03:03:15:687]: SOFTWARE RESTRICTION POLICY: Verifying
package --> 'c:9bdbe23a31fafa4610e81863f41d\msxml.msi' against software
restriction policy
MSI (s) (4C:A0) [03:03:15:687]: SOFTWARE RESTRICTION POLICY:
c:9bdbe23a31fafa4610e81863f41d\msxml.msi has a digital signature
MSI (s) (4C:A0) [03:03:16:515]: SOFTWARE RESTRICTION POLICY:
c:9bdbe23a31fafa4610e81863f41d\msxml.msi is permitted to run at the
'unrestricted' authorization level.
MSI (s) (4C:A0) [03:03:16:515]: End dialog not enabled
MSI (s) (4C:A0) [03:03:16:515]: Original package ==>
c:9bdbe23a31fafa4610e81863f41d\msxml.msi
MSI (s) (4C:A0) [03:03:16:515]: Package we're running from ==>
c:\WINDOWS\Installeraeaa8.msi
MSI (s) (4C:A0) [03:03:16:515]: APPCOMPAT: looking for appcompat database
entry with ProductCode ''.
MSI (s) (4C:A0) [03:03:16:515]: APPCOMPAT: no matching ProductCode found in
database.
MSI (s) (4C:A0) [03:03:16:515]: MSCOREE not loaded loading copy from system32
MSI (s) (4C:A0) [03:03:16:546]: Machine policy value 'TransformsSecure' is 0
MSI (s) (4C:A0) [03:03:16:546]: User policy value 'TransformsAtSource' is 0
MSI (s) (4C:A0) [03:03:16:546]: Machine policy value 'DisablePatch' is 0
MSI (s) (4C:A0) [03:03:16:546]: Machine policy value 'AllowLockdownPatch' is 0
MSI (s) (4C:A0) [03:03:16:546]: Machine policy value 'DisableLUAPatching' is 0
MSI (s) (4C:A0) [03:03:16:546]: Machine policy value
'DisableFlyWeightPatching' is 0
MSI (s) (4C:A0) [03:03:16:546]: APPCOMPAT: looking for appcompat database
entry with ProductCode ''.
MSI (s) (4C:A0) [03:03:16:546]: APPCOMPAT: no matching ProductCode found in
database.
MSI (s) (4C:A0) [03:03:16:546]: Transforms are not secure.
MSI (s) (4C:A0) [03:03:16:546]: Command Line: REBOOT=ReallySuppress
CURRENTDIRECTORY=c:9bdbe23a31fafa4610e81863f41d CLIENTUILEVEL=3
CLIENTPROCESSID=4068
MSI (s) (4C:A0) [03:03:16:546]: PROPERTY CHANGE: Adding PackageCode
property. Its value is ''.
MSI (s) (4C:A0) [03:03:16:546]: Product Code passed to Engine.Initialize:
''
MSI (s) (4C:A0) [03:03:16:546]: Product Code from property table before
transforms: ''
MSI (s) (4C:A0) [03:03:16:546]: Product Code from property table after
transforms: ''
MSI (s) (4C:A0) [03:03:16:546]: Product not registered: beginning first-time
install
MSI (s) (4C:A0) [03:03:16:546]: PROPERTY CHANGE: Adding ProductState
property. Its value is '-1'.
MSI (s) (4C:A0) [03:03:16:546]: Entering
CMsiConfigurationManager::SetLastUsedSource.
MSI (s) (4C:A0) [03:03:16:562]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (4C:A0) [03:03:16:562]: Adding new sources is allowed.
MSI (s) (4C:A0) [03:03:16:562]: PROPERTY CHANGE: Adding PackagecodeChanging
property. Its value is '1'.
MSI (s) (4C:A0) [03:03:16:562]: Package name extracted from package path:
'msxml.msi'
MSI (s) (4C:A0) [03:03:16:578]: Package to be registered: 'msxml.msi'
MSI (s) (4C:A0) [03:03:16:578]: Note: 1: 2729
MSI (s) (4C:A0) [03:03:16:640]: Note: 1: 2729
MSI (s) (4C:A0) [03:03:16:640]: Note: 1: 2262 2: AdminProperties 3:
-2147287038
MSI (s) (4C:A0) [03:03:16:640]: Machine policy value 'DisableMsi' is 0
MSI (s) (4C:A0) [03:03:16:640]: Machine policy value 'AlwaysInstallElevated'
is 0
MSI (s) (4C:A0) [03:03:16:640]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (4C:A0) [03:03:16:640]: Product installation will be elevated
because user is admin and product is being installed per-machine.
MSI (s) (4C:A0) [03:03:16:640]: Running product
'' with elevated privileges: Product is
assigned.
MSI (s) (4C:A0) [03:03:16:640]: PROPERTY CHANGE: Adding REBOOT property. Its
value is 'ReallySuppress'.
MSI (s) (4C:A0) [03:03:16:640]: PROPERTY CHANGE: Adding CURRENTDIRECTORY
property. Its value is 'c:9bdbe23a31fafa4610e81863f41d'.
MSI (s) (4C:A0) [03:03:16:640]: PROPERTY CHANGE: Adding CLIENTUILEVEL
property. Its value is '3'.
MSI (s) (4C:A0) [03:03:16:640]: PROPERTY CHANGE: Adding CLIENTPROCESSID
property. Its value is '4068'.
MSI (s) (4C:A0) [03:03:16:640]: TRANSFORMS property is now:
MSI (s) (4C:A0) [03:03:16:640]: PROPERTY CHANGE: Adding VersionDatabase
property. Its value is '200'.
MSI (s) (4C:A0) [03:03:16:640]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Application Data
MSI (s) (4C:A0) [03:03:16:640]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Favorites
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\NetHood
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\My Documents
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\PrintHood
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Recent
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\SendTo
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Templates
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\Documents and Settings\All Users.WINDOWS\Application Data
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data
MSI (s) (4C:A0) [03:03:16:656]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures
MSI (s) (4C:A0) [03:03:16:687]: SHELL32::SHGetFolderPath returned:
C:\Documents and Settings\All Users.WINDOWS\Start
Menu\Programs\Administrative Tools
MSI (s) (4C:A0) [03:03:16:703]: SHELL32::SHGetFolderPath returned:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
MSI (s) (4C:A0) [03:03:16:703]: SHELL32::SHGetFolderPath returned:
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs
MSI (s) (4C:A0) [03:03:16:703]: SHELL32::SHGetFolderPath returned:
C:\Documents and Settings\All Users.WINDOWS\Start Menu
MSI (s) (4C:A0) [03:03:16:703]: SHELL32::SHGetFolderPath returned:
C:\Documents and Settings\All Users.WINDOWS\Desktop
MSI (s) (4C:A0) [03:03:16:703]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Administrative
Tools
MSI (s) (4C:A0) [03:03:16:718]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup
MSI (s) (4C:A0) [03:03:16:718]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs
MSI (s) (4C:A0) [03:03:16:718]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Start Menu
MSI (s) (4C:A0) [03:03:16:734]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\system32\config\systemprofile\Desktop
MSI (s) (4C:A0) [03:03:16:734]: SHELL32::SHGetFolderPath returned:
C:\Documents and Settings\All Users.WINDOWS\Templates
MSI (s) (4C:A0) [03:03:16:734]: SHELL32::SHGetFolderPath returned:
C:\WINDOWS\Fonts
MSI (s) (4C:A0) [03:03:16:750]: Note: 1: 2898 2: MS Sans Serif 3: MS Sans
Serif 4: 0 5: 16
MSI (s) (4C:A0) [03:03:16:750]: PROPERTY CHANGE: Adding Privileged property.
Its value is '1'.
MSI (s) (4C:A0) [03:03:16:750]: Note: 1: 1402 2:
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (4C:A0) [03:03:16:750]: PROPERTY CHANGE: Adding USERNAME property.
Its value is 'timothy bigelow'.
MSI (s) (4C:A0) [03:03:16:750]: Note: 1: 1402 2:
HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info 3: 2
MSI (s) (4C:A0) [03:03:16:750]: PROPERTY CHANGE: Adding DATABASE property.
Its value is 'c:\WINDOWS\Installeraeaa8.msi'.
MSI (s) (4C:A0) [03:03:16:750]: PROPERTY CHANGE: Adding OriginalDatabase
property. Its value is 'c:9bdbe23a31fafa4610e81863f41d\msxml.msi'.
MSI (s) (4C:A0) [03:03:16:765]: Note: 1: 2205 2: 3: PatchPackage
MSI (s) (4C:A0) [03:03:16:765]: Machine policy value 'DisableRollback' is 0
MSI (s) (4C:A0) [03:03:16:765]: User policy value 'DisableRollback' is 0
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding UILevel property.
Its value is '2'.
=== Logging started: 1/28/2007 3:03:16 ===
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding ACTION property. Its
value is 'INSTALL'.
MSI (s) (4C:A0) [03:03:16:765]: Doing action: INSTALL
MSI (s) (4C:A0) [03:03:16:765]: Running ExecuteSequence
MSI (s) (4C:A0) [03:03:16:765]: Doing action:
DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901
Action start 3:03:16: INSTALL.
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding
DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is
'C:\Documents and Settings\All Users.WINDOWS\Desktop\'.
Action start 3:03:16: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901.
MSI (s) (4C:A0) [03:03:16:765]: Doing action:
ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901
Action ended 3:03:16: DesktopFolder.4576A2F1_959E_4BCA_94A9_596523761901.
Return value 1.
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding
ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901 property. Its value is
'C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\'.
Action start 3:03:16: ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901.
MSI (s) (4C:A0) [03:03:16:765]: Doing action:
WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537
Action ended 3:03:16:
ProgramMenuFolder.4576A2F1_959E_4BCA_94A9_596523761901. Return value 1.
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding
WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is
'C:\WINDOWS\'.
Action start 3:03:16: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537.
MSI (s) (4C:A0) [03:03:16:765]: Doing action:
SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537
Action ended 3:03:16: WindowsFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537.
Return value 1.
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding
SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537 property. Its value is
'C:\WINDOWS\system32\'.
Action start 3:03:16: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537.
MSI (s) (4C:A0) [03:03:16:765]: Doing action:
WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537
Action ended 3:03:16: SystemFolder.0E9F98FC_A692_A6DF_FF6B_D6B9ABF34537.
Return value 1.
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding
WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is
'C:\WINDOWS\'.
Action start 3:03:16: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537.
MSI (s) (4C:A0) [03:03:16:765]: Doing action:
SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537
Action ended 3:03:16: WindowsFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537.
Return value 1.
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding
SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537 property. Its value is
'C:\WINDOWS\system32\'.
Action start 3:03:16: SystemFolder.DA6654F6_456F_3658_FF6B_D6B9ABF34537.


Posted by David H. Lipman on January 28, 2007, 3:16 pm

| Check out this code I found on my PC. I just reloaded my OS because it was
| acting very strange. Does anyone have any idea what this is??
|

< snip >

Looks a lot more like you installed the MSXML HotFix.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
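The reply above recognises the log as an MSXML hotfix install from a handful of lines: the package path, the digital-signature and software-restriction-policy checks, and the elevation decision. As an added example (not code from the thread or from Microsoft), here is a small Python triage script that pulls exactly those facts out of an MSI verbose log and flags the things a defender would want a second look at; the sample input is constructed from the lines quoted in the post.

```python
import re

# Lines excerpted from the MSI verbose log quoted in the thread above
# (constructed sample input for this example).
SAMPLE_LOG = r"""
MSI (s) (4C:A0) [03:03:15:687]: SOFTWARE RESTRICTION POLICY: c:9bdbe23a31fafa4610e81863f41d\msxml.msi has a digital signature
MSI (s) (4C:A0) [03:03:16:515]: SOFTWARE RESTRICTION POLICY: c:9bdbe23a31fafa4610e81863f41d\msxml.msi is permitted to run at the 'unrestricted' authorization level.
MSI (s) (4C:A0) [03:03:16:515]: Original package ==> c:9bdbe23a31fafa4610e81863f41d\msxml.msi
MSI (s) (4C:A0) [03:03:16:515]: Package we're running from ==> c:\WINDOWS\Installeraeaa8.msi
MSI (s) (4C:A0) [03:03:16:640]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (4C:A0) [03:03:16:640]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (4C:A0) [03:03:16:640]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (s) (4C:A0) [03:03:16:765]: PROPERTY CHANGE: Adding ACTION property. Its value is 'INSTALL'.
"""

PREFIX = re.compile(r"^MSI \([cs]\) \([0-9A-F]+:[0-9A-F]+\) \[[\d:]+\]: ")
FIELDS = {
    "package": re.compile(r"Original package ==> (.+)$"),
    "cached_copy": re.compile(r"Package we're running from ==> (.+)$"),
    "srp_level": re.compile(r"permitted to run at the '(\w+)' authorization level"),
    "action": re.compile(r"Adding ACTION property\. Its value is '(\w+)'"),
}
POLICY = re.compile(r"(Machine|User) policy value '(\w+)' is (\d+)")

def triage_msi_log(text):
    """Extract the facts that tell you what an MSI verbose log really installed."""
    facts = {"signed": False, "elevated": False, "policies": {}, "concerns": []}
    for line in text.splitlines():
        body = PREFIX.sub("", line.strip())  # drop "MSI (s) (4C:A0) [hh:mm:ss:ms]: "
        for key, pat in FIELDS.items():
            m = pat.search(body)
            if m:
                facts[key] = m.group(1)
        if "has a digital signature" in body:
            facts["signed"] = True
        if "installation will be elevated" in body:
            facts["elevated"] = True
        m = POLICY.search(body)
        if m:
            facts["policies"][f"{m.group(1)}:{m.group(2)}"] = int(m.group(3))
    facts["package_name"] = facts.get("package", "").rsplit("\\", 1)[-1]
    # Worth a second look: unsigned package, SRP below 'unrestricted', AlwaysInstallElevated on
    if not facts["signed"]:
        facts["concerns"].append("package has no digital signature")
    if facts.get("srp_level") not in (None, "unrestricted"):
        facts["concerns"].append(f"SRP level is {facts['srp_level']}")
    if any(k.endswith(":AlwaysInstallElevated") and v for k, v in facts["policies"].items()):
        facts["concerns"].append("AlwaysInstallElevated is enabled")
    return facts
```

On the quoted log the script reports msxml.msi, signed, permitted unrestricted by SRP, elevated only because the logged-on user is an admin, and no concerns; the cached copy under C:\WINDOWS\Installer is normal Windows Installer behaviour.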



Posted by Panda_man on January 28, 2007, 4:02 pm
"David H. Lipman" wrote:

>
> | Check out this code I found on my PC. I just reloaded my OS because it was
> | acting very strange. Does anyone have any idea what this is??
> |
>
> Looks a lot more like you installed the MSXML HotFix.
>

I'll second that. The MS-XML fix was recently pushed via Windows Update :-)

--
Panda_man
Silver level Contributor
