What is rss.xml?

[Tan DJ]

I have noticed a weird thing on my computer recently.

I'm running Windows XP SP2, and I have PerfectDisk 8 for defragmenting.

At the end, after PerfectDisk 8 has completed defraging, there is a list of excluded files and a reason they were excluded. One of the files that is excluded is:

C:\Documents and Settings\<User name>\Local Settings\Temporary Internet Files\Content.IE5\Y2YZWQXZ\rss[1].xml

this file is excluded because "Access denied"

so I went exploring to see what the file contained only to discover that there is not a "Temporary Internet Files" folder in the "Local Settings" folder. I found a "Temporary Internet Files" folder in a folder called "Temp" that was in the "Local Settings" folder, but that "Temporary Internet Files" folder did not contain a "Y2YZWQXZ" folder in the "Content.IE5" folder.

A search of all files containing rss in the filename does not reveal any rss.xml files

Does anyone know what is going on here?

I was not running IE at the time that I ran PerfectDisk, infact I had only just booted my PC, so nothing else was running.

[xylomn]

Its probably just a program was checking for any updates to any rss feeds you get and as such was using that file... coz the file was in use access is denied

[Tan DJ]

Quote:

Originally Posted by xylomn

Its probably just a program was checking for any updates to any rss feeds you get and as such was using that file... coz the file was in use access is denied

Um... I don't think I have any RSS feeds. Are programs able to use RSS as a means of keeping themselves up to date?

Is it possible for an RSS feed to be set up without me knowing?

How would I find if someone using this computer has knowingly or unknowingly set up an rss feed?

Cheers,

Tan DJ

[Wile E]

xml is a style sheet. I presume you have IE7? If so, that's what determines the display style of any feeds you may want to load.

To find the file, do you have "Hide Protected Operating System files" unchecked, and "Show Hidden Files and Folders" checked in your Folder Options?

[Tan DJ]

Quote:

Originally Posted by Wile E

xml is a style sheet. I presume you have IE7? If so, that's what determines the display style of any feeds you may want to load.

To find the file, do you have "Hide Protected Operating System files" unchecked, and "Show Hidden Files and Folders" checked in your Folder Options?

Hmm... Didn't have "Hide Protected Operating System files" unchecked. Now I can see the "Temporary Internet Files" folder specified, but it is full of files, and there is no "Content.IE5" folder in there.

And yes, I have IE7, but I don't think I have any feeds.

[Wile E]

Quote:

Originally Posted by Tan DJ

Hmm... Didn't have "Hide Protected Operating System files" unchecked. Now I can see the "Temporary Internet Files" folder specified, but it is full of files, and there is no "Content.IE5" folder in there.

And yes, I have IE7, but I don't think I have any feeds.

It's ok that you have the file there. It comes stock. All it does is make feeds look prettier, if/when you do choose to use them.

As for getting to that file, even tho you have all the files unhidden, it's still a hidden folder. lol Just type the location of the folder in manually in the address bar of Explorer.

In other words, put this into the address bar: C:\Documents and Settings\<User name>\Local Settings\Temporary Internet Files\Content.IE5\Y2YZWQXZ

Once you get there, you can try to take ownership of the file, or at least change it's properties to allow modification.

[Tan DJ]

Found the file. Looks like a whole bunch of news stuff from ninemsn.

But I don't read ninemsn news. So where's this news feed coming from?

[Wile E]

That's weird. Do you have MSN as your homepage? Maybe it puts it there? I say just go ahead and try deleting it.

[Tan DJ]

I have iiNet as my home page

[Tan DJ]

Hmmm... I have the file open in vim, and a message just popped up saying that the file changed since editing started

[Wile E]

Hmmm, perhaps it's time to do an AV/AS scan?

[Tan DJ]

Avast didn't pick up anything, Adaware didn't find anything, Spybot S&D only found:

HKY_USERS\...\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_ LOCKDOWN\iexplore.exe!=W=1

RootkitRevealer found 15 discrepancies, but I was browsing this forum at the time it was running, and most of the entries appear to be IE cache entries related to viewing stuff on this forum. But there were 5 refferences to files called rss[X].xml

I also run spywareblaster.

[Wile E]

I looked around in my fresh install, and actually didn't see rss.xml, but I had it in my old install. I haven't used IE yet, this time around, so I'm thinking it has something to do with visiting sites that have an active rss feed (Like MSN for example, which is the default homepage, is it not?). This could be a fly-by install type of thing, automatically generating when you visit a site containing feeds. Many news sites are basically rss feeds as well. Endgadget comes to mind immediately.

Then again, some clever coder could've disguised something as an rss.xml file.

I say give deleting it a shot.

Also, I highly recommend switching to a more secure browser. Something like Opera, Netscape, Firefox, etc. They're not completely safe (no browser is, really) but they're much more secure than any version of IE.

[Tan DJ]

Quote:

Originally Posted by Wile E

Then again, some clever coder could've disguised something as an rss.xml file.

To be technically correct, the file name is not "rss.xml" but "rss[x].xml" where x is some number.

I have deleted it, but as mentioned in my previous reply, there are 5 versions of this file on my system.

[Wile E]

hmmm, boot into safe mode and get rid of all of them. Then reboot and see if they return, then run your scans again, all before you even launch IE7.

I never checked to see how many I ended up with, but IE by default renames things in the temp folder with the [x], when it encounters numerous files of the same name.

I really don't think they are a problem. I'm thinking permissions were corrupted (or something similar) on the Access denied one, but these are measures to take, just to be on the safe side.

and good night.

[Wile E]

Oh, and sorry, but it's 7:30 am here, and I have to be off to bed. (I work evenings 4pm-230am). I'll check back after work tonight.

and good night.

[Tan DJ]

it's 10pm here when I got the last post, so I'll have to try your suggestion later.

[Tan DJ]

Ok, I got a chance to restart in safe mode. I performed a thorough virus scan with Avast AV, a full system scan with Adaware-SE, and a scan with Spybot S&D. I also did a search including all system folders and hidden files and folders for files containing rss in the filename, and none of these found anything. Took 4 hours.

Have manually deleted the rss files. But they are still there.

[Wile E]

Well, if everything is clean, I'm gonna have to say that they're getting put there when you visit a site that has rss feeds. Almost all news sites have feeds. Some of them, like Engadget, actually ARE a feed.

Is it still messing with your defrag, tho?

[Tan DJ]

Another interesting thing which may or may not be related, but could be linked to changing the case (see "I think I toasted one of my hard drives" thread in the hardware forum)

Ever since I changed my case, every 3 or 4 boots, my PC either says that the drive is inconsistant and needs to run scan disk, which finds 3 or 4 problems, or a message comes up that says that one of the system files is corrupt and that I need to boot off my original CD and press "r" at the first screen. It did that this afternoon, so I booted off the CD as suggested, then ran fixmbr which said that the MBR was not standard. (NOTE: Prior to entering the BIOS, I also entered the BIOS of the RAID controller and deleted the "MIRROR" definition as there is now only 1 drive since I killed the other one). I also ran fixboot which ran but didn't display any errors. I also ran chkdsk which by itself said that the drive was clean so it didn't do anything, so I ran it with the /p option, and it ran and right at the end said that it fixed some errors. Cant remember the details though. I then ran chkdsk a second time, but it didn't find any errors the second time.

The system then booted fine - hence my ability to write in this forum at the moment.

(Hmm... some of the stuff in this reply is verging on "hardware". Maybe something that should be taken over there to discuss?)

Havn't tried a defrag in a couple of days. 'bout time I tried again

[Clement]

Quote:

Originally Posted by Tan DJ

Ok, I got a chance to restart in safe mode. I performed a thorough virus scan with Avast AV, a full system scan with Adaware-SE, and a scan with Spybot S&D. I also did a search including all system folders and hidden files and folders for files containing rss in the filename, and none of these found anything. Took 4 hours.

Have manually deleted the rss files. But they are still there.

Before you can track the culprit down, do this in safe mode.

Delete the offending files.

Create new blank files with the same names, as many numbers in [] as you may need.

Make the Read-Only, System files and see if new ones are created.

Because of the brackets used, I'm assuming the culprit will just create new files.

In this case, I personally would make the entire Y2YZWQXZ folder Read only, system attributes. Then I would put permissions on that folder that no-one has access too. IE. a new limited account.

Now for tracking the culprit down, you could find a file monitoring program.

Check out Hijack this and see if you have any thing suspicious attached to IE.

Why aren't you using firefox, lol?

IE is what most all exploits are designed for .

[Wile E]

Quote:

Originally Posted by Clement

Before you can track the culprit down, do this in safe mode.

Delete the offending files.

Create new blank files with the same names, as many numbers in [] as you may need.

Make the Read-Only, System files and see if new ones are created.

Because of the brackets used, I'm assuming the culprit will just create new files.

In this case, I personally would make the entire Y2YZWQXZ folder Read only, system attributes. Then I would put permissions on that folder that no-one has access too. IE. a new limited account.

Now for tracking the culprit down, you could find a file monitoring program.

Check out Hijack this and see if you have any thing suspicious attached to IE.

Why aren't you using firefox, lol?

IE is what most all exploits are designed for .

You just bumped a 2 1/2 year old thread. lol.

[FordGT90Concept]

Quote:

Originally Posted by Tan DJ

C:\Documents and Settings\<User name>\Local Settings\Temporary Internet Files\Content.IE5\Y2YZWQXZ\rss[1].xml

Empty your temporary internet files (via Control Panel -> Internet Options) prior to defragging. The file won't exist so it can't be fragmented.


The one that's hard to defragment is eventlogs...

[Clement]

Quote:

Originally Posted by Wile E

You just bumped a 2 1/2 year old thread. lol.

Just archiving a solution that I know works .

[Tan DJ]

Wow! I'd forgotten all about this thread. I can hardly remember what it was originally about.