• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 892

Identifying a program:

I have a program which tried the following:

Read: \WINDOWS\Registration\R000000000008.clb
Read: \WINDOWS\WINHELP.INI
Write: \PIPE\lsarpc
Write: \DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt
Run: \WINDOWS\system32\dwwin.exe

And another which did similar though with an additional operation:

write: \DOCUME~1\User\LOCALS~1\Temp\920_appcompat.txt

Can anyone help me identify this program by what it accessed?
Asked: List244
4 Solutions
 
mkdonohueCommented:
It's doubtful. The dwwin.exe is just the Microsoft Dr. Watson error reporting tool... Meaning the app crashed right after starting.
0
 
List244Author Commented:
I was thinking they were using DWWin for sending something outward. That makes more sense (your reasoning).

Can you explain:
R000000000008.clb
\PIPE\lsarpc
and
\DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt

I assume the third is going to be program-specific, but maybe it is a common storage by a certain logging utility?
0
 
Eagle6990Commented:
Have you checked those txt files? They might have more info.  As mentioned earlier, it shows that Dr. Watson ran after a crash and left a log file for you to help diagnose the problem.
0
 
r-kCommented:
Did you recently install Vista?

Maybe if you look at the contents of those two txt files in the TEMP folder it'll give a better idea.
0
 
List244Author Commented:
The files were rejected, so there was nothing written. The first file, \WINDOWS\Registration\R000000000008.clb, seems to be some standard Windows file; what it is, I do not know.

The WinHelp.ini does not exist on my computer, so nothing was read there.

And \PIPE\lsarpc, I don't know what that does at all.

I do not have Vista; I run XP. This program that did these things is some sort of key-logger or other such program.
0
 
List244Author Commented:
As for Dr. Watson, the execution was not allowed, so there is no log file from that.
0
 
mkdonohueCommented:
The .clb files are COM+ catalog files
0
 
r-kCommented:
I think the \registration folder is something added when you install the .net framework.

lsarpc probably stands for LSA Remote Procedure Call
LSA is the Windows subsystem that authenticates logins.

It's possibly a worm trying to login.

This page hints it might be Sasser variant:

 http://securityresponse.symantec.com/avcenter/venc/data/detecting.activity.that.may.be.due.to.lsass.worms.html
0
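The thread interprets the access list one item at a time (COM+ catalog, WinHelp settings, the LSA RPC pipe, the Dr. Watson crash artefacts). The script below is an added example, not code posted in this thread: it parses the "Verb: path" lines as given in the question (constructed here as sample input), tags each operation with what the artefact is known to be, and reports whether the sequence reads as a crash. The rule table and tag names are the script's own; the facts behind them are that dwwin.exe is Dr. Watson, that the <hex>_appcompat.txt file in Temp is the module list error reporting writes for the crashing process, that R*.clb under \WINDOWS\Registration is the COM+ catalog, and that \PIPE\lsarpc is the LSA RPC pipe, which ordinary programs also touch when they resolve SIDs to account names, so a write to it is not by itself evidence of a worm.

```python
"""Triage helper: map file/pipe/process operations captured by a host
monitor to known Windows XP-era artefacts and say whether the pattern
looks like a crash.  Added example; the rule table is this script's own."""
import re

# Constructed sample in the question's format: one "Verb: path" per line.
# Verb case varies in the original ("write:"), so parsing is case-insensitive.
SAMPLE_LOG = r"""
Read: \WINDOWS\Registration\R000000000008.clb
Read: \WINDOWS\WINHELP.INI
Write: \PIPE\lsarpc
Write: \DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt
Run: \WINDOWS\system32\dwwin.exe
"""

# (verb or None for any verb, path regex, tag, meaning).  Tags are local names.
RULES = [
    (None, r"\\Registration\\R[0-9A-F]+\.clb$", "com_plus_catalog",
     "COM+ catalog read during COM initialisation; seen from almost any COM-using program"),
    (None, r"\\WINHELP\.INI$", "winhelp_ini",
     "legacy WinHelp settings file; absent on many machines, so the read just fails"),
    (None, r"\\PIPE\\lsarpc$", "lsarpc",
     "LSA RPC pipe; used by normal SID/name lookups and policy queries, also probed by LSASS worms"),
    (None, r"\\Temp\\[0-9a-f]+_appcompat\.txt$", "appcompat_log",
     "error-reporting dump of the crashing process's loaded modules"),
    ("run", r"\\system32\\dwwin\.exe$", "drwatson",
     "Dr. Watson launched: the monitored process crashed"),
]
COMPILED = [(v, re.compile(p, re.I), t, m) for v, p, t, m in RULES]

LINE_RE = re.compile(r"^\s*(read|write|run)\s*:\s*(\S.*?)\s*$", re.I)


def parse_ops(text):
    """Return [(verb, path), ...] from 'Verb: path' lines; verb lower-cased.
    Lines that do not match the format are ignored."""
    ops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ops.append((m.group(1).lower(), m.group(2)))
    return ops


def classify(ops):
    """Tag each (verb, path); first matching rule wins, else 'unknown'."""
    out = []
    for verb, path in ops:
        tag, meaning = "unknown", "no rule matched; inspect by hand"
        for rverb, rx, rtag, rmeaning in COMPILED:
            if (rverb is None or rverb == verb) and rx.search(path):
                tag, meaning = rtag, rmeaning
                break
        out.append((verb, path, tag, meaning))
    return out


def verdict(findings):
    """Crash is inferred from Dr. Watson running or its appcompat log being
    written.  lsarpc is reported separately because it needs context, not
    because it decides anything on its own."""
    tags = {f[2] for f in findings}
    crashed = "drwatson" in tags or "appcompat_log" in tags
    return {
        "crashed": crashed,
        "lsarpc": "lsarpc" in tags,
        "unknown": [f[1] for f in findings if f[2] == "unknown"],
        "note": ("crash sequence: the temp file and dwwin.exe are error-reporting side effects"
                 if crashed else "no crash artefacts; review each access on its own"),
    }


if __name__ == "__main__":
    found = classify(parse_ops(SAMPLE_LOG))
    for verb, path, tag, meaning in found:
        print(f"{verb:5} {tag:17} {path}\n      {meaning}")
    print(verdict(found))
```

Run it on the second program's list from the question and only the appcompat file name changes, which is why the crash reading covers both samples; anything that lands in "unknown" is where manual inspection should start.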
 
r-kCommented:
If you suspect a keylogger then do a scan with RootkitRevealer:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html
0