Solved

Identifying a program:

Posted on 2006-06-22
870 Views
Last Modified: 2013-12-04
I have a program which tried the following:

Read: \WINDOWS\Registration\R000000000008.clb
Read: \WINDOWS\WINHELP.INI
Write: \PIPE\lsarpc
Write: \DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt
Run: \WINDOWS\system32\dwwin.exe

And another which did similar though with an additional operation:

write: \DOCUME~1\User\LOCALS~1\Temp\920_appcompat.txt

Can anyone help me identify this program by what it accessed?
Question by:List244
10 Comments
 
LVL 5

Assisted Solution

by:mkdonohue
mkdonohue earned 150 total points
It's doubtful. The dwwin.exe is just the Microsoft Doctor Watson error reporting tool... Meaning the app crashed right after starting.
LVL 8

Author Comment

by:List244
I was thinking they were using DWWin for sending something outward. That makes more sense (your reasoning).

Can you explain:
R000000000008.clb
\PIPE\lsarpc
and
\DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt

I assume the third is going to be program-specific, but maybe it is a common storage by a certain logging utility?
LVL 17

Assisted Solution

by:Eagle6990
Eagle6990 earned 150 total points
Have you checked those txt files? They might have more info.  As mentioned earlier, it shows that Dr. Watson ran after a crash and left a log file for you to help diagnose the problem.
LVL 32

Expert Comment

by:r-k
Did you recently install Vista?

Maybe if you look at the contents of those two txt files in the TEMP folder it'll give a better idea.
LVL 8

Author Comment

by:List244
The files were rejected, so there was nothing written. The first file, \WINDOWS\Registration\R000000000008.clb, seems to be some standard Windows file; what it is, I do not know.

The WinHelp.ini does not exist on my computer, so nothing was read there.

And \PIPE\lsarpc I don't know what that does at all.

I do not have Vista; I run XP. This program that did these things is some sort of key-logger or other such program.
LVL 8

Author Comment

by:List244
As for Dr. Watson, the execution was not allowed, so there is no log file from that.
LVL 5

Expert Comment

by:mkdonohue
The .clb files are COM+ catalog files.
LVL 32

Accepted Solution

by:r-k
r-k earned 200 total points
I think the \registration folder is something added when you install the .net framework.

lsarpc probably stands for LSA Remote Procedure Call.
LSA is the Windows subsystem that authenticates logins.

It's possibly a worm trying to login.

This page hints it might be Sasser variant:

 http://securityresponse.symantec.com/avcenter/venc/data/detecting.activity.that.may.be.due.to.lsass.worms.html
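The thread above reads the access list by hand: a COM+ catalog file and WinHelp.ini are ordinary Windows reads, the `_appcompat.txt` write plus the `dwwin.exe` launch mean the program crashed, and the write to `\PIPE\lsarpc` is the one line that touches authentication. As an added example (not code posted by anyone in this thread), the script below encodes those same explanations as rules and applies them to a trace in the `Read:`/`Write:`/`Run:` format the question uses, so the same triage can be repeated on a longer sandbox log. The sample trace is the question's own list, the rule table and tags are my own assumptions based on the answers here, and the output is a list of findings rather than a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the access list quoted in the question.
SAMPLE_TRACE = """\
Read: \\WINDOWS\\Registration\\R000000000008.clb
Read: \\WINDOWS\\WINHELP.INI
Write: \\PIPE\\lsarpc
Write: \\DOCUME~1\\User\\LOCALS~1\\Temp\\ed64_appcompat.txt
Run: \\WINDOWS\\system32\\dwwin.exe
"""

# Rule table (assumed, derived from the explanations given in this thread):
# (regex matched against the lower-cased path, explanation, tag)
RULES = [
    (r"\\registration\\r\d+\.clb$", "COM+ catalog file (standard Windows file)", "benign"),
    (r"\\winhelp\.ini$", "WinHelp settings file", "benign"),
    (r"^\\pipe\\lsarpc$", "LSA RPC named pipe (Local Security Authority, authenticates logons)", "auth"),
    (r"_appcompat\.txt$", "application-compatibility crash dump written when a program faults", "crash"),
    (r"\\dwwin\.exe$", "Dr. Watson error-reporting tool, launched after a crash", "crash"),
]

# One trace line: "<Read|Write|Run>: <path>", case-insensitive.
LINE_RE = re.compile(r"^\s*(read|write|run)\s*:\s*(.+?)\s*$", re.IGNORECASE)


@dataclass
class Access:
    op: str    # read / write / run
    path: str  # path exactly as it appeared in the trace
    note: str  # explanation from the rule table, or "unknown"
    tag: str   # benign / auth / crash / unknown


def parse_trace(text):
    """Parse trace lines and annotate each with the first matching rule."""
    accesses = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line: ignore rather than guess
        op, path = m.group(1).lower(), m.group(2)
        note, tag = "unknown", "unknown"
        low = path.lower()
        for pattern, explanation, rule_tag in RULES:
            if re.search(pattern, low):
                note, tag = explanation, rule_tag
                break
        accesses.append(Access(op, path, note, tag))
    return accesses


def summarize(accesses):
    """Turn annotated accesses into the findings a reviewer would note."""
    findings = []
    tags = {a.tag for a in accesses}
    if "crash" in tags:
        findings.append("program crashed shortly after starting "
                        "(appcompat dump and/or Dr. Watson launch)")
    if any(a.tag == "auth" and a.op == "write" for a in accesses):
        findings.append("wrote to the LSA RPC pipe: compare against "
                        "LSASS-targeting worm activity (see the Symantec page above)")
    unknown = [a.path for a in accesses if a.tag == "unknown"]
    if unknown:
        findings.append("unexplained paths: " + ", ".join(unknown))
    return findings


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for a in parsed:
        print(f"{a.op:5} {a.path}\n      -> {a.note}")
    for f in summarize(parsed):
        print("finding:", f)
```

Anything the rule table does not recognise is reported as an unexplained path rather than silently dropped, which is the part of the trace worth the most attention on a real sample.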
LVL 32

Assisted Solution

by:r-k
r-k earned 200 total points
If you suspect a keylogger then do a scan with RootkitRevealer:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html