Solved

Identifying a program:

Posted on 2006-06-22
10
874 Views
Last Modified: 2013-12-04
I have a program which tried the following:

Read: \WINDOWS\Registration\R000000000008.clb
Read: \WINDOWS\WINHELP.INI
Write: \PIPE\lsarpc
Write: \DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt
Run: \WINDOWS\system32\dwwin.exe

And another which did similar though with an additional operation:

write: \DOCUME~1\User\LOCALS~1\Temp\920_appcompat.txt

Can anyone help me identify this program by what it accessed?
0
Comment
Question by:List244
  • 3
  • 3
  • 2
  • +1
10 Comments
 
LVL 5

Assisted Solution

by:mkdonohue
mkdonohue earned 150 total points
ID: 16962832
It's doubtful. The ddwin.exe is just the Microsoft Doctor Watson error reporting tool... Meaning the app crashed right after starting.
0
 
LVL 8

Author Comment

by:List244
ID: 16962863
I was thinking they were using DDWin for sending something outward.  That makes more sense (your reasoning).

Can you explain:
R000000000008.clb
\PIPE\lsarpc
and
\DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt

I assume the third is going to be program-specific, but maybe it is a common storage by a certain logging utility?
0
 
LVL 17

Assisted Solution

by:Eagle6990
Eagle6990 earned 150 total points
ID: 16962872
Have you checked those txt files? They might have more info.  As mentioned earlier, it shows that Dr. Watson ran after a crash and left a log file for you to help diagnose the problem.
0
 
LVL 17

Expert Comment

by:Eagle6990
ID: 16962886
0
 
LVL 32

Expert Comment

by:r-k
ID: 16962907
Did you recently install Vista?

Maybe if you look at the contents of those two txt files in the TEMP folder it'll give a better idea.
0
New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

 
LVL 8

Author Comment

by:List244
ID: 16962965
The files were rejected, so there was nothing written.  The first file \WINDOWS\Registration\R000000000008.clb
seems to be some standard windows file, what it is, I do not know.

The WinHelp.ini does not exist on my computer, so nothing was read there.

And \PIPE\lsarpc I don't know what that does at all.

I do not have Vista, I run XP, this program that did these things is some sort of key-logger or other such program.
0
 
LVL 8

Author Comment

by:List244
ID: 16962984
As for Dr. Watson, the execution was not allowed, so there is no log file from that.
0
 
LVL 5

Expert Comment

by:mkdonohue
ID: 16963052
The .clb files are COM+ catalog files
0
 
LVL 32

Accepted Solution

by:
r-k earned 200 total points
ID: 16963070
I think the \registration folder is something added when you install the .net framework.

lsarpc probably stands for LSA Remote Procedure Call
LSA is the Windows subsystem that authenticates logins.

It's possibly a worm trying to login.

This page hints it might be Sasser variant:

 http://securityresponse.symantec.com/avcenter/venc/data/detecting.activity.that.may.be.due.to.lsass.worms.html
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 200 total points
ID: 16963078
If you suspect a keylogger then do a scan with RootkitRevealer:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now