Solved

Identifying a program:

Posted on 2006-06-22
10
880 Views
Last Modified: 2013-12-04
I have a program which tried the following:

Read: \WINDOWS\Registration\R000000000008.clb
Read: \WINDOWS\WINHELP.INI
Write: \PIPE\lsarpc
Write: \DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt
Run: \WINDOWS\system32\dwwin.exe

And another which did similar though with an additional operation:

write: \DOCUME~1\User\LOCALS~1\Temp\920_appcompat.txt

Can anyone help me identify this program by what it accessed?
0
Comment
Question by:List244
10 Comments
 
LVL 5

Assisted Solution

by:mkdonohue
mkdonohue earned 150 total points
ID: 16962832
It's doubtful. The dwwin.exe is just the Microsoft Doctor Watson error reporting tool... Meaning the app crashed right after starting.
0
 
LVL 8

Author Comment

by:List244
ID: 16962863
I was thinking they were using DWWin for sending something outward. That makes more sense (your reasoning).

Can you explain:
R000000000008.clb
\PIPE\lsarpc
and
\DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt

I assume the third is going to be program-specific, but maybe it is a common storage by a certain logging utility?
0
 
LVL 17

Assisted Solution

by:Eagle6990
Eagle6990 earned 150 total points
ID: 16962872
Have you checked those txt files? They might have more info. As mentioned earlier, it shows that Dr. Watson ran after a crash and left a log file for you to help diagnose the problem.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16962907
Did you recently install Vista?

Maybe if you look at the contents of those two txt files in the TEMP folder it'll give a better idea.
0
 
LVL 8

Author Comment

by:List244
ID: 16962965
The files were rejected, so there was nothing written. The first file, \WINDOWS\Registration\R000000000008.clb, seems to be some standard Windows file; what it is, I do not know.

The WinHelp.ini does not exist on my computer, so nothing was read there.

And \PIPE\lsarpc I don't know what that does at all.

I do not have Vista; I run XP. This program that did these things is some sort of key-logger or other such program.
0
 
LVL 8

Author Comment

by:List244
ID: 16962984
As for Dr. Watson, the execution was not allowed, so there is no log file from that.
0
 
LVL 5

Expert Comment

by:mkdonohue
ID: 16963052
The .clb files are COM+ catalog files
0
 
LVL 32

Accepted Solution

by:r-k
r-k earned 200 total points
ID: 16963070
I think the \registration folder is something added when you install the .net framework.

lsarpc probably stands for LSA Remote Procedure Call.
LSA is the Windows subsystem that authenticates logins.

It's possibly a worm trying to login.

This page hints it might be Sasser variant:

 http://securityresponse.symantec.com/avcenter/venc/data/detecting.activity.that.may.be.due.to.lsass.worms.html
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 200 total points
ID: 16963078
If you suspect a keylogger then do a scan with RootkitRevealer:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html
0
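A small triage helper, added here as an example and not part of any post in this thread, that parses the "Op: path" trace shape from the question and annotates each line with the explanations the answers give (COM+ catalog file, LSA RPC named pipe, Dr. Watson launched after a crash, the appcompat.txt temp file). The trace text is constructed from the lines in the question, and the rule set, labels and the `Event`/`triage` names are my own assumptions, not the output of any real tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the "Op: path" shape the question posted (not a real capture).
SAMPLE_TRACE = r"""
Read: \WINDOWS\Registration\R000000000008.clb
Read: \WINDOWS\WINHELP.INI
Write: \PIPE\lsarpc
Write: \DOCUME~1\User\LOCALS~1\Temp\ed64_appcompat.txt
Run: \WINDOWS\system32\dwwin.exe
write: \DOCUME~1\User\LOCALS~1\Temp\920_appcompat.txt
"""

# One "Op: path" line; the operation is matched case-insensitively ("Write:" and "write:").
LINE_RE = re.compile(r"^\s*(read|write|run)\s*:\s*(.+?)\s*$", re.IGNORECASE)


@dataclass
class Event:
    op: str                # read / write / run, normalised to lower case
    path: str              # path exactly as logged
    label: Optional[str]   # rule that explained it, or None if nothing matched
    note: str              # explanation drawn from the thread's answers


# Annotation rules (assumed, written for this example): (predicate on (op, lowercased path), label, note).
# The notes restate what the answers in the thread say about each artefact.
RULES: List[tuple] = [
    (lambda op, p: p.endswith(".clb") and "\\registration\\" in p,
     "com-plus-catalog",
     "COM+ catalog file under \\WINDOWS\\Registration: a standard system file"),
    (lambda op, p: p == "\\pipe\\lsarpc",
     "lsa-rpc-pipe",
     "named pipe to the Local Security Authority, which authenticates logins; "
     "unexpected for most ordinary applications"),
    (lambda op, p: re.search(r"\\temp\\[0-9a-f]+_appcompat\.txt$", p) is not None,
     "error-report-temp",
     "appcompat.txt in Temp, written by the crash/error-reporting path"),
    (lambda op, p: op == "run" and p.endswith("\\dwwin.exe"),
     "dr-watson",
     "Dr. Watson started: the process crashed rather than doing anything on its own"),
]


def parse_trace(trace: str) -> List[Event]:
    """Parse 'Op: path' lines and annotate each one with the first matching rule."""
    events: List[Event] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # blank or unrecognised line
        op, path = m.group(1).lower(), m.group(2)
        label, note = None, "no explanation in the rule set"
        for pred, rule_label, rule_note in RULES:
            if pred(op, path.lower()):
                label, note = rule_label, rule_note
                break
        events.append(Event(op, path, label, note))
    return events


def triage(trace: str) -> dict:
    """Summarise the parsed trace the way the thread reasoned about it."""
    events = parse_trace(trace)
    labels = {e.label for e in events}
    return {
        "events": events,
        "crashed": "dr-watson" in labels,          # Dr. Watson ran
        "touched_lsa": "lsa-rpc-pipe" in labels,   # wrote to \PIPE\lsarpc
        "unexplained": [e.path for e in events if e.label is None],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for e in result["events"]:
        print(f"{e.op:5} {e.path}\n      -> {e.label or '?'}: {e.note}")
    print("crashed:", result["crashed"], "| touched LSA:", result["touched_lsa"])
    print("unexplained:", result["unexplained"])
```

Run on the sample, the only line the rule set cannot explain is \WINDOWS\WINHELP.INI (which the asker says does not even exist on the machine), while the dwwin.exe launch and the two appcompat.txt writes come out as the crash/error-reporting path the answers describe; the lsarpc write is the one event the rule set flags as worth a closer look.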
