what is windows password debugger, should it be running???

Discussion in 'malware problems & news' started by HandsOff, Jun 8, 2006.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi

    I have windows washer, by webroot. It's a pretty cool program, but since I stopped using Internet Explorer I haven't used it all that much...but I started noticing a few things:

    - It would always delete 5 mb from "windows recycle bin" only I don't use the recycle, i just delete.

    - when I looked in the log it said it could not clean debugger files because they were in use - specifically, the password debugger.


    I just manually deactivated dr.watson, maybe I can find some log entry.

    Does this not seem suspicious? I've scanned with Trojan Hunter and NOD32, and nothing found.

    (also with rootkit revealer)


    - HandsOff
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Sounds exactly like a name a Rbot or SDbot worm would use.

    If your system is still infected, I suggest you post a HijackThis log at one of the boards specializing in malware removal so that the experts can have a look at what's running.

    Here's an excellent one that isn't quite as busy as the "big names": http://www.bleepingcomputer.com/forums/index.php? ":

    Best regards.
     
  3. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi Tony, Good to see your caricature again!


    Yeah, I didn't like the sound of it either but I think it must have been a false alarm. This is the actually entry that got my attention:


    Washing: Windows Application Debug Log
    In use: K:\WINDOWS\debug\PASSWD.LOG
    Finished: Windows Application Debug Log


    I saw an article on annoyances.org where it was mentioned as a file that AV's will say is in use and cannot be checked, so it's something that is not so unusual. I navigated to the file and it is just a plain old empty log file. It is not even read only, or hidden. I was able to open it. I am confused about that. If I could open it, then I must be able to delete it. It was created on the day that XP was installed. So it is still semi-mysterious. Ah, I tried to view the alternate data streams (if present) and it said the file was in use by the system. I guess XP might be using alternate data streams with it. I say this because a program once made a backup of this file and it had two empty alternate data streams attatched. The plot thickens!

    Anyway, I don't think this is trojan any more, but thanks for the suggestion, and I have read in their forum at Bleeping computer and they do seem pretty cool!


    -HandsOff
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
  5. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Hi Tony, thanks for the links.

    I have to say it is pretty low for them to feed on victims hopes, fears, and desperation with such a fantasy as a "windows update debugger".


    My problem is I get overy suspiciousl when I see something like that and notice it for the first time. Since WW does not save the logs I cannot go back and see if it has always been there and I just didn't notice.

    What gets me is, if this is a system file and it can't be cleaned....Then why are they trying to clean it? I fell into the trap of thinking, Why is there something here that is supposed to be cleaned but for some reason it is not. Its putting things into strange contexts that make security harder to understand. At this rate I will become aquainted with every single file in xp!



    -HsndsOff
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.