itman

Strange Win 10 Behavior

I just upgraded to Win 10 From Win 7.

 

I am puzzled by the file shown in the screenshot below, R00000000000d.clb, that is being injected into every running process. The only info I can glean from the web is that it's a necessary file. It certainly didn't exist in Win 7. It appears that when a process starts up in Win 10, svchost.exe is doing the injection, but I can't determine what service is being used. Is this something to do with Win 10 telemetry?

 

post-28635-0-76655500-1469919816_thumb.png

It's a COM+ catalog file. As for what the file in question is being used for, I can't be certain. Have you tried uploading it to VirusTotal?

Been discussing this over at wilderssecurity.com and it appears it is Win 10 build related. I upgraded to Win 10 from Win 7 using an initial release build 10240 ISO. People on later Win 10 builds are not seeing the same injection occurring.

 

BTW - string display from Process Explorer indicates it's COM+ utilities. Might be being used by RuntimeBroker.exe?


... People on later Win 10 builds are not seeing the same injection occurring.

People who upgraded using newer builds, or people who have newer builds installed?


People who upgraded using newer builds, or people who have newer builds installed?

It is a "mixed bag." Some see the injection on clean installs, some don't. Ditto for latter ver. clean installs and updates from.

 

BTW - the .clb file is injected into EAM's service and GUI. Ditto for Eset ones. Interestingly, it is not injected into EMET's service or GUI.


I fail to see why you would post this on Emsisoft Forums since it doesn't seem related to Emsisoft products at all, to be honest.


BTW - the .clb file is injected into EAM's service and GUI. Ditto for Eset ones. Interestingly, it is not injected into EMET's service or GUI.

EMET is a Microsoft tool, so it probably knows to avoid it.

