Comodo Forum » Archived Boards » Discontinued Products » Comodo Firewall » Help for v3
Author Topic: dwmapi.dl [RESOLVED]  (Read 25780 times)
Therealjobe (Newbie, Posts: 18)

« Reply #15 on: June 25, 2008, 05:36:31 PM »

Guys,

The good news and the bad news.

As I communicated previously, post rebuilding my system, got the same dwmapi.dl issue...
What I failed to mention is that I used a thumb drive to retain several different files during the rebuild process, just used the Windows formatter, and didn't touch the BIOS.

I want to report that I rebuilt my computer a 3rd time from top to bottom.
That included:
Flashing the BIOS from a cleanly formatted thumb drive (made on a different PC)
Fdisk and low level format of all hard drives
The installation of 32bit Vista Home Premium
The installation of: FF3, Nvidia and Creative Xfi drivers, WoW, all Windows patches, COMODO, Avast, WinRAR, & Flash
I can say that I no longer have the problem under any circumstance...

I tried to follow the course of the second rebuilding during the 3rd. The only difference is I didn't bring over any content from previous builds on a thumb drive, I did a low level drive format, and I flashed the BIOS.

To me this just screams rootkit/trojan since it reappeared so quickly after my second rebuild.
Where it was, boot sector, BIOS, thumb drive, I do not know. However, I hope someone finds this soon as I know it is not realistic for everyone to go through an entire low level rebuild like I had to.

I'm available for questions but won't take the chance of testing anything.

DaRtH VaDeR. (Usability Study Member, Comodo's Hero, Posts: 1783)
Everything in life comes to an end, except life

« Reply #16 on: June 25, 2008, 06:48:58 PM »

when something installs a global hook it could be dangerous... check the fileproperties to see where on the system the file is coming from.. this could make a decision easier for you...

DaRtH VaDeR says: "The path of success and progress is not to be reached by the things you have done, but by the things you will do, so think before you act, the voice of your history will confirm this fact.."

DaRtH VaDeR says: "Your system is as secure as the weakest link in your entire security"

grue155 (Global Moderator, Comodo's Hero, Posts: 1172)

« Reply #17 on: June 25, 2008, 07:46:50 PM »

I've been kind of following along in the background. Doing some research, it seems that anything named ".dl not dll" is a Sub7 malware variant. Google doesn't turn up much, except for these Comodo forum topics. A couple of other hits elsewhere, but nothing good (as in legit).

[at]Therealjobe

It would seem then that your USB stick has some real live malware that's ready for a new home. It also means that it is a research sample, if you can safely get into it. Knowing that you don't want to go thru that hassle of rebuilding your machine again if something got loose, I'll suggest that you make a posting to one of the more dedicated malware cleanup forums asking if they'd like to have live malware on an USB stick that hit a Vista box. The cleanup forums do communicate among themselves in identifying new forms of malware. I think what you have would qualify.

The forums I'll suggest are http://www.bleepingcomputer.com/forums/forum103.html
and http://www.techsupportforum.com/security-center/general-computer-security/

These are not malware cleanup forums, as you've already done the cleanup (the hard way, I might add, but it did work). The folks on those forums can help pass the malware from the USB stick onto the researchers and get fixes in place.


Sir Joe (Comodo Family Member, Posts: 87)
Ops...

« Reply #18 on: June 26, 2008, 12:16:54 AM »

I think I am getting close to the solution. See what I posted here: https://forums.comodo.com/help_for_v3/problems_with_msctfdl-t19884.0.html;msg173930#msg173930

Ragwing (Global Moderator, Comodo's Hero, Posts: 3454)

« Reply #19 on: June 26, 2008, 07:47:35 AM »

Sir Joe, it might very likely be some error (like you wrote in your post).
To check this, allow one application to install it (for example, iexplore.exe), and then open CFP 3, go to Defense+ -> Advanced -> Computer Security Policy and find iexplore.exe. Now double-click it and go to 'Access Rights'. Next to the 'Windows/WinEvent Hooks', click 'Modify...'. Under the allowed hooks, look if it says \WINDOWS\system32\dwmapi.dll.

This is what I found on .dl-files from FILExt:

Animation - This appears to be associated with glifomon.zip, a probable porno file

FLEXnet Manager Debug Log File - FLEXnet Manager is a Web-based software license management system that enables organizations to centrally track and manage FLEXwrapped Windows, FLEX-enabled, and IBM LUM-enabled license usage within departments and across the organization

MAC Image Format

Masked .DLL File - often used by malware to hide .DLL files from virus scanners (e.g., Sub7)

Unknown Apple II File (found on Golden Orchard Apple II CD Rom)

Cheers,
Ragwing

Sir Joe (Comodo Family Member, Posts: 87)

« Reply #20 on: June 26, 2008, 01:20:22 PM »

Ok, I have this FLEXnet... Macrovision FLEXnet Connect... In msconfig, on startup, there are two entries with that, one points to ISUSPM.exe, the other to issch.exe.
Should I atomize them someway?
Anyway, I confirm, at least under system32 there is now a dwmapi.dll, not dl as "promised" by Captain Hook...
So?
What is this Macrovision? I had to check better this morning, when I formatted again and reinstalled all. I suspect it can be something coming from Roxio Creator, or from Vista SP1...

DaRtH VaDeR. (Usability Study Member, Comodo's Hero, Posts: 1783)

« Reply #21 on: June 26, 2008, 01:29:59 PM »

http://www.macrovision.com/

Therealjobe (Newbie, Posts: 18)

« Reply #22 on: June 26, 2008, 04:29:15 PM »

Quote from: grue155 on June 25, 2008, 07:46:50 PM
[at]Therealjobe

It would seem then that your USB stick has some real live malware that's ready for a new home. It also means that it is a research sample, if you can safely get into it. Knowing that you don't want to go thru that hassle of rebuilding your machine again if something got loose, I'll suggest that you make a posting to one of the more dedicated malware cleanup forums asking if they'd like to have live malware on an USB stick that hit a Vista box. The cleanup forums do communicate among themselves in identifying new forms of malware. I think what you have would qualify.

The forums I'll suggest are http://www.bleepingcomputer.com/forums/forum103.html
and http://www.techsupportforum.com/security-center/general-computer-security/

These are not malware cleanup forums, as you've already done the cleanup (the hard way, I might add, but it did work). The folks on those forums can help pass the malware from the USB stick onto the researchers and get fixes in place.

I would love to assist and it was my initial intention to capture the beast. However, part of the rebuilding process #3 required a bootable USB thumb drive. Any samples are gone.

I was aware this may be the case, but the need to protect my own data took priority. I apologize if this is deemed selfish.

[at]Rag

I too thought that we may be looking at poor programming on the part of COMODO, i.e. truncating the last 'l' in dll.
However, I too went digging through the verbose logs of COMODO and it clearly pointed to c:\%windows%\system32\dwmapi.dl, not dll.

So I don't know that this is a programming error. To add, the issue immediately reappeared post a clean install of the Win OS only after backed-up files were reintroduced via a USB key. It did not re-occur post a flashing of the mobo BIOS, a LOW LEVEL format of the drives and clean install of the Win OS (and not bringing back the USB-stored files).

This leads me to only further believe it was a trojan/rootkit in the BIOS, MBR, or files on the USB stick, whether a trojan or ADS virus.

Therealjobe (Newbie, Posts: 18)

« Reply #23 on: June 26, 2008, 04:36:06 PM »

Guys one other note regarding .dl files.

Just food for thought, I've never heard of a Sub7 or variation thereof that isn't picked up by a current AV. Even the heuristics should have caught something if it was derived from Sub7.

I would recommend everyone affected run a netstat -an and begin posting their results here so we can look for funky ports such as 27374.

Is anyone getting this on a non-vista system?
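The netstat -an check suggested in this reply, turned into a small script that parses the output and flags the port the post names. This is an added example, not code from the thread or from Comodo: the netstat text it reads is constructed inline in the Windows column layout, and WATCH_PORTS holds only 27374 (the historical Sub7 default the post refers to), so extend it with your own baseline before use.

```python
"""Scan `netstat -an` output for ports on a watch list (added example).

The sample output below is constructed to look like the Windows netstat
layout; it was not captured from any machine in the thread.
"""
import re

# Constructed sample in the layout `netstat -an` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49153      203.0.113.7:443        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Port named in the thread (Sub7's classic default); extend for your own list.
WATCH_PORTS = {27374}

# Proto, local endpoint, foreign endpoint, optional state (UDP has none).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles [IPv6]:port and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        entries.append({
            "proto": proto,
            "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": state or "",   # UDP lines carry no state column
        })
    return entries


def find_watched_ports(entries, watch_ports=WATCH_PORTS):
    """Entries whose local or remote port is on the watch list."""
    return [e for e in entries
            if e["local_port"] in watch_ports or e["remote_port"] in watch_ports]


def listening_ports(entries):
    """Sorted TCP ports in LISTENING state, handy for diffing against a known-good box."""
    return sorted({e["local_port"] for e in entries
                   if e["proto"] == "TCP" and e["state"] == "LISTENING"})


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    print("Listening TCP ports:", listening_ports(parsed))
    for hit in find_watched_ports(parsed):
        print("WATCH-LIST HIT:", hit)
```

Comparing listening_ports() from a suspect machine against the same list from a freshly installed one is usually more telling than the single watch port, since any service that was not there on a clean build deserves a look.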

grue155 (Global Moderator, Comodo's Hero, Posts: 1172)

« Reply #24 on: June 26, 2008, 05:57:20 PM »

Quote from: Therealjobe on June 26, 2008, 04:29:15 PM
I would love to assist and it was my initial intention to capture the beast. However, part of the rebuilding process #3 required a bootable USB thumb drive. Any samples are gone.

I was aware this may be the case, but the need to protect my own data took priority. I apologize if this is deemed selfish.

Not a problem. "Needs must", as the old saying goes.

And while the ".dl" technique is a characteristic of Sub7, that doesn't mean it necessarily is a Sub7 variant. Some new form of malware could have borrowed an old technique.

That's a good suggestion about netstat -an. Thanks.
« Last Edit: June 26, 2008, 06:00:36 PM by grue155 »

Sir Joe (Comodo Family Member, Posts: 87)

« Reply #25 on: June 27, 2008, 09:26:42 PM »

Ok, let me understand: how can we discover if it is malware?
I formatted all, and I am noticing that any new software or function that I use for the first time asks for installing this hook, and Comodo asks me if I agree. If I say no, I do not notice anything bad, and this can be a sign that it was malware, not that program/function. But, at the same time, the fact that any program asks for this makes me think that it is normal, and that, simply, for some reason the Comodo guys believed that in Clean PC mode Comodo has to block these actions.
I also have another element in this direction: if in the process manager I shut down the dwm process, all functions well the same. Maybe just windows open a bit slower. So, possibly, if we say no to those hook requests, we do not notice anything bad just because it is difficult to notice, not because it was malware...
Anyway, I mean, if I do a scan with:
1) Avira
2) Comodo
3) Windows Defender
4) A-Squared free
and the latest Windows update malware removal tool, and these hook requests for dwmapi.dl keep going on, this means that it is not malware, isn't it? Avira has also got a rootkit removal...
I could do a scan with the free AVG antirootkit...
But, tell me, what else can I do?

DaRtH VaDeR. (Usability Study Member, Comodo's Hero, Posts: 1783)

« Reply #26 on: June 28, 2008, 07:35:28 AM »

Maybe it is not a malware variant and it is just some kind of file corruption problem... hmm... maybe it is sensible to do some optimization checks on your PC (I know you recently formatted) and do some registry defragmentation, registry cleaner, disk checks, disk optimization, and you have scanned a lot so there is a big chance your PC is clean.... If you have a second PC... use that one for the internet and use this PC to work offline and unplug the network UTP cable or disable the wireless network connection...

Then set your firewall Defense+ to learning mode and let the firewall learn your whole PC... do this for a couple of days and use the PC like you normally use it...

If done so, set the firewall back to Clean PC mode and activate network resources and I think your PC will be running fine again...

Take, just in case, some extra precautions, like safer browsing habits, and use some drive-by download killers like McAfee SiteAdvisor or even better Haute Secure..

Ok, hope I gave you some ideas! Have a nice day!

Viva Comodo!

Sir Joe (Comodo Family Member, Posts: 87)

« Reply #27 on: June 28, 2008, 08:45:47 AM »

Ok, I will try to download this afternoon, I will format all again now because of other things, and this afternoon I will go in town again to download again the Windows updates (the ones after SP1) and other stuff...
I am pretty sure it is nothing. Anyway, I must say that AVG antirootkit found a hidden file under System32/drivers, called amh6tlfn.sys. I did a search in Google and found nothing, so I deleted the file. We will see if it comes again now.
Also A-Squared had found two riskwares, and I must tell you once again one was something in the s1.tmp file in the Comodo folder... What is this S1?
It could be interesting if the other guys with this "problem" (who have disappeared) download AVG antirootkit (from Softpedia) and see if they find the same rootkit... And possibly also this A-Squared...
Avira found nothing, but I have the latest file but not the latest updates, as there is a problem now with updates for the free version (very molesting I must say!).
Comodo found nothing and Defender too, and both are actualized.
I have downloaded also Malwarebytes, and Spybot, both are actualized and found nothing.
I will try those other options...
I plan to do a scan with Hijack, but it looks complicated, I have to wait for an answer from people, and I had a bad experience in a Hijack site with people who banned me seeing that I had posted about dwmapi in other sites! Ridiculous, the first thing they have done to "help" me was looking for solutions in other sites, and they pretend that I should have not done the same???
Till the point of closing the thread!?
I may be wrong, but I do not agree with them at all.
Anyway, it is another theme.
Bye!

grue155 (Global Moderator, Comodo's Hero, Posts: 1172)

« Reply #28 on: June 28, 2008, 09:56:26 AM »

Sir Joe, have you submitted the dwmapi.dl to virustotal.com or jotti.org? I'm interested not so much in whether they detect a virus, but in getting the MD5/SHA hash values and in finding out if the code is a "packed executable" of some kind.

Also, have you checked the file properties (version, dates, signed or not, that stuff)?

All of that can be taken in context to determine if a file is legit, or not. If a Google search turns up an MD5 hash with a dozen different names, it's not a good sign. It takes knowing the hash to do the searches.
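The triage steps this reply lists (get the hashes, check whether the file is really an executable, guess whether it is packed) as a script you can run against a suspect file before submitting it anywhere. This is an added example, not code from the thread or from Comodo. The sample bytes are constructed inside the script; the _pe_stub and _pseudo_random helpers and the 7.0 bits/byte entropy threshold are assumptions of this example, not values the post gives; and the MZ/PE check only inspects headers, so the "signed or not" question still needs the file's Properties dialog or a signature tool.

```python
"""Hash, PE-header, packing and masked-extension triage (added example).

All sample data is constructed here; nothing is from the thread's machines.
"""
import hashlib
import math
import os
from collections import Counter

PACKED_ENTROPY_THRESHOLD = 7.0   # bits per byte; assumed rule of thumb, not from the post


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 hex digests, the values you paste into a search."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data):
    """Entropy in bits per byte: near 0 for padding, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_pe_image(data):
    """True if the bytes start with the DOS 'MZ' stub and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_packed(data, threshold=PACKED_ENTROPY_THRESHOLD):
    """Whole-file entropy heuristic; a real packer check would look per section."""
    return shannon_entropy(data) >= threshold


def masked_dll_name(filename):
    """The '.dl' pattern the thread discusses: a DLL name with the last 'l' dropped."""
    return os.path.splitext(filename)[1].lower() == ".dl"


def triage(filename, data):
    """Collect the facts the post asks for into one record."""
    return {
        "file": filename,
        "hashes": file_hashes(data),
        "pe": is_pe_image(data),
        "entropy": round(shannon_entropy(data), 2),
        "packed": looks_packed(data),
        "masked_extension": masked_dll_name(filename),
    }


def _pe_stub(body):
    """Construct a minimal MZ header whose e_lfanew points at a PE signature (test data)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + body


def _pseudo_random(n, seed=b"sample"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


SAMPLE_PLAIN = _pe_stub(b"\x00" * 4096)           # constructed: low entropy, not packed
SAMPLE_PACKED = _pe_stub(_pseudo_random(8192))    # constructed: high entropy, packed-looking

if __name__ == "__main__":
    for name, blob in (("dwmapi.dll", SAMPLE_PLAIN), ("dwmapi.dl", SAMPLE_PACKED)):
        print(triage(name, blob))
```

To use it on a real file, read it with open(path, "rb").read() and pass the bytes to triage(); the hashes are what you search for and submit, and a packed-looking, unsigned file with a masked extension is exactly the combination the post says to treat as a bad sign.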

Sir Joe (Comodo Family Member, Posts: 87)

« Reply #29 on: June 28, 2008, 10:32:27 AM »

The fact is that it does not install that dl. Comodo alerts of programs trying to install the hook, but what is installed is the dll, and it is signed by Microsoft...
If it was a keylogger, should it install something? How could I find and eliminate it?
With A-Squared I should be able to find trojans, with Malwarebytes malware, with AVG antirootkit rootkits, with Avira viruses and rootkits (and other things?), with Defender spyware? With Comodo?
So... What do I miss???