Topic: dwmapi.dl [RESOLVED]
Sir Joe
« Reply #45 on: July 03, 2008, 05:33:42 PM »

What is the question? I don't understand.
Mumble mumble, I smell misunderstanding again.
Let me explain: you wrote reply nº 38, grue155 the 39, and I had written a nº 40 to answer something that you were saying, which is NOT the nº 40 that you read now. It has never been posted. I mean, I wrote it, I sent it, it should have been there, but nope.
I do not smoke, drink, or drug myself, so I guess I was not hallucinating!
It may have been some server error, no idea.
So, when I realized that, I posted again. This is the reason for my "Hmmm, strange, I am sure to have replied to Therealjobe but no answer is there... I write again.".
"No answer" referred to my answer to you, which had disappeared, and not to some answer to me from your side. You had no way to answer me, as my post had never been posted!
Guy, we really have no feeling! Often the best friendships start like this, eh eh!

And "The OS is Vista Premium 32bit." referred to something that you deleted from your post. Now I see in your post "As Sir Joe mentioned, the .DLL was not present in his initial install...", and so my sentence makes no sense, but when I wrote it your post was different; it was something like "As Sir Joe mentioned, the .DLL was not present in his initial install... (not sure which OS)".
So I answered you that my OS is Vista Premium 32bit.

Ok, now, let me understand:
1) what the hell is going on? Are you really finding something "bad"?
2) how do I use this netstat to let you see if all is ok?
3) if the log of Therealjobe and the eventual "bad" news that it brings are related to the dwmapi.dl, IF they are, then I should be infected too, right? Well, how is it possible that no program has found anything bad? And how is it possible that this "bad" thing is still there, if I have formatted ten times?
Is it possible that it hides in another partition? Or even if I format the whole HD, all partitions, it will still be there???
grue155
« Reply #46 on: July 03, 2008, 06:23:24 PM »

Quote
Ok, now, let me understand:
1) what the hell is going on? Are you really finding something "bad"?
2) how do I use this netstat to let you see if all is ok?
3) if the log of Therealjobe and the eventual "bad" news that it brings are related to the dwmapi.dl, IF they are, then I should be infected too, right? Well, how is it possible that no program has found anything bad? And how is it possible that this "bad" thing is still there, if I have formatted ten times?
Is it possible that it hides in another partition? Or even if I format the whole HD, all partitions, it will still be there???

As sometimes happens with overlapping threads in a topic, it can get confusing who said what where about what when. Got that? I don't either.

So let me try to answer your questions, as I understand things at this point.

1) What's going on? We're trying to find out. I see something that got my attention, but we don't know the details yet.

2) netstat? It's a command line tool. Run from a command prompt, "netstat" will give you a list of open ports at that moment. It has a number of options. Run "netstat /?" to get a quick summary.

3a) infection? Maybe, maybe not? Each instance of dwmapi is different. If it turns out that one person has a problem, that does not mean the other has a similar problem. It could be just dumb coincidence, and malware came in some other way. That's why I'm asking about checksums being the same, or different. We don't know yet.

3b) can malware hide and survive a reformat? Yes, if the format is a "quick format" that does not scrub the disk clean first. Malware can, and does, hide within the NTFS filesystem in what seems to be empty space. The quick format does not change the filesystem (well, some, but not enough). A full blown binary zero wipe and complete reformat (which can take several hours, to days on really large drives) is the only way to be sure the malware is gone. "nuke the drive" is a lot closer to reality than most folks think.

Does that help?

Sir Joe
« Reply #47 on: July 03, 2008, 07:40:07 PM »

Hmmm...
Once upon a time, with XP, at the moment of a clean install it was possible to choose between a quick format or a normal one.
In Vista it is not possible.
Ok, let's see if we can work it out:
I have a notebook, it is pretty nice and I need it to be there for some years.
I have three partitions, C-Windows, D-Datas, E-Pagefile (I have read that the best solution is to put the pagefile in a different partition than the root one. Before I was putting it on D, but in these latest formattings I decided to create its own partition to avoid defragmenting. On 3G of RAM I have a pagefile from 4605 to 6140MB).
Does malware usually install wherever, or only in C?
I have found something "bad", I do not remember now what kind or with which program, in D, in two gif files in an offline page. I quarantined and deleted them.
Now, if D and E can be infected, I have only ONE remedy: to back up my data (which could be infected anyway), to delete D and unify it with E, to install the OS in this big D, to format C completely from D (but possibly I will not be allowed, because if I am not wrong there is always something in C even if I install the OS in D), to install the OS in C, and finally format D completely.
Then I will put my data back there, which could be infected, still...

On the other side, I can turn off the notebook, go for an Ice Cream, have a shower, forget the thing, and let people somewhere develop a cure for this thing. Then detect it, and disintegrate it.

It is a difficult choice.

I like Ice Cream...

Ok, Ice Cream.

No, seriously, how do you see it? And do not answer "with my eyes" please!
Therealjobe
« Reply #48 on: July 03, 2008, 07:57:19 PM »

I'm going to install VM server (it's free) and install a clean copy inside a virtual server... I'll post the netstat from there for comparison... it'll take a while.
Sir Joe
« Reply #49 on: July 03, 2008, 08:06:06 PM »

I have no idea of what you are talking about, but I agree with you.
I'll go for an Ice Cream indeed...
grue155
« Reply #50 on: July 03, 2008, 08:35:31 PM »

Quote
Now, if D and E can be infected, I have only ONE remedy: to back up my data (which could be infected anyway), to delete D and unify it with E, to install the OS in this big D, to format C completely from D (but possibly I will not be allowed, because if I am not wrong there is always something in C even if I install the OS in D), to install the OS in C, and finally format D completely.
Then I will put my data back there, which could be infected, still...

On the other side, I can turn off the notebook, go for an Ice Cream, have a shower, forget the thing, and let people somewhere develop a cure for this thing. Then detect it, and disintegrate it.

It is a difficult choice.

I like Ice Cream...

Ok, Ice Cream.

No, seriously, how do you see it? And do not answer "with my eyes" please!

There is much to say in favor of ice cream, irrespective of the question.

But, to your question, the basic outline you give is correct. You back up your data. Then zero your disk, repartition, and reformat the partitions, install the OS, install antivirus, scan and test the bejesus out of your backed-up data, and then reinstall your data.

Easy. Shouldn't take more than 4 or 5 liters of ice cream to complete.

But how to zero, repartition, and reformat? There are tools available that will do all that. Disk manufacturers often have their own tools to make full use of their hardware diagnostic functions. Seagate, for example, provides SeaTools. SeaTools is available at http://www.seagate.com/www/en-us/support/downloads/seatools/ and is about 6meg in size. SeaTools is a standalone bootable application that runs diagnostics and can zero wipe your disk if you want. The free program "Darik's Boot'n Nuke" (dban) is another such application (http://dban.sourceforge.net/)

Seagate also makes DiskWizard, an all-encompassing backup/partition/reformat/restore application. It's available for download, 105meg (a bit much for a dialup connection). It also seems to be available in store-bought shrinkwrap box form. It likely has competition from other utility programs.

Those are options. Whether those options make sense, depends on how things develop. Waiting, for the moment, would do no harm. Other than gaining a kilo or two, or three.
Sir Joe
« Reply #51 on: July 03, 2008, 09:06:47 PM »

Do not worry, at least for now I do not gain kilos. Whatever I do.
Well, if I ever have the time and will to zero, I will download the 105 in town, and I will check for info, and eventually I will ask you how to proceed, if I am allowed.

Well, I hope that if there is something in this dl you find it out. But I hope that there is nothing.
I will follow you.
Well, ok, before leaving I will give you my netstat. How do I proceed? May I do it offline? If not, I can't do it now. Which letter should I run? Netstat -a, -b, -o, -n?
About the checksum (no idea about it), where do I find it?
grue155
« Reply #52 on: July 03, 2008, 09:23:43 PM »

Running netstat is done from a command prompt. I don't know the menu path in Vista, but to run a program from a command prompt, in XP I can Start -> Run, "cmd" to get a DOS command window. At the prompt, enter "netstat -anob", when done, enter "exit" to close the DOS window.

Checksums take a utility program, not normally part of Windows. Microsoft has a tool for download at http://support.microsoft.com/kb/841290

DiskWizard is available for download at http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=DiscWizard&vgnextoid=d9fd4a3cdde5c010VgnVCM100000dd04090aRCRD
BNAMack
« Reply #53 on: July 03, 2008, 09:26:01 PM »

Quote
BNAMack, thank you for doing all that research. Can you post the md5 or sha checksums for the dll? The Microsoft tool "fciv" can do this. Details on the tool are at http://support.microsoft.com/kb/841290  Any comparable tool would do the job as well. I'd like to make sure this thing gets placed in the Comodo "safe list", so this doesn't become a continuing question.

C:\FCIV>fciv.exe c:\Windows\System32\dwmapi.dll
//
// File Checksum Integrity Verifier version 2.05.
//
9b96f6952186336cc6e3d4e08be2e0af c:\windows\system32\dwmapi.dll

C:\FCIV>

I've done some additional research since today's earlier posting. To re-clarify dwmapi.dll: this is only called when needed and doesn't exist in memory until then. Under Vista, programs do not render directly, so many programs will call dwmapi.
This results in multiple hits from Comodo products as dwmapi.dll is defined as a system hook.
dwmapi.dll is disabled if Aero effects like compositing are disabled and/or the theme is changed to Windows Standard. See http://msdn.microsoft.com/en-us/library/aa969540.aspx and the wiki at http://en.wikipedia.org/wiki/Desktop_windows_manager. If you'd like more technical info, search MSDN or Technet.

I can find no instances of anyone's system being infected via this route, and am fairly confident at this point that this is a safe file and that calls to it are also safe. But I am not the security expert here, and would appreciate Comodo's confirmation.

**Note: Off-topic! There are posts all over the web regarding dependency errors in XP with dwmapi.dll. This is because it shouldn't exist for XP. The dependency was introduced either with IE7, or possibly with an update to IE7 or SP2. (MS hasn't addressed this officially.) It has been fixed for some by installing .Net Framework 3.0. Others have had to uninstall and reinstall IE7.

--the only other significant hits regarding dwmapi.dll (when googled) are all Comodo-forums related.
Therealjobe
« Reply #54 on: July 03, 2008, 09:36:02 PM »

Hey guys, really busy with the family this weekend. I am posting this from a virtual Vista machine.

here is the initial netstat w/o any addons/updates:
C:\Users\Usem>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
  TCP    172.16.30.60:139       0.0.0.0:0              LISTENING
  TCP    172.16.30.60:49160     63.88.212.184:80       TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:49152             [::]:0                 LISTENING
  TCP    [::]:49153             [::]:0                 LISTENING
  TCP    [::]:49154             [::]:0                 LISTENING
  TCP    [::]:49155             [::]:0                 LISTENING
  TCP    [::]:49156             [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:65499        *:*
  UDP    172.16.30.60:137       *:*
  UDP    172.16.30.60:138       *:*
  UDP    172.16.30.60:1900      *:*
  UDP    [::]:123               *:*
  UDP    [::]:500               *:*
  UDP    [::]:5355              *:*
  UDP    [::1]:1900             *:*
  UDP    [::1]:65498            *:*
  UDP    [fe80::20ef:bca:53ef:e1c3%15]:1900  *:*


NETSTAT -ANOB:
C:\Users\Usem>netstat -anob

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       516
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       944
  Eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1000
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       604
 [lsass.exe]
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       560
 [services.exe]
  TCP    172.16.30.60:139       0.0.0.0:0              LISTENING       4

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    [::]:135               [::]:0                 LISTENING       836
  RpcSs
 [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING       4

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    [::]:49152             [::]:0                 LISTENING       516
 [wininit.exe]
  TCP    [::]:49153             [::]:0                 LISTENING       944
  Eventlog
 [svchost.exe]
  TCP    [::]:49154             [::]:0                 LISTENING       1000
  Schedule
 [svchost.exe]
  TCP    [::]:49155             [::]:0                 LISTENING       604
 [lsass.exe]
  TCP    [::]:49156             [::]:0                 LISTENING       560
 [services.exe]
  UDP    0.0.0.0:123            *:*                                    1148
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*                                    1000
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*                                    1000
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                                    1320
  Dnscache
 [svchost.exe]
  UDP    127.0.0.1:1900         *:*                                    1148
  SSDPSRV
 [svchost.exe]
  UDP    127.0.0.1:64324        *:*                                    2784
 [iexplore.exe]
  UDP    127.0.0.1:65499        *:*                                    1148
  SSDPSRV
 [svchost.exe]
  UDP    172.16.30.60:137       *:*                                    4

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  UDP    172.16.30.60:138       *:*                                    4

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  UDP    172.16.30.60:1900      *:*                                    1148
  SSDPSRV
 [svchost.exe]
  UDP    [::]:123               *:*                                    1148
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*                                    1000
  IKEEXT
 [svchost.exe]
  UDP    [::]:5355              *:*                                    1320
  Dnscache
 [svchost.exe]
  UDP    [::1]:1900             *:*                                    1148
  SSDPSRV
 [svchost.exe]
  UDP    [::1]:65498            *:*                                    1148
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::20ef:bca:53ef:e1c3%15]:1900  *:*
    1148
  SSDPSRV
 [svchost.exe]

Haven't had time to go through this yet myself. Let me know what you think.
Sir Joe
« Reply #55 on: July 03, 2008, 09:39:57 PM »

BNAMack, you are a genius!
We solved it, guys, I have no more doubt, the trick is in Aero!
I had no dwmapi.dll in system32 the first time, just because I had not enabled Aero!
So, at some moment I enabled Aero, or possibly it was SP1 (which adds some beautiful colors for Aero), and dwmapi.dll appeared!

Anyway, Grue, I did -anob, but it says that I need administrative rights. Strange, I have one profile only, and it has got administrative rights.
I have no idea about how to run cmd with admin rights.
If you have...
If not, maybe I could run -a, -b, -n, and -o separately...
But, I repeat, I am offline.

Well, I need an Ice Cream.
No checksum needed.
Bye
grue155
« Reply #56 on: July 03, 2008, 09:49:08 PM »

@BNAMack, thank you. Your fciv checksum matches that from therealjobe, and yours is a known good. I think that clears any question on dwmapi.dll, at least with that checksum.

@Sir Joe, looks like you're also clear.

@therealjobe, those ports are still open, but the driving process has changed. It still bothers me. I'm on the end of my day here, and I need to research some things. Looks like it will be tomorrow for those details.
grue155
« Reply #57 on: July 03, 2008, 10:13:35 PM »

Sometimes we get lucky, as in a chance hallway conversation with the right person on the way out the door.

It turns out that
Quote
TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       516
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       944
  Eventlog
 [svchost.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1000
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING       604
 [lsass.exe]
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       560
 [services.exe]

these are normal ports in Vista. Microsoft, in their wisdom, decided to relocate the RPC service functions from their familiar WinXP ports.

Quote
UDP    127.0.0.1:64324        *:*                                    2784
 [iexplore.exe]
  UDP    127.0.0.1:65499        *:*                                    1148
  SSDPSRV

I am still not clear as to why these would be here. Unless there is some kind of redirection taking place, being on localhost doesn't make a whole lot of sense to me. But localhost isn't accessible from the Internet, so it is by itself not a hazard.

So basically, it's all clear. Mostly just me getting an education, and getting everybody else anxious in the process. My apologies for that, folks.
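An added example, not from the thread or from Comodo, in Python: it parses a Vista-style "netstat -anob" listing like the ones posted above (handling the service/[exe] continuation lines, the "Can not obtain ownership information" noise netstat prints for PID 4 sockets, and the PID wrapped onto its own line after the long IPv6 address) and then labels each listener by who can reach it: 0.0.0.0 / [::] binds are reachable on every interface, 127.0.0.1 / [::1] binds are loopback-only as grue155 notes, and ports from 49152 up fall in Vista's dynamic range. The listing embedded in the script is constructed, modelled on the thread's output; the function names are this example's own.

```python
# Constructed sample, modelled on the "netstat -anob" listing in the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       516
 [wininit.exe]
  TCP    172.16.30.60:49160     63.88.212.184:80       TIME_WAIT       2784
 [iexplore.exe]
  UDP    127.0.0.1:64324        *:*                                    2784
 [iexplore.exe]
  UDP    [fe80::20ef:bca:53ef:e1c3%15]:1900  *:*
    1148
  SSDPSRV
 [svchost.exe]
"""

DYNAMIC_PORTS = range(49152, 65536)  # Vista's default dynamic (RPC/ephemeral) range

def parse_netstat(text):
    """One dict per socket; the PID/service/exe details follow the socket line."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        toks = line.split()
        if toks and toks[0] in ("TCP", "UDP"):
            pid = toks[-1] if len(toks) > (4 if toks[0] == "TCP" else 3) else ""
            cur = {"proto": toks[0], "local": toks[1],
                   "state": toks[3] if toks[0] == "TCP" else "",
                   "pid": int(pid) if pid.isdigit() else None,
                   "service": "", "exe": ""}
            entries.append(cur)
        elif cur is None or not line or line.startswith(("Can not", "x:")):
            continue  # header, blank line, or the noise printed for PID 4 sockets
        elif line.isdigit():
            cur["pid"] = int(line)  # PID wrapped onto its own line (long IPv6 address)
        elif line.startswith("[") and line.endswith("]"):
            cur["exe"] = line[1:-1]
        else:
            cur["service"] = line  # service name hosted inside svchost.exe
    return entries

def reachability(entry):
    """Who can reach this socket; loopback-only sockets are invisible to the Internet."""
    host, _, port = entry["local"].rpartition(":")
    if entry["proto"] == "TCP" and entry["state"] != "LISTENING":
        return "not listening"
    if host in ("0.0.0.0", "[::]"):
        scope = "all interfaces"
    elif host.startswith("127.") or host == "[::1]":
        scope = "loopback only"
    elif host.startswith("[fe80:"):
        scope = "link-local only"
    else:
        scope = "one interface"
    return scope + (" (dynamic port range)" if int(port) in DYNAMIC_PORTS else "")

def exposed(entries):
    """Listeners reachable from beyond the local host: the ones worth a second look."""
    return [e for e in entries
            if reachability(e).startswith(("all interfaces", "one interface"))]
```

Run it on a saved listing and only the "all interfaces" and "one interface" rows need an owner explained; the 49152-and-up rows owned by wininit, lsass, services and svchost are what grue155 identifies as Vista's relocated RPC endpoints.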
BNAMack
« Reply #58 on: July 03, 2008, 10:39:29 PM »

Quote
BNAMack, you are a genius!
We solved it, guys, I have no more doubt, the trick is in Aero!


If I gave you my boss's email, could you tell him?



And grue, no need for apologies. Look at this thread and others in the forum and on the web. This has caused concern/confusion all around. You kept asking questions and found the answer. High marks for that in my book.

Mack
gibran
« Reply #59 on: July 04, 2008, 03:31:55 AM »

Hello Therealjobe,
I followed the entire topic briefly, and the fact that dwmapi.dl or even dwmapi.dll cannot be found looks relevant.



Please confirm that the path is c:\%windows%\system32\dwmapi.dl and not something like %windir%\system32\dwmapi.dl

According to the info you provided there should be a hidden %windows% folder in the C:\ root

Also an easy way to check for rootkit files is to try to create a file with the same name in that folder.
If on XP there is actually an undetectable dwmapi.dl in a specific directory then if you try to create a file with the same name you'll get an error.