dwmapi.dl [RESOLVED]
Topic: dwmapi.dl [RESOLVED] (Read 23855 times)
BNAMack (Comodo Member, Posts: 31)
Re: dwmapi.dl, Reply #60 on July 04, 2008, 10:17:05 AM
Quote from: gibran on July 04, 2008, 03:31:55 AM
Hello Therealjobe,
I followed the entire topic briefly and the fact that dwmapi.dl or even dwmapi.dll cannot be found looks relevant.
Please confirm that the path is c:\%windows%\system32\dwmapi.dl and not something like %windir%\system32\dwmapi.dl
According to the info you provided there should be a hidden %windows% folder in the C:\ root
Also an easy way to check for rootkit files is to try to create a file with the same name in that folder.
If on XP there is actually an undetectable dwmapi.dl in a specific directory then if you try to create a file with the same name you'll get an error.
Didn't Therealjobe state he has Vista? If so, you will not find dwmapi.dll unless a program actually calls it. This is why it pulls the apparent disappearing act.
gibran (Average User, Comodo's Hero, Posts: 5063; title: "A bad workman always blames his tools")
Re: dwmapi.dl, Reply #61 on July 04, 2008, 10:29:58 AM
Quote from: BNAMack on July 04, 2008, 10:17:05 AM
Didn't Therealjobe state he has Vista? If so, you will not find dwmapi.dll unless a program actually calls it. This is why it pulls the apparent disappearing act.
Guess not, the legit dwmapi.dll should be in the system32 folder.
Anyway the suspicious file is dwmapi.dl and what is more suspicious is that path.
Since Vista has some virtualization protection built in and I don't recall if it affects the system32 folder too, I can only say that the dwmapi.dl creation method works properly on XP.
Any member who has XP could take this test if they can find those .dl files where they are supposed to be.
Last Edit: July 04, 2008, 10:55:28 AM by gibran
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move." - Douglas Adams
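The "create a file with the same name" rootkit check gibran describes, written out as an added example (not code from the thread or from Comodo). It classifies a name as visible, absent, hidden or no-permission; the hidden case is simulated through a `list_dir` hook that filters the name out of the listing, since a real enumeration-filtering driver is not available offline. The scratch folder, the `probe_hidden_file`/`run_demo` names and the placeholder file contents are all constructed for the demo.

```python
import errno
import os
import shutil
import tempfile


def probe_hidden_file(directory, name, list_dir=os.listdir):
    """Classify `name` inside `directory` as 'visible', 'absent', 'hidden'
    or 'no-permission'.

    This is the check from the thread: if a directory listing does not show
    the suspected file, try to create a file with exactly that name using an
    exclusive create. On a clean system the create succeeds (the probe file
    is removed again); a filesystem that reports EEXIST for a name the
    listing does not show is hiding something, which is how a user-mode
    rootkit that filters directory enumeration gives itself away.

    `list_dir` is only a hook so the hidden case can be simulated offline;
    on a real box leave it at os.listdir. The caller needs write access to
    the folder: on Vista that means an elevated token for System32, otherwise
    the write is refused or, with file virtualization on, redirected to the
    per-user VirtualStore folder, which proves nothing about System32 itself.
    """
    target = name.lower()
    if any(entry.lower() == target for entry in list_dir(directory)):
        return "visible"
    path = os.path.join(directory, name)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL)
    except OSError as exc:
        if exc.errno == errno.EEXIST:
            return "hidden"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "no-permission"
        raise
    os.close(fd)
    os.remove(path)  # leave no trace of the probe behind
    return "absent"


def run_demo():
    """Constructed scenario in a scratch folder standing in for System32.

    Returns the probe result for a clean folder, for a folder where
    dwmapi.dl is present and listed, and for the same folder when the
    listing hook drops the name (a simulated hiding driver).
    """
    scratch = tempfile.mkdtemp(prefix="dwmapi_probe_")
    try:
        results = {"clean": probe_hidden_file(scratch, "dwmapi.dl")}
        with open(os.path.join(scratch, "dwmapi.dl"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real library")
        results["present"] = probe_hidden_file(scratch, "dwmapi.dl")

        def filtered_listing(path):
            # Simulates a rootkit removing the name from enumeration results.
            return [n for n in os.listdir(path) if n.lower() != "dwmapi.dl"]

        results["filtered"] = probe_hidden_file(
            scratch, "dwmapi.dl", list_dir=filtered_listing)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:9s} -> {verdict}")
```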
BNAMack (Comodo Member, Posts: 31)
Re: dwmapi.dl, Reply #62 on July 04, 2008, 11:26:44 AM
I've been searching again... found someone with a clean install asking the same questions (also a CFP3 user) in the Microsoft security forums.
Heads up Comodo: Microsoft forum moderators are telling folks that Comodo is the problem and to uninstall it!
Out of curiosity I have booted up a new machine I have here for my auntie's birthday. Brand new Dell running Vista 32 Home Premium. I first updated to all Vista patches (last night) and then this morning, after reading the updates in this thread, I installed CFP 3.0.
Result - "internet explorer is trying to install system hook dwmapi.dl" with 1 'L'
So -- either Dell is shipping malware, OR dwmapi.dl is the compressed version of dwmapi.dll and is only expanded after being called, OR perhaps cfp really is issuing a misspelled warning (perhaps truncated?) and this is a false positive.
Also, I've checked my (hardware) router's log file and don't find any evidence of malware trying to get out. (45 day log file)
Anyway, there's my evidence so far . . .what do y'all think?
Mack
grue155 (Global Moderator, Comodo's Hero, Posts: 1172)
Re: dwmapi.dl, Reply #63 on July 04, 2008, 11:59:35 AM
I think there's a bug floating around in the background. And just based on what you've described, I think that DL is somebody's idea for a cute representation of a compressed DLL.
It's not unknown for vendors to have shipped malware, but in this case, I think it's starting to pile on too many coincidences to be a viable explanation. Especially with system components.
With everything that has been presented so far, I'm coming to the conclusion this is a false positive with some kind of coding bug behind it (presuming it isn't that compression name thing).
gibran (Average User, Comodo's Hero, Posts: 5063)
Re: dwmapi.dl, Reply #64 on July 04, 2008, 01:52:45 PM
If there is an issue with CFP truncating the path then the alert will be presented again regardless of whether CFP was asked to remember it.
Also copying dwmapi.dll into the same folder as iexplore should affect the path displayed in the alerts too.
BNAMack, can you please test this?
Anyway there is still a chance that some user is affected by some malware.
Last Edit: July 04, 2008, 02:29:25 PM by gibran
Sir Joe (Comodo Family Member, Posts: 87; title: "Ops...")
Re: dwmapi.dl, Reply #65 on July 04, 2008, 02:33:16 PM
Ok, things are getting clearer...
To Mack: as you wish! No problem! (for bosses)
To Grue: is there any chance that I can learn to "read" a log as you did? Possibly for those who know, it is not impressive, but I have no idea of what you talk about. I guess that it could be interesting to learn more. Any idea about some site I can visit, with time, to learn more about ports, or security in general? Or do you say that I do not really need it?
About the rest, dwmapi.dll IS present all the time in system32 on my system (SP1 and all later updates). I copied it to the desktop, changed its extension to .dl, copied it into system32, and I was allowed.
Possibly, IF it is a malware, maybe it copies a dl just for a while. Do you think that could be interesting to leave a dwmapi.dl file in system32, to see if the message appears again?
For what I've read here, correct me if I am wrong, if some malware tries to write a dl with that name, and it is already there, it should not be able to do it...
Edit: uh, I forgot: Mack, could you give me the link to that Microsoft discussion about dwmapi and them telling people to uninstall Comodo? I fear it can be me...
As you may have read, when all this started (here), I got scared and I wrote in many places, like hijackthis.de (where they banned me thinking I was a bad guy who was intentionally trying to create false scandals under fake nicks, which is ridiculous, and, especially, I always use Sir Joe wherever it is available), pchelp, Dell forums (under the nick Sergioo), and others. Which includes the Microsoft community.
So, I guess I am more guilty than Grue (who is not guilty) for the excessive exposure of this case in the web...
Once again, sorry...
Last Edit: July 04, 2008, 02:39:40 PM by Sir Joe
grue155 (Global Moderator, Comodo's Hero, Posts: 1172)
Re: dwmapi.dl, Reply #66 on July 04, 2008, 02:59:23 PM
Quote from: Sir Joe
To Grue: is there any chance that I can learn to "read" a log as you did? Possibly for those who know, it is not impressive, but I have no idea of what you talk about. I guess that it could be interesting to learn more. Any idea about some site I can visit, with time, to learn more about ports, or security in general? Or do you say that I do not really need it?
At the risk of pointing to something that reads as alphabet soup, I'll point you to
http://en.wikipedia.org/wiki/TCP/IP
which has links to a number of very good sites, and lists the by-now classic textbooks on the subject. The netstat reporting program is one that has been around ever since the invention of wire. It's a standard tool, like ping and arp, to figure out what is going on. Once you understand context, it is easy. But to understand context? That can take a while.
BNAMack (Comodo Member, Posts: 31)
Re: dwmapi.dl, Reply #67 on July 04, 2008, 03:08:02 PM
Thanks SirJoe!
Gibran:
Quote from: gibran on July 04, 2008, 01:52:45 PM
If there is an issue with CFP truncating the path then the alert will be presented again regardless of whether CFP was asked to remember it.
Also copying dwmapi.dll into the same folder as iexplore should affect the path displayed in the alerts too.
BNAMack, can you please test this?
Anyway there is still a chance that some user is affected by some malware.
Excellent point about truncation -- and so I am pretty sure that isn't the issue.
Do you want me to copy it to the IE folder to see if it exists already, maybe? If so, Windows let me copy it into whichever folder I wish (the .dll and a renamed .dl version of the file). I also tried various system folders with the same results. It seems to only live in System32 (see further below). I left the copies in place, rebooted and opened IE again, getting the same message from the same location (...\System32\), so it appears, again, to be a valid program call.
Once I disabled Aero, no more prompts from CFP on the new machine. (On my machine I have already OK'd this hook with CFP. No issues so far, and a boot-CD scan of the system did not show up any malware.)
I have also booted my machine into Linux and searched through the Windows partition for 'dwmapi.dl' (this usually defeats hidden files as the Windows OS isn't loaded) and do not find any other instances of either the .dl or .dll versions of this file.
Also, see my previous post for MD5 hash value.
btw- where did you get the Kurosaki Ichigo icon? Bleach rocks, and Ichigo & Urahara are my heros!
Mack
Therealjobe (Newbie, Posts: 18)
Re: dwmapi.dl, Reply #68 on July 04, 2008, 03:28:32 PM
Quote from: gibran on July 04, 2008, 03:31:55 AM
Hello Therealjobe,
I followed the entire topic briefly and the fact that dwmapi.dl or even dwmapi.dll cannot be found looks relevant.
Please confirm that the path is c:\%windows%\system32\dwmapi.dl and not something like %windir%\system32\dwmapi.dl
According to the info you provided there should be a hidden %windows% folder in the C:\ root
Also an easy way to check for rootkit files is to try to create a file with the same name in that folder.
If on XP there is actually an undetectable dwmapi.dl in a specific directory then if you try to create a file with the same name you'll get an error.
I have verified it is C:\windows\
Good idea on making a dwmapi.DL file, it worked w/o error... would that work if the malicious dwmapi.DL was in the ADS?
Last Edit: July 04, 2008, 03:36:44 PM by Therealjobe
gibran (Average User, Comodo's Hero, Posts: 5063)
Re: dwmapi.dl, Reply #69 on July 04, 2008, 03:37:45 PM
Quote from: BNAMack on July 04, 2008, 03:08:02 PM
Excellent point about truncation -- and so I am pretty sure that isn't the issue.
If you marked those alerts to be remembered, is the path listed in the CFP allow list still featuring that dwmapi.dl?
Quote from: BNAMack on July 04, 2008, 03:08:02 PM
Once I disabled Aero, no more prompts from CFP on the new machine. (On my machine I have already OK'd this hook with CFP. No issues so far, and a boot-CD scan of the system did not show up any malware.)
Yes, this proves that there is no hidden file. But just in case, if something like this happens I guess that some checks should usually be made, since malware writers use misspelled system file names to make them easier to overlook.
Quote from: BNAMack on July 04, 2008, 03:08:02 PM
Do you want me to copy it to the IE folder to see if it exists already, maybe? If so, Windows let me copy it into whichever folder I wish.
Nope. That test, although it may not work properly on Vista, was intended to check the path in the alerts.
Usually when an application needs a DLL it looks first in the folder where it is placed and then it looks in other places (including Windows and System32). This way it could be possible to troubleshoot DLL version compatibility issues (it's kinda like an override).
Anyway Vista file virtualization makes this test difficult. I finally found a detailed article about it.
Since Vista protects the System32 folder and the Program Files folder, if file virtualization is not disabled those tests may not work as intended.
Using an intermediate file like dwmapi.dl to carry out some task is an uncommon solution. I guess it would be better to summarize all the evidence in a bug report and let the devs handle this.
PS: I took the animated gif from a forum while I was searching for animated gif avatars.
Last Edit: July 04, 2008, 03:44:51 PM by gibran
Sir Joe (Comodo Family Member, Posts: 87)
Re: dwmapi.dl, Reply #70 on July 04, 2008, 04:51:28 PM
Ok, I got jealous and I decided to have an avatar too.
Guys, I introduce you "Twitchy!", from Hoodwinked...
He's my hero.
And, btw, I don't drink coffee...
Well, Gibran, I scrolled quickly through the UAC link (quickly is a euphemism, with my connection, but I meant superficially), and I have a question: are you saying that if we do not deactivate virtualization (and UAC too?) that trick of copying a false dwmapi.dl is useless?
If it is so, how do I deactivate it?
Ah, I may have said it already, but I tried to do netstat -anob, and it requires administrator rights. As I have just one account (with administrator rights), I got surprised. Any idea about it?
It passed me twice, as I am being assisted by a Microsoft technician (I can't install an update published after SP1, and the "search" option has completely disappeared from the Start Menu, and also from the "personalize" options of the Start Menu, which I have NOT in classic mode) who told me to type something in CMD (something with /scannow at the end) and I was not able to do it...
gibran (Average User, Comodo's Hero, Posts: 5063)
Re: dwmapi.dl, Reply #71 on July 05, 2008, 02:14:59 AM
Quote from: Sir Joe on July 04, 2008, 04:51:28 PM
Well, Gibran, I scrolled quickly through the UAC link (quickly is a euphemism, with my connection, but I meant superficially), and I have a question: are you saying that if we do not deactivate virtualization (and UAC too?) that trick of copying a false dwmapi.dl is useless?
If it is so, how do I deactivate it?
Since Vista is different enough I need to test that with an untraceable file in order to check if it works the same way. IIRC it is possible to have full privileges using "run as administrator".
Virtualized files are written to a specific folder of the user profile so it is possible to check them. I don't advise disabling Vista's new security features.
Quote from: Sir Joe on July 04, 2008, 04:51:28 PM
Ah, I may have said it already, but I tried to do netstat -anob, and it requires administrator rights. As I have just one account (with administrator rights), I got surprised.
Even logged in as admin, Vista does not grant all admin privileges. You could try the method described in that article to run a command prompt as administrator. IIRC only the -b part of that netstat command requires a full admin token.
BNAMack (Comodo Member, Posts: 31)
Re: dwmapi.dl, Reply #72 on July 05, 2008, 04:14:00 AM
Quote from: gibran on July 05, 2008, 02:14:59 AM
Since Vista is different enough I need to test that with an untraceable file in order to check if it works the same way. IIRC it is possible to have full privileges using "run as administrator".
Virtualized files are written to a specific folder of the user profile so it is possible to check them. I don't advise disabling Vista's new security features.
Even logged in as admin, Vista does not grant all admin privileges. You could try the method described in that article to run a command prompt as administrator. IIRC only the -b part of that netstat command requires a full admin token.
Understood your request after reading the quoted text. Read the article you linked and re-ran the test on both the new/clean machine and my PC. Also checked the virtualized directories (c:\Users\<username>\AppData\Local\VirtualStore\Windows\System32) but no dwmapi.* was found. (But I think my earlier searches would have found it in these directories as well.)
Also checked the virtualized registry entries to see if dwmapi.dl* was found, with negative results. Then realized something that your terrific article stated kinda plainly.
Virtualization is already disabled in System32 and other protected folders by default. And if virtualization had been enabled, a UAC prompt would have initiated any writing to the virtualized folder or registry. Even on an administrator account. UAC would also have popped up when a program requested the elevated privilege needed to create a file in System32 with virtualization turned off. UAC did not intervene in any of my tests/examples. Think you're correct about the bug report.
Thanks for the article links. Learned a lot about how Vista does file virtualization and how to account for it when testing!
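An added example (not code from the thread or from Comodo) that puts gibran's DLL lookup explanation in Reply #69 and BNAMack's VirtualStore check together: it walks the simplified search order (the executable's folder first, then the Windows system folders), reports which copy of the library would be picked up, flags same-stem lookalikes such as dwmapi.dl along the way, and lists anything under the per-user VirtualStore mirror separately. The scratch directory tree, the placeholder file contents and the `search_dll`/`run_demo` names are constructed for the demo; the real Windows loader order has more rules than this, so treat the order as the thread's simplification.

```python
import os
import shutil
import tempfile


def search_dll(name, app_dir, system_dirs, virtual_store=None):
    """Report where `name` would be loaded from and which lookalikes sit
    on the way.

    Order is the simplified one gibran gives: the folder holding the
    executable first, then the Windows system folders. A lookalike is a
    file with the same stem but a different extension (dwmapi.dl where
    dwmapi.dll is expected), the pattern the thread is worried about.
    `virtual_store` is the per-user mirror Vista redirects blocked writes
    into; the loader never reads it, but a file there shows that some
    unprivileged process tried to write that name into the real folder.
    """
    stem, ext = os.path.splitext(name.lower())

    def scan(folder):
        copies, lookalikes = [], []
        if os.path.isdir(folder):
            for entry in sorted(os.listdir(folder)):
                s, e = os.path.splitext(entry.lower())
                if s == stem:
                    full = os.path.join(folder, entry)
                    (copies if e == ext else lookalikes).append(full)
        return copies, lookalikes

    copies, lookalikes = [], []
    for folder in [app_dir] + list(system_dirs):
        c, l = scan(folder)
        copies += c
        lookalikes += l
    shadow = []
    if virtual_store:
        c, l = scan(virtual_store)
        shadow = c + l
    return {"resolved": copies[0] if copies else None,
            "copies": copies, "lookalikes": lookalikes, "shadow": shadow}


def run_demo():
    """Constructed tree: a genuine dwmapi.dll in System32, a dwmapi.dl
    lookalike beside the browser executable and another under VirtualStore.
    Paths come back relative to the scratch root with forward slashes."""
    root = tempfile.mkdtemp(prefix="dll_search_")
    try:
        app = os.path.join(root, "app")
        win = os.path.join(root, "windows")
        sys32 = os.path.join(win, "system32")
        vstore = os.path.join(root, "VirtualStore", "Windows", "System32")
        for d in (app, win, sys32, vstore):
            os.makedirs(d)
        for path in (os.path.join(sys32, "dwmapi.dll"),
                     os.path.join(app, "dwmapi.dl"),
                     os.path.join(vstore, "dwmapi.dl")):
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real library")
        result = search_dll("dwmapi.dll", app, [win, sys32], vstore)

        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, "/")

        return {"resolved": rel(result["resolved"]) if result["resolved"] else None,
                "copies": [rel(p) for p in result["copies"]],
                "lookalikes": [rel(p) for p in result["lookalikes"]],
                "shadow": [rel(p) for p in result["shadow"]]}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:10s}: {value}")
```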
gibran (Average User, Comodo's Hero, Posts: 5063)
Re: dwmapi.dl, Reply #73 on July 05, 2008, 04:54:42 AM
Vista behaviours are more complex than XP ones. For example when virtualization is disabled some commands fail. It is possible to check the virtualization status of a process by enabling a new column in Task Manager. Anyway virtualization can be enabled automatically (my guess) in some cases but I have no details about this.
The pro of this "maze" is that malware tailored against XP will have a tough life (as will the rest of the software that is not Vista compliant).
Anyway this complexity also trashes existing troubleshooting procedures that worked on XP.
BNAMack since you investigated this issue a lot can you please summarize your findings in the bugreport board?
Reading the entire thread is quite time consuming.
Last Edit: July 05, 2008, 04:58:11 AM by gibran
Sir Joe (Comodo Family Member, Posts: 87)
Re: dwmapi.dl, Reply #74 on July 05, 2008, 03:28:01 PM
I agree with Gibran.
In fact, I understood nothing of what Mack said.
Can you use more basic language please?
The only thing which I was able to understand is that you don't like the Simpsons anymore...
Cool.