dwmapi.dl [RESOLVED]

Not sure if this is the right forum catagory for this, but here goes. On one of my Vista’s I keep getting a CFP warning window about iexplorer wanting to install dwmapi.dl (that’s .dl, not .dll). When I click the highlighted link no detail window comes up. I keep blocking it, but it wants to install whenever I start the Internet. I have done some searching as to what dwmapi.dl is, but not much luck. Any one know what this is?

Hi greyhair,


This seems to be coming up a lot recently.No explanation yet,sorry.


sorry i`m getting old :-TD

Matty, your link takes us back to this thread lol.

Is Dwmapi.dl a safe file? If your not sure, you can always check with www.virustotal.com

Thanks for the replies (so far). I would submit the file to virustotal, however I cannot locate the file on the computer. The CFP window does say that “iexplorer wants to INSTALL dwmapi.dl,” so I suspect that some other app/program/file wants to install this .dl. The fact that the extension is .dl, and not .dll is a little creepy, and that no CFP detail window will open on the link. I have a feeling this is not a legit file.

Edited above post

This dll is the Desktop Windows Manager API (dwmapi.dll). It is integral to Vista effects such as the aero-glass effect, menu & window animation, scaling, etc – so a lot of programs seem to call this function; and Commodo will spout a pop-up warning at each instance.

Find the MSDN entry on this here: http://msdn.microsoft.com/en-us/library/aa969540.aspx

I’m not sure why CFP has started complaining about this function - I only started getting the pop-ups after latest version update. But the function in question is safe and necessary.


Go back and read the thread. This is .dl not .dll.

I got it for the first time today as well. When I visit 1 particular site that attempts to integrate the WMP to run videos on their site.

I think this is bad news…

Do Comodo employees ever come out here and answer questions?

An update, COMODO reports the file is in the winsys32\ directory. However, if you go to look for that file its not there. I am suspecting 1 of 2 things. 1 Its rootkited, 2. Its only placed there during the request.

I would like to see if it is visible during the time the COMODO action prompt is waiting. However, I told COMODO to block it every time it comes up. Now I cant figure out how to unblock it so the action prompt will come up again… any idea?

You tried to watch a video online, It asked to install something? Can you please send me a link VIA private message.
I would almost bet that this is the cause…

I’ll be more than happy to. I dont want to come across as I know for sure that site is related, as I dont want to be considered slanderous.

Let me add this too to see if we can begin to find a common thread.

I just rebuilt my PC today too, post finding this issue. It was more important for me to protect my data then crack the case.

So before I was running Vista 32 Home Prem
Now I am running Vista 32 Ultimate, both are legit licensed.

The new Ultimate build is still fairly bare bones.
I formated all physical drives
All available Windows updates
Latest Nvidia drivers and the same for my X-fi drivers.
I have WoW installed with all the current patches.
I also installed the latest flash plugin.

Unlike the situation before I now get the warning pop-up when IE is launched and attempts to pull up google.com
At this time its easier for me to rebuild my machine one more time, post flashing the onboard BIOS in the event somethig nasty is in there.

If it persist beyond that I would have to think this is a serious hack that would have been publicized by now, or just a buggy situation with Vista runing some funky functions.

Just an FYI I had stated earlier that I had hoped to see if the file was present in the file structure while the comodo prompt is up. Since I am getting it again on the new system I had a chance to check. It was not present as far as I could tell.

Is this what you saw?

EDIT: This may very well be a legit codec, How ever if some of you noticed that this appeared before\during the infection, please post it.

[attachment deleted by admin]

Hello, Try this -
Next time you get the pop up go to
Comodo Firewall Pro → Defense+ → View Active Process List. If you see anything suspicious, Right click on it - Terminate and Quarantine. (Make sure it’s not an important windows file…Might cause some trouble if it is)

Hello everyone,

I’m new here, yes and I’m not sure if you don’t mind me saying I have the same problem with this file:
“dwmapi.dl” < yes with ONE “L”

Been looking for answers too (yet to find anything) as COMODO keeps asking me to block or allow for nearly EVERY program I run; MSN, OUTLOOK, WORD, etc… Not sure if thats a pattern.

I block it for every program and they all seem to run fine…

As mention up the page a bit, when I try to examine the file or send IT’S NOT THERE and it’s NOT anywhere (search wise) on my system! Not in task man, system32… NOTHING…

This file is starting to freak me out.

Thanx for reading and I hope my butting in is okay seeing as we are all talking about the same problem. :Beer

Running Windows Vista Ultimate with all updates.

Me too.
I have formatted the notebook, so all is new. No strange things installed. Just the Microsoft Silverlight.
I am downloading the standalone SP1, so, no windows update done yet.
I have the message for IE, Firefox, WMP…
By the way, what is a “hook”?
Mmm, I do not want bad things to install now.
Someone please discover out what the hell is that (:WAV)


The good news and the bad news.

As I communicated previously, post rebuilding my system, got the same dwmapi.dl issue…
What I failed to mention is that I used a thumb drive to retain several different files during the rebuild process, just used the windows formatter, and didnt touch the bios.

I want to report that I rebuilt my computer a 3rd time from top to bottom.
That included:
Flashing the bios from a cleanly formatted thumbdrive (made on a different PC)
Fdisk and low level format of all harddrives
The installation of 32bit Vista Home Premium
The installation of: FF3, Nvidia and Creative Xfi Drivers, WoW, all windows patches, COMODO, Avast, winrar, & flash
I can say that I no longer have the problem under any circumstance…

I tried to follow the course of the second rebuilding during the 3rd. The only difference is I didnt bring over any content from previous builds on a thumbdrive, i did a low level drive format, and i flashed the bios.

To me this just screams rootkit/trojan since it reappeared so quickly after my second rebuild.
Where it was, bootsector, bios, thumbdrive, I do not know. However, I hope someone finds this soon as I know it is not realistic for everyone to go through an entire low level rebuild like I had to.

I’m available for questions but wont take the chance of testing anything.

when something installs a global hook it could be dangerous… check the fileproperties to see where on the system the file is coming from… this could make a decision easier for you…

I’ve been kind of following along in the backgorund. Doing some research, it seems that anything named “.dl not dll” is a Sub7 malware variant. Google doesn’t turn up much, except for these Comodo forum topics. A couple of other hits elsewhere, but nothing good (as in legit).


It would seem then that your USB stick has some real live malware that’s ready for a new home. It also means that it is a research sample, if you can safely get into it. Knowing that you don’t want to go thru that hassle of rebuilding your machine again if something got loose, I’ll suggest that you make a posting to one of the more dedicated malware cleanup forums asking if they’d like to have live malware on an USB stick that hit a Vista box. The cleanup forums do communicate among themselves in identifying new forms of malware. I think what you have would qualify.

The forums I’ll suggest are http://www.bleepingcomputer.com/forums/forum103.html
and http://www.techsupportforum.com/security-center/general-computer-security/

These are not malware cleanup forums, as you’ve already done the cleanup (the hard way, I might add, but it did work). The folks on those forums can help pass the malware from the USB stick onto the researchers and get fixes in place.

I think I am getting close to the solution. See what i posted here: https://forums.comodo.com/help_for_v3/problems_with_msctfdl-t19884.0.html;msg173930#msg173930

Sir Joe, it might very likely be some error (like you wrote in your post).
To check this, allow one application to install it (for example, iexplore.exe), and then open CFP 3, go to Defense+ → Advanced → Computer Security Policy and find iexplore.exe. Now double-click it and go to ‘Access Rights’. Next to the ‘Windows/WinEvent Hooks’, click ‘Modify…’. Under the allowed hooks, look if it says \WINDOWS\system32\dwmapi.dll.

This is what I found on .dl-files from FILExt:

Animation - This appears to be associated with glifomon.zip, a probable porno file

FLEXnet Manager Debug Log File - FLEXnet Manager is a Web-based software license management system that enables organizations to centrally track and manage FLEXwrapped Windows, FLEX-enabled, and IBM LUM-enabled license usage within departments and across the organization

MAC Image Format

Masked .DLL File - often used by malware to hide .DLL files from virus scanners (e.g., Sub7)

Unknown Apple II File (found on Golden Orchard Apple II CD Rom)