dwmapi.dl [RESOLVED]

Ok, I have this Flexnet… Macrovision FLEXnet Connect… In Msconfig, on startup, there are two entries for that, one points to ISUSPM.exe, the other to issch.exe.
Should I atomize them someway? (:KWL)
Anyway, I confirm, at least under system32 there is now a dwmapi.dll, not dl as “promised” by captain hook…
So?
What is this macrovision? I had to check better this morning, when I formatted again and reinstalled all. I suspect it can be something coming from Roxio Creator, or from Vista SP1…

http://www.macrovision.com/

I would love to assist and it was my initial intention to capture the beast. However, part of the rebuilding process #3 required a bootable USB thumb drive (:SAD) Any samples are gone.

I was aware this may be the case, but the need to protect my own data took priority. I apologize if this is deemed selfish.

@Rag

I too thought that we may be looking at poor programming on the part of COMODO, i.e. truncating the last ‘l’ in dll.
However, I too went digging through the verbose logs of COMODO and it clearly pointed to c:%windows%\system32\dwmapi.dl not dll.

So I don’t know that this is a programming error. To add, the issue immediately reappeared post a clean install of the Win OS only after backed-up files were reintroduced via a USB Key. It did not re-occur post a flashing of the mobo bios, a LOW LEVEL format of the drives and clean install of the Win OS (and not bringing back the USB stored files.)

This leads me to only further believe it was a trojan/rootkit in the BIOS, MBR, or files on the usb stick whether a trojan or ADS virus.

Guys one other note regarding .dl files.

Just food for thought, I’ve never heard of a sub7 or variation thereof that isn’t picked up by a current AV. Even the heuristics should have caught something if it was derived from Sub7.

I would recommend everyone affected run a netstat -an and begin posting their results here so we can look for funky ports such as 27374.

Is anyone getting this on a non-vista system?

Not a problem. “Needs must”, as the old saying goes.

And while the “.dl” technique is a characteristic of Sub7, that doesn’t mean it necessarily is a Sub7 variant. Some new form of malware could have borrowed an old technique.

That’s a good suggestion about netstat -an. Thanks.

Ok, let me understand, how can we discover if it is a malware???
I formatted all, and I am noticing that any new software or function that I use for the first time asks to install this hook, and Comodo asks me if I agree. If I say no, I do not notice anything bad, and this can be a sign that it was malware, not that program/function. But, at the same time, the fact that any program asks for this makes me think that it is normal, and that, simply, for some reason the Comodo guys believed that in clean pc mode Comodo has to block these actions.
I also have another element in this direction: if in process manager I shut down the dwm process, everything functions the same. Maybe just windows open a bit slower. So, possibly, if we say no to those hook requests, we do not notice anything bad just because it is difficult to notice. Not because it was malware…
Anyway, I mean, if I do a scan with:

  1. Avira
  2. Comodo
  3. Windows Defender
  4. A-Squared free
    and the last Windows update malware removing tool, and these hook requests for dwmapi.dl keep going on, this means that it is not malware, isn’t it? Avira has got also a rootkit removal…
I could do a scan with the free AVG antirootkit…
But, tell me, what else can I do???

Maybe it is not a malware variant and it is just some kind of file corruption problem…hmm… maybe it is sensible to do some optimization checks on your pc (I know you recently formatted) and do some registry defragmentation, registry cleaner, disk checks, disk optimization, and you have scanned a lot so there is a big chance your pc is clean… If you have a second pc… use that one for the internet and use this pc to work offline and unplug the network UTP cable or disable the wireless network connection…

Then set your firewall Defense+ to learning mode and let the firewall learn your whole pc… do this for a couple of days and use the pc like you normally use it…

If done so, set the firewall back to clean pc mode and activate network resources and I think your pc will be running fine again…

Take, just in case, some extra precaution, like safer browsing habits and use some drive-by download killers like McAfee SiteAdvisor or even better Haute Secure…

Ok, Hope I give you some ideas! Have a nice day!

(V)|(:THNK)

Ok, I will try to download this afternoon, I will format all again now ( :THNK ) because of other things, and this afternoon I will go in town again to download again the windows updates (the ones after the SP1) and other stuff…
I am pretty sure it is nothing. Anyway, I must say that AVG antirootkit found a hidden file under System32/drivers, called amh6tlfn.sys . I did a search in Google and found nothing, so I deleted the file. We will see if it comes again now.
Also A-Squared had found two riskwares, and I must say that once again one was something in the s1.tmp file in the comodo folder… What is this S1?
It could be interesting if the other guys with this “problem” (who have disappeared) download AVG antirootkit (from softpedia) and see if they find the same rootkit… And possibly also this A-Squared…
Avira found nothing, but I have the latest file but not the latest updates, as there is a problem now with updates for the free version (very molesting I must say!).
Comodo found nothing and Defender too, and both are up to date.
I have downloaded also Malwarebytes, and Spybot, both are up to date and found nothing.
I will try those other options…
I plan to do a scan with Hijack, but it looks complicated, I have to wait for an answer from people, and I had a bad experience in a hijack site with people who banned me seeing that I had posted about dwmapi in other sites! Ridiculous, the first thing they have done to “help” me was looking for solutions in other sites, and they pretend that I should have not done the same???
Till the point of closing the thread!?
I may be wrong, but I do not agree with them at all.
Anyway, it is another theme.
Bye!

Sir Joe, have you submitted the dwmapi.dl to virustotal.com or jotti.org? I’m interested not so much in whether they detect a virus, but in getting the MD5/SHA hash values and in finding out if the code is a “packed executable” of some kind.

Also, have you checked the file properties (version, dates, signed or not, that stuff)?

All of that can be taken in context to determine if a file is legit, or not. If a google search turns up a MD5 hash with a dozen different names, it’s not a good sign. It takes knowing the hash to do the searches.

The fact is that it does not install that dl. Comodo alerts of programs trying to install the hook, but what is installed is the dll, and it is signed by Microsoft…
If it was a keylogger, should it install something? How could I find and eliminate it?
With A-Squared I should be able to find trojans, with malwarebytes malwares, with avg antirootkit rootkits, with avira viruses and rootkits (and other things?), with Defender spyware? With Comodo?
So… What do I miss??? (:NRD)

Doing some research on Microsoft turned up this http://forums.msdn.microsoft.com/en-US/clr/thread/801ebca2-71e6-4563-aba5-e098a4e40229
showing dwmapi.dLL as being a problem for some time. That thread dates from 2006.

It is a “dynamic load” DLL, part of Vista, but apparently will install on XP as needed.

If the install attempt is using a Microsoft server, and the DLL is signed by Microsoft, then it looks like all is good. Then either CFP or the installer process has a goof in dropping that last L of DLL.

Ah, interesting…
They do not talk of the mystery of dl, but I suspect that it must be something in Comodo’s last release. I am not talking necessarily of the error of a missing L, but of the fact that it alerts all the time about this hook.
I noticed this only when I downloaded the last release, and we can see that also the other guys started to post in that period.
Anyway, the good news is that it may be something not malicious.
Ok, Grue, thanks a lot, I will keep monitoring the thing for a while… Sooner or later, if it is a bad thing, it must be detectable with some update of some program…
Cheers!

Sir Joe,

First off, thanks for doing all the tests.

Secondly, don’t go busting my chops about disappearing because I don’t post for a week. (:AGY) I have to imagine you were banned from the other forums for similar behavior.

I will run the scans you suggested. My issue has resurfaced, and all content on the ‘clean PC’ has been freshly downloaded. So nothing carried over from the old PC install.

Third, I challenge your assessment that you were able to see that dwmapi.dl was a signed file. You said yourself you cannot see it in the file system, so how were you able to get its properties? I agree .DLL is signed and legit, but I don’t believe you are able to get that information for .DL, and after going back and reading your post again I believe poor grammar may be the culprit.

Fourth, humour me and tell me what OS you are running and place your netstat -an results here.

Okay here is my report
A-squared reported-
Web cookies (oh no (:TNG))
1 semi-legit issue: riskware.adtool.win32.mywebsearch.bn - low risk found in d:\comodo\firewall\s1.tmp

AVG - reported nothing… but it’s over a year old… so no surprise there

Blacklight - reported nothing

All scans were done at the maximum power available by the app.

That being said I want to rereport I am running 32bit Vista Ultimate

Here is a netstat -an:
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
TCP 172.16.30.57:139 0.0.0.0:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
UDP 0.0.0.0:123 :
UDP 0.0.0.0:500 :
UDP 0.0.0.0:4500 :
UDP 0.0.0.0:5355 :
UDP 127.0.0.1:1900 :
UDP 127.0.0.1:52402 :
UDP 127.0.0.1:52403 :
UDP 127.0.0.1:62214 :
UDP 172.16.30.57:137 :
UDP 172.16.30.57:138 :
UDP 172.16.30.57:1900 :
UDP [::]:123 :
UDP [::]:500 :
UDP [::1]:1900 :
UDP [::1]:52401 :
UDP [fe80::100:7f:fffe%11]:1900 :

Ports:
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING

Are accounted for in Vista:
http://www.msfn.org/board/Listening-Ports-49152-49157-t92508.html

port 137-139 is accounted for in the WinOS (NetBios)
port 12080 is tied to Avast4\ashwebsv.exe
port 123 is a time server
port 500 is for IPSec/IKE
port 4500 is IPSec/IPv6 apparently uses this too
port 5355 is LLMNR
port 1900 is UPnP SSD

So I see nothing alarming there.
Here is a list of running services:

C:\Users\Spoon>tasklist /svc

Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 440 N/A
csrss.exe 508 N/A
wininit.exe 556 N/A
csrss.exe 568 N/A
services.exe 600 N/A
lsass.exe 612 SamSs
lsm.exe 624 N/A
svchost.exe 772 DcomLaunch, PlugPlay
nvvsvc.exe 820 nvsvc
winlogon.exe 856 N/A
svchost.exe 880 RpcSs
svchost.exe 952 WinDefend
svchost.exe 980 Audiosrv, Eventlog, wscsvc
svchost.exe 1036 AudioEndpointBuilder, hidserv, Netman,
PcaSvc, SysMain, UxSms, WdiSystemHost,
WPDBusEnum
svchost.exe 1064 AeLookupSvc, BITS, IKEEXT, MMCSS, ProfSvc,
RasMan, Schedule, seclogon, SENS,
ShellHWDetection, Themes, Winmgmt, wuauserv
audiodg.exe 1184 N/A
CTAudSvc.exe 1224 CTAudSvcService
svchost.exe 1240 gpsvc
SLsvc.exe 1256 slsvc
svchost.exe 1316 EventSystem, netprofm, nsi, SLUINotify,
SSDPSRV, SstpSvc, W32Time, WebClient
rundll32.exe 1380 N/A
svchost.exe 1412 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
TermService
aswUpdSv.exe 1500 aswUpdSv
ashServ.exe 1544 avast! Antivirus
svchost.exe 1744 BFE, DPS, MpsSvc
a2service.exe 1840 a2free
cmdagent.exe 1912 cmdAgent
svchost.exe 336 PolicyAgent
svchost.exe 512 WerSvc
ashWebSv.exe 1444 avast! Web Scanner
taskeng.exe 2304 N/A
dwm.exe 2364 N/A
explorer.exe 2432 N/A
taskeng.exe 2556 N/A
MSASCui.exe 2660 N/A
cfp.exe 2668 N/A
rundll32.exe 2696 N/A
ashDisp.exe 2716 N/A
VolPanlu.exe 2768 N/A
CTHELPER.EXE 2812 N/A
CTXFIHLP.EXE 2824 N/A
sidebar.exe 2872 N/A
CTXFISPI.EXE 2940 N/A
avgarkt.exe 3696 N/A
sJcw.exe 3892 N/A
iexplore.exe 2116 N/A
cmd.exe 2360 N/A
iexplore.exe 2576 N/A
cmd.exe 3836 N/A
tasklist.exe 2312 N/A
WmiPrvSE.exe 2584 N/A

Nothing stood out to me…

My question is how do we get someone is COMODOs lab to check this out?
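As an added example (not from the thread and not any poster's code), here is a small Python triage of `netstat -an` output: it parses the listing, keeps only listeners, and buckets each port against the baseline worked out in the post above (RPC mapper, NetBIOS, NTP, IKE/IPsec, LLMNR, SSDP, avast! on 12080, the 49152-49157 range), reporting anything outside it and calling out 27374 by name. The baseline set and the sample listing are assumptions constructed for this example.

```python
import re

# Assumed baseline of listeners the post above accounts for on 32-bit Vista:
# RPC mapper (135), NetBIOS (137-139), NTP, IKE/IPsec NAT-T, LLMNR, SSDP,
# the avast! web shield on 12080 and the Vista RPC range 49152-49157.
KNOWN_PORTS = {
    "TCP": {135, 139, 12080} | set(range(49152, 49158)),
    "UDP": {123, 137, 138, 500, 1900, 4500, 5355},
}

# Ports tied to named remote-access trojans; 27374 is the Sub7 default.
SUSPECT_PORTS = {27374: "Sub7 default"}

# One socket line: proto, local, foreign, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def local_port(addr):
    """Port from '0.0.0.0:135', '[::]:135' or '[fe80::1%11]:1900'."""
    return int(addr.rsplit(":", 1)[1])

def parse_netstat(text):
    """Yield (proto, port) for every listener in 'netstat -an' output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'Active Connections', column headers, blank lines
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/outbound sockets are not listeners
        yield proto, local_port(local)

def triage(text):
    """Bucket listeners into known, unknown and suspect (proto, port) pairs."""
    result = {"known": set(), "unknown": set(), "suspect": {}}
    for proto, port in parse_netstat(text):
        if port in SUSPECT_PORTS:
            result["suspect"][(proto, port)] = SUSPECT_PORTS[port]
        elif port in KNOWN_PORTS[proto]:
            result["known"].add((proto, port))
        else:
            result["unknown"].add((proto, port))
    return result

# Constructed sample: a few lines from the listing posted above, plus one
# ESTABLISHED socket (ignored) and one made-up 27374 listener to exercise
# the suspect path. Not output captured from any real machine.
SAMPLE = """\
Active Connections
  Proto  Local Address                 Foreign Address   State
  TCP    0.0.0.0:135                   0.0.0.0:0         LISTENING
  TCP    0.0.0.0:49152                 0.0.0.0:0         LISTENING
  TCP    127.0.0.1:12080               0.0.0.0:0         LISTENING
  TCP    172.16.30.57:139              0.0.0.0:0         LISTENING
  TCP    172.16.30.57:49160            203.0.113.9:80    ESTABLISHED
  TCP    0.0.0.0:27374                 0.0.0.0:0         LISTENING
  UDP    0.0.0.0:123                   *:*
  UDP    127.0.0.1:52402               *:*
  UDP    [fe80::100:7f:fffe%11]:1900   *:*
"""
```

Feed it the real `netstat -an` text and anything in the unknown bucket (here the 52402 UDP socket the next post asks about) is what to chase with `netstat -anob`, which names the owning process.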

That is an interesting netstat report. I haven’t encountered the 49152 ports before as being listening ports. Ephemeral, yes, but listening, no. And I’m curious about the 52401 port sequence.

Can you run another netstat report, as “netstat -anob”? That should report the control process and the dll list. It’ll take a while to generate the list, so give it time. Thanks.

Relax my friend, relax, liver is important… (:WIN)
My native language is not English, it is true, and I am sorry if I confuse with poor grammar.
Anyway it sounds pretty clear, to me, that by saying “what is installed is the dll, and it is signed by Microsoft…” I am saying that the DLL is signed… Not the DL.
Let’s see if I can say it clearer, (:NRD), Comodo alerts on programs which try to install a DL hook, BUT finally if one says YES, the hook which is being installed is the DLL. In a newly formatted machine it is very easy to see it: at the beginning there is no DWMapi.dll in system32. Then, if one says YES LET IT INSTALL THE HOOK, and he goes to check in system32, now there is a DWmapi.dll. So, in my humble point of view, Comodo’s alerts for a dl are an error, because it is actually alerting about the DLL.
In a system which has been running for some time, it is impossible to see this, as the DWmapi.dll is already there. But I installed Comodo as the very first program after the drivers, and so I was able to see the moment in which DWmapi.dll was installed.
Is it clear now?
I never said that the dl is signed, as I never found it in my system.

About the banning story, I am sorry if you felt offended, but it is a limit of the written dialogue, I possibly had to use more smilies to make it clear that I was smiling while telling that you and the other guy of the other similar thread had disappeared. Actually, you had disappeared, then you reappeared, and so? What’s the problem? Nobody is saying anything.
In the other forum they were a bit nervous (as you (:WIN) ) and they thought that I was a kind of hacker or a “malware person”, just because I was posting about dwmapi.dl in 10 different forums in the web.
But I just was “scared”, and I wanted no problems with the newly formatted machine, and I had no time, I needed an answer soon. I just thought that it could have been a known issue, and that I was doing nothing bad by asking different people, as they would have just had to tell me “don’t worry” or “yes, it is malware”.
Then in another forum a very kind guy explained to me that it is not a known issue, and so helping me would have requested time, and it is not good to ask for time in ten different forums…
I was “new” to spywares, I am sorry for the incident.
Anyway in that forum they were very very exaggerated, a bit paranoid, and very unkind. At least they were so with me.

If all is clear and we are friends again, stop boring me with your pride and just tell me what this netstat is… :■■■■
(:KWL)

I’ve been checking and re-checking this issue - including many of the steps outlined in previous posts. My machine has been broken down (software-wise) and examined virtually file by file. I’ve run several root-kit scan/repair tools, and isolated the .dl / .dll in question. (the list is exhaustive - please forgive the lack of documentation)

My research indicates that this is still nothing more than programs making a call to the Desktop Windows Manager. This is a real function in Vista, and is installed on XP in certain cases.

Are you looking at which program is making the call? Legit programs, especially when running in Vista, will need this to function properly. ( please see MSDN link in my first post on this thread)

Again, I’ve been running vista for 18 months, now, and this version of CFP is the first (and only) program to complain about it.

False positive? I really still don’t know. It seems so, but I still hope that some moderator who might have access to CFP developers has made them aware of this thread, just in case CFP has found something sinister.

BNAMack, thank you for doing all that research. Can you post the md5 or sha checksums for the dll? The Microsoft tool “fciv” can do this. Details on the tool are at http://support.microsoft.com/kb/841290 Any comparable tool would do the job as well. I’d like to make sure this thing gets placed in the Comodo “safe list”, so this doesn’t become a continuing question.

Guys my concern here is whether the .dl is the .dll file.

Has this been determined?

I agree with BNAMack. I would feel like we’re jumping the gun if we added the .dll hash to the white list and called it a day.

I hope that COMODO labs have some way of viewing the hash of the valid .dll, as signed by MS, and could compare it to the .DL referenced in the Defence+ warning.

My other concern is the lack of consistency.
As Sir Joe mentioned, the .DLL was not present in his initial install… However, I did see that it was initially present in my install. Please remember I loaded COMODO Defense+ a la paranoia at the highest setting right away. I have never permitted the hook.

I would like to believe, which I know is a stretch in the MS world, that if it was a system operation it would have shown up sooner rather than later.

Let us also not forget that the hook request has shown up in several locations. For me, I got it in the beginning when I only went to a very specific website. Then I only got it when IE was launched to the MSN homepage. Now I only receive it when I work in specific control panel apps…

I would love nothing more than for this to be a false positive, I just don’t want to jump the gun. I really feel that we’ve done quite a bit as a community here, and I would hope COMODO does more research as a responsible company before white-listing.

Whitelist only a known real proper dll. Anything else would be counterproductive, if not downright dangerous. The real dwmapi.dll apparently exists on Vista machines. I don’t know if this is the same as the XP version or not. If we can verify an XP version, great. Then we know what the real ones are. Anything else, that doesn’t verify, or fails any whitelist integrity check, is to be blocked, banned, and buried.