dwmapi.dl [RESOLVED]

Hmmm, strange, I am sure to have replied to Therealjobe but no answer is there…
I write again.
The OS is Vista Premium 32bit.
I am not 100% sure but I really think I remember that it was like this: I installed the OS, maybe also the SP1 standalone (I do not remember, and possibly here is the trick: maybe it is SP1 that installs the dwmapi.dll, while without SP1 it is installed later, and Comodo was able to block it), then all drivers, then Comodo, and finally other applications. So Comodo started to tell me that IE or Firefox or WMP or other things were trying to install the hook dwmapi.dl in system32. I said no all the time. I went to check in s32, and I think I remember that there was no dwmapi, neither .dl nor .dll.
When I said yes the first time, the dll appeared in s32.
For this reason, and given the circumstances, I think that in the database from which Comodo takes the dwmapi.dl name there is an error: someone wrote dl instead of dll, but it is the dll which Comodo is alerting about.

Anyway, it could be that SOMETHING is simulating the behaviour of the dll. But in this case, it could have simulated it better, and it could have called itself dll instead of dl…

Well, the point is this: there is no file to forward to any laboratory. The dwmapi.dl is never present in the system. Possibly we could let someone check the dll, but I think it is safe.

What the Comodo guys should do is just verify why Comodo alerts about dwmapi.dl and not about dwmapi.dll…
That’s it. (:WIN)

What is the question? I don't understand.

Vista 32 Ult:
c:%windows%\system32\dwmapi.DLL
Size: 39.0 KB
Ver: 6.0.6001.18000
Date Modified: 1/20/2008 9:22PM

MD5 9b96f6952186336cc6e3d4e08be2e0af
SHA1 202c49e9623585a5b3fa07df5422528d8e9b36fa
CRC32 2e8c92c0

Please let me know if you see anything alarming:
C:\Users\Spoon>netstat -anob

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 888
RpcSs
[svchost.exe]
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 556
[wininit.exe]
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 1000
Eventlog
[svchost.exe]
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1048
Schedule
[svchost.exe]
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 600
[services.exe]
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 612
[lsass.exe]
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING 1500
[ashWebSv.exe]
TCP 172.16.30.57:139 0.0.0.0:0 LISTENING 4

Can not obtain ownership information

x: Windows Sockets initialization failed: 5
TCP [::]:135 [::]:0 LISTENING 888
RpcSs
[svchost.exe]
TCP [::]:49152 [::]:0 LISTENING 556
[wininit.exe]
TCP [::]:49153 [::]:0 LISTENING 1000
Eventlog
[svchost.exe]
TCP [::]:49154 [::]:0 LISTENING 1048
Schedule
[svchost.exe]
TCP [::]:49155 [::]:0 LISTENING 600
[services.exe]
TCP [::]:49156 [::]:0 LISTENING 612
[lsass.exe]
UDP 0.0.0.0:500 *:* 1048
IKEEXT
[svchost.exe]
UDP 0.0.0.0:4500 *:* 1048
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5355 *:* 1420
Dnscache
[svchost.exe]
UDP 127.0.0.1:1900 *:* 1288
SSDPSRV
[svchost.exe]
UDP 127.0.0.1:60353 *:* 2856
[sidebar.exe]
UDP 127.0.0.1:62620 *:* 1288
SSDPSRV
[svchost.exe]
UDP 172.16.30.57:137 *:* 4

Can not obtain ownership information

x: Windows Sockets initialization failed: 5
UDP 172.16.30.57:138 *:* 4

Can not obtain ownership information

x: Windows Sockets initialization failed: 5
UDP 172.16.30.57:1900 *:* 1288
SSDPSRV
[svchost.exe]
UDP [::]:500 *:* 1048
IKEEXT
[svchost.exe]
UDP [::1]:1900 *:* 1288
SSDPSRV
[svchost.exe]
UDP [::1]:62619 *:* 1288
SSDPSRV
[svchost.exe]
UDP [fe80::100:7f:fffe%11]:1900 *:* 1288
SSDPSRV
[svchost.exe]

Is there a way for home users to add a hash to a whitelist? I'll be more than happy to try if I can get directions.

Can anyone remember when the times were not hard, and money not scarce?

Offhand, I don’t know. I’ll inquire about the process.

Please let me know if you see anything alarming:

Okay. I’m alarmed. These don’t look right to me, in that I’ve not encountered anything like these before.

TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 556 [wininit.exe] TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 1000 Eventlog [svchost.exe] TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1048 Schedule [svchost.exe] TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 600 [services.exe] TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 612 [lsass.exe] UDP 127.0.0.1:62620 *:* 1288 SSDPSRV [svchost.exe]

and this IPv6 stuff

TCP [::]:49152 [::]:0 LISTENING 556
[wininit.exe]
TCP [::]:49153 [::]:0 LISTENING 1000
Eventlog
[svchost.exe]
TCP [::]:49154 [::]:0 LISTENING 1048
Schedule
[svchost.exe]
TCP [::]:49155 [::]:0 LISTENING 600
[services.exe]
TCP [::]:49156 [::]:0 LISTENING 612
[lsass.exe]

UDP [::1]:62619 *:* 1288
SSDPSRV
[svchost.exe]

To my knowledge, services.exe doesn't run a listening port of any kind. It's a control process, not a server. And SSDP stuff runs on predefined low ports (286x I think), not on an ephemeral port where other hosts can't find it.
And why in the world would SSDP be running on 127.0.0.1? That's localhost, and even Microsoft doesn't expect UPnP SSDP to be on 127.0.0.0/8.

This doesn’t feel right. Anybody? Am I off the wall here?

Mumble mumble, I smell misunderstanding again.
Let me explain: you wrote reply nº 38, grue155 the 39, and I had written a nº 40 to answer something that you were saying, and which is NOT the nº 40 that you read now. It has never been posted. I mean, I wrote it, I sent it, it should have been there, but nope.
I do not smoke, drink, or drug myself, so I guess I was not hallucinating! (:AGL)
It may have been some server error, no idea.
So, when I realized that, I posted again. This is the reason for my "Hmmm, strange, I am sure to have replied to Therealjobe but no answer is there… I write again."
"No answer" referred to my answer to you, which had disappeared, and not to some answer to me from your side. You had no way to answer me, as my post had never been posted!
Guy, we really have no feeling! Often the best friendships start like this, eh eh! (:LGH)

And "The OS is Vista Premium 32bit." referred to something that you deleted from your post. Now I see in your post "As Sir Joe mentioned, the .DLL was not present in his initial install…", and so my sentence makes no sense, but when I wrote it your post was different; it was something like "As Sir Joe mentioned, the .DLL was not present in his initial install… (not sure which OS)".
So I answered you that my OS is Vista Premium 32bit.

Ok, now, let me understand:

  1. what the hell is going on? Are you really finding something “bad”?
  2. how do I use this netstat to let you see if all is ok?
  3. if the log of Therealjobe and the eventual "bad" news that it brings are related to the dwmapi.dl, IF they are, then I should be infected too, right? Well, how is it possible that no program has found anything bad? And how is it possible that this "bad" thing is still there, if I have formatted ten times?
    Is it possible that it hides in another partition? Or even if I format the whole HD, all partitions, it will still be there??? (:SAD)

As sometimes happens with overlapping threads in a topic, it can get confusing who said what where about what when. Got that? I don’t either. ;D

So let me try to answer your questions, as I understand things at this point.

  1. What’s going on? We’re trying to find out. I see something that got my attention, but we don’t know the details yet.

  2. netstat? It’s a command line tool. Run from a command prompt, “netstat” will give you a list of open ports at that moment. It has a number of options. Run “netstat /?” to get a quick summary.

3a) infection? Maybe, maybe not? Each instance of dwmapi is different. If it turns out that one person has a problem, that does not mean the other has a similar problem. It could be just dumb coincidence, and malware came in some other way. That’s why I’m asking about checksums being the same, or different. We don’t know yet.

3b) can malware hide and survive a reformat? Yes, if the format is a “quick format” that does not scrub the disk clean first. Malware can, and does, hide within the NTFS filesystem in what seems to be empty space. The quick format does not change the filesystem (well, some, but not enough). A full blown binary zero wipe and complete reformat (which can take several hours, to days on really large drives) is the only way to be sure the malware is gone. “nuke the drive” is a lot closer to reality than most folks think.

Does that help?

Hmmm :THNK
once upon a time, with XP, at the moment of a clean install it was possible to choose between quick format or normal one.
In Vista it is not possible.
Ok, let’s see if we can work it out:
I have a notebook, it is pretty nice and I need it to be there for some years.
I have three partitions, C-Windows, D-Datas, E-Pagefile (I have read that the best solution is to put the pagefile in a different partition than the root one. Before I was putting it on D, but in these latest formattings I decided to create its own partition to avoid defragmenting. On 3G of RAM I have a pagefile from 4605 to 6140MB).
Does malware install wherever, or only in C?
I have found something "bad", I do not remember now what kind or with which program, in D, in two gif files in an offline page. I quarantined and deleted them.
Now, if D and E can be infected, I have only ONE remedy: to back up my data (which could be infected anyway), to delete D and unify it with E, to install the OS in this big D, to format C completely from D (but possibly I will not be allowed, because if I am not wrong there is always something in C even if I install the OS in D), to install the OS in C, and finally format D completely.
Then I will put my data back there, which could be infected, still…

On the other side, I can turn off the notebook, go for an Ice Cream, have a shower, forget the thing, and let people somewhere develop a cure for this thing. Then detect it, and disintegrate it.

It is a difficult choice.

I like Ice Cream…

Ok, Ice Cream. :BNC

No, seriously, how do you see it? And do not answer "with my eyes" please! (:WIN)

I'm going to install VM server (it's free :BNC) and install a clean copy inside a virtual server… I'll post the netstat from there for comparison… it'll take a while.

I have no idea of what you are talking about, but I agree with you.
I’ll go for an Ice Cream indeed… (:TNG)

There is much to say in favor of ice cream, irrespective of the question. :SMLR

But, to your question, the basic outline you give is correct. You back up your data. Then zero your disk, repartition, and reformat the partitions, install the OS, install antivirus, scan and test the bejesus out of your backed-up data, and then reinstall your data.

Easy. Shouldn’t take more than 4 or 5 liters of ice cream to complete.

But how to zero, repartition, and reformat? There are tools available that will do all that. Disk manufacturers often have their own tools to make full use of their hardware diagnostic functions. Seagate, for example, provides SeaTools. SeaTools is available at SeaTools | Support Seagate US and is about 6meg in size. SeaTools is a standalone bootable application that runs diagnostics and can zero wipe your disk if you want. The free program “Darik’s Boot’n Nuke” (dban) is another such application (http://dban.sourceforge.net/)

Seagate also makes DiskWizard, an all-encompassing backup/partition/reformat/restore application. It’s available for download, 105meg (a bit much for a dialup connection). It also seems to be available in store-bought shrinkwrap box form. It likely has competition from other utility programs.

Those are options. Whether those options make sense, depends on how things develop. Waiting, for the moment, would do no harm. Other than gaining a kilo or two, or three.

Do not worry, at least for now I do not gain kilos. Whatever I do.
Well, if I ever have the time and will to zero, I will download the 105 in town, and I will check for info, and eventually I will ask you how to proceed, if I am allowed.

Well, I hope that if there is something in this dl you find it out. But I hope that there is nothing.
I will follow you.
Well, ok, before leaving I will give you my netstat. How do I proceed? May I do it offline? If not, I can't do it now. Which letter should I run? Netstat -a, -b, -o, -n?
About the checksum (no idea about it), where do I find it?

Running netstat is done from a command prompt. I don’t know the menu path in Vista, but to run a program from a command prompt, in XP I can Start → Run, “cmd” to get a DOS command window. At the prompt, enter “netstat -anob”, when done, enter “exit” to close the DOS window.

Checksums take a utility program, not normally part of Windows. Microsoft has a tool for download at http://support.microsoft.com/kb/841290

DiskWizard is available for download at DiscWizard | Support Seagate US

C:\FCIV>fciv.exe c:\Windows\System32\dwmapi.dll
//
// File Checksum Integrity Verifier version 2.05.
//
9b96f6952186336cc6e3d4e08be2e0af c:\windows\system32\dwmapi.dll

C:\FCIV>

I’ve done some additional research since today’s earlier posting. To re-clarify dwmapi.dll – this is only called when needed and doesn’t exist in memory until then. Under Vista, programs do not render directly, so many programs will call dwmapi.
This results in multiple hits from Comodo products as dwmapi.dll is defined as a system hook.
dwmapi.dll is disabled if aero effects like compositing are disabled and/or the theme is changed to Windows Standard. See Desktop Window Manager - Win32 apps | Microsoft Learn and the wiki at Desktop Window Manager - Wikipedia. If you'd like more technical info, search MSDN or Technet.

I can find no instances of anyone’s system being infected via this route, and am fairly confident at this point that this is a safe file and that calls to it are also safe. But I am not the security expert here, and would appreciate comodo’s confirmation.

Note: !ot! there are posts all over the web regarding dependency errors in XP with dwmapi.dll. This is because it shouldn't exist for XP. The dependency was introduced either with IE7, or possibly with an update to IE7 or SP2. (MS hasn't addressed this officially.) It has been fixed for some by installing .Net framework 3.0. Others have had to uninstall and reinstall IE7.

–the only other significant hits regarding dwmapi.dll (when googled) are all comodo-forums related.
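The posts above settle the dwmapi.dll question by comparing an fciv MD5 against a known-good value. The following Python is an added example (not code from any poster, nor Microsoft's FCIV): it computes the same three digests listed earlier in the thread (MD5, SHA1, CRC32) and reports which ones disagree with a known-good triple. The known-good values are the ones posted for the Vista SP1 dwmapi.dll; the sample bytes in the demo are constructed and are not the real file.

```python
"""Compare a file's MD5 / SHA1 / CRC32 against a known-good triple.

Added example; the known-good values are the ones quoted in the thread
for c:\\windows\\system32\\dwmapi.dll (Vista SP1, ver 6.0.6001.18000).
"""
import hashlib
import zlib

KNOWN_GOOD_DWMAPI = {
    "md5": "9b96f6952186336cc6e3d4e08be2e0af",
    "sha1": "202c49e9623585a5b3fa07df5422528d8e9b36fa",
    "crc32": "2e8c92c0",
}


def digests(data: bytes) -> dict:
    """Return the three digests fciv-style tools print, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        # zlib.crc32 is unsigned on Python 3; mask anyway for older habits
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def mismatches(actual: dict, expected: dict) -> list:
    """Names of the digests in `expected` that `actual` does not match.

    An empty list means every supplied digest agreed. Compare all three:
    CRC32 is only an error-detection code and MD5 is not collision
    resistant, so agreement on SHA1 as well is what clears a file.
    """
    return sorted(
        name for name, value in expected.items()
        if actual.get(name, "").lower() != value.lower()
    )


def verify_file(path: str, expected: dict = KNOWN_GOOD_DWMAPI, chunk: int = 1 << 20) -> list:
    """Stream a file through all three digests and return the mismatch list."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            crc = zlib.crc32(block, crc)
    actual = {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
    }
    return mismatches(actual, expected)


def demo() -> tuple:
    """Constructed check: fake bytes fail all three, and a file agrees with itself."""
    fake = b"constructed placeholder, not the real dwmapi.dll"
    return mismatches(digests(fake), KNOWN_GOOD_DWMAPI), mismatches(digests(fake), digests(fake))


if __name__ == "__main__":
    print(demo())  # (['crc32', 'md5', 'sha1'], [])
```

Usage on a real box would be `verify_file(r"C:\Windows\System32\dwmapi.dll")`; an empty list reproduces BNAMack's "matches the known good" result, while a non-empty list names exactly which digest disagreed.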

Hey guys, really busy with family this weekend. I am posting this from a virtual Vista machine (:CLP)

here is the initial netstat w/o any addons/updates:
C:\Users\Usem>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 172.16.30.60:139 0.0.0.0:0 LISTENING
TCP 172.16.30.60:49160 63.88.212.184:80 TIME_WAIT
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5355 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:65499 *:*
UDP 172.16.30.60:137 *:*
UDP 172.16.30.60:138 *:*
UDP 172.16.30.60:1900 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:5355 *:*
UDP [::1]:1900 *:*
UDP [::1]:65498 *:*
UDP [fe80::20ef:bca:53ef:e1c3%15]:1900 *:*

NETSTAT -ANOB:
C:\Users\Usem>netstat -anob

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 836
RpcSs
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4

Can not obtain ownership information

x: Windows Sockets initialization failed: 5
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 516
[wininit.exe]
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 944
Eventlog
[svchost.exe]
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1000
Schedule
[svchost.exe]
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 604
[lsass.exe]
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 560
[services.exe]
TCP 172.16.30.60:139 0.0.0.0:0 LISTENING 4

Can not obtain ownership information

x: Windows Sockets initialization failed: 5
TCP [::]:135 [::]:0 LISTENING 836
RpcSs
[svchost.exe]
TCP [::]:445 [::]:0 LISTENING 4

Can not obtain ownership information

x: Windows Sockets initialization failed: 5
TCP [::]:49152 [::]:0 LISTENING 516
[wininit.exe]
TCP [::]:49153 [::]:0 LISTENING 944
Eventlog
[svchost.exe]
TCP [::]:49154 [::]:0 LISTENING 1000
Schedule
[svchost.exe]
TCP [::]:49155 [::]:0 LISTENING 604
[lsass.exe]
TCP [::]:49156 [::]:0 LISTENING 560
[services.exe]
UDP 0.0.0.0:123 *:* 1148
W32Time
[svchost.exe]
UDP 0.0.0.0:500 *:* 1000
IKEEXT
[svchost.exe]
UDP 0.0.0.0:4500 *:* 1000
IKEEXT
[svchost.exe]
UDP 0.0.0.0:5355 *:* 1320
Dnscache
[svchost.exe]
UDP 127.0.0.1:1900 *:* 1148
SSDPSRV
[svchost.exe]
UDP 127.0.0.1:64324 *:* 2784
[iexplore.exe]
UDP 127.0.0.1:65499 *:* 1148
SSDPSRV
[svchost.exe]
UDP 172.16.30.60:137 *:* 4

Can not obtain ownership information

x: Windows Sockets initialization failed: 5
UDP 172.16.30.60:138 *:* 4

Can not obtain ownership information

x: Windows Sockets initialization failed: 5
UDP 172.16.30.60:1900 *:* 1148
SSDPSRV
[svchost.exe]
UDP [::]:123 *:* 1148
W32Time
[svchost.exe]
UDP [::]:500 *:* 1000
IKEEXT
[svchost.exe]
UDP [::]:5355 *:* 1320
Dnscache
[svchost.exe]
UDP [::1]:1900 *:* 1148
SSDPSRV
[svchost.exe]
UDP [::1]:65498 *:* 1148
SSDPSRV
[svchost.exe]
UDP [fe80::20ef:bca:53ef:e1c3%15]:1900 *:* 1148
SSDPSRV
[svchost.exe]

Haven't had time to go through this yet myself. Let me know what you think.

BNAMack, you are a genius!
We solved it, guys, I have no more doubt, the trick is in Aero!
I had no dwmapi.dll in system32 the first time, just because I had not enabled Aero!
So, at some moment I enabled Aero, or possibly it was the SP1 (which adds some beautiful colors for Aero), and dwmapi.dll appeared!

Anyway, Grue, I did -anob, but it says that I need administrative rights. Strange, I have one profile only, and it has got administrative rights.
I have no idea about how to run cmd with adm. rights.
If you have…
If not, maybe I could run -a, -b. -n, and -o separately…
But, I repeat, I am offline.

Well, I need an Ice Cream.
No checksum needed.
Bye
(:HUG)

@BNAMack, thank you. Your fciv checksum matches that from therealjobe, and yours is a known good. I think that clears any question on dwmapi.dll, at least with that checksum.

@Sir Joe, looks like you’re also clear.

@therealjobe, those ports are still open, but the driving process has changed. It still bothers me. I’m on the end of my day here, and I need to research some things. Looks like it will be tomorrow for those details.

Sometimes we get lucky, as in a chance hallway conversation with the right person on the way out the door.

It turns out that

TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 516 [wininit.exe] TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 944 Eventlog [svchost.exe] TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1000 Schedule [svchost.exe] TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 604 [lsass.exe] TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 560 [services.exe]

these are normal ports in Vista. Microsoft, in their wisdom, decided to relocate the RPC service functions from their familiar WinXP ports.

UDP 127.0.0.1:64324 *:* 2784 [iexplore.exe] UDP 127.0.0.1:65499 *:* 1148 SSDPSRV

I am still not clear as to why these would be here. Unless there is some kind of redirection taking place, being on localhost doesn’t make a whole lot of sense to me. But localhost isn’t accessible from the Internet, so it is by itself not a hazard.

So basically, it’s all clear. Mostly just me getting an education, and getting everybody else anxious in the process. My apologies for that, folks.
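Grue's conclusion gives a small baseline for reading a Vista `netstat -anob` listing: the RPC listeners moved to 49152-49156 under wininit/svchost/lsass/services, and anything bound only to localhost is not reachable from the network. The Python below is an added example (not any poster's code) that parses the multi-line `-anob` format exactly as it appears in this thread, including the service-name and `[image.exe]` continuation lines, the "Can not obtain ownership information" rows, and a PID wrapped onto the next line, then sorts each socket into baseline, loopback or review. The sample listing is constructed from the posted ones; the `0.0.0.0:8080 [unknown.exe]` row and the baseline table are assumptions added to show a hit and are not from the thread.

```python
"""Parse `netstat -anob` (Vista/XP layout) and triage listening sockets.

Added example. The baseline reflects the thread's conclusion for a default
Vista install; adjust it for your own environment.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the listings posted in the thread.
# The 0.0.0.0:8080 / unknown.exe row is invented to exercise the "review" path.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       556
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       1000
  Eventlog
 [svchost.exe]
  TCP    172.16.30.57:139       0.0.0.0:0              LISTENING       4

 Can not obtain ownership information

x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3012
 [unknown.exe]
  UDP    127.0.0.1:1900         *:*                                    1288
  SSDPSRV
 [svchost.exe]
  UDP    [fe80::100:7f:fffe%11]:1900  *:*                              128
8
  SSDPSRV
 [svchost.exe]
"""


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str                                   # "" for UDP (no state column)
    pid: int
    services: list = field(default_factory=list)  # service names hosted in svchost
    image: str = ""                              # owning exe; "" if netstat could not resolve it


# proto, local, foreign, optional TCP state, PID (line is stripped first)
ROW = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")


def parse_netstat(text: str) -> list:
    sockets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active Connections", "Proto")):
            continue
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            cur = Socket(proto, local, remote, state or "", int(pid))
            sockets.append(cur)
        elif cur is None:
            continue
        elif line.isdigit():
            cur.pid = int(f"{cur.pid}{line}")    # PID wrapped by console/forum width
        elif line.startswith("[") and line.endswith("]"):
            cur.image = line[1:-1]
        elif line.startswith(("Can not obtain", "x:")):
            continue                             # owner unresolved; PID 4 is System
        else:
            cur.services.append(line)
    return sockets


def split_host_port(addr: str) -> tuple:
    host, _, port = addr.rpartition(":")         # works for [v6]:port and v4:port
    return host, int(port)


RPC_DYNAMIC = range(49152, 49157)                # Vista's relocated RPC listeners
RPC_IMAGES = {"wininit.exe", "svchost.exe", "lsass.exe", "services.exe"}
# (proto, port) -> acceptable owning images; "" = owner unresolved (System, PID 4)
BASELINE = {
    ("TCP", 135): {"svchost.exe"}, ("TCP", 139): {""}, ("TCP", 445): {""},
    ("UDP", 137): {""}, ("UDP", 138): {""}, ("UDP", 123): {"svchost.exe"},
    ("UDP", 500): {"svchost.exe"}, ("UDP", 4500): {"svchost.exe"},
    ("UDP", 5355): {"svchost.exe"}, ("UDP", 1900): {"svchost.exe"},
}


def classify(sock: Socket) -> str:
    """'connection' (not a listener), 'loopback', 'baseline' or 'review'."""
    if sock.proto == "TCP" and sock.state != "LISTENING":
        return "connection"
    host, port = split_host_port(sock.local)
    if host.startswith("127.") or host == "[::1]":
        return "loopback"                        # not reachable from the network
    if port in RPC_DYNAMIC and sock.image in RPC_IMAGES:
        return "baseline"
    if sock.image in BASELINE.get((sock.proto, port), set()):
        return "baseline"
    return "review"


def needs_review(text: str) -> list:
    """(proto, local, pid, image) for every listener outside the baseline."""
    return [(s.proto, s.local, s.pid, s.image)
            for s in parse_netstat(text) if classify(s) == "review"]


if __name__ == "__main__":
    for s in parse_netstat(SAMPLE):
        print(f"{classify(s):10} {s.proto} {s.local:32} pid={s.pid} {s.image} {s.services}")
```

Feed it the text of your own `netstat -anob` run; the "review" list is what is worth asking about, and the loopback entries (like the SSDP and iexplore rows grue wondered about) are reported separately so they are visible without being mistaken for exposed services.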

If I gave you my bosses email, could you tell him? (:NRD) (:LGH)

And grue, no need for apologies. Look at this thread and others in the forum and on the web. This has caused concern/confusion all around. You kept asking questions and found the answer. High marks for that in my book. :■■■■

Mack

Hallo Therealjobe,
I followed the entire topic briefly and the fact that dwmapi.dl or even dwmapi.dll cannot be found looks relevant.

Please confirm that the path is c:%windows%\system32\dwmapi.dl and not something like %windir%\system32\dwmapi.dl

According to the info you provided there should be a hidden %windows% folder in the C:\ root

Also an easy way to check for rootkit files is to try to create a file with the same name in that folder.
If on XP there is actually an undetectable dwmapi.dl in a specific directory then if you try to create a file with the same name you’ll get an error.
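The check proposed in the last post (try to create a file with the same name; an unexpected "already exists" error means something occupies the name even though listings do not show it) can be scripted so that the inconclusive outcomes are kept apart from the interesting one. This Python is an added example, not the poster's code: it distinguishes a name that is listed, one that is absent (the probe file is created and removed again), one that is hidden (not listed, yet exclusive creation fails), and the case where the directory simply is not writable. The demo runs in a temporary directory with constructed files; the `dwmapi.dl` name is the one from the thread.

```python
"""Probe a directory for a file name that listings do not show.

Added example. Exclusive creation (O_CREAT|O_EXCL) fails with "exists"
when the name is taken, which is the signal the last post describes.
"""
import os
import tempfile


def probe(directory: str, name: str) -> str:
    """Classify `name` inside `directory`.

    'listed'    - a normal directory listing shows it
    'absent'    - the name was free; the probe file was created and removed
    'hidden'    - not listed, yet creating it fails because the name is taken
    'no-access' - creation was refused, so the test is inconclusive
    """
    listed = {entry.lower() for entry in os.listdir(directory)}
    if name.lower() in listed:                   # Windows names are case-insensitive
        return "listed"
    target = os.path.join(directory, name)
    try:
        fd = os.open(target, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        return "hidden"
    except PermissionError:
        return "no-access"
    os.close(fd)
    os.remove(target)                            # leave the directory as found
    return "absent"


def demo() -> tuple:
    """Constructed self-check: one visible placeholder file, one free name."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "visible.dll"), "wb") as fh:
            fh.write(b"constructed placeholder")
        return probe(tmp, "visible.dll"), probe(tmp, "dwmapi.dl")


if __name__ == "__main__":
    print(demo())  # ('listed', 'absent')
```

On the real box the call would be `probe(r"C:\Windows\System32", "dwmapi.dl")` from an elevated prompt; a 'hidden' result is the one the post treats as suspicious, while 'no-access' only says the prompt lacked write rights to system32 and proves nothing either way.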