Almost every program I start pops up a message box informing me that that program is trying to install a system hook via MSCTF.DL, which is located in C:\Windows\System32.
I’ve look for this file and I can’t find it anywhere in that directory. There is a MSCTF.DLL located there, which is a part of the Windows system files (something to do with text services), but since Comodo is informing me that it is MSCTF.DL that is trying to install a hook, I assume that they are not the same file.
I’ve tried several anti-spyware and rootkit detectors and this file is still eluding me.
Am I on a wild goose chase now and is Comodo really informing me about MSCTF.DLL or am I really infested with a nasty piece of rootkit.
I did a bit of a search for this problem and found that someone who uses or had used Outpost firewall ran into a similar situation with MSCTF.DL. I could not find a solution though. Could it be possible that a previous installed security application has left some remnants in the registry to create this problem? Some firewall are very hard to uninstall and like to leave their droppings behind which will cause some strange things to happen. If no one can come up with an answer for you I think an uninstall of CFP, a good registry clean, and then after a reboot a fresh install.
Hope you get it working. Here is a link to what I found.
I’ve been using Comodo Personal Firewall for the last few years and I’ve not had this problem before. I do have a Wacom tablet, maybe a driver update caused this issue.
The problem is that if I allow this file to be loaded and it turns out that it was spyware/malware it will be too late.
So until I get a positive or negative answer, this file goes into the global block list.
After some more research I found out that the MSCTF.DL is nowhere to be found on my system. Also, other DLL’s that popup Defense+ warnings are show with the extension .DLL in the warning box.
When I click on the filename of one these DLL’s in the defense+ warning box it shows the windows properties window for that file.
All of this is not the case for my mystery MSCTF.DL file. When clicking on that filename in the Defense+ warning box nothing happens.
All of the above only feeds my suspicion that this file is some sort of malware. Does anybody else have similar experiences with this file or similar files?
UPDATE:
This morning a got a warning about a new file: DWMAPI.DL
The behaviour is the same: Defense+ warns about a hook being installed by DWMAPI.DL and when I click on the link for this file in the warning box nothing is shown.
I guess that this malware seems to try several routes to install itself and will use system file like names to fool the user into accepting this.
Since DWMAPI.DLL is the desktop windows manager I guess I would notice malfunctions when blocking it. Since nothing bad happens to the app I’m starting I’m getting more and more suspicious about these .dl file warnings.
I’m getting the same alerts for dwmapi.dl, which come up the first few times I run Explorer or insert a USB drive – in that case wmplayer.exe is the app – the alert says they are trying to install a global hook to dwmapi.dl
Again, blocking the access does not seem to afffect the windows in any way, and I also can not find any file with just the .dl extension, with “show hidden files” enabled and with “hide protected operating system files” disabled. Searching the registry shows NO entries for either dwmapi.dl or dwmapi.dll.
Needless to say, this is rather scary. Can anyone shed further light on this? I’m really hesitant to connect this PC to any other if I can’t be sure it’s not infected with something?
I am also experiencing this same issue running Windows Vista Ultimate (32-bit). I also do have a Wacom tablet installed, but I believe I had this issue even before I installed the drivers.
I also get the same thing with dwmapi.dl which also doesn’t exist on my system.
Personally I believe that there is no malware on my system, and that it is actually a bug with Comodo.
Can we get some information from a dev please? I’ve disabled Defense+ as it’s far too annoying with this problem at present.
I have been searching for the cause of this too. The application causing it is Firefox portable, running on a thumbdrive. The install hook activity is logged frequently for the duration that firefox is running (6 times a minute) . As with the others, there is no sign of dwmapi.dl on my system. It is a fairly fresh install of Vista Premium 32 bit with no tablet drivers installed. Maybe firefox is infected?
I am now having this issue, I am using Vista 32bit business on a clean install, it comes up with dwmapi.dl when i try to launch internet explorer, the worrying thing is aswell is i left the box open so i could see the name was reading this via the browser in Gamespy and all of a sudden the box closed and internet exploer opened to the home page, now i am worried that comodo just got fed up of waiting and allowed this to open? if so it may have just installed some nasty stuff on my pc, does comodo have a time out and if so what is the default answer it will give?!
Well, I had the same problem with dwmapi.dl, and considering that I have no internet at home, and I had just reformatted the system, I was a bit anxious.
I wrote to half world, and in a Hijackthis site answered me:
“It is normal for programs to use shared .dll processes for their needs - they “hook” them by including some of their own information, so when “this” happens, the hooks allow “that” to happen. But that one file, dwmapi.dl, is either some glitch that is giving incorrect file info”.
This is the same opinion of someone on PcHelp, and of a friend of mine, a Dell technician who says that for some misterious reason in VIsta error messages sometimes dll are called dl.
I must tell you that I am installing the SP1 for Vista, and I had to put COmodo in instal mode, so I was unable to block dwmapi again. It installed, and it is dwmapi.dll… So, possibly it was just an error.
Now it would be interesting to understand “error of whom?”. COmodo? Comodo last release? Vista?
Who decide how to call the programs and process in Comodo’s messages? It is Comodo? Or Comodo just reads the name which Vista gives to it?
Anyway, I had an error with the SP1, and I was unable to install it. I am going to post to see if someone knows something.
Bye!
Ah, anyway I must tell that a-squared found a low risk riskware in program files\comodo\firewall\s1.tmp, called Riskware.adtool.web32.mywebsearch.bn
and avira found a trojan, Spy.banker.vk.1, on 2 gif images in a offpage site I had downloaded. Anyway, the first can of course be involved, by the second was on another partition, and I had never opened it after the formatting…
Mmm…
What could be that on COmodo???
DOes comodo uses temporary files? For what? And what could be that riskware? Just a-squared being too diligent with a clean advertising (I do NOT like the new COmod bar on the last release, at all, make COmodo seems like c series software), or it can be related to the dwmapi.dl which in this case could be malware?
The toolbar that Comodo “ASKS” to install during it’s installation routine, is flagged as Adware by almost all AV and AntiMalware programs, so that’s what you’re seeing as Riskware".
It’s very simple if you don’t want the toolbar installed just uncheck the option during Comodo’s installation, it’s that simple. The toolbar is completely safe but since it does serve advertising, it is (and most likely always will be), listed as Adware by all the relevant anti-whatever programs.
It’s also in no way related to the dwmapi.dll issue either.
To answer your other question…kind of, most programs read the file properties of a certain file to display their name, but that doesn’t mean that it’s now Vista’s fault because this file’s properties will show as .dll and not .dl.
This used to be common when some programs reported a file name a number of years back, back in the 8.3 days, and things were commonly abbreviated, including the extension but I don’t know why it was done this way with Comodo’s message. All I can think of is that it’s a simple Interface issue and is mispelled.
.DL files extensions are suspicious expecialy if you cannot find those files.
It looks an infection to me.
Please post a screenshot of those CFP alerts.
If the alerts mention C:\Windows\System32\MSCTF.DL and you found only MSCTF.DLL in that System32 folder then you should try to create there a new file named MSCTF.DL .
Please note that if windows don’t show file extensions for registered application (eg text files are only displyed by name and you can only tell the file type looking at the icon or at the file properties) you need to disable that “hide file extension” feature first.
If you cannot create a MSCTF.DL file, write something in it and save it again then it could be a rootkit.
Please note that I cannot guarantee that this method works on vista as described but it will surely work on XP machines.