Author Topic: dwm.exe Proc.Injected  (Read 12563 times)


khuntim

« on: September 09, 2016, 12:03:05 AM »
How to tell if this is a false positive and just Desktop Window Manager? It comes up as Proc.Injected in C:\Windows\System32\dwm.exe

Thanks


Curson

  • Global Moderator
« Reply #1 on: September 09, 2016, 02:49:10 AM »
Hi khuntim,

The injection might occur for multiple reasons.
Could you please copy/paste the full RogueKiller report in your next reply?

Regards.


khuntim

« Reply #2 on: September 09, 2016, 04:45:53 AM »
RogueKiller V12.6.1.0 (x64) [Sep  6 2016] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Don [Administrator]
Started from : C:\Users\Don\Desktop\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 09/08/2016 19:14:45 (Duration : 00:11:04)

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] dwm.exe(1880) -- C:\Windows\System32\dwm.exe[7] -> Found

¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3142311046-1334442230-1924139417-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3142311046-1334442230-1924139417-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3142311046-1334442230-1924139417-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3142311046-1334442230-1924139417-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM ST1000DM003-1ER1 SCSI Disk Device +++++
--- User ---
[MBR] 65b531c3537f31e45c3211ef8a06f7f8
[BSP] c104aa894c15d2f84e580a66f07857cf : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 81920 | Size: 24802 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 50876416 | Size: 929026 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Curson

« Reply #3 on: September 09, 2016, 01:50:33 PM »
Hi khuntim,

Please follow this process:
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • When RogueKiller goes into a loop, locate the process named dwm.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Upload it to Dropbox, Google Drive or a similar service and share the link in your next reply.
Regards.
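
For the question this thread asks (is the flagged dwm.exe the genuine Desktop Window Manager?), a first-pass check that can be run alongside the dump requested above. It is an added example, not part of the original posts and not Adlice's detection logic; it assumes an elevated 64-bit Windows PowerShell 5.1 session, and the helper name Get-SignatureRow is hypothetical.

```powershell
# Added example. Assumption: elevated 64-bit Windows PowerShell 5.1.
# Expected on-disk location of the genuine Desktop Window Manager binary.
$expected = Join-Path $env:SystemRoot 'System32\dwm.exe'

# Hypothetical helper: one report row per file, with its Authenticode status.
# Older PowerShell versions can report catalog-signed system files as NotSigned.
function Get-SignatureRow {
    param([int]$ProcId, [string]$Role, [string]$File, [string]$Expected)
    $sig = Get-AuthenticodeSignature -FilePath $File
    $pathOk = $null
    if ($Expected) { $pathOk = ($File -ieq $Expected) }
    [pscustomobject]@{
        PID          = $ProcId
        Role         = $Role
        File         = $File
        ExpectedPath = $pathOk
        Status       = $sig.Status
        Microsoft    = ($sig.Status -eq 'Valid' -and
                        $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }
}

foreach ($proc in Get-Process -Name dwm -ErrorAction SilentlyContinue) {
    if (-not $proc.Path) {
        Write-Warning "PID $($proc.Id): image path unreadable (session not elevated?)"
        continue
    }

    # 1. The running image: is it the System32 binary, and is that file signed?
    Get-SignatureRow -ProcId $proc.Id -Role 'image' -File $proc.Path -Expected $expected

    # 2. Loaded modules: report only those without a valid Microsoft signature.
    $modules = $null
    try { $modules = $proc.Modules } catch { }
    if (-not $modules) {
        Write-Warning "PID $($proc.Id): module list unreadable"
        continue
    }
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }
        $row = Get-SignatureRow -ProcId $proc.Id -Role 'module' -File $m.FileName
        if (-not $row.Microsoft) { $row }
    }
}
```

A clean result only covers the image and the modules loaded from disk. Code injected without a backing file does not appear in the module list, so the full dump remains the artifact to send.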


khuntim

« Reply #4 on: November 09, 2016, 11:49:42 PM »
When RogueKiller goes into a loop?


Curson

« Reply #5 on: November 10, 2016, 09:35:02 PM »
Hi khuntim,

Sorry, this case doesn't apply to your issue.
You can just dump the process, regardless of whether RogueKiller is running or not.

Regards.


khuntim

« Reply #6 on: December 31, 2016, 06:56:24 AM »
This comes up on every scan on every PC.


Curson

« Reply #7 on: January 01, 2017, 03:00:41 PM »
Hi khuntim,

Could you please update RogueKiller to the latest version and redo the scan?
Then, please attach the full RogueKiller report to your next reply.

Regards.


khuntim

« Reply #8 on: February 05, 2018, 08:19:18 PM »
Using 12.12.3.0 and still get Proc.Injected C:\Windows\System32\dwm.exe on all my PCs?


Curson

« Reply #9 on: February 05, 2018, 09:09:45 PM »
Hi khuntim,

Could you please attach the RogueKiller JSON report to your next reply?

Regards.