Login
▼
Register
Home
Help
Search
Login
Register
Adlice.com
Adlice forum
»
General Category
»
Malware removal help
»
dwm.exe Proc.Injected
« previous
next »
Print
Pages: [
1
]
Author
Topic: dwm.exe Proc.Injected (Read 12563 times)
0 Members and 1 Guest are viewing this topic.
September 09, 2016, 12:03:05 AM
khuntim
Newbie
Offline
9
Reputation:
0
dwm.exe Proc.Injected
«
on:
September 09, 2016, 12:03:05 AM »
How to tell if this is false positive and just Desktop Windows Manger? comes up Proc.Injected in C:\Windows\System32\dwm.exe
Thanks
Logged
Reply #1
September 09, 2016, 02:49:10 AM
Curson
Global Moderator
Hero Member
Offline
2809
Reputation:
100
Re: dwm.exe Proc.Injected
«
Reply #1 on:
September 09, 2016, 02:49:10 AM »
Hi khuntim,
The injection might be caused for multiple reasons.
Could you please copy/paste RogueKiller full report in your next reply ?
Regards.
Logged
Reply #2
September 09, 2016, 04:45:53 AM
khuntim
Newbie
Offline
9
Reputation:
0
Re: dwm.exe Proc.Injected
«
Reply #2 on:
September 09, 2016, 04:45:53 AM »
RogueKiller V12.6.1.0 (x64) [Sep 6 2016] (Premium) by Adlice Software
mail :
http://www.adlice.com/contact/
Feedback :
http://forum.adlice.com
Website :
http://www.adlice.com/download/roguekiller/
Blog :
http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Don [Administrator]
Started from : C:\Users\Don\Desktop\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 09/08/2016 19:14:45 (Duration : 00:11:04)
¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] dwm.exe(1880) -- C:\Windows\System32\dwm.exe[7] -> Found
¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3142311046-1334442230-1924139417-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
http://dell13.msn.com/?pc=DCJB
-> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3142311046-1334442230-1924139417-1000\Software\Microsoft\Internet Explorer\Main | Start Page :
http://dell13.msn.com/?pc=DCJB
-> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3142311046-1334442230-1924139417-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
http://dell13.msn.com/?pc=DCJB
-> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3142311046-1334442230-1924139417-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
http://dell13.msn.com/?pc=DCJB
-> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM ST1000DM003-1ER1 SCSI Disk Device +++++
--- User ---
[MBR] 65b531c3537f31e45c3211ef8a06f7f8
[BSP] c104aa894c15d2f84e580a66f07857cf : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 81920 | Size: 24802 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 50876416 | Size: 929026 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
Logged
Reply #3
September 09, 2016, 01:50:33 PM
Curson
Global Moderator
Hero Member
Offline
2809
Reputation:
100
Re: dwm.exe Proc.Injected
«
Reply #3 on:
September 09, 2016, 01:50:33 PM »
Hi khuntim,
Please follow the following process :
Download
Process Explorer
and save it to your desktop.
Click on the setup file (procexp.exe) and select
Run as Administrator
to start the tool.
When RogueKiller goes in a loop, locate the process named
dwm.exe
, do a right click on it and select
Create Dump > Create Full Dump...
Save the dump on your desktop and compress it.
Upload it to Dropbox, Google Drive or similar services and share the link in your next reply.
Regards.
Logged
Reply #4
November 09, 2016, 11:49:42 PM
khuntim
Newbie
Offline
9
Reputation:
0
Re: dwm.exe Proc.Injected
«
Reply #4 on:
November 09, 2016, 11:49:42 PM »
when roguekiller goes in a loop?
Logged
Reply #5
November 10, 2016, 09:35:02 PM
Curson
Global Moderator
Hero Member
Offline
2809
Reputation:
100
Re: dwm.exe Proc.Injected
«
Reply #5 on:
November 10, 2016, 09:35:02 PM »
Hi khuntim,
Sorry, this case don't apply to your issue.
You can just dump the process, regardless if RogueKiller is running or not.
Regards.
Logged
Reply #6
December 31, 2016, 06:56:24 AM
khuntim
Newbie
Offline
9
Reputation:
0
Re: dwm.exe Proc.Injected
«
Reply #6 on:
December 31, 2016, 06:56:24 AM »
this comes up on every scan on every PC
Logged
Reply #7
January 01, 2017, 03:00:41 PM
Curson
Global Moderator
Hero Member
Offline
2809
Reputation:
100
Re: dwm.exe Proc.Injected
«
Reply #7 on:
January 01, 2017, 03:00:41 PM »
Hi khuntim,
Could you please update RogueKiller to latest version and redo a scan ?
Then, please attach RogueKiller full report with your next reply.
Regards.
Logged
Reply #8
February 05, 2018, 08:19:18 PM
khuntim
Newbie
Offline
9
Reputation:
0
Re: dwm.exe Proc.Injected
«
Reply #8 on:
February 05, 2018, 08:19:18 PM »
using 12.12.3.0 and still get Proc.Injected C:\Windows\System32\dwm.exe on all my PCs?
Logged
Reply #9
February 05, 2018, 09:09:45 PM
Curson
Global Moderator
Hero Member
Offline
2809
Reputation:
100
Re: dwm.exe Proc.Injected
«
Reply #9 on:
February 05, 2018, 09:09:45 PM »
Hi khuntim,
Could you please attach RogueKiller JSON report with your next reply ?
Regards.
Logged
Print
Pages: [
1
]
« previous
next »
Adlice forum
»
General Category
»
Malware removal help
»
dwm.exe Proc.Injected