dmw.exe - fake firefox - lenovo/data.js (new malware?)


10 replies to this topic

#1 Daluicis

Daluicis

  • Members
  • 24 posts
  • OFFLINE
  • Local time:10:24 PM

Posted 12 December 2013 - 11:37 PM

Hello all,

 

I have the suspicion this malware is a new one. I can't find much information about it. I only found one thread here on Bleepingcomputers and one on a Dutch forum. I can't seem to find the one on Bleepingcomputers anymore though. (I used various keywords to look for information on this problem.)

 

The situation is as follows:

 

OS: Windows 7 (Ultimate)

 

- getting fake crash reports from "AMozilla" about "AFirefox". Since the name is weird and Firefox keeps working perfectly fine, I went investigating.

- Malware Bytes, Emsisoft anti-malware, spybot S&D, McAfee Antivirus Plus scans don't find anything

- located the fake crash reporter "crashreporter.exe" at: C:\Program Files (x86)\Common Files\Lenovo

(my laptop is not from Lenovo)

- uploaded that file to virustotal: clean

- went on further investigation and noticed that even without Firefox running, a process is created (and recreated immediately if killed): "dmw.exe", with the description "firefox" (not to be confused with the legit dwm.exe)

- dmw.exe doesn't give any positives on virustotal

- investigated more and learned the dmw.exe process is started by the startup script data.js in the very same Lenovo folder. It's also connected to the process "wscript.exe", which has its origin in: C:\Windows\SysWOW64

- the data.js file gives only 3 positives on virustotal: link report

- tried to kill that startup script and the Lenovo folder with various methods (HijackThis and McAfee Shredder); they failed

- I ran TDSSKiller; no results

 

 

So this is a tough one and I am in need of some help.

 

Since I only realised today that I'm infected (there is no doubt that I am), I also realise that a couple of days ago my wireless connection had problems, and since then I lose connection at times. (I thought it was my provider being funny, or another wireless device interfering.) The Lenovo folder was made on 09/12.

 

 

 

*edit* I probably should have posted this in the other section with a DDS-logfile.
I'll await confirmation; or if a moderator could move this thread to the right section and asks, I'll add one. :)

 

 

*update* My tired mind (it's 6:20am here and I haven't slept yet) didn't think about this before. :scratchhead: But I rebooted the laptop in safe mode and was able to destroy the Lenovo folder there.
After rebooting the laptop in normal mode, I got an error that data.js couldn't be loaded, which is a good thing of course. I'll have to check to remove that startup process. What worries me still though is the connection with "wscript.exe". So I'm still looking for help/advice on this matter ;)


Edited by Daluicis, 13 December 2013 - 12:23 AM.
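The chain described in the post above (a startup entry runs wscript.exe on data.js, and that script keeps relaunching a lookalike-named dmw.exe whenever it is killed) is a pattern a responder can triage from a process snapshot. The Python below is an added example, not code from the thread or any tool mentioned in it: it builds the parent/child tree, flags script hosts running a script file, flags binaries whose name is a one-character swap of a known system binary (or a known name loaded from the wrong directory), and reports which PID to terminate first, the outermost script host, since killing only the child lets the script loop respawn it. The snapshot is constructed to mirror the post; the Lenovo path and the names dmw.exe, dwm.exe, wscript.exe and data.js come from the post, while the function names, the `Proc` record and the small `KNOWN_SYSTEM_BINARIES` table are assumptions of this example.

```python
"""Triage a respawning process launched by a Windows Script Host startup
script (wscript.exe -> data.js -> dmw.exe), as in the post above.

Added example, not code from the original thread. The process snapshot
below is constructed to mirror the post; only the Lenovo folder path and
the binary names come from the post itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Script hosts that execute .js/.vbs files. A startup entry that points one
# of these at a script in an unexpected folder is a classic persistence pattern.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# Well-known Windows binaries and the directory they legitimately load from,
# used to catch lookalike names such as dmw.exe versus the real dwm.exe.
# (Assumed minimal table; extend it for your own environment.)
KNOWN_SYSTEM_BINARIES = {
    "dwm.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare command-line token


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str      # directory the image was loaded from
    cmdline: str


# Constructed snapshot: wscript.exe runs data.js from the bogus Lenovo folder
# and that script keeps relaunching dmw.exe whenever it is killed.
SAMPLE: List[Proc] = [
    Proc(4, 0, "System", "", ""),
    Proc(600, 4, "wininit.exe", r"c:\windows\system32", "wininit.exe"),
    Proc(1200, 600, "dwm.exe", r"c:\windows\system32", r"C:\Windows\system32\Dwm.exe"),
    Proc(1500, 600, "explorer.exe", r"c:\windows", r"C:\Windows\Explorer.EXE"),
    Proc(3100, 1500, "wscript.exe", r"c:\windows\syswow64",
         r'"C:\Windows\SysWOW64\wscript.exe" "C:\Program Files (x86)\Common Files\Lenovo\data.js"'),
    Proc(3320, 3100, "dmw.exe", r"c:\program files (x86)\common files\lenovo",
         r'"C:\Program Files (x86)\Common Files\Lenovo\dmw.exe"'),
]


def _is_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by one swap of adjacent characters."""
    if len(a) != len(b) or a == b:
        return False
    d = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]]


def lookalike_of(name: str, path: str) -> Optional[str]:
    """Return the system binary this process impersonates, or None.

    Flags a known name loaded from the wrong directory, and an
    adjacent-character swap of a known name (dmw.exe -> dwm.exe).
    """
    n, p = name.lower(), path.lower().rstrip("\\")
    for legit, legit_dir in KNOWN_SYSTEM_BINARIES.items():
        if n == legit:
            return None if p == legit_dir else legit
        if _is_transposition(n, legit):
            return legit
    return None


def script_host_script(proc: Proc) -> Optional[str]:
    """If proc is wscript/cscript running a script file, return that file."""
    if proc.name.lower() not in SCRIPT_HOSTS:
        return None
    args = [quoted or bare for quoted, bare in _TOKEN.findall(proc.cmdline)]
    for arg in args[1:]:
        if arg.lower().endswith(SCRIPT_EXTS):
            return arg
    return None


def triage(procs: List[Proc]) -> List[dict]:
    """Report script-host launches and lookalike binaries; for each, name the
    PID to terminate first: the outermost script host in its ancestry, because
    killing only the child lets the script loop relaunch it."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        script = script_host_script(p)
        if script:
            findings.append({"pid": p.pid, "kind": "script-host",
                             "detail": script, "kill_first": p.pid})
        legit = lookalike_of(p.name, p.path)
        if legit:
            root, cur, seen = p, by_pid.get(p.ppid), {p.pid}
            while cur is not None and cur.pid not in seen:  # walk up; guard cycles
                seen.add(cur.pid)
                if script_host_script(cur):
                    root = cur
                cur = by_pid.get(cur.ppid)
            findings.append({"pid": p.pid, "kind": "lookalike",
                             "detail": f"{p.name} mimics {legit}", "kill_first": root.pid})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"pid {f['pid']:>5}  {f['kind']:<12} {f['detail']}  -> kill pid {f['kill_first']} first")
```

On a live Windows host the `Proc` records would be filled from a process listing that exposes parent PID, image path and command line (for instance the `ParentProcessId`, `ExecutablePath` and `CommandLine` properties of `Win32_Process`); the logic itself does not depend on where the snapshot comes from, which is also why the poster's observation that the folder could only be deleted from safe mode fits: in safe mode the startup entry never runs wscript.exe, so nothing holds the files open or relaunches them.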



#2 noknojon

noknojon

    Almost Retired


  • Members
  • 10,044 posts
  • ONLINE
  • Gender:Male
  • Location:Victoria Australia
  • Local time:07:24 AM

Posted 13 December 2013 - 03:50 AM

Hello -

While you are here, we may as well have a quick look at a few scans -

 

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

Next -

Download MiniToolBox, Save it to your desktop to run it.
Close any Firefox browsers you may have open
Checkmark the following boxes:
•Flush DNS
•Report IE Proxy Settings
•Reset IE Proxy Settings
•Report FF Proxy Settings
•Reset FF Proxy Settings
•List content of Hosts
•List IP configuration
•List last 10 Event Viewer log
•List Installed Programs
•List Users, Partitions and Memory size.
•List Minidump Files
 
Click Go and copy / paste the result (Result.txt).

 

 

Next - Empty Cache / Temp Files

Please download Temp File Cleaner by Old Timer
* Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
* Double-click on the TFC icon.
* Vista / Windows 7 & 8 users Right click on the icon and select Run as Administrator
* When the program opens, click on the Start button. 
* TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
* When done, press OK and reboot your computer to finish the cleanup.

 

Thank You -


******************************************* Waiting for a reply ?? Press F5 to Refresh as you may have one waiting ************************************************


#3 Daluicis

Daluicis
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:10:24 PM

Posted 13 December 2013 - 09:24 AM

Hello Noknojon,

 

Thank you for your reply. Here are the log files requested:

 

 

 

 Results of screen317's Security Check version 0.99.77  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
McAfee Antivirus en antispyware   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0    
 Spybot - Search & Destroy
 Java 7 Update 45  
 Adobe Flash Player 11.9.900.170  
 Adobe Reader XI  
 Mozilla Firefox (25.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Spybot Teatimer.exe is disabled!
 Emsisoft Anti-Malware a2service.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 7%
````````````````````End of Log``````````````````````

 

 

 

 

MiniToolBox by Farbar  Version: 13-07-2013
Ran by Arne (administrator) on 13-12-2013 at 15:07:15
Running from "C:\Users\Arne\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP-configuratie

De DNS-omzettingscache is leeggemaakt.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Intel® Centrino® Wireless-N 135 = Draadloze netwerkverbinding (Connected)
Bluetooth-apparaat (Personal Area Network) = Bluetooth-netwerkverbinding (Media disconnected)
Realtek PCIe GBE Family Controller = LAN-verbinding (Media disconnected)


# ----------------------------------
# IPv4-configuratie
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=192.168.0.170 metric=1 publish=Ja


popd
# Einde van IPv4-configuratie



Windows IP-configuratie

   Hostnaam  . . . . . . . . . . . . : Arne-laptop
   Primair DNS-achtervoegsel . . . . :
   Knooppunttype . . . . . . . . . . : hybride
   IP-routering ingeschakeld . . . . : nee
   WINS-proxy ingeschakeld . . . . . : nee
   DNS-achtervoegselzoeklijst. . . . : home

Draadloos LAN-adapter voor Draadloze netwerkverbinding:

   Verbindingsspec. DNS-achtervoegsel: home
   Beschrijving. . . . . . . . . . . : Intel® Centrino® Wireless-N 135
   Fysiek adres. . . . . . . . . . . : 0C-D2-92-6D-74-19
   DHCP ingeschakeld . . . . . . . . : ja
   Autom. configuratie ingeschakeld  : ja
   Link-local IPv6-adres . . . . . . : fe80::d519:266e:4b45:7b86%13(voorkeur)
   IPv4-adres. . . . . . . . . . . . : 192.168.0.170(voorkeur)
   Subnetmasker. . . . . . . . . . . : 255.255.255.0
   Lease verkregen . . . . . . . . . : vrijdag 13 december 2013 14:54:08
   Lease verlopen. . . . . . . . . . : vrijdag 13 december 2013 15:54:08
   Standaardgateway. . . . . . . . . : 192.168.0.1
   DHCP-server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 353161874
   DHCPv6-client DUID. . . . . . . . : 00-01-00-01-1A-2F-A0-69-00-90-F5-ED-48-7F
   DNS-servers . . . . . . . . . . . : 195.130.130.133
                                       195.130.131.133
   NetBIOS via TCPIP . . . . . . . . : ingeschakeld

Ethernet-adapter voor LAN-verbinding:

   Mediumstatus. . . . . . . . . . . : medium ontkoppeld
   Verbindingsspec. DNS-achtervoegsel:
   Beschrijving. . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Fysiek adres. . . . . . . . . . . : 00-90-F5-ED-48-7F
   DHCP ingeschakeld . . . . . . . . : ja
   Autom. configuratie ingeschakeld  : ja

Ethernet-adapter voor Bluetooth-netwerkverbinding:

   Mediumstatus. . . . . . . . . . . : medium ontkoppeld
   Verbindingsspec. DNS-achtervoegsel:
   Beschrijving. . . . . . . . . . . : Bluetooth-apparaat (Personal Area Network)
   Fysiek adres. . . . . . . . . . . : 0C-D2-92-6D-74-1D
   DHCP ingeschakeld . . . . . . . . : ja
   Autom. configuratie ingeschakeld  : ja

Tunnel-adapter voor isatap.home:

   Mediumstatus. . . . . . . . . . . : medium ontkoppeld
   Verbindingsspec. DNS-achtervoegsel: home
   Beschrijving. . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Fysiek adres. . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP ingeschakeld . . . . . . . . : nee
   Autom. configuratie ingeschakeld  : ja

Tunnel-adapter voor Teredo Tunneling Pseudo-Interface:

   Verbindingsspec. DNS-achtervoegsel:
   Beschrijving. . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Fysiek adres. . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP ingeschakeld . . . . . . . . : nee
   Autom. configuratie ingeschakeld  : ja
   IPv6-adres. . . . . . . . . . . . : 2001:0:9d38:6ab8:d:34ec:4d88:4c44(voorkeur)
   Link-local IPv6-adres . . . . . . : fe80::d:34ec:4d88:4c44%14(voorkeur)
   Standaardgateway. . . . . . . . . : ::
   NetBIOS via TCPIP . . . . . . . . : uitgeschakeld
Server:  roes.dnscache03.telenet-ops.be
Address:  195.130.130.133

Naam:    google.com
Addresses:  2a00:1450:4013:c01::64
      74.125.136.100
      74.125.136.101
      74.125.136.102
      74.125.136.113
      74.125.136.138
      74.125.136.139


Pingen naar google.com [74.125.136.139] met 32 bytes aan gegevens:
Antwoord van 74.125.136.139: bytes=32 tijd=200 ms TTL=47
Antwoord van 74.125.136.139: bytes=32 tijd=19 ms TTL=47

Ping-statistieken voor 74.125.136.139:
    Pakketten: verzonden = 2, ontvangen = 2, verloren = 0
    (0% verlies).

De gemiddelde tijd voor het uitvoeren van één bewerking in milliseconden:
    Minimum = 19ms, Maximum = 200ms, Gemiddelde = 109ms
Server:  roes.dnscache03.telenet-ops.be
Address:  195.130.130.133

Naam:    yahoo.com
Addresses:  98.139.183.24
      206.190.36.45
      98.138.253.109


Pingen naar yahoo.com [98.138.253.109] met 32 bytes aan gegevens:
Antwoord van 98.138.253.109: bytes=32 tijd=197 ms TTL=51
Antwoord van 98.138.253.109: bytes=32 tijd=190 ms TTL=51

Ping-statistieken voor 98.138.253.109:
    Pakketten: verzonden = 2, ontvangen = 2, verloren = 0
    (0% verlies).

De gemiddelde tijd voor het uitvoeren van één bewerking in milliseconden:
    Minimum = 190ms, Maximum = 197ms, Gemiddelde = 193ms

Pingen naar 127.0.0.1 met 32 bytes aan gegevens:
Antwoord van 127.0.0.1: bytes=32 tijd<1 ms TTL=128
Antwoord van 127.0.0.1: bytes=32 tijd<1 ms TTL=128

Ping-statistieken voor 127.0.0.1:
    Pakketten: verzonden = 2, ontvangen = 2, verloren = 0
    (0% verlies).

De gemiddelde tijd voor het uitvoeren van één bewerking in milliseconden:
    Minimum = 0ms, Maximum = 0ms, Gemiddelde = 0ms
===========================================================================
Interfacelijst
 13...0c d2 92 6d 74 19 ......Intel® Centrino® Wireless-N 135
 12...00 90 f5 ed 48 7f ......Realtek PCIe GBE Family Controller
 11...0c d2 92 6d 74 1d ......Bluetooth-apparaat (Personal Area Network)
  1...........................Software Loopback Interface 1
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 routetabel
===========================================================================
Actieve routes:
Netwerkadres             Netmasker          Gateway        Interface Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.170     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0         On-link     192.168.0.170     26
  169.254.255.255  255.255.255.255         On-link     192.168.0.170    281
      192.168.0.0    255.255.255.0         On-link     192.168.0.170    281
    192.168.0.170  255.255.255.255         On-link     192.168.0.170    281
    192.168.0.255  255.255.255.255         On-link     192.168.0.170    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.0.170    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.0.170    281
===========================================================================
Permanente routes:
  Netwerkadres             Netmask  Gateway-adres    Metric
      169.254.0.0      255.255.0.0    192.168.0.170       1
===========================================================================

IPv6 routetabel
===========================================================================
Actieve routes:
 Indien metrische netwerkbestemming      Gateway
 14     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     58 2001::/32                On-link
 14    306 2001:0:9d38:6ab8:d:34ec:4d88:4c44/128
                                    On-link
 13    281 fe80::/64                On-link
 14    306 fe80::/64                On-link
 14    306 fe80::d:34ec:4d88:4c44/128
                                    On-link
 13    281 fe80::d519:266e:4b45:7b86/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    306 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
===========================================================================
Permanente routes:
  Geen

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/13/2013 03:04:39 PM) (Source: .NET Runtime) (User: )
Description: .NET Runtime version 4.0.30319.18408 - Er is een fout opgetreden tijdens de initialisatie van de koppelingsinfrastructuur voor de profiling-API. Dit proces staat niet toe dat een profiler wordt gekoppeld. HRESULT: 0x80004005.  Proces-id (decimaal): 7888. Bericht-id: [0x2509].

Error: (12/13/2013 02:54:27 PM) (Source: NvStreamSvc) (User: )
Description: NvStreamSvcNvVAD initialization failed [6]

Error: (12/13/2013 02:54:27 PM) (Source: NvStreamSvc) (User: )
Description: NvStreamSvcFailed to set NvVAD endpoint as default Audio endpoint [0]

Error: (12/13/2013 06:24:56 AM) (Source: .NET Runtime) (User: )
Description: .NET Runtime version 4.0.30319.18408 - Er is een fout opgetreden tijdens de initialisatie van de koppelingsinfrastructuur voor de profiling-API. Dit proces staat niet toe dat een profiler wordt gekoppeld. HRESULT: 0x80004005.  Proces-id (decimaal): 5216. Bericht-id: [0x2509].

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service) (User: )
Description: De index kan niet worden geïnitialiseerd.


Details:
    De catalogus met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service) (User: )
Description: De toepassing kan niet worden geïnitialiseerd.

Context: toepassing Windows


Details:
    De catalogus met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service) (User: )
Description: Het object van de gegevensverzamelaar kan niet worden geïnitialiseerd.

Context: toepassing Windows, catalogus SystemIndex


Details:
    De catalogus met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service) (User: )
Description: De invoegtoepassing in <Search.TripoliIndexer> kan niet worden geïnitialiseerd.

Context: toepassing Windows, catalogus SystemIndex


Details:
    Kan element niet vinden.  (HRESULT : 0x80070490) (0x80070490)

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service) (User: )
Description: De invoegtoepassing in <Search.JetPropStore> kan niet worden geïnitialiseerd.

Context: toepassing Windows, catalogus SystemIndex


Details:
    De catalogus met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service) (User: )
Description: De Windows Search-service kan de gegevens van het eigenschappenarchief niet laden.

Context: toepassing Windows, catalogus SystemIndex


Details:
    De database met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041800) (0xc0041800)


System errors:
=============
Error: (12/13/2013 06:19:30 AM) (Source: Service Control Manager) (User: )
Description: De Windows Search-service kan vanwege de volgende fout niet worden gestart:
%%1053

Error: (12/13/2013 06:19:30 AM) (Source: Service Control Manager) (User: )
Description: Time-out (30000 seconden) tijdens het wachten op het verbinden van deze service: Windows Search.

Error: (12/13/2013 06:19:28 AM) (Source: Service Control Manager) (User: )
Description: De Windows Search-service kan vanwege de volgende fout niet worden gestart:
%%1053

Error: (12/13/2013 06:19:28 AM) (Source: Service Control Manager) (User: )
Description: Time-out (30000 seconden) tijdens het wachten op het verbinden van deze service: Windows Search.

Error: (12/13/2013 06:19:28 AM) (Source: Service Control Manager) (User: )
Description: De Windows Search-service kan vanwege de volgende fout niet worden gestart:
%%1053

Error: (12/13/2013 06:19:28 AM) (Source: Service Control Manager) (User: )
Description: Time-out (30000 seconden) tijdens het wachten op het verbinden van deze service: Windows Search.

Error: (12/13/2013 06:19:06 AM) (Source: Service Control Manager) (User: )
Description: De Windows Search-service kan vanwege de volgende fout niet worden gestart:
%%1053

Error: (12/13/2013 06:19:06 AM) (Source: Service Control Manager) (User: )
Description: Time-out (30000 seconden) tijdens het wachten op het verbinden van deze service: Windows Search.

Error: (12/13/2013 06:19:06 AM) (Source: Service Control Manager) (User: )
Description: De Windows Search-service kan vanwege de volgende fout niet worden gestart:
%%1053

Error: (12/13/2013 06:19:06 AM) (Source: Service Control Manager) (User: )
Description: Time-out (30000 seconden) tijdens het wachten op het verbinden van deze service: Windows Search.


Microsoft Office Sessions:
=========================
Error: (12/13/2013 03:04:39 PM) (Source: .NET Runtime)(User: )
Description: .NET Runtime version 4.0.30319.18408 - Er is een fout opgetreden tijdens de initialisatie van de koppelingsinfrastructuur voor de profiling-API. Dit proces staat niet toe dat een profiler wordt gekoppeld. HRESULT: 0x80004005.  Proces-id (decimaal): 7888. Bericht-id: [0x2509].

Error: (12/13/2013 02:54:27 PM) (Source: NvStreamSvc)(User: )
Description: NvStreamSvcNvVAD initialization failed [6]

Error: (12/13/2013 02:54:27 PM) (Source: NvStreamSvc)(User: )
Description: NvStreamSvcFailed to set NvVAD endpoint as default Audio endpoint [0]

Error: (12/13/2013 06:24:56 AM) (Source: .NET Runtime)(User: )
Description: .NET Runtime version 4.0.30319.18408 - Er is een fout opgetreden tijdens de initialisatie van de koppelingsinfrastructuur voor de profiling-API. Dit proces staat niet toe dat een profiler wordt gekoppeld. HRESULT: 0x80004005.  Proces-id (decimaal): 5216. Bericht-id: [0x2509].

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service)(User: )
Description:
Details:
    De catalogus met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service)(User: )
Description: Context: toepassing Windows


Details:
    De catalogus met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service)(User: )
Description: Context: toepassing Windows, catalogus SystemIndex


Details:
    De catalogus met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service)(User: )
Description: Context: toepassing Windows, catalogus SystemIndex


Details:
    Kan element niet vinden.  (HRESULT : 0x80070490) (0x80070490)
Search.TripoliIndexer

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service)(User: )
Description: Context: toepassing Windows, catalogus SystemIndex


Details:
    De catalogus met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041801) (0xc0041801)
Search.JetPropStore

Error: (12/13/2013 06:19:01 AM) (Source: Windows Search Service)(User: )
Description: Context: toepassing Windows, catalogus SystemIndex


Details:
    De database met de inhoudsindex is beschadigd.  (HRESULT : 0xc0041800) (0xc0041800)


=========================== Installed Programs ============================

Adobe Flash Player 11 Plugin (Version: 11.9.900.170)
Adobe Reader XI (11.0.05) - Nederlands (Version: 11.0.05)
Apple Application Support (Version: 2.3.6)
Apple Mobile Device Support (Version: 7.0.0.117)
Apple Software Update (Version: 2.1.3.127)
Audacity 2.0.5 (Version: 2.0.5)
Bonjour (Version: 3.0.0.10)
Canon Easy-WebPrint EX (Version: 1.3.5.0)
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool (Version: 3.1.0)
Canon IJ Scan Utility
Canon MG4200 series MP Drivers (Version: 1.01)
Canon My Image Garden (Version: 1.0.0)
Canon My Image Garden Design Files (Version: 1.0.0)
Canon My Printer (Version: 3.0.0)
CCleaner (Version: 4.08)
D3DX10 (Version: 15.4.2368.0902)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Emsisoft Anti-Malware (Version: 8.1)
Football Manager 2014
Gebruikersregistratie voor Canon MG4200 series
GeForce Experience NvStream Client Components (Version: 1.6.28)
Intel® Management Engine Components (Version: 9.0.0.1310)
Intel® Processor Graphics (Version: 9.18.10.3257)
Intel® Rapid Storage Technology (Version: 12.0.0.1083)
Intel® SDK for OpenCL - CPU Only Runtime Package (Version: 3.0.0.66956)
Intel® USB 3.0 eXtensible Host Controller Driver (Version: 2.5.0.19)
Intel® Trusted Connect Service Client (Version: 1.27.757.1)
iTunes (Version: 11.1.3.8)
Java 7 Update 45 (Version: 7.0.450)
Java Auto Updater (Version: 2.1.9.8)
Junk Mail filter update (Version: 16.4.3508.0205)
K-Lite Codec Pack 10.1.5 Full (Version: 10.1.5)
Malwarebytes Anti-Malware versie 1.75.0.1300 (Version: 1.75.0.1300)
Mass Effect
McAfee AntiVirus Plus (Version: 12.8.856)
Microsoft .NET Framework 4.5.1 (Nederlands) (Version: 4.5.50938)
Microsoft .NET Framework 4.5.1 (NLD) (Version: 4.5.50938)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Groove MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (German) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (Dutch) 2010 (Version: 14.0.6029.1000)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Movie Maker (Version: 16.4.3508.0205)
Mozilla Firefox 25.0.1 (x86 nl) (Version: 25.0.1)
Mozilla Maintenance Service (Version: 25.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSVCRT110 (Version: 16.4.1108.0727)
MSVCRT110_amd64 (Version: 16.4.1109.0912)
Nexus Mod Manager (Version: 0.45.7)
NVIDIA GeForce Experience 1.8 (Version: 1.8)
NVIDIA Grafisch stuurprogramma 331.82 (Version: 331.82)
NVIDIA Install Application (Version: 2.1002.142.992)
NVIDIA LED Visualizer 1.0 (Version: 1.0)
NVIDIA Network Service (Version: 1.0)
NVIDIA Optimus Update 10.10.5 (Version: 10.10.5)
NVIDIA PhysX (Version: 9.13.0725)
NVIDIA PhysX systeemsoftware 9.13.0725 (Version: 9.13.0725)
NVIDIA ShadowPlay 10.10.5 (Version: 10.10.5)
NVIDIA Update 10.10.5 (Version: 10.10.5)
NVIDIA Update Core (Version: 10.10.5)
NVIDIA Virtual Audio 1.2.12 (Version: 1.2.12)
NVIDIA-configuratiescherm 331.82 (Version: 331.82)
Opera 12.16 (Version: 12.16.1860)
Photo Common (Version: 16.4.3508.0205)
Photo Gallery (Version: 16.4.3508.0205)
Realtek Ethernet Controller Driver (Version: 7.67.1226.2012)
Realtek High Definition Audio Driver (Version: 6.0.1.7027)
Realtek PCIE Card Reader (Version: 6.2.9200.27036)
SHIELD Streaming (Version: 1.6.75)
Sid Meier's Civilization V
Skype™ 6.11 (Version: 6.11.102)
Spybot - Search & Destroy (Version: 2.2.25)
SpywareBlaster 5.0 (Version: 5.0.0)
Steam
Synaptics Pointing Device Driver (Version: 16.3.4.0)
The Elder Scrolls V: Skyrim
Total War: ROME II
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition
Vuze (Version: 5.2.0.0)
Winamp (Version: 5.666 )
Windows Live Communications Platform (Version: 16.4.3508.0205)
Windows Live Essentials (Version: 16.4.3508.0205)
Windows Live ID Sign-in Assistant (Version: 7.250.4311.0)
Windows Live Installer (Version: 16.4.3508.0205)
Windows Live Mail (Version: 16.4.3508.0205)
Windows Live MIME IFilter (Version: 16.4.3508.0205)
Windows Live Photo Common (Version: 16.4.3508.0205)
Windows Live PIMT Platform (Version: 16.4.3508.0205)
Windows Live SOXE (Version: 16.4.3508.0205)
Windows Live SOXE Definitions (Version: 16.4.3508.0205)
Windows Live UX Platform (Version: 16.4.3508.0205)
Windows Live UX Platform Language Pack (Version: 16.4.3508.0205)
Windows Live Writer (Version: 16.4.3508.0205)
Windows Live Writer Resources (Version: 16.4.3508.0205)
WinRAR 5.01 bèta 1 (64-bit) (Version: 5.01.1)

========================= Memory info: ===================================

Percentage of memory in use: 33%
Total physical RAM: 8112.01 MB
Available physical RAM: 5416.92 MB
Total Pagefile: 16222.2 MB
Available Pagefile: 13328.74 MB
Total Virtual: 4095.88 MB
Available Virtual: 3962.71 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:111.69 GB) (Free:14.01 GB) NTFS
2 Drive d: () (Fixed) (Total:465.76 GB) (Free:420.88 GB) NTFS

========================= Users: ========================================

Gebruikersaccounts voor \\ARNE-LAPTOP

Administrator            Arne                     Gast                     
De opdracht is voltooid.

========================= Minidump Files ==================================

No minidump file found


**** End of log ****
 

 

 

I'm not entirely sure on this installed program:

Junk Mail filter update (Version: 16.4.3508.0205)

 

I didn't install anything like that. It's also not in the list of programs in CCleaner. I have Windows Live Mail installed. Are those two connected? Seems odd.

 

 

I'm still unsure about wscript.exe, as dmw.exe and data.js were definitely connected to it. I disabled the startup process for data.js with CCleaner; as you see in this screenshot, it's connected to wscript.exe:

 

http://i.imgur.com/l7C2CnG.png



#4 Daluicis

Daluicis
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:10:24 PM

Posted 13 December 2013 - 12:58 PM

Here is the other dmw.exe thread on Bleepingcomputers:

http://www.bleepingcomputer.com/forums/t/516804/think-dmwexe-is-a-backdoor-of-some-type-help-needed/page-3

 

Someone bumped it as he also got infected. I hope it's not gonna get mass spread.



#5 Roodo

Roodo

  • Members
  • 760 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:24 PM

Posted 13 December 2013 - 01:37 PM

What computer system do you have?

#6 Daluicis

Daluicis
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:10:24 PM

Posted 13 December 2013 - 01:42 PM

BTO 15CL58, adjusted. Certainly not a Lenovo



#7 noknojon

noknojon

    Almost Retired


  • Members
  • 10,044 posts
  • ONLINE
  • Gender:Male
  • Location:Victoria Australia
  • Local time:07:24 AM

Posted 13 December 2013 - 03:10 PM

Hi -

What is "dwm.exe" And Why Is It Running ?  This seems to be one concern -
Desktop Window Manager (dwm.exe) is the compositing window manager that gives you all those pretty effects in Windows

If you open up Task Manager, you can see the dwm.exe process in the list, typically taking somewhere between 30-50MB of memory :
The size of the DWM process is controlled by the number of windows that you have open, since each window requires a buffer in memory to store the contents of the window. If you have a large number of very large windows open, DWM will use more memory.

Run a Disk Check on your C: drive in Windows 7:

• Click Start and open My Computer
• Right-click on C: (or your hard drive letter) and select Properties
• Click on the Tools tab
• Under Error-checking click the Check Now... button
• Mark the 2 boxes next to Automatically fix file system errors and Scan for and attempt recovery of bad sectors
• Click on the Start button
• When the message box pops up, click the Schedule disk check button and Restart your computer
• Once your computer restarts it will check the drive, don't press any keys so that it is allowed to do so
This will take (on average) 1 to 2 hours depending on your system, so please let it finish.
DO NOT force a reboot once started or you may lose data and can damage the computer
NOTE - If this is a Laptop please plug it into a reliable power source, as batteries may fail.
The computer will reboot to normal mode once it has completed all 5 stages -

Post back any error messages that may occur during the scan -

Thank You -

******************************************* Waiting for a reply ?? Press F5 to Refresh as you may have one waiting ************************************************


#8 Daluicis

Daluicis
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:10:24 PM

Posted 13 December 2013 - 03:26 PM

Hi -

What is "dwm.exe" And Why Is It Running ?  This seems to be one concern -
Desktop Window Manager (dwm.exe) is the compositing window manager that gives you all those pretty effects in Windows

If you open up Task Manager, you can see the dwm.exe process in the list, typically taking somewhere between 30-50MB of memory :
The size of the DWM process is controlled by the number of windows that you have open, since each window requires a buffer in memory to store the contents of the window. If you have a large number of very large windows open, DWM will use more memory.

You've got the wrong file. ;) As I said myself, dwm.exe is a legit file:

- went on further investigation and noticed even without firefox running, a process is made (and remade immediately if killed) "dmw.exe" with the description firefox (not to be confused with the legit dwm.exe)

I was able to remove the entire Lenovo folder in safe mode, and since then the process hasn't returned.
The only file I didn't remove, which data.js and dmw.exe used, is wscript.exe in the Windows folder.

I'm wondering if that file is infected, as it was used to activate this malware.



#9 noknojon

noknojon

    Almost Retired


  • Members
  • 10,044 posts
  • ONLINE
  • Gender:Male
  • Location:Victoria Australia
  • Local time:07:24 AM

Posted 13 December 2013 - 03:53 PM

As an extra - We crossed in posting / composing answers. Very early here, plus I was still on the F/fox forum and here (running 2 systems)

I have been looking around the dmw.exe and all other related problems on Firefox forum.

The best answer they gave was to Fully uninstall Firefox and reinstall if you wanted it -

Remember that Firefox is an Add-on Program and not a default Windows program. I only remind you because of the people at F/fox forum saying to remove and reinstall if you have similar problems, and this removes all extensions.

Do / did you get all of the same problems with Internet Explorer, as this is the first way to look at a problem, followed by a Full Scan with Malwarebytes' Anti-Malware Free (aka MBAM) and your Antivirus.

Thanks -

EDIT - That final clean up by Broni is one of the better ones ...............


Edited by noknojon, 13 December 2013 - 03:54 PM.


#10 Daluicis

Daluicis
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:10:24 PM

Posted 13 December 2013 - 04:05 PM

Thanks :)

I consider this issue resolved



#11 Klaus2m5

Klaus2m5

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:24 PM

Posted 14 December 2013 - 11:38 AM

I just had the same problem. The Lenovo folder was created when I installed the K-Lite Codec Pack. I removed the Run key from the registry for ...\Lenovo\data.js, rebooted and removed the Lenovo folder. The extra copies of dwm.exe 32 did not re-appear in the process list.

Probably some trojan backdoor!
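The persistence chain that post #3 and post #11 describe (a Run value that hands data.js to wscript.exe, plus a process whose name is a look-alike of the real dwm.exe) can be checked from PowerShell before anything is deleted. The script below is an added example from the editor, not code from any poster in this thread; it assumes PowerShell 3.0 or later, the standard Run/RunOnce key locations, and the function names are the editor's own.

```powershell
# Added example (editor's own, not from the thread). Assumes PowerShell 3.0+ for
# [pscustomobject]; function names are the editor's choice. Run it from an
# elevated 64-bit PowerShell so HKLM and every process are visible and
# HKLM\SOFTWARE is not silently redirected to Wow6432Node.

function Get-SuspiciousRunEntry {
    # 64-bit and WOW6432Node HKLM keys plus the current user's keys; these are the
    # locations CCleaner reads when it lists startup items.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # A Run value that invokes a Windows Script Host binary, or names a script file,
    # deserves a look: ordinary software registers an .exe here, not a .js file.
    $pattern = '(?i)(wscript|cscript)\.exe|\.(js|jse|vbs|vbe|wsf)("|\s|$)'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # PSPath, PSParentPath etc. are metadata the registry provider adds.
            if ($prop.Name -like 'PS*') { continue }
            if ("$($prop.Value)" -match $pattern) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $prop.Value
                }
            }
        }
    }
}

function Get-ScriptHostAndDwmProcess {
    $legitDwm = Join-Path -Path (Join-Path -Path $env:windir -ChildPath 'System32') -ChildPath 'dwm.exe'
    # Win32_Process exposes the image path, command line and parent PID that
    # Task Manager does not show.
    Get-WmiObject -Class Win32_Process |
        Where-Object { $_.Name -match '^(dwm|dmw|wscript|cscript)\.exe$' } |
        ForEach-Object {
            $path = $_.ExecutablePath   # null for processes the caller cannot open
            # Only a dwm.exe running from System32 is the genuine Desktop Window Manager;
            # a dmw.exe, or a dwm.exe anywhere else, goes on the review list.
            $expected = ($_.Name -ieq 'dwm.exe') -and ($path -ne $null) -and ($path -ieq $legitDwm)
            $verdict  = if ($expected) { 'expected' } else { 'review' }
            [pscustomobject]@{
                PID         = $_.ProcessId
                ParentPID   = $_.ParentProcessId
                Name        = $_.Name
                Path        = $path
                CommandLine = $_.CommandLine
                Verdict     = $verdict
            }
        }
}

Get-SuspiciousRunEntry | Format-List
Get-ScriptHostAndDwmProcess | Format-Table -AutoSize
```

A wscript.exe or cscript.exe hit is reported as 'review' rather than 'bad' on purpose: the script host itself is a stock Windows binary (shipped in both System32 and SysWOW64), and what identifies the problem is the CommandLine column showing which script it was told to run, together with the Run value that launched it. Once a Run value is confirmed unwanted, `Remove-ItemProperty -Path <Key> -Name <Name>` removes that single value without touching the rest of the key, which is the registry side of what post #11 did by hand.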