Due to continual spamming, forum registrations are now by Invitation Only. Hopefully this will be only a temporary measure to combat spammers.

If you want an invitation contact forumapplication @ camstudio . org

Sorry for the inconvenience.

C:\Windows\Desktop Manager\dwm.exe

edited June 2011 in Support
Hi,
Have very recently installed Camstudio and it seems to be very good.
There is one thing, though.
A security notification concerning "C:\Windows\Desktop Manager\dwm.exe" appeared, asking for internet access. The file and its folder appear to have been installed at the same time as Camstudio, so I assumed that there might be a connection. After 'googling', it appears that others have the same question.
The concern is that 'dwm.exe' is a system file that should be in the "C:\Windows\System32" folder, and that any alternative placement gives rise to suspicions of malware.
Some clarification about the nature of this file, and its connection to Camstudio, if any, would be welcome.
Thank you.

Comments

  • theoria,

    Where did you get your version of CamStudio? We have a "rogue" file out there lately.

    The one here is known to work well. http://sourceforge.net/projects/camstudio/files/stable/

    Use r294. I would suggest un-installing CamStudio first.

    Terry
  • Thank you for your reply.
    I'm pretty sure I got it from here: http://camstudio.org/
    The installation file is "CamStudio_Setup_v2.6b_r294_(build_24Oct2010).exe".
    The "C:\Windows\Desktop Manager\dwm.exe" is still there. My security software is blocking it from the internet, though.
    Is the file meant to be there? If not, I can delete it.
    I can send the installation file, if necessary.
  • edited June 2011
    theoria,

    Uninstall that copy and go get a fresh copy here: http://sourceforge.net/projects/camstudio/files/stable/ ... and delete that odd file, or at least rename it to something so it cannot be found.

    That one should work OK. If needs be, right-click on the CamStudio icon and select "Run as an Administrator"

    Terry
  • Desktop Window Manager is not installed with legitimate copies of Cam Studio.

    If you are running Windows Vista / Windows 7, there is a dwm.exe desktop window manager that is part of the operating system. It is unlikely that commercial AV would warn against files that exist on factory fresh installations of windows. It is also suspicious because dwm.exe should be in system32, not Desktop Manager.

    My gut feeling is that you are dealing with a piece of malware. I just verified the CamStudio_Setup_v2.6b_r294_(build_24Oct2010).exe currently on sourceforge does not install any rogue software (specifically nothing by the name of dwm.exe). If you got Cam Studio from another website its possible that our installer has been troganized. Its also possible that you were infected by some other means at approximately the same time you installed CamStudio.

    I would recommend following your AV products recommendations to quarantine / remove the offending dwm files. If you have further issues with it, its probably best to contact your AV vendor directly.
  • edited July 2011
    I've also had the same malware installed.

    I've checked my browser history and I can confirm that I have downloaded camstudio installer using the link given on the "download" page of the official camstudio site.

    That download link was directing to a fake project site on sourceforge named "camstudios" (note the extra "s") . I've been able to find the link in my browser history

    More details in the following thread:

    http://camstudio.org/forum/discussion/697/another-project-on-sourceforge-with-a-similar-name/p1

    I think than Camstudio team should give better information on that problem, maybe via an announce on the home page of the site: It's pretty possible that number of people have installed this malware without notice

    It has started to be detected by MSAV only since yesterday, and at that time *no others* anti-virus vendors (apart from McAfee-GW-Edition, according to Virustotal site) were detecting it. This mean that me (and probably many others) have this threat running in background for around 4 weeks.

    So every one having downloaded Camstudio around middle to end of June should be advised to scan their PC (maybe by downloading and running "Microsoft safety scanner" which is now able to remove this threat).

    [EDIT] Microsoft detect the malware as "TrojanDownloader:Win32/Deewomz.A"
  • edited July 2011
    I agree with CoolRaoul. I did an initial install of the effected download, and assumed dwm.exe was something CamStudio had started to include. After CoolR posted this warning at other forums, I checked again. Assuming SourceForge wasn't hacked, I am guessing the download redirects link at hxxp://camstudio.org/ were. Not sure if this site is part of this group, or someone benefiting from the links and info.

    Some analysis of the malware involved:

    http://www.threatexpert.com/report.aspx?md5=f8248796d64a7ecb3e6942cdbdec94d8

    http://www.virustotal.com/file-scan/report.html?id=910287bf82fb51f53ed6cbb83b7c91ffffd8e09172e1dfdc45c0164c3b14d765-1311101968

    For the moment, folks who accidentally installed this malware version should of course uninstall CamStudio. And also do these changes:


    1 - Open Task Manager (Ctrl - Alt - Delete), and if dwm.exe shows under the Processes tab, right click it and End Process.

    2 - Open a command prompt (Start - Run, type cmd and press OK), type the following at the prompt and press Enter after each:

    sc config USmsServ start= disabled

    sc delete USmsServ

    Then type exit and press Enter to close that.

    3 - Locate the following file, and delete it:

    C:\Windows\Desktop Manager\dwm.exe

    Then delete the Desktop Manager folder.

    Infected persons should assume their personal data may have been compromised, and should consider changing all secure login passwords.
  • Jintan and CoolRaoul,

    I wrote Nick about your findings immediately upon reading the above, and he posted a link in the yellow "support" box on the main page leading to the following blog post:

    http://camstudio.org/blog/removing-malware-camstudio

    Please keep us informed of anything else you discover about this! So sorry you had to go through that - my laptop was infected as well from testing the wrong program installation.

    Terry
Sign In or Register to comment.