wowexec.exe...trojan/virus??

Bob Brown · External Since: Feb 15, 2007 Posts: 44

wowexec.exe, shows in process viewer YET has ZERO bytes of ram
usage/cpu usage either.

I searched on google. I was unable to come to a conclusion as to
whether it's a virus/trojan. Many pages said maybe or yes, but not one
was sure.

Any clues on wowexec.exe ?

John John · External Since: Jun 05, 2004 Posts: 2625

Wowexec.exe (Windows on Windows subsystem) and Ntvdm.exe (NT Virtual DOS
Machine) are used to run 16-bit programs (DOS programs) in a virtual
environment. If they are being used you will see the programs indented
under the Ntvdm.exe entry in the Task Manager. Ntvdm.exe and
Wowexec.exe will remain in memory after you close the 16-bit
application, "in case" you want to launch another 16-bit program. If
these items are started when you boot the computer, but no associated
program is shown under them, check your startup items, some 16-bit
program is set to start and do something when the computer starts. That
"16-bit something" could be anything.

John

Bob Brown wrote:

> wowexec.exe, shows in process viewer YET has ZERO bytes of ram
> usage/cpu usage either.
>
> I searched on google. I was unable to come to a conclusion as to
> whether it's a virus/trojan. Many pages said maybe or yes, but not one
> was sure.
>
> Any clues on wowexec.exe ?

Wesley Vogel · External Since: Feb 23, 2004 Posts: 17940

wowexec.exe probably is not a trojan or virus but could be running because
you do have trojan or virus.

wowexec.exe should be in:
C:\WINDOWS\system32
and
C:\WINDOWS\system32\dllcache
or
C:\WINDOWS\ServicePackFiles\i386

command.com is the MS-DOS command interpreter and runs under ntvdm.exe (NT
Virtual Dos Machine). ntvdm.exe emulates an Intel 80286 machine running
MS-DOS. NT uses a VDM that contains an extra software layer called the
Win16 on Win32 (WOW) layer and wowexec.exe (Windows On Windows Execution
Process) supplies that extra layer.

command.com, it runs under ntvdm.exe, you will not see command.com listed in
the Task Manager.

ntvdm.exe and wowexec.exe should only run if you're running a 16-bit
application like command.com or some application that was placed on your
machine by a trojan/virus/worm. Something like CMD.COM, NETSTAT.COM,
PING.COM, REGEDIT.COM, TASKKILL.COM, TASKLIST.COM or TRACERT.COM.
None of these files are XP files.

CMD.COM, NETSTAT.COM, PING.COM, REGEDIT.COM, TASKKILL.COM, TASKLIST.COM or
TRACERT.COM are not real applications, they are added by a
trojan/virus/worm, but Windows thinks that they are 16-bit applications
because of the .com extension.

UPDATE your antivirus software and run a full system scan.

UPDATE whatever anti-spyware applications that you have and run a full
system scan with each one.

You might want to start in Safe Mode to run your antivirus and anti-spyware
software.

Running a full system antivirus scan or anti-spyware scan in Safe Mode can
be a good idea. Some viruses and other malware like to conceal themselves
in areas Windows protects while using them. Safe mode can prevent those
applications access and therefore unprotect the viruses or other malware
allowing for easier removal.

''In safe mode, you have access to only basic files and drivers
(mouse, monitor, keyboard, mass storage, base video, default system
services), just the minimum device drivers required to start Windows.''

Because of that some malware does not load in Safe Mode and is easier to get
rid of.

How to start Windows in Safe Mode Windows XP
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:hffcu298t5v991lckmtvntsbsqovhkhik1@bbb.org,
Bob Brown <.> hunted and pecked:
> wowexec.exe, shows in process viewer YET has ZERO bytes of ram
> usage/cpu usage either.
>
> I searched on google. I was unable to come to a conclusion as to
> whether it's a virus/trojan. Many pages said maybe or yes, but not one
> was sure.
>
> Any clues on wowexec.exe ?

foraminut · Joined: Nov 19, 2007 Posts: 1

It's a virus/trojan if there is a space before the name. Use Task Manager, Processes, click under User Name to sort by your account name; processes you have loaded appear in a nice list. You'll see one of two things if this is loaded:
without the quotes

" wowexec.exe" the Trojan
"wowexec.exe" the Microsoft driver which allows you to run 16 bit programs and browser extensions in 32 and 64 bit systems.

I had to shell to DOS to delete it from windows\system\dllcache, as it would not allow itself to be deleted otherwise. In the process, though, I lost the real (read, good) one.

foraminut

greyknight17 · Joined: Feb 03, 2003 Posts: 5651 Location: Brooklyn, NY

I have seen in on many occasions (I think ALL occasions) where wowexec.exe had a space before it. So I highly doubt that means it's infected. I don't recall seeing the wowexec.exe infected before. I wouldn't worry about it.

gsawiris · Joined: Jan 20, 2008 Posts: 1

wowexec.exe is a part the operating system, and supports the use of 16-bit processes within Windows NT, 2000, XP and later version of Windows.This program is important for the stable and secure running of your computer and should not be terminated
gsawiris
http://labanimalscience.com

Pilm · Joined: May 26, 2009 Posts: 1

Someone said:

It's a virus/trojan if there is a space before the name.
" wowexec.exe" the Trojan
"wowexec.exe" the Microsoft driver which allows you to run 16 bit programs and browser extensions in 32 and 64 bit systems.

This is certainly not true. The space simply indicates a 16-bit sub-process being reported in the Windows Task Manager Processes Tab. In the case of wowexec.exe, this is a sub-process of process ntvdm.exe. You can prove it to yourself by ending process ntvdm.exe, and when it ends it will take wowexec.exe with it (and any 16-bit program you were using). You can also count the number of process and you'll see that the number of processes reported don't include any sub-processes (ones prefixed with a space).

As others have said, the 16-bit program that started this process could be anything, a harmless program you were using or a virus program someone installed on your PC. If you terminate ntvdm.exe and it comes back (without you running a 16-bit process yourself), then you probably have a background virus restarting it. In addition you should probably restart your PC and make sure ntvdm.exe doesn't restart then. But before ripping your hair out make sure you don't have any 16-bit programs in your Startup group.

Pilm

YarsRevenge · Joined: Aug 19, 2009 Posts: 1

I found an old Mustek scanner packed away in my closet and decided to see if it still worked. The scanner came out long before XP but I was lucky to find some XP drivers on the official Mustek website that were released in 2002. Anyway, after running the driver install software I decided to check my running processes (I have a habit of doing this when I run/install new things) and for the first time ever the process wowexec.exe was running. In the task manager it has a space before it so it is offset just a bit and has "00" CPU usage and no number at all for mem usage. After restarting my system it was gone... so apparently nothing with the driver installation has told it to load in startup. Don't mean to drag this out or anything lol. Anyway, when I run photoshop and try to import from this device (Mustek 600 iii EP Plus scanner) and the scanners Twain applet (or whatever it is called) window opens the "wowexec.exe" process starts again as well as another process called "ui.exe" which is also offset with a space in front of it. BTW, I just did all this like 10 minutes ago... I came across this thread because I was curious as to why that odd looking process needed to run all of a sudden.

So, from what ppl are saying about "wowexec.exe" being used for 16bit makes sense to me as the driver and scanner software is pretty old and that is what started calling the "wowexec.exe" process on my machine. I am doubtful that there are any virii or Trojans using this process on your machine. More than likely you have some old software or driver package or something that is loading at startup and XP needs to run "wowexec.exe" to handle it. I guess you could go through the trouble of locating the culprit but I wouldn't worry over it.

jane21nyct · Joined: Nov 06, 2009 Posts: 1

I had a (space) before wowexe.exe on my task managaer and my CPU was running high until I would end it, and then my computer would start running better. I went to C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe and looked ot the programs I had running at start up and unclicked 2 that were for 16 bit applications. After restarting the computer - the ntvdp software and the wowexe.exe were not runnning anhymore and never came back spontaneously. From this I can say wowexe.exe was not a trojan but simply an application you can do without!
Jane.