wowexec.exe...trojan/virus??

Bob Brown · External Since: Feb 15, 2007 Posts: 44

wowexec.exe, shows in process viewer YET has ZERO bytes of ram
usage/cpu usage either.

I searched on google. I was unable to come to a conclusion as to
whether it's a virus/trojan. Many pages said maybe or yes, but not one
was sure.

Any clues on wowexec.exe ?

John John · External Since: Jun 05, 2004 Posts: 2625

Wowexec.exe (Windows on Windows subsystem) and Ntvdm.exe (NT Virtual DOS
Machine) are used to run 16-bit programs (DOS programs) in a virtual
environment. If they are being used you will see the programs indented
under the Ntvdm.exe entry in the Task Manager. Ntvdm.exe and
Wowexec.exe will remain in memory after you close the 16-bit
application, "in case" you want to launch another 16-bit program. If
these items are started when you boot the computer, but no associated
program is shown under them, check your startup items, some 16-bit
program is set to start and do something when the computer starts. That
"16-bit something" could be anything.

John

Bob Brown wrote:

> wowexec.exe, shows in process viewer YET has ZERO bytes of ram
> usage/cpu usage either.
>
> I searched on google. I was unable to come to a conclusion as to
> whether it's a virus/trojan. Many pages said maybe or yes, but not one
> was sure.
>
> Any clues on wowexec.exe ?

Wesley Vogel · External Since: Feb 23, 2004 Posts: 17940

wowexec.exe probably is not a trojan or virus but could be running because
you do have trojan or virus.

wowexec.exe should be in:
C:\WINDOWS\system32
and
C:\WINDOWS\system32\dllcache
or
C:\WINDOWS\ServicePackFiles\i386

command.com is the MS-DOS command interpreter and runs under ntvdm.exe (NT
Virtual Dos Machine). ntvdm.exe emulates an Intel 80286 machine running
MS-DOS. NT uses a VDM that contains an extra software layer called the
Win16 on Win32 (WOW) layer and wowexec.exe (Windows On Windows Execution
Process) supplies that extra layer.

command.com, it runs under ntvdm.exe, you will not see command.com listed in
the Task Manager.

ntvdm.exe and wowexec.exe should only run if you're running a 16-bit
application like command.com or some application that was placed on your
machine by a trojan/virus/worm. Something like CMD.COM, NETSTAT.COM,
PING.COM, REGEDIT.COM, TASKKILL.COM, TASKLIST.COM or TRACERT.COM.
None of these files are XP files.

CMD.COM, NETSTAT.COM, PING.COM, REGEDIT.COM, TASKKILL.COM, TASKLIST.COM or
TRACERT.COM are not real applications, they are added by a
trojan/virus/worm, but Windows thinks that they are 16-bit applications
because of the .com extension.

UPDATE your antivirus software and run a full system scan.

UPDATE whatever anti-spyware applications that you have and run a full
system scan with each one.

You might want to start in Safe Mode to run your antivirus and anti-spyware
software.

Running a full system antivirus scan or anti-spyware scan in Safe Mode can
be a good idea. Some viruses and other malware like to conceal themselves
in areas Windows protects while using them. Safe mode can prevent those
applications access and therefore unprotect the viruses or other malware
allowing for easier removal.

''In safe mode, you have access to only basic files and drivers
(mouse, monitor, keyboard, mass storage, base video, default system
services), just the minimum device drivers required to start Windows.''

Because of that some malware does not load in Safe Mode and is easier to get
rid of.

How to start Windows in Safe Mode Windows XP
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:hffcu298t5v991lckmtvntsbsqovhkhik1@bbb.org,
Bob Brown <.> hunted and pecked:
> wowexec.exe, shows in process viewer YET has ZERO bytes of ram
> usage/cpu usage either.
>
> I searched on google. I was unable to come to a conclusion as to
> whether it's a virus/trojan. Many pages said maybe or yes, but not one
> was sure.
>
> Any clues on wowexec.exe ?

foraminut · Joined: Nov 19, 2007 Posts: 1

It's a virus/trojan if there is a space before the name. Use Task Manager, Processes, click under User Name to sort by your account name; processes you have loaded appear in a nice list. You'll see one of two things if this is loaded:
without the quotes

" wowexec.exe" the Trojan
"wowexec.exe" the Microsoft driver which allows you to run 16 bit programs and browser extensions in 32 and 64 bit systems.

I had to shell to DOS to delete it from windows\system\dllcache, as it would not allow itself to be deleted otherwise. In the process, though, I lost the real (read, good) one.

foraminut

greyknight17 · Joined: Feb 03, 2003 Posts: 4869 Location: Brooklyn, NY

I have seen in on many occasions (I think ALL occasions) where wowexec.exe had a space before it. So I highly doubt that means it's infected. I don't recall seeing the wowexec.exe infected before. I wouldn't worry about it.

gsawiris · Joined: Jan 20, 2008 Posts: 1

wowexec.exe is a part the operating system, and supports the use of 16-bit processes within Windows NT, 2000, XP and later version of Windows.This program is important for the stable and secure running of your computer and should not be terminated
gsawiris
http://labanimalscience.com