wowexec.exe...trojan/virus??

Bob Brown

wowexec.exe shows in process viewer YET has ZERO bytes of RAM
usage/CPU usage either.

I searched on google. I was unable to come to a conclusion as to
whether it's a virus/trojan. Many pages said maybe or yes, but not one
was sure.

Any clues on wowexec.exe ?
 
John John

Wowexec.exe (Windows on Windows subsystem) and Ntvdm.exe (NT Virtual DOS
Machine) are used to run 16-bit programs (DOS programs) in a virtual
environment. If they are being used you will see the programs indented
under the Ntvdm.exe entry in the Task Manager. Ntvdm.exe and
Wowexec.exe will remain in memory after you close the 16-bit
application, "in case" you want to launch another 16-bit program. If
these items are started when you boot the computer, but no associated
program is shown under them, check your startup items, some 16-bit
program is set to start and do something when the computer starts. That
"16-bit something" could be anything.

John
 
Wesley Vogel

wowexec.exe probably is not a trojan or virus but could be running because
you do have a trojan or virus.

wowexec.exe should be in:
C:\WINDOWS\system32
and
C:\WINDOWS\system32\dllcache
or
C:\WINDOWS\ServicePackFiles\i386

command.com is the MS-DOS command interpreter and runs under ntvdm.exe (NT
Virtual DOS Machine). ntvdm.exe emulates an Intel 80286 machine running
MS-DOS. NT uses a VDM that contains an extra software layer called the
Win16 on Win32 (WOW) layer and wowexec.exe (Windows On Windows Execution
Process) supplies that extra layer.

command.com, it runs under ntvdm.exe, you will not see command.com listed in
the Task Manager.

ntvdm.exe and wowexec.exe should only run if you're running a 16-bit
application like command.com or some application that was placed on your
machine by a trojan/virus/worm. Something like CMD.COM, NETSTAT.COM,
PING.COM, REGEDIT.COM, TASKKILL.COM, TASKLIST.COM or TRACERT.COM.
None of these files are XP files.

CMD.COM, NETSTAT.COM, PING.COM, REGEDIT.COM, TASKKILL.COM, TASKLIST.COM or
TRACERT.COM are not real applications, they are added by a
trojan/virus/worm, but Windows thinks that they are 16-bit applications
because of the .com extension.

UPDATE your antivirus software and run a full system scan.

UPDATE whatever anti-spyware applications that you have and run a full
system scan with each one.

You might want to start in Safe Mode to run your antivirus and anti-spyware
software.

Running a full system antivirus scan or anti-spyware scan in Safe Mode can
be a good idea. Some viruses and other malware like to conceal themselves
in areas Windows protects while using them. Safe Mode can prevent those
applications' access and therefore unprotect the viruses or other malware,
allowing for easier removal.

"In safe mode, you have access to only basic files and drivers
(mouse, monitor, keyboard, mass storage, base video, default system
services), just the minimum device drivers required to start Windows."

Because of that some malware does not load in Safe Mode and is easier to get
rid of.

How to start Windows in Safe Mode Windows XP
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
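
An added example, not part of the original thread: a small Python triage script that applies the two checks from the reply above (expected wowexec.exe locations, and the listed .COM names) to a bare list of full paths, one per line, as `dir /s /b` prints. The function name, the sample listing and the inclusion of ntvdm.exe in the location check are assumptions made for illustration.

```python
import ntpath

# Locations the post above gives for a genuine wowexec.exe.
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
}
# Subsystem binaries to location-check (ntvdm.exe is an assumption: the post
# lists locations for wowexec.exe only).
SUBSYSTEM_FILES = {"wowexec.exe", "ntvdm.exe"}
# .COM names the post describes as dropped by malware, not shipped with XP.
BOGUS_COM = {"cmd.com", "netstat.com", "ping.com", "regedit.com",
             "taskkill.com", "tasklist.com", "tracert.com"}


def triage(listing):
    """Return sorted (reason, path) findings for a bare path listing."""
    findings = set()
    for raw in listing.splitlines():
        path = raw.strip().strip('"')
        if not path:
            continue
        norm = ntpath.normpath(path).lower()   # Windows names are case-insensitive
        folder, name = ntpath.split(norm)
        if name in BOGUS_COM:
            findings.add(("bogus-com", path))
        elif name in SUBSYSTEM_FILES and folder not in EXPECTED_DIRS:
            findings.add(("unexpected-location", path))
    return sorted(findings)


# Constructed sample input, in the shape `dir /s /b` produces.
SAMPLE = r"""
C:\WINDOWS\system32\wowexec.exe
C:\WINDOWS\system32\dllcache\wowexec.exe
C:\WINDOWS\ServicePackFiles\i386\wowexec.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\command.com
C:\WINDOWS\system32\PING.COM
C:\WINDOWS\Temp\wowexec.exe
C:\Documents and Settings\Bob\Local Settings\Temp\TaskList.com
"""

if __name__ == "__main__":
    for reason, path in triage(SAMPLE):
        print(f"{reason:20} {path}")
```

A finding here is only a lead for the antivirus and anti-spyware scans the reply recommends; a file in an expected directory can still be a replaced copy.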
