# DW15.exe spyware?



## bassetman (Jun 7, 2001)

My PC was very slow and jerky yesterday. I did a C+A+Del and saw DW15 running in the background. It took 3 tries to shut it down. A google search sad it was a form of spyware.

A search on PC also found dwse_en.exe in C:\Disk Wizard. Can anyone give me some info/help on this?

John


----------



## Rhettman5.1 (Sep 25, 2002)

Seems it's a gift from KaZzAa...Spybot should get it http://spybot.eon.net.au/ Rhett


----------



## $teve (Oct 9, 2001)

i think it something to do with microsofts error reporting.
but to be on the safe side download startuplist and we will take a look.

www.spywareinfo.com/downloads.php#startup

run the program and copy/paste the result here.


----------



## bassetman (Jun 7, 2001)

I was able to get rid of one problem (different name) w/spybot.

Here's the list:

StartupList report, 01/15/2003, 3:10:37 PM
StartupList version: 1.34.0
Started from : C:\STARTUP LIST\STARTUPLIST134\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\FRESHDEVICES\FRESHDOWNLOAD\FD.EXE
C:\STARTUP LIST\STARTUPLIST134\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Start WingMan Profiler =

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\IE4UINIT.EXE

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 10/1/2003, 12:58:46)

[rename]
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@ECHO OFF
SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
rem
rem *** DO NOT EDIT THIS FILE! ***
rem
rem This file was created by the System Configuration Utility as
rem a placeholder for your AUTOEXEC.BAT file. Your actual
rem AUTOEXEC.BAT file has been saved under the name AUTOEXEC.TSH.
rem

--------------------------------------------------

C:\CONFIG.SYS listing:

REM [Header] 
REM [CD-ROM Drive]
rem device=c:\realmode\oakcdrom.sys /D:mscd001 
rem device=c:\realmode\btdosm.sys 
rem device=c:\realmode\flashpt.sys
rem device=c:\realmode\btcdrom.sys /D:mscd001
rem device=c:\realmode\aspi2dos.sys
rem device=c:\realmode\aspi8dos.sys
rem device=c:\realmode\aspi4dos.sys
rem device=c:\realmode\aspi8u2.sys
rem device=c:\realmode\aspicd.sys /D:mscd001
[common]
dos=high,umb
buffers=40
device=c:\windows\himem.sys /testmemff
DEVICE=C:\WINDOWS\EMM386.EXE
REM ------------------
REM [Miscellaneous]
REM [SCSI Controllers]
REM [Display]
REM [Sound, MIDI, or Video Capture Card] 
REM [Mouse] 
REM ------------------
REM ******** CDROM DEVICE DRIVER *******************
DEVICE = C:\CDROM\CDROM.SYS /D:MSCD001 /V

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
@echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer 
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows 
REM you to load programs that you might not want loaded in Windows, 
REM (because they have functional equivalents) but that you do 
REM want loaded under MS-DOS. The two primary candidates for 
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the 
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD 
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match 
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM REM REM MOUSE.EXE
REM REM C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE
c:\windows\COMMAND\MSCDEX.EXE /D:MSCD001 /V 
REM C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE
C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
(no name) - C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBBUG.DLL - {3A6514CD-A457-11D4-8AF3-000102686B79}
(no name) - C:\PROGRAM FILES\URL ORGANIZER\URLORGIE.DLL - {C6CEAC32-D45C-11D4-94AF-0050BABD5FD6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Windows Critical Update Notification.job
Norton AntiVirus Weekly Scan.job
Run LiveUpdate (for Norton AntiVirus).job
Run LiveUpdate (for Norton AntiVirus)(2).job

--------------------------------------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

[Bugnosis]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WEBBUG.DLL
CODEBASE = http://www.bugnosis.org/downloads/webbug.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37612.4500231482

[{FFFF0003-0001-101A-A3C9-08002B2F49FB}]
CODEBASE = http://stat.trafficadvance.net/dialer/303437.exe

--------------------------------------------------
End of report, 10,375 bytes
Report generated in 2.080 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## $teve (Oct 9, 2001)

yep.....run spybot(update it 1st)
you have a couple of unwanted entries,a dialer and IEGATOR.
spybot should get rid of them both.
let us know.


----------



## bassetman (Jun 7, 2001)

TY for your response!
I would feel better if you pointed out the dialer prog probs!


John


----------



## $teve (Oct 9, 2001)

the last codebase entry....anything with the word "dialer" is suspect.
...stat.trafficadvance.net/dialer/303437.exe 

just update and run spybot.


----------



## bassetman (Jun 7, 2001)

Weird, I have the latest updates on spybot and I didn't notice this in the list.

John


----------



## bassetman (Jun 7, 2001)

I can't find it in the spybot list, is there a location I can remove it from manually?

John


----------



## bassetman (Jun 7, 2001)

This is what adaware found running:

Started memory scan
====================
Running processes:

#:1 : C:\WINDOWS\SYSTEM\KERNEL32.DLL

#:2 : C:\WINDOWS\SYSTEM\MSGSRV32.EXE

#:3 : C:\WINDOWS\SYSTEM\MPREXE.EXE

#:4 : C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

#:5 : C:\WINDOWS\SYSTEM\mmtask.tsk

#:6 : C:\WINDOWS\EXPLORER.EXE

#:7 : C:\WINDOWS\SYSTEM\SYSTRAY.EXE

#:8 : C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

#:9 : C:\WINDOWS\SYSTEM\WMIEXE.EXE

#:10 : C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

#:11 : C:\WINDOWS\SYSTEM\DDHELP.EXE

#:12 : C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE

#:13 : C:\WINDOWS\SYSTEM\PSTORES.EXE

#:14 : C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE

#:15 : C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

#:16 : C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

#:17 : C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE

#:18 : C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY 1.1\SPYBOTSD.EXE

#:19 : C:\PROGRAM FILES\LAVASOFT AD-AWARE\AD-AWARE.EXE

Memory scan result:
Total modules found:19
Suspicious modules found:0

It says nothing suspicious, but I don't know what a couple of those are.

Could they be a problem that Adawre isn't updated to see?

JOhn


----------



## UberTechie (May 1, 2003)

Bassetman

Your startup list is all legitimate. You have no spyware processes. DW15 is an internet explorer (& microsoft apps in general) Error Control program, the one that pops up and asks if it should send an error report to microsoft. When internet explorer encounters a problem, sometimes it will pop up and say "internet explorer has encountered a problem and needs to be closed. Send error report/Don't send". there is a little check box, 'restart internet explorer'. If you have this selected, DW15 will run. DW15 remembers the address you were at before IE crashed (only if possible), and/or restarts internet explorer. Remember, this is microsoft. Your system was acting jerky and messing up because Internet Explorer most likely wasn't closed (the process.exe would show up in a process viewer most likely). Just restart your computer.

P.S.
If DW15 cannot contact microsoft servers, it hangs until the connection times out, using a lot of system resources in the meantime (sometimes windows will read the program as not responding). Yay microsoft!


----------



## Terabyte (Oct 8, 2003)

I have the same problem. It started after I DL the latest SP from win update and installed Spybot, pop up stopper, and Tracs eraser pro which also cleans index.dat file so I cant be traced. I also installed a viewer for the index.dat file which changed my search engine so I uninstalled it. (you should see the info thats in that file!!) I don't know which one caused it because it started 2 days after. DW15 error report application is always running when I lock up. I'm going to try reloading IE6.02 in case my file is corrupt. System file checker, Internet repair tool, and my other sys utilities did not fix the problem. We are definitely being traced


----------



## $teve (Oct 9, 2001)

John.......all your running processes shown are legit.
The dialer will cause no problem but if you want to find and nuke it,its in your downloaded programs folder.


----------



## bassetman (Jun 7, 2001)

Thanks $teve.


----------



## $teve (Oct 9, 2001)

Your welcome mate.

:up:


----------

