While Scott and a few others have pointed out that wowexec.exe is a
legitimate process, I would be concerned if it is using a leading space in
the file name.  I've seen trojans that use number 1s instead of lowercase Ls
in a filename such as "rund11" (as opposed to rundll) to masquerade as a
legitimate app when viewed through task manager.  I guess it's possible to
use a leading space for a similar effect.

Brownfox


-----Original Message-----
From: Vachon, Scott [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: Win2K and Lview.exe -- am I infected?


>I discovered that I can go to Task Manager -- Processes, and kill the
>process " wowexec.exe" (with the leading space) and everything will be
>restored to normal behavior.

>Any idea if I have been infected with something and what I can do about
>it?


I don't think you are infected. The wowexec.exe is used (and my explanation
may be somewhat off) to run legacy (or 16 bit) programs on the newer
Microsoft OSes. As it was explained to me, it is a virtual DOS window to run
the program in. Unfortunately, this doesn't always function well and you get
a lock up or slow down (I believe it accesses the kernel directly and thus
the effect on the entire system). If you watch the processes tab of the task
manager window when you open the program, you will see the CPU spike to
95-100 percent utilization!  You should find a version of the program you
are running that is compatible with the OS and/or 32 bit vs. 16 bit.

Disclaimer: My own two cents, probably a little off, but in the ballpark.

~S~
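
The look-alike naming concern raised in the first message (a leading space, or "rund11" for "rundll") can be checked mechanically. The following is an added example, not part of the thread: it compares process image names against an assumed allowlist after dropping invisible characters and undoing digit-for-letter swaps. The allowlist, function names and sample names are constructed for illustration.

```python
import unicodedata

# Assumed allowlist of legitimate image names (illustrative, not exhaustive).
KNOWN = {"wowexec.exe", "ntvdm.exe", "rundll.exe", "rundll32.exe", "explorer.exe"}

# Digits commonly swapped for a similar-looking letter: one for "l", zero for "o".
LOOKALIKES = str.maketrans({"1": "l", "0": "o"})


def skeleton(name):
    """Collapse a name to what a person skimming a process list perceives."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    # Drop whitespace and non-printing characters (padding, zero-width marks).
    visible = "".join(c for c in folded if not c.isspace() and c.isprintable())
    return visible.translate(LOOKALIKES)


KNOWN_SKELETONS = {skeleton(k): k for k in KNOWN}


def check(name):
    """Return (verdict, imitated_name) for one process image name."""
    if name.casefold() in KNOWN:
        return ("known", name.casefold())
    target = KNOWN_SKELETONS.get(skeleton(name))
    if target is None:
        return ("unknown", None)       # not on the list and not imitating it
    if name.strip().casefold() == target:
        return ("padded", target)      # differs only by surrounding whitespace
    return ("lookalike", target)       # character substitution or hidden chars


def scan(names):
    """Return only the names that imitate an allowlisted image name."""
    return [(n, *check(n)) for n in names if check(n)[0] in ("padded", "lookalike")]


if __name__ == "__main__":
    # Constructed sample process list.
    sample = ["explorer.exe", " wowexec.exe", "rund11.exe", "lview.exe"]
    for name, verdict, target in scan(sample):
        print(f"{name!r}: {verdict} imitation of {target}")
```

Feed it image names taken from the process list itself rather than from a UI rendering: Windows 2000 Task Manager displays wowexec.exe indented beneath ntvdm.exe.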



