BleepingComputer.com: C:\windows\system32\appcert\wnl32.dll Being Execute

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

C:\windows\system32\appcert\wnl32.dll Being Execute CPU 100% XP SP2

#1 User is offline   UnixMan 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 05-March 08

Posted 05 March 2008 - 04:29 PM

My computer was slow so decided to do some investigation and found that c:\windows\system32\appcert\wnl32.dll and c:\windows\system32\appcert\wnl32.dll.dll appear as files that are being executed repeatedly like several times per second by explorer.exe. Found this with filemon utility.

Can't find anything in the registry that would do this.

Things I have done:

1. booted in safe mode - issue still there
2. booted with msconfig settings in diagnostic startup and selective startup - same issue
3. no obvious processes other then explorer.exe are using CPU
4. looked through the whole registry for that dll name - nothing!
5. used filemon utility to tell me what files being opened and found
c:\windows\system32\appcert\wnl32.dll
c:\windows\system32\appcert\wnl32.dll.dll being executed several times per second.
NOTE: these files DO NOT exist so they get a NOT FOUND on execution!! ..Thats whats sending my machine to 100% is the executions.

Any ideas??

thanks


Mod Edit: Topic moved to more appropriate forum, TY hamluis~ TMacK

This post has been edited by TMacK: 05 March 2008 - 05:08 PM

#2 User is online   hamluis 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Moderator
  • Posts: 30,359
  • Joined: 03-September 05
  • Gender:Male
  • Location:Killeen, TX

Posted 05 March 2008 - 04:59 PM

A quick scan of Google indicates that the files in question are malware, http://www.google.com/search?hl=en&q=a...G=Google+Search

I suggest posting in the Am I Infected forum, rather than the XP Home/Professional Forum, at this website.

Louis
Am I Infected, What Do I Do?
Preparation Guide, Malware Log Topics
Using The Report Button
Discussion Forum Rules
Misplaced Malware Logs

#3 User is offline   UnixMan 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 3
  • Joined: 05-March 08

Posted 05 March 2008 - 07:14 PM

well, being a daring type person I found some advice that said to run tis combofix utility so I ran it..Took a while and then rebooted and created a report. Well, the issue is gone? Not sure what comboifx did but it fixed the issue..

Here is the combofix report. Don't see anything in here that means anything to me:

ComboFix 08-03-05.1 - rwilkins 2008-03-05 18:54:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.545 [GMT -5:00]
Running from: L:\data\H\data\downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\plugin1.dat
C:\WINDOWS\system32\SysPr.prx

.
((((((((((((((((((((((((( Files Created from 2008-02-05 to 2008-03-05 )))))))))))))))))))))))))))))))
.

2008-03-05 18:44 . 2008-03-05 18:47 <DIR> d-------- C:\VundoFix Backups
2008-03-05 12:08 . 2008-03-05 12:21 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-18 10:16 . 2008-02-18 10:16 37 --a------ C:\WINDOWS\WPR.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-05 22:08 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\uTorrent
2008-03-05 20:41 --------- d-----w C:\Program Files\Tiger Gaming
2008-03-05 17:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\BOC425
2008-03-04 17:14 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\AVG7
2008-03-02 12:44 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\Canon
2008-02-14 08:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-22 00:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-22 00:06 --------- d-----w C:\Documents and Settings\recovery\Application Data\AVG7
2008-01-20 15:31 3,532 ----a-w C:\drmHeader.bin
2008-01-20 02:30 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\SSH
2008-01-17 18:58 --------- d-----w C:\Documents and Settings\recovery\Application Data\Yahoo!
2008-01-17 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-17 18:57 --------- d-----w C:\Documents and Settings\recovery\Application Data\Windows Desktop Search
2008-01-09 02:04 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\Comodo
2008-01-09 01:36 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\Wireshark
2008-01-07 20:42 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\UnH Solutions
2008-01-07 20:35 --------- d-----w C:\Program Files\IBM Learning Services
2008-01-07 20:29 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\Skype
2008-01-07 20:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-01-07 03:35 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\SUPERAntiSpyware.com
2008-01-07 03:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 03:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 23:57 --------- d-----w C:\Program Files\Internet ExplorerXXX
2008-01-06 23:43 --------- d-----w C:\Program Files\Windows Defender
2008-01-06 23:42 --------- d-----w C:\Program Files\Windows Desktop Search
2008-01-06 23:42 --------- d-----w C:\Program Files\QuickTime
2008-01-05 22:02 --------- d-----w C:\Program Files\WinPcap
2008-01-05 20:01 --------- d-----w C:\Documents and Settings\rwilkins\Application Data\PrevxCSI
2008-01-05 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-05 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay]
@={b75ab0c8-03d5-4592-9821-a48d54d66b14}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IE Privacy Keeper"="d:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 14:52 1015808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 19:32 1409024]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54 282624]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56 4841472]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-06 08:22 57344]
"mssSort"="D:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe" [2005-07-15 13:29 1335296]
"MaxBackSchedule"="D:\Program Files\Maxtor\Maxtor Quick Start\maxbackservice.exe" [2005-10-06 09:22 172032]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05 257088]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 02:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 02:07 114688]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"COMODO Firewall Pro"="D:\Program Files\Comodo\firewall\cfp.exe" [ ]
"BOC-425"="d:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-11-26 10:38 342272]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:17 579072]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 00:00 335872]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 13:43 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\WINDOWS\system32\mstask.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-23 07:17 219136]

C:\Documents and Settings\rwilkins\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
AutoStart IR.lnk - D:\Program Files\WinTV\Ir.exe [2006-08-20 20:36:38 102455]
Instant Update Reminder.lnk - C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe [2006-08-20 20:54:01 529920]
Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-21 08:00:00 65588]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2006-03-20 16:40:20 220160]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 14:55:04 110080]
WinZip Quick Pick.lnk - D:\Program Files\WinZip\WZQKPICK.EXE [2006-08-21 16:07:40 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-10-19 14:53 293888]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdAgent"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"D:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\TruePoker\\Client.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"L:\\utils\\linksys_alt_firmware\\wallwatcher\\WallWatcher.exe"=

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2006-03-20 16:40]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2006-03-20 16:39]
R3 ax88772;ASIX ax88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2004-08-06 02:17]
R3 iComp;Hauppauge WinTV PVR USB2 Encoder;C:\WINDOWS\system32\DRIVERS\HCWUSB2.sys [2004-11-24 12:35]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2006-03-20 16:39]
S3 drhard;DRHARD;C:\WINDOWS\system32\DRIVERS\DRHARD.SYS [2005-12-01 10:49]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2006-03-20 16:39]
S3 Winacusb;Winacusb;C:\WINDOWS\system32\DRIVERS\winacusb.sys [2002-07-31 17:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-06 00:01:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 18:59:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
d:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-05 19:03:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 00:02:56
.
2008-03-04 18:49:43 --- E O F ---

#4 User is offline   Orange Blossom 

  • OBleepin Investigator
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Moderator
  • Posts: 29,396
  • Joined: 14-July 06
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 06 March 2008 - 02:19 AM

ComboFix logs should not to be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users