prefetch, read and ran first complete.

I ran all the scans yesterday. A few items were found as you will be able to see from the logs. First thing this morning I ran 'Advanced System Optimizer' "Spyware Detective" and once again I have GhostKeyLogger object C:\windows\prefetch\ntvdm.exe-1a10a423.pf . It has not executed yet but I also have a modemspy object C:\windows\prefetch\win32hlp.exe "with some numbers following it". I deleted the last copy I had of it. I am sure it will show up again.

thx
Robert

 

Here are the remaining files.

 

Is there something I missed? This post has been noticably skipped. To the best of my ability I followed the instructions in Read and Run this first. If my issue is beyond your expertise then say so. Thx anyways.
Robert

 

---Quote
You need to uninstall Spyware Detective if it is the program telling you that those
two files are malware. That is ridiculous. They are required Windows System processes.
The real files are located in C:\windows\system32. You should get a better antispyware
program.
---End Quote---

Normally I would agree with you with regards to the prefetch files. But, I am still suspicious of
their presence. An example would be, tonight I ran a help file. This caused the prefetch file
WINHLP32.EXE-27E3937B.pf to be created. However when I ran Spyware Detective this file
WINHLP32.EXE-2C18E975.pf is identified as modemspy. I cannot at this time recreate this
behavior with ntvdm.exe. But I do not access that program directly ever. And the WINHLP32
also loads itself. I do not have to use winhelp in order for it to be loaded. Also if you
check the capabilities of both ModemSpy and GhostKeylogger you will note that both are
capable of stealth mode in which their processes are not detectable by Windows Task Manager
or any other tool that uses a similar method for determining running processes. And, finally,
running Spyware Detective on my wifes pc does not produce the same results. I therefore am
still very suspicious that the modemspy process and ghostkeylogger process are being started
on my pc and the prefetch file is my evidence.I am not saying that Spyware Detective is
conclusive by any means. Just as you use many different programs to look for different things,
so do I.


---Quote

*Do you know what the below two files are for? Is the iwlufklg.dll related to System
Mechanic?*

Code:
---------
"C:\WINDOWS\"
iwlufklg.dll Dec 15 2006 274 "iwlufklg.dll"
---End Quote---

//---------------------------------------------------------------
I do not think that it is related to System Mechanic. It's creation date is in December.
I installed System Mechanic in January, last week. I just moved that file to a different location.
It does not state who created it. Hex editor reveals only sonkite and a few other letters.
//---------------------------------------------------------------

---Quote

"C:\WINDOWS\system32\"
d84def~1.dll Feb 4 2007 80 "D84DEF6B6A.dll"

---End Quote---

//---------------------------------------------------------------
No idea. No name for the creator. And it appears to be attempting to be a hidden file.
Considering moving it. It is a very small file only 80 bytes. I moved it.
//---------------------------------------------------------------

---Quote
Do you know whether the below files are all part of *SPSS 15.0 for Windows Evaluation
Version* which was installed on Jan 10th?
---End Quote---

"C:\WINDOWS\system32\"
lsprst7.dll Jan 10 2007 205 "lsprst7.dll"
//------------------------------
Again an unknown file. 205 bytes Created at 12:53PM
//-----------------------------
nsprs.dll Jan 10 2007 0 "nsprs.dll"
//------------------------------
Again an unknown file. 0 bytes Created at 12:54PM
//-----------------------------
serauth1.dll Jan 10 2007 0 "serauth1.dll"
//------------------------------
Again an unknown file. 0 bytes Created at 12:54PM
//-----------------------------
serauth2.dll Jan 10 2007 0 "serauth2.dll"
//------------------------------
Again an unknown file. 0 bytes Created at 12:54PM
//-----------------------------
ssprs.dll Jan 10 2007 0 "ssprs.dll"
//------------------------------
Again an unknown file. 0 bytes Created at 12:54PM
//-----------------------------
sysprs7.dll Jan 10 2007 1025 "sysprs7.dll"
//------------------------------
Again an unknown file. 1 KB Created at 12:53PM
//-----------------------------


Uninstalled:
Java 2 Runtime Environment Standard Edition v1.2.2
and Mozilla Firefox (1.5.0.7)

Installed Current Version of Mozilla Firefox

Uninstalled Sunbelt Counterspy

Downloaded Pocket Killbox

Ran HJT and NewFiles

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {39B41CBB-DA5D-D5D3-7F95-872D66D8AC93}
- (no file)
O2 - BHO: (no name) - {39B41CBB-DA5D-D5D3-7F95-872D66D8AC93} - (no file)
O2 - BHO: TBSB09718 - {571E3F7F-B6B5-4350-ADDE-F16ED678E0D3} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
//-----------------------
020-Winlogon Notify: AutorunDisabled- C:\WINDOWS\
Is in that place now. Did not delete.
//-----------------------
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

fixed the rest.

Deleted:
C:\Program Files\Common Files\AppPatch
C:\Program Files\ Common Files\assembly

//--------------------------------------------------------------
Since my post I have continued to look for a solution to my possible problem.
On 2/20/07 I ran all of the tests on Sheilds Up. Except for responding to pings
my computer appears to be in a complete stealth mode online. I then installed
Zone Alarm and uninstalled Norton System Works 2005, updated. No unfamiliar
processes have tried to communicate from my pc. I also installed What's Running
and WinSonar. WinSonar is a bit squirrelly but I was unable to identify an unknown
process attempting to run. Also, I uninstalled Sunbelt Counterspy. When I did so
Norton said a malicious script was being run so I blocked it. This totally
screwed up my modem and caused repeated minidumps. Everytime I would attempt
to dial into my isp my pc would shut down and a minidump would occur. I then
reinstalled Sunbelt Counterspy, updated it, ran it and reuninstalled it. The
minidumps continued. It seemed that a program had more control over my modem
than I did. And, I was unable to determine what settings were used to do this.
This morning I purchased a new USB modem and this seems to have eliminated that
problem for now.
//--------------------------------------------------------------

Files attached


Thx Robert


I just noticed the question about wheather I disabled my dial up wizard. No I did not and I did not see this part of your post in my initial reciept of your reply. That may be one part of why my modem has been acting so squirrelly.

 

I included a HJT log file from before the fix and after the fix. I always err on the side of giving too much information whenever possible. Question, if Spyware Detective is incorrect, is there another definite way to find out if modemspy or Ghostkeylogger are hiding on my HD?

 

I am repeatedly removing the files. And yes, they keep coming back. They are prefetch files. They are created by the windows memory management process to facilitate a faster start up the next time they are accessed. Once a prefetch file is created the program is already running on my system. Spyware Detector does not identify every win32hlp.exe(plus some numbers).pf file as modem spy.
This file "WINHLP32.EXE-27E3937B.pf " is not identified as modemspy.
This file "WINHLP32.EXE-2C18E975.pf " is always identified as modemspy. Note the 2C18E975. That number is always the same for the file identified as modemspy. I know you may think I am being a bit thick. But, I am still concerned about their presance.

Is there a program that can read a prefetch file and identify the program it was created from?

 

Alrighty now,
Well, I ran the sysclean scan. The log file is attached. Nothing showed up. I installed a new USB modem Wednesday. I had not seen Modemspy or Ghostkeylogger most of the week. Tonight though, Modemspy showed up again, in the form of the prefetch file WINHLP32.EXE-2C18E975.pf. I also have the file WINHLP32.EXE-27E3937B.pf in my prefetch folder. I am attaching both for you to examine or share with someone that can dig into them. I scanned the file WINHLP32.EXE-2C18E975.pf at http://virusscan.jotti.org/ but it is clean according to the scan. My guess is that Ghostkeylogger is still on my hd as well. It has not showed up yet. Hope you had a good weekend. I look forward to your return.

My theory here is that someone modified the modemspy files for install on the victom hd so that they would pretend to be normal system files. It is possible. In fact, Ghostkeylogger web site suggests for insertion onto an unsuspecting pc that the three files required by ghostkeylogger be changed to any name they want, as long as the three file have the same basic name. Myfile.dll, Myfile.exe and the other one. I will need to look at their documentation again to recall the third required file. My problem lies in the idea that modemspy and Ghostkeylogger are in stealth mode and cannot be found without more expertise than I have. I'm sure there is a way but I assume it is a secret that few would like to see revealed.

Thx
Robert

 

I have another dumb question. Why, when I moved the WINHLP32.exe file from the WINDOWS\System32 folder did it almost immediately recreate itself? And the same question applies to the ntdvm.exe file in the same folder.
Ghostkeylogger was detected a few minutes ago as this file, NTVDM.EXE-1A10A423.pf.

 

chaslang,
I do appreciate your assistance in attempting to determine what is going on on my pc. I have learned alot. I am also beginning to study assembly, because I do realize that most of us do not have a clue what goes on inside our pc's. I am beginning to accept the idea that there is nothing on my hd except a program that is showing false positives. I have found other programs that have shown other false positives that I was more readily able to dismiss a such. Btw except is spelled accept. And I am willing to accept this possibility. Besides, I have a firewall blocking all access to the net and I do not even have an email client that could phone home if it wanted to. Though you provided much insight into the ways to scan and analyse the contents of my hd for viruses I never felt that you addressed my primary concern regarding keyloggers that run in stealth mode. This would not have been a case where I dled the program to play with it and then could not figure out how to remove it. It was potentailly a situation where a keylogger was secretly installed on my hd and I had no idea where to find it or what to look for when I began this process. I hope in the future you can be a bit more empathetic to the concerns of one like me and not quite so demeaning. Thanks again for your very useful assistance. You have been a great help. My current running processes is down to 32 from 43. I am happy.

Have a Great Day!
Robert