Constantly scanning accessed same file in system32 but no Evil reported

[El_Barto]

Hello Folks,

I'm new here so forgive me if I've missed something covering this already.  I've been trawling the forum for the last couple of hours and I can't find any clear reference to this trouble.

I just got rid of Norton and put on Avast Pro.  I ran a thorough scan and it found a couple of old worms which were safely out of the way in old e-mail archive files from years ago, no current problems present.

Except something's very odd.  The little sys tray icon spins almost constantly.  The handy On-Access Scanner Message reporting popup tells me that something is repeatedly accessing this file;

C:\WINDOWS\system32\mslbsystl.dat

over and over, sometimes repeatedly several times, sometimes with a little rest of a second or to at the most.

Even more worrying is that every last keyboard press accesses;

C:\WINDOWS\system32\mslmlkbd.dll

If the first is deleted, the accessing stops.  And then it's back after a reboot.

If the second is deleted, it reappears in system32 immediately.

This stinks to me of malware and terrifyingly a keylogger?

Googling both file names ONLY finds mention of those files in a small number of pages, all virus related.

Norton didn't find this.  Avast seems oblivious.  I also downloaded a-Squared Security Centre and it's also happy that there's no suspicious activity in memory or on C.

I also submitted both these files to a website somebody mentioned on here which runs it through loads of virus scanners, and not one had any result there either.

Coincidentally, Windows now crashes right at the very end of its shutdown procedure, a blue screen of death caused by the windows logon process.  Hadn't installed anything new, so that's a nuisance.  But is it coincidence...?

Obviously this is really worrying.  Can anybody give me an expert opinion?

Thanks for now,

John

UPDATE:  I've saved a text file over each of those two files and made them read-only.  The accessing has stopped immediately and hasn't been back.  But the question remains, what process was using them and what for?  I've got a complete drive image of my laptop from a few weeks ago which I can change out and copy over what's changed (mostly just Outlook email data), but then I'll have the hassle of uninstalling norton, putting avast in, blah blah.  I'd prefer to solve the problem than run away from it.

[Lisandro]

avast malfunction (detection or cleaning) could do to a bad Norton removal as you know...
Anyway, did you run an avast boot time scanning?
I will suggest you download, install, update and scan with AVGantispyware (old ewido) and SuperAntispyware for trojan removal.

[DavidR]

A google search for your mslbsystl.dat returns several hits as you found http://www.google.com/search?q=mslbsystl.dat and could be an indication of another trojan, Delf, http://www.sophos.com/virusinfo/analyses/trojdelfkp.html, check the Advanced tab.

-- Most Delf Trojans add a Startup entry:  Startup Entry Name, SysService  - Process Name, SysService.exe
Use Task Manager to End the Process. Also to end the startup entry, Windows Start, Run, type 'msconfig without the quotes, in the new window select the Startup Tab, find the SysService entry and uncheck it.

A google search for mslmlkbd.dll again returns similar hits http://www.google.com/search?q=mslmlkbd.dll, this is just one, http://fileinfo.prevx.com/adware/qqf49a56314109-MSLM29014661/MSLMLKBD.DLL.html.