Thread: Three-week-long scan!

  1. #1
    Junior Member
    Join Date
    Mar 2009
    Location
    Central PA
    Posts
    5

    Three-week-long scan!

    I have two computers (both with XP SP3 & updates), which I'll simply call "older" and "newer."

    About 10 days ago the older machine started acting strangely. All three keyboard status LEDs would blink on, then off... sometimes on and then off a second time. Thereafter, the "typematic" or "keyboard repeat" rate became very slow. Holding down one key, to create a line of characters the width of the page, would take 7 or 8 seconds, instead of less than 2 seconds. Rebooting would eliminate the symptoms, but they would come back, anywhere from 5 minutes to 90 minutes after the reboot. Because of the keyboard & LED symptoms, I suspected a keylogger. I scanned with AVG, Ad-Aware, and 2 or 3 rootkit scanners; all came up negative. I downloaded SSnD and it reported VirtuMonde, also reported removing it. The next scan after reboot was clean, but eventually the symptoms came back. I decided to quit running the older machine, and try another approach.

    I fired up the newer machine, upgraded to AVG 8 free, downloaded a fresh copy of SSnD. I unplugged the C:\ drive from the older machine, connected it to an ATA/USB adapter, and plugged it into the newer machine's USB port, while holding down {left shift} to prevent autorun/autoplay.

    I started SSnD from the user interface, and told it to scan the E:\ drive (which was actually the older machine's boot drive, via the USB adapter). That scan did not find Virtumonde, but found a different infection this time (sorry, I have misplaced my notes with the name). Again, SSnD reported successful cleaning, and a new scan after reboot came up clean.

    At that point, I was tempted to copy a few data files from the older boot drive to the newer machine. I opened My Computer, and verified seeing the E:\ drive there (again, the older boot drive via the USB adapter).

    Just on a whim, I right clicked the drive, then selected "Scan with SSnD". A small window opened up in the middle of the screen, showed a big list of files, and started scanning. That was last Sunday, 6 days ago. As I write this, it is still scanning! The status bar shows 6 black rectangles, and it appears that the scan is roughly 1/3 complete. I would guess the complete scan of this 20 GB drive will take about three weeks!!!

    I just checked, and it took nearly 90 seconds to scan one file, watv02nt.sys.

    I can't believe the scan is this slow... are there any comments?

    Also, the present slow scan has shown a few hits so far, as follows:

    YOUR-machinename.ldb = Smitfraud-c.
    regsvr32.exe = AdDestination
    SpOrder.dll = webHancer
    syssetup.inf = TinyBar.C

    I've googled the descriptions of the above malware, and none of it matches the older machine's earlier symptoms. Any chance those are false positives?

    Any comments or suggestions would be greatly appreciated!

    THANKS IN ADVANCE!

  2. #2
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    There is a misunderstanding because, from your description, you are using the Windows Explorer scanner from Spybot-Search&Destroy, and that scanner was not meant to be used for scanning whole drives, but rather single files. Scanning a whole external drive wouldn't take three weeks but more than forever.

    I am not clear on what could be the cause of the keyboard problem. What does the LED light represent (Number lock? Activity?)? I never heard of the Virtumonde trojan hindering keyboard performance.

    Besides AVG and Spybot I would suggest you scan your whole drive (your current computer and later your other drive from the older machine) with another anti-spyware/virus tool. One is not enough.

  3. #3
    Junior Member
    Join Date
    Mar 2009
    Location
    Central PA
    Posts
    5

    Quote Originally Posted by drragostea View Post
    There is a misunderstanding because, from your description, you are using the Windows Explorer scanner from Spybot-Search&Destroy, and that scanner was not meant to be used for scanning whole drives, but rather single files.
    Well, sorry, I didn't see that stated anywhere. The option was there in the Windows Explorer window, so I used it.

    Quote Originally Posted by drragostea View Post
    Scanning a whole external drive wouldn't take three weeks but more than forever.
    I still believe it will take about three weeks, less than four. After nine days, there are nine black rectangles in the status bar at the bottom of the SSnD window, a bit less than half of the status bar. I think it will take another 12 or 13 days. (There are only about 12GB of files on the drive, as I stored most files on a different physical drive.)

    Quote Originally Posted by drragostea View Post
    I am not clear on what could be the cause of the keyboard problem. What does the LED light represent (Number lock? Activity?)?
    As I said, all three LEDs blink. As on all keyboards that I have seen, those represent "Num Lock," "Caps Lock," and "Scroll Lock." All three of them blink at the same time, just as they do when the machine is booting up. (But then, the typematic rate becomes very slow.)

    Quote Originally Posted by drragostea View Post
    Besides AVG and Spybot I would suggest you scan your whole drive (your current computer and later your other drive from the older machine) with another anti-spyware/virus tool. One is not enough.
    Although I didn't say so, I also scanned the older machine with one (or perhaps two) online scanners, as well as Windows Defender. I'm confident the newer machine is clean, it has had an AVG scan and an online scan. And it does not exhibit any of the strange symptoms, those happened only on the older machine when booting from its own C:\ drive.

    THANKS!

  4. #4
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Maybe I exaggerated a bit when I said it would take forever, but it sure will take a long time (maybe a month). I feel that it would be a waste of effort to continue scanning when you now know that the single file scanner was not meant to scan whole drives.

    I'm sorry but I really don't know what is causing your keyboard problems. I don't think keyloggers intervene with the physical keyboard itself. It could possibly be a defective keyboard.

  5. #5
    Junior Member
    Join Date
    Mar 2009
    Location
    Central PA
    Posts
    5

    Quote Originally Posted by drragostea View Post
    Maybe I exaggerated a bit when I said it would take forever, but it sure will take a long time (maybe a month).
    Yep, that's what I've been saying, 3 to 4 weeks. It's been scanning now for 12 days, and half of the progress bar (32mm of a total 65mm) now has rectangles.

    Quote Originally Posted by drragostea View Post
    I feel that it would be a waste of effort to continue scanning when you now know that the single file scanner was not meant to scan whole drives.
    But why does that make it useless? It has already found 7 suspect files (names like Smitfraud-c., Banker, etc.), which were not previously found when I started SSnD from the program menu.

    Quote Originally Posted by drragostea View Post
    I'm sorry but I really don't know what is causing your keyboard problems. I don't think keyloggers intervene with the physical keyboard itself. It could possibly be a defective keyboard.
    I had the same problem about a year ago, and cured it with System Restore, so it was caused by some change in the software. But this year, System Restore returned a "cannot restore..." message for any date I tried.

    Furthermore, I am presently using the same keyboard (and mouse) with the "newer computer" that I was previously using with the "older computer" and there is absolutely no sign of those symptoms now. So I feel strongly it was caused by some change in the older computer's software.

    --

    Also, in thinking back about the beginning of the problem, I believe it started shortly after I opened a .wmv file that my brother sent me. That file got past Windows Defender without any flags, and scanned clean with AVG. But is it possible that file connected with a remote server somewhere, which caused my machine to download some sort of malware? If you wish, I believe my brother still has the file and could EMail it to you for analysis.

    THANKS AGAIN!

  6. #6
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Hm, well it can depend if the .wmv file is 'secretly' bundled with something unwanted... if not, can you think of any other things that might have caused the problem? Or you can always upload the file to VirusTotal to see if it is flagged by any of the AV products.

    In what section are the flagged entries in Spybot's scanning window appearing? Heuristics?
    Quote Originally Posted by gminpa
    But why does that make it useless? It has already found 7 suspect files (names like Smitfraud-c., Banker, etc.), which were not previously found when I started SSnD from the program menu.
    Sorry, if I implied it was 'useless' but I was not referring to the scanner being 'useless', but more like "not so much of a good idea" (unless you have lots and lots of time [the scanner is not optimized for huge files]). I have to say, you've changed my perspective of the scanner. I never thought about it actually finding stuff >_<.

    It could possibly be old hardware, but they're Windows XP SP3 after all. If you were to put some high end, super laser keyboard and mouse on a Windows XP machine built in 2002-2004 it might not work so well after all. But that's just my guess.
    Quote Originally Posted by gminpa
    Yep, that's what I've been saying, 3 to 4 weeks. It's been scanning now for 12 days, and half of the progress bar (32mm of a total 65mm) now has rectangles.
    Well, you can keep scanning if you wish (and you have the time). It'll eventually end with Spybot showing you what it has found. Like I said before I was a bit curious in which section (Malware or Heuristics) Spybot flagged the files in.

  7. #7
    Junior Member
    Join Date
    Mar 2009
    Location
    Central PA
    Posts
    5

    Quote Originally Posted by drragostea View Post
    In what section are the flagged entries in Spybot's scanning window appearing? Heuristics?
    The first entry, (YOUR-machinename.ldb = Smitfraud-c.) was prior to the Heuristics section. I believe all the other entries have been within the Heuristics section.

    Quote Originally Posted by drragostea View Post
    It could possibly be old hardware, but they're Windows XP SP3 after all.
    Nothing high end, they are both Celeron machines, 512GB RAM, XP with SP3. An old reliable PS2 keyboard and mouse. Nothing wireless, nothing USB.

    Quote Originally Posted by drragostea View Post
    Well, you can keep scanning if you wish (and you have the time). It'll eventually end with Spybot showing you what it has found.
    I might as well let it run for 2 more weeks. Meanwhile, I am still using the same "newer" machine, for web browsing, EMail, etc. (But, overnight I turn off all the other apps, so that SSnD will perhaps run a bit faster.)

    THANKS AGAIN!

  8. #8
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    I'm sorry but your keyboard problem is beyond me. I've never encountered this issue.
    -
    The other entries detected like AdDestination could possibly be false positives. I'm not so sure what advice to give you about it. Heuristics could be a potential false positive. You might need some advice from Team Spybot about the specific files. In the meantime, you can always dig through the hard drive and upload the flagged file to VirusTotal to see if it is really infected.

  9. #9
    Junior Member
    Join Date
    Mar 2009
    Location
    Central PA
    Posts
    5

    The keyboard issue is, indeed, very strange. I've seen it at least once before, yet nobody I know (including some IT people at a fairly large university) has heard of anything like it.

    Yes, when the scan is finally finished, I will have to search through that hard drive, find all the flagged files (i.e. figure out which directories they are in), and then perhaps upload them for checking. I rather hope that I find something that is not a false positive, it might be the cause of the keyboard symptoms.

    THANKS.

  10. #10
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Alright. Good luck then, I'll wait for your results.
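
The search described in post #9 (locating every copy of the flagged file names on the attached drive) can be scripted. The following is an added example, not code from any poster or from Spybot: it walks a drive, matches the four file names listed in post #1, and computes a SHA-256 for each copy so the hash can be searched on VirusTotal before uploading anything. The script name and the `E:\` argument are assumptions.

```python
import hashlib
import os
import sys

# Names as written in post #1; compared lowercased because Windows names are case-insensitive.
FLAGGED_NAMES = ("YOUR-machinename.ldb", "regsvr32.exe", "SpOrder.dll", "syssetup.inf")

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_flagged(root, names=FLAGGED_NAMES):
    """Walk root and return one record per file whose name is in names."""
    wanted = {name.lower() for name in names}
    records = []
    # onerror keeps the walk going past directories that cannot be listed.
    for folder, _subdirs, files in os.walk(root, onerror=lambda err: None):
        for filename in files:
            if filename.lower() not in wanted:
                continue
            path = os.path.join(folder, filename)
            try:
                record = {"path": path, "size": os.path.getsize(path),
                          "sha256": sha256_of(path), "error": None}
            except OSError as exc:  # locked or unreadable file: report it, keep going
                record = {"path": path, "size": None, "sha256": None, "error": str(exc)}
            records.append(record)
    return records

def group_by_hash(records):
    """Map each distinct SHA-256 to the paths sharing it (one lookup per hash)."""
    groups = {}
    for record in records:
        if record["sha256"]:
            groups.setdefault(record["sha256"], []).append(record["path"])
    return groups

if __name__ == "__main__":
    # Assumed usage: python find_flagged.py E:\   (the USB-attached drive)
    found = find_flagged(sys.argv[1] if len(sys.argv) > 1 else ".")
    for sha, paths in sorted(group_by_hash(found).items()):
        print(sha, *paths, sep="\n    ")
    for record in found:
        if record["error"]:
            print("unreadable:", record["path"], record["error"])
```

Copies of the same file name that produce different hashes are distinct files and need separate lookups.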
