
***MY COMPUTER IS SPYING ON ME***


exodus300 (Programmer, Mar 22, 2002, AU)
I was just playing around with my computer, when I found several (over 160) .dat files in the following folders:

C:\WINDOWS\SYSTEM\shelldata\cfg\5
C:\WINDOWS\SYSTEM\shelldata\cfg\6
C:\WINDOWS\SYSTEM\shelldata\cfg\8
C:\WINDOWS\SYSTEM\shelldata\cfg\8

The filenames are all obviously the names of windows, for example:

ninemsn Member Directory - Edit Your Profile - Microsoft Internet Explorer.dat
Microsoft .NET Passport Member Services -- Change Password - Microsoft Internet Explorer.dat
Please retype your password - Microsoft Internet Explorer.dat
MSN Hotmail - Compose - Microsoft Internet Explorer.dat
(msn user's screen name) - Conversation.dat

There are also several files whose filename is a number and 'c', eg. 25c.dat

The scary thing is, upon opening these files in notepad, I see recorded keystrokes, eg:

oldmsnpassword[TAB]newmsnpassword[TAB]newmsnpasswro[BACKSPACE][BACKSPACE]ord[RETURN]

This is kinda scary, because there is lots of stuff I've typed in there... such as (parts of) MSN conversations, passwords (in plain view) etc.

I like to keep my computer clean, so I often go into MSCONFIG and switch off unnecessary stuff. Here are all the entries in my registry for startup:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus2"="\"C:\\Program Files\\Messenger Plus! 2\\MsgPlus.exe\" /WinStart"
"msgsvc32"="\"C:\\My Documents\\Programming\\Message Service\\msgsvc32.exe\""
"msnmsgr"="\"C:\\PROGRAM FILES\\MSN MESSENGER\\MSNMSGR.EXE\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"IconLock"="C:\\Program Files\\IconLock\\ICONLOCK.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MessengerPlus2"="\"C:\\Program Files\\Messenger Plus! 2\\MsgPlus.exe\""
"ccEvtMgr"="C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe"
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"SchedulingAgent"="mstask.exe"
"GhostStartService"="C:\\PROGRAM FILES\\NORTON SYSTEMWORKS\\NORTON GHOST\\GHOSTSTARTSERVICE.EXE"
"CSINJECT.EXE"="C:\\Program Files\\Norton SystemWorks\\Norton CleanSweep\\CSINJECT.EXE"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""


I usually wouldn't even have that many items there, but I installed Norton SystemWorks and I don't know which ones I can switch off without breaking it.

Here are all the items that show up when I press Ctrl+Alt+Del (done while typing this):

Explorer
Ccapp
Msnmsgr
Lexpps
Mdm
Monwow
Csinsm32
Ghoststarttrayapp
Systray
Ghoststartservice
Csinject

More info on the files -
Creation dates are all 15 or 16 March 2003
Modified dates are the same


So, what's the deal? Where did these files come from? Why is my computer spying on me?

[Thanks in advance|Hope I helped you]
Exodus300
 
Well, first uncheck MS Messenger from starting, and the message service.
Monwow - Norton CleanSweep; Lexpps - Lexmark Printer Port Scanner; Mdm - Machine Debug Manager (note: if you are not writing software, turn this off);
Csinsm32 - Norton CleanSweep Install Monitor; Csinject - Norton CleanSweep; Ghost (any) process - Norton Ghost.
I would make a restore point and then delete all of the *.dat files. It appears someone has been writing software on your machine. The shelldata directory under SYSTEM is for storing machine configurations when testing software.
If you think you have SPYWARE go to com and download ADAWARE 6.
It will tell you real fast and it will fix it for you. Have you scanned your system for viruses? I would go to the Norton web site and see if any viruses leave a footprint like you have. Are you running a firewall? If not, you need to!!
 
Have you scanned your system for spyware? Spybot will find any!
 
The following info is as of 9/7/03 3:20pm EST

Regarding: "Trojan.CDance.A" virus

The logfile of the excellent freeware program HijackThis v1.96.4 included this in my micro's startup environment:
O4 - HKLM\..\Run: [Microsoft Tray] C:\KAZAA\BIKO.EXE

It's infected with the "Trojan.CDance.A" virus according to Kazaa's BullDog lite virus checker (Norton Antivirus does not know of that virus as of 9/7/2003 2pm EST). I found two .EXE files downloaded via Kazaa on my micro that had that virus (I had not had BullDog turned on at the time), with file sizes of 869,400 bytes and 869,402 bytes. Run a Windows search on your hard drives for *.exe, sort by size, and look for files around 850K (K=1024 bytes). They are suspect files. Do not run them unless your goal is to track how the virus proceeds. If you do run it, I believe it does the following (and probably more). It creates the 3 files:
WINDOWLOG.DAT
WEBSITES.DAT (hidden attribute)
APPLOG.DAT (hidden attribute)
in your \WINDOWS\SYSTEM\SHELLDATA\CFG\ directory, and then creates 1 or 2 directories named "5" or "6" or maybe some other single digit, and starts placing *.DAT logs in those directories as you work on your micro. It also places something in your Windows startup like "Run: [Microsoft Tray]..." (see above), which I had the HijackThis utility remove for me. I then archived and removed all the new .DAT files and directories (that were on or after the date/time stamp of when I first ran the infected .EXE). BTW, when you run the .EXE, nothing seems to happen, but if you then try to delete the .EXE file, you can't because it's in memory. You have to either remove it from your startup and reboot, or boot to DOS or safe mode before you can delete it.

I hope this information helps anyone struggling with the Trojan.CDance.A virus. Good luck and have a great day.
 
Sounds like you might also have "Sub7". A nifty little program that does the things that you describe.
 