Something wicked this way comes
Posted by David on April 28th, 2004


Info regarding a recent close call due to mysterious spyware
on my Win98se system. I could not find much info on Google
Web or Google groups so I am posting this to get more info
and to share/warn others. Had I not caught it in time it would have
crashed my system. Not sure if this is a virus or spyware.

I started Norton Disk Doctor and went to brush my teeth
while it was running. Typically NDD would be finished
by the time I had come back. However, it was "hung"
on a folder named "data". I thought maybe this folder was
very large so I waited for several seconds but it remained
stuck. I rebooted then restarted Disk Doctor. Same thing again.
I searched my C: drive for "data" (lower case) since Disk Doctor's
status bar indicated the same. Found the only
"data" folder in lower case at "C:\windows\system\data". I opened
the folder in Windows Explorer and discovered over 9,000 files for a
total of 535 MB in size. The files were in two specific formats (see message
below).
This seemed very odd so I googled for about 20 minutes and found only
one post which matched my experience. See post below . . .

______________________
http://groups.google.com/groups?hl=e...0a %40phx.gbl


I kept going back to the "data" folder to examine the files/dates and
noticed that something was actively creating new files every minute or
less. By examining the total date range of all files in the folder I
discovered that this process had only been happening for several days.
Logic, and some simple mathematics, dictated that my hard drive would
soon be overflowing with these files. Quickly I did a three-finger-salute
(Ctrl+Alt+Del) to bring up the task manager. Nothing out of the ordinary
there. Exited TM and typed "msinfo32" in the Run dialog. Went to
Software Environment--> Running Tasks and saw "keep.exe" standing out
like a sore thumb.
Long story short, I booted to DOS and renamed keep.exe then deltreed
the data folder. I rebooted back to Win98 and cleaned my registry
of all references to keep.exe, etc... Then I went to my second home
computer (also Win98se) and looked in C:\windows\system. There
is NO "data" folder there.

So, what the hell is this thing? I'm going to need to change all my
passwords because one of the dependencies was winsock.dll so I assume
it was key-logging me and sending it somewhere. (I know, I know - I
should use a firewall. I've gotten too comfortable w/ my router's NAT
security.)

Here is a summary of info on related files I found in the
C:\windows\system folder. I found them by searching for files
with the same date & time.

The following files . . .
- keep.exe
- keephk.dll
- keepwb.dll
- inst.dat
- KEEPr.exe

All files . . .
- are placed in the c:\windows\system folder
- have a shared date (on my system the date is 4/23/03)
- keep.exe creates then writes its files to C:\windows\system\data.

The main executable, "keep.exe", runs invisibly at startup from
a location in the registry. It will not show up in the task manager.

I hope this is helpful to someone.
David
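An added example (not from David's post or any tool mentioned in this thread): a Python script that mechanizes the two manual checks David describes, grouping files that share an exact timestamp and estimating how fast a dropper folder is filling the disk. The directory listing it works on is constructed, not captured from his machine.

```python
"""Added example: spot a dropped file set by shared timestamp and estimate the
growth rate of a folder being filled by a running process. The listing below is
constructed to resemble the post; it is not real data from the poster's system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed listing of (path, modified-time) entries: five files sharing one
# install timestamp, some unrelated system files, and a "data" folder that
# receives a new file roughly once a minute.
INSTALL_TIME = datetime(2003, 4, 23, 14, 2, 0)
LISTING = [
    ("C:\\windows\\system\\keep.exe", INSTALL_TIME),
    ("C:\\windows\\system\\keephk.dll", INSTALL_TIME),
    ("C:\\windows\\system\\keepwb.dll", INSTALL_TIME),
    ("C:\\windows\\system\\inst.dat", INSTALL_TIME),
    ("C:\\windows\\system\\KEEPr.exe", INSTALL_TIME),
    ("C:\\windows\\system\\user.dat", datetime(2004, 4, 27, 9, 0, 0)),
    ("C:\\windows\\system\\shell32.dll", datetime(1999, 4, 23, 22, 22, 0)),
] + [
    ("C:\\windows\\system\\data\\log%05d.txt" % i,
     datetime(2004, 4, 25, 8, 0, 0) + timedelta(seconds=55 * i))
    for i in range(4000)
]


def shared_timestamp_groups(listing, min_size=3):
    """Return {timestamp: [paths]} for timestamps shared by >= min_size files.
    Unrelated-looking files written in the very same second are the usual
    footprint of one installer dropping them together."""
    groups = defaultdict(list)
    for path, mtime in listing:
        groups[mtime].append(path)
    return {t: paths for t, paths in groups.items() if len(paths) >= min_size}


def growth_estimate(listing, folder, avg_size_bytes, free_bytes):
    """Return (files per minute written under `folder`, minutes until the disk
    is full at that rate). `folder` must end with a path separator so that
    "data" does not also match "data2"."""
    times = sorted(t for p, t in listing if p.lower().startswith(folder.lower()))
    if len(times) < 2:
        return 0.0, float("inf")
    span_min = (times[-1] - times[0]).total_seconds() / 60.0
    if span_min <= 0:
        return float("inf"), 0.0
    rate = (len(times) - 1) / span_min
    return rate, free_bytes / (rate * avg_size_bytes)
```

The average file size passed to `growth_estimate` can be taken from the figures in the post (535 MB over roughly 9,000 files), and the free-space figure from whatever the drive reports.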

Posted by Ron & Ree on April 29th, 2004


You can use a program such as Process Viewer 2000 to see everything running
on your computer.
http://www.blehq.org/

You might try emailing the guy in the post you linked to. Maybe he figured
something out; it was quite a while ago.

You could try sending the file(s) to an Anti-Virus company to check them out
(You should zip them first).
Or send them to Kevin at BOClean:
kevinmca@nsclean.com
He's very responsive and will let you know if it is some sort of Trojan.
Plus BOClean is a very good Anti-Trojan program that is reasonably priced.

--
Ron & Ree Williams - http://www.ronree.com/
"If women didn't exist, all the money in the world would have no
meaning." - Aristotle Onassis


Posted by David on April 29th, 2004


Thanks. I found some info on "keeper.exe" at pestpatrol.com. I'm
pretty sure this is a variant of that trojan. Here's the URL . . .

http://www.pestpatrol.com/PestInfo/k/keeper.asp



Posted by Ron & Ree on April 29th, 2004


If you haven't cleaned it yet you might try the following:
Free on-line Trojan scanner:
http://www.trojanscan.com/
Free Anti-Trojan program:
http://www.emsisoft.com/en/software/free/

Some of the other Anti-Trojan programs have 30 day trials too. (Trojan
Hunter, TDS-3, etc.)
Also you could still submit it to Kevin or whichever Anti-Virus product you
use. Then if it is a new variant they can update their signature files to
recognize it.

I never really trusted PestPatrol. It came up with way too many false
positives on my system. They used to identify everything from joke programs,
scanners, hex editors, etc. as trojans, which they were not. But the last
time I tried the program they had improved in that regard.
--
Ron & Ree Williams - http://www.ronree.com/
"If we don't succeed, we run the risk of failure." - Dan Quayle


Posted by David on May 1st, 2004


Thanks to all. Yes, I cleaned it out just fine. First time I ever got
a trojan or virus.


