Unusual problem - Desktop getting backed up to network server....
On the school system where I work, the computer in my room has been backing up the desktop of this computer (Win 98SE) to the main server (Windows/Novell) into a file specifically for Pegasus Email data only.
The tech co-ordinator and I have both been through this machine with a fine toothed comb and cannot figure out why.
The real issue is that this slows down backups of those data folders on the server - plus - WHY is it doing this? This computer is the only one on the entire network doing this - out of a couple hundred machines!
What I did find last week was that my "cookies" folder was also getting backed up - BUT the data in the cookies folder being saved to the server did not match what was on this computer. Instead it contained 567 cookie files with user names of people who have not even been at this school in a couple of years.
What is suspected is that that former student had planted some sort of backdoor/keystroke recorder a few years back and this was what was causing the funny behavior. Unfortunately, the tech co-ordinator does not remember the fix for when this was discovered on other computers a couple of years ago.
What happens is that every time this computer is restarted/shutdown/booted/logged off and on/etc. it looks for and saves data from this machine. It includes not only a cookies file that does not match the one on this computer, but saves a folder of "Application Data" (with copies of the applications that are represented on the desktop with shortcuts), as well as copies of any folders that may appear on the desktop other than the recycle bin.
I finally just deleted my user from the computer last week. This cured the problem for 1 day, but now it has returned. The only plus is that the cookies folder no longer contains all of those 567 supposed mystery cookie files.
This is driving my tech co-ordinator batty. Anyone have any ideas or suggestions?
I am afraid to try to back everything important up and F-disk this thing - as I don't know what particular file is causing this....
Originally Posted by TheBattman
On the school system where I work, the computer in my room has been backing up the desktop of this computer (Win 98SE) to the main server (Windows/Novell) into a file specifically for Pegasus Email data only.
-- Michael Rudas
It would seem to be loading at startup; have you looked at your startup list to see if there is anything suspicious in there? If you have NT or above, you have some system monitoring tools available to see what processes are running. Do you have a firewall that monitors what is using the internet connection? ZoneAlarm provides a blinking icon for whatever program is talking. You could use the search feature (WinKey+F) and search for all files created or modified when you started up your machine.
I hope there is some help hidden in there.
GrimJack
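One way to carry out the startup-list check suggested above on a Windows 98SE machine, as an added example that is not part of the original thread: it reads the text of `win.ini` and `system.ini` and reports every program named on the `load=`, `run=` and `shell=` lines. The sample file contents and the program names in them are constructed for illustration, and the script covers only these INI entries, not the registry Run keys or the Startup folder.

```python
# Added example: list programs started from the Win9x INI files.
# The two samples below are constructed, not taken from the machine in the thread.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\msbackup32.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe svchost16.exe
system.drv=system.drv
"""

# Per file, the (section, key) pairs that name programs to start.
AUTOSTART_KEYS = {
    "win.ini": {("windows", "load"), ("windows", "run")},
    "system.ini": {("boot", "shell")},
}

def read_ini(text):
    """Yield (section, key, value); section and key names are lower-cased."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip().lower(), value.strip()

def autostart_findings(win_ini, system_ini):
    """Return (file, key, program) for each program named on an autostart line."""
    findings = []
    for name, text in (("win.ini", win_ini), ("system.ini", system_ini)):
        for section, key, value in read_ini(text):
            if (section, key) not in AUTOSTART_KEYS[name]:
                continue
            # Entries are separated by spaces or commas.
            programs = value.replace(",", " ").split()
            if key == "shell":
                # The stock value is Explorer.exe; report anything else on the line.
                programs = [p for p in programs if p.lower() != "explorer.exe"]
            findings.extend((name, key, p) for p in programs)
    return findings

if __name__ == "__main__":
    for finding in autostart_findings(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("%s %s= %s" % finding)
```

An empty result means these INI lines start nothing beyond the stock shell; each reported program still has to be identified by hand.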
Is there a remote possibility that it's something on the Novell server, rather than the desktop? Normally, the configuration file for backups is stored on the server, although I've never used Novell so I can't be sure.
Another thought: a keylogger wouldn't determine what gets backed up (it would create log files hourly/daily) but it could be configured to send the logs to a remote location. Try a free firewall and log all the activity for a week or so to see what outbound connections are being opened.
As far as a backdoor, even if there was a port open, there would have to be something on the firewall/router end to route connections from the outside to that IP:port, and I don't think a student would have that access. It's possible it opens a connection to the outside and listens, but again, some simple logging on the firewall should point that out. After that, you should have a good idea which backdoor is in use by using Google to find the port/backdoor match, then find the way to remove it.
Or, reimage the system if an image was created, or wipe the drive and reload the O/S.
The possibilities are numerous...
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke






