How is my computer being "bugged"?

Someone has installed something on my computer (hidden file?)That copies all info typed or accessed including passwords, e-mails, IM, When I ctl/alt/d shows the following programs running: Reg32, avconsol, osa, Em exec, dssagent, rundll, systray, vsstat, vshwin32, rnaapp, and aim. Which programs are they using and how do I disable them. When I run/ and type in program name, I get a message that says the program is missing or can not find installed components.
Who is Participating?
gemartiConnect With a Mentor Commented:
This is a very interesting conversation. May I suggest a technique I use here at work on multi-user PC's that is quite complicated, but very effective in keeping unwanted programs from being run on a system?

Get into your registry (you guys help out here as I don't really have time to explain all this) and go to the following registry key:


If RestrictRun doesn't exist create this KEY (on the windows folder (left side of screen)in the regedit screen right click your mouse, select new "KEY" call the new key RestrictRun)
Select this new key and then on the right side of the screen all should be blank. You will need to enter alot of information, depending on the number of programs you run on your machine but you will be able to restrict what is run.

What ever program is not in the list will not run. So you will need to make sure you have all the vital programs for windows, Your office suite, IE Explorer or Netscape. To keep him from running a setup program you just leave it off this list. To keep KeyKey from running leave it off the list.

I suggest that you get a list of all the exe programs on your computer and add them to this key, except for setup.exe, install.exe, and keykey.exe
these can be added when you need to run them.


To add a value right click your mouse on the right side of the registry editor select NEW VALUE and type in a number (number sequentially) then right click on that number after it appears on the right side of the registry editor and select MODIFY and add the excecutable you need to run. See examples below:

Here is list of some programs I know you will will need to run. need to run:

How do you know it's beuing copied?
Where do you see it?

You can shut off those programs in System Configuration Utility>>
Startup Tab.

Bud's Win95 Win98 Tips and Troubleshooter
AVCONSOL, VSSTAT and VSHWIN are all to do with your virus checker (McAfee, if I'm not mistaken); RNAAPP relates to dial-up networking; OSA is something to do with Microsoft Office; RUNDLL and SYSTRAY are important system items which shouldn't be tampered with. The others I can't help you with.
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Sunshyn63Author Commented:
I am pretty computer illiterate. I am not sure where the systm configuration tab is and what it is exactly that I am suposed to be deleting.
the system configuration tab is part of msconfig. to start this click on start, then run and type msconfig in the dialog box and click ok, you are now in the ms configuration applet, click the startup tab and there is a list of programs that start once windows 98 has started up.

if you are worried that someone externally has installed something on your pc, it may be worth installing a firewall to prevent access to your pc from external means, i.e. the internet, you can get a relatively good one free from :-

hope this helps

sorry that url should read :- and not
Sunshyn63Author Commented:
The person that has "bugged" the computer is inside the home.
The question of how you know you are being bugged?

Is it through a modem, lan or recorded onto a file on your machine to be taken off at a later date?

Temporary solutions are:

get the very latest definitions for your Anti-Virus (even if it only 2 days only)

disconnect (physically unplug) from your network if you have one.

disconnect your modem from your phone line.

Monitor who else accesses your machine (I mean who sits at the keyboard and uses the machine).

Only connect your machine to the network or phone line when you need it.

OK, these are temporary, however, we will need to know more information. Such as which OS version, have you modem and/or network card, how you know you are being bugged and anything else that help us understand your position.

what makes you think you're being "bugged"?
Sunshyn63Author Commented:
My husband has been sending e-mail from my accounts (and had not been given the passwords) He also has been repeating conversations (verbatum) that I have had with my mother via e-mail and IM. He told me he has done something to the computer that logs keystrokes and copies all info. There has to be some way I can remedy this.
divorce him or find out what program he's using.

I assume he lives with you?  or is this happening over the internet?
by the way, if you go for the divorce make sure YOU keep the computer.
Run regedit and check if there is anything weird looking under:


If there is remove the entry and you should fix the problem.
I know that most programs that log keystrokes do not show up as a running program.  This is just an FYI.  You might want to go to the start menu, hit the run button and type sysedit --hit enter.  From there look at your autoexec.bat file and see if anything in there looks unusual.
for that matter, go to start | run and type msconfig

click the startup tab and tell us what's listed there.
Sunshyn63Author Commented:
ok...under sysedit...there is C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
rem TShoot:
under msconfig startup there are: Taskbar display controls, Scan Registry, System tray, Load Power Profile, Em_exec, avconsoleEXE, VsecomrEXE, SsstateEXE, Vsshwinn32EXE, McAffeewebscananx, QuickenSE Message, Billminder, Real Tray, pp3100B, MS office shortcut bar, Resource Meter.

Sunshyn63Author Commented:
ok...under sysedit...there is C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
rem TShoot:
under msconfig startup there are: Taskbar display controls, Scan Registry, System tray, Load Power Profile, Em_exec, avconsoleEXE, VsecomrEXE, SsstateEXE, Vsshwinn32EXE, McAffeewebscananx, QuickenSE Message, Billminder, Real Tray, pp3100B, MS office shortcut bar, Resource Meter.

Go under start|settings|control panel.  Click add remove programs and make sure nothing called keykey or keyghost are listed.  They seem to be the pretty big key logging programs.  If one is listed click add/remove.
Go to a DOS prompt; it should default to c:\windows.  Type cd.. , then hit enter key.

Type dir>cdrive.txt

then hit the Enter key.  type cd.. --enter key. Type cd progra~1 --enter key.

type dir>cprogram.txt

then hit the Enter key.  Please attach the file (c:\cdrive.txt and c:\program files\cprogram.txt) to an e-mail message and send it to
why not share it here?  this is a knowledge sharing community right?
Sunshyn63Author Commented:
I do not know how to go to a DOS prompt. Thank you all for your help. I am not sure how all of this expert stuff works, but I hope I can do something for you.
Sunshyn63Author Commented:
I do not know how to go to a DOS prompt. Thank you all for your help. I am not sure how all of this expert stuff works, but I hope I can do something for you.
First off, there are a number of ways he could be capturing the information; via a keylogger as you suspect or possibly through the use of a utility such as Back Orifice, Netbus, or the like.  If he is retrieving the information physically at your machine, then you should disallow him access as  a first step by going into your BIOS and invoking a password to be required at bootup.  While this can also be bypassed at least three different ways, it won't be captured by any program and may keep him at bay until you sterilize your system.  Current antivirus software should be able to pick up on any of the previously mentioned programs.  There are a couple of keyloggers that run a little stealthier than others; I.E. don't show up as a running process, don't show as a running application, etc.  AV software should find and eradicate them nonetheless.  Once you rid of the offending program you should take measures to keep the <er, person> off of your system.
Sunshyn63Author Commented:
You are all being a great help and I thank you for your patience, but I don't know what a bios is either. I really only know how to e-mail and use programs like word/excel/ etc. I do know he retrieves the information from this computer while I am out of the house.
I am guessing her and her husband share the computer, so giving him no rights to the computer would not be good.  Most computers also have a way to reset the bios quite quickly, so a bios password would not be secure enough.  To go to a DOS prompt start|program| and scroll down to ms-dos prompt.  You can do it while in windows.  If you happen to get a full screen dos prompt, type exit at the prompt when finished.  Sorry 1cell about telling her to email them to me, I figured it would be a long list.
OK, let's get real here.  You can do anything you want to stop the current problem.  However, since you guys share the computer, he can also do what ever he wants to afterwards.  Not trying to get personal but, have you talked to your husband about how this is an invasion of your privacy which you do not appreciate?  Have you thought about retaliation?  load your own key logger and follow what HE does.  Then, you will know how he's doing it and you can play along.

Unfortunatley, anything you do can be undone when you leave the house unless you want to block other people from using your computer.
Sunshyn63Author Commented:
I have no problem changing the bios and creating a password, but I can't find how to do that. He has locked me out of the computer numerous times. When he gets home and reads all of this he will surly lock me out again. When I go to start/programs I do not see anything for am MS dos prompt.
Good call 1cell, I agree.  Sunshyn63, here is a link for keykey a key logging program, make sure you don't create a desktop icon.

Have fun with it.
Sounds like he is a real jerk to do all this to you.  Is this a game or is he really this mean?
Sunshyn63Author Commented:
I have had numerous talks to him about the invasion of privacy, but he continues to invade. Locking him out of the home computer does nothing to "hurt" him as he has computer access at work. After the ways that I have been hurt, locking him off the computer seems mild. He will be home in about 2 hours and I need to do something fast. Locking him out and finding a free key logger seems to be the best solution. But..I have no idea how to go about doing any of that.
Sunshyn63Author Commented:
we are going to be going through a divorce. He does this to find out what I have been telling my family members. I need a free program as he has also taken away ccards and drained all bank accounts.
Take the keyboard and hide it.  While your at it take the mouse and the power cable that you plug into the wall for the computer also.  Tommorow, take the computer to a local computer consultant and have them reinstall everything on the computer from scratch and have them install a program called LOCKIT.  Unlike the BIOS password, there is no getting around this one.
Whoops!  Here is a free package, that is relatively small.  Hopefully you can get it installed before he gets to your computer.  If not take the keyboard, mouse and power cable for the night and install it tommorow.
Your husband may not be running a monitoring program at all.  If your computer is set to save passwords (if you don't enter you password each time you log into your email programs) then he has access to send from your account.  Additionally, he can open your email profile under his side by copying your info to his appropriate directory.  I know ICQ stores logs of chat sessions on the computer, and IM might do this also.  If so, he can read these files at his leisure.  Your safest bet for privacy is to go to your local library and use their internet access.  If you don't have an online email account (hotmail or yahoo), make one and only use it from the library.  Whatever you do, don't let these programs save passwords if they prompt you to do so.  Just read your prompts carefully.  Delete emails from your inbox, sent folder, and deleted items folder using your email program.
i like celtics ideas.  rmeoving the keyboard, etc will definately stop the problem until you can get something done permanently.  The other thing to mention is that this type of activity will strengthen your divorce case.  If you have proof of him sending emails from your account and accessing your private information, maintain that proof.  It shows maliscious intent on his part.

Anyway, first things first.  Set the BIOS password.
1)  restart the computer and look for the instruction which says press F2 to enter setup (might not be F2, could be Del, F1, etc) and press it when it says
2)  You are now in your BIOS or CMOS setup.  Use your arrow keys to navigate until you find Security or Password category and enter a password there.
3)  Exit saving changes by hitting F10 from the original screen.  You might have to hit escape to get back to it or there might also be an Exit tab at the top right.  Just make sure you exit, saving changes.
4)  the system should boot.  if it does not ask you for a password, restart the system to verify that it does ask for one.  If it does not, you need to repeat the above steps.  If there is a User and an Admin password, use both.

let us know if you have problems
Yikes, guys and gals...this is a newbie, lets give her some basic instructions step by step, and keep it as simple as possible. What ya say?
Suny, use ctl + alt+ delete (holding down all three keys) one time
this opens the close program box, Close all your programs EXCEPT Systray and Explorer by highlighting one program and clicking "end task".  Doing this for all but systray and explorer will also close your virus protections (Mcafee)  program so I stronly recommend as long as the protection program is off you do not download anything to your system.
To disable those programs first Check for the "startup folder"  Click "start", Highlight programs folder, look for the folder called "Startup" if you see icons in this folder these are all programs that are starting when you start the computer.  To find out what programs they are, hightlight one program, right click on it and it will open a window that tells you what primary folder it is in on your computer, usually that will be the actual name of the software.
Hopes this helps.
oops...if you choose to disable any of the programs in the "Starup" folder  delete the icon by right clicking and choosing "delete" This will keep the program(s) from starting up, though they can be run or another short cut can be put in the startup file. If you happen to find and identify the program being used to "bug" your system, you can go into the control panel choose "add/remove" programs and remove the program from the computer. Of course, it can be reinstalled.
Also if you using AOL..your personal filing cabinet is accessible off line just by opening AOL and choosing personal filing cabinet. Any mail you have read and not deleted will be in this cabinet so anyone with access to the computer can read it.
Sunshyn63Author Commented:
ok...I went to down;aod and install keykey. Said the program already exists. I tried to overright it and when it called for a password, it must still be using the one that was originally installed...What do I do now? If I uninstall and reinstall, will it allow me to put in my own passward? Talk fast..he is due home in less than an hour. Taking tha keyboard will only cause him to remove stuff from the computer to allow me no access once I reconnect the taking out memory chips etc...
what you do is uninstall keykey since that's obviously what your husband is using.

Hopefully, it's under Add/Remove Programs in Control Panel.  To find out:
1)  double click my computer
2)  double click control panel
3)  double click add/remove programs
4)  look through the install/uninstall list for keykey or anything similar
5)  click on the entry to highlight it then click on the add/remove button.

if it's not in add/remove programs, you can remove it manually by the following

go to start | find | files or folders and search for KKMON.EXE    

note the folder it is located in, ie. c:\program files\keykey

find program titled uninst.exe in the same location and run it.  this will remove the program

Files associated with this program are:

VKEYKEYD.VXD --> the KeyKey driver for Windows 95/98
- KEYKEY.SYS   --> the KeyKey driver for Windows NT/2000
- KEYKEY.EXE   --> the KeyKey Converter (for reporting)
- KKMON.EXE    --> KeyKey Monitor program
- INSTALL.EXE  --> Installation program
- UNINST.EXE   --> Uninstallation program
the uninst.exe by default is in c:\program files\keykey

do a find files for keykey.  when the reults come up, double click on the keykey folder.  Find the uninst.exe and double click it.

it's possible that he renamed the folder during installation but it's out there somewhere.
For what you're asking:

1.  Password "crackers" can be downloaded just about anywhere on the internet for free. We use them at work for workstation users who've lost DUN passwords, Network passwords, etc.

2.  These programs do NOT need to be installed on the computer they're being used on.

3.  If this is what's being used, you have no solution.

Sunshy, try what 1cell is suggesting to remove the keykey program. If the keykey program file can't be located through add/remove programs, try using "find" start
2. Click "find"
3. click "files and folders" the Box labeld "named" type in keykey.exe
5. click "find now"
6. When key key executable program show up in the large box it will show in folder (name) write it down.

Next steps will be to go to the folder by using Win Explorer (do you know how to use Win Explorer?) assuming you do double click the folder check it for the files names and make sure they are related to keykey and if they are
right click on the WHOLE folder and select delete. This will get rid of the program in it's "home" location.

1cell, thanks for the step by step !
DONT just delete the folder, that will leave orphan registry entries.  use the uninst.exe frmo the folder you find.
hmmm 1cell, orphan registry entries are dos you can use
scanreg /fix       and the optimize the registry with scanreg /opt.
Also at the dos prompt
Take the computer and throw it out the window or talk to family members on the phone instead of e-mail. Run up a large phone bill and make him pay for it. Tell the divorce court judge that you had to use the phone because he bugged you.
Lock him out.
WinShield Secure PC
Security is a big Issue Now-a Days
Here's One of the Best Security Applications I've seen.

Bud's Win95 Win98 Tips and Troubleshooter
Sunshyn63Author Commented:
Thanks you all! I am trying to figure out how I can give all of you points. You have all been a big help to me!
so did you get the program removed?
is your husband pissed?
does that make you smile?
don't leave us hanging, you gotta finish this story for us.
Sunshyn63Author Commented:
I got the program removed. Thanks for all of your help.
Sunshyn63Author Commented:
I will give you more details once our divorce is final. I will also give you all points after I figure out how to do that.
Sunshyn63Author Commented:
I will give you more details once our divorce is final. I will also give you all points after I figure out how to do that.
Sunshy, I'd suggest now you put a password on the system through the bios. Hopefully, that would prevent him from doing the same again. Just let us know if you want to I'm confident we can tell you. :-)
Simple solution.

Delete the program.......delete the husband.

then reboot life.

I wanna hear his side of the story.

Mr. Objective

Community Support has reduced points from 100 to 25
Reducing points to allow for them to be split among the experts.

Customer Service
Sunshyn63Author Commented:
Thank You!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.