Sample screenshot of a hijacker in action, caught by PC Logger. This hijacker modifies the registry values listed in Figure 1; its actions, step by step, are captured in Figure 2.
Figure 1 - registry changes
HKCU\Software\Microsoft\Internet Explorer\Main
Default_Search_URL=http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%68%6F%6D%65%2E%68%74%6D%6C
HOMEOldSP=http://searchmyrequest.com
Search Bar=http://searchmyrequest.com/sp.php
Search Page=http://searchmyrequest.com/sp.php
HKCU\Software\Microsoft\Internet Explorer\Search
(Default)=http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C
CustomizeSearch=http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C
SearchAssistant=http://searchmyrequest.com/sp.php
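Added example (not code from the page or from PC Logger): a small Python check that parses the Figure 1 dump, percent-decodes each Internet Explorer URL value so the `%`-encoded hostnames read as plain text, and reports every value whose host is not on an expected list or whose data was obfuscated. The allowed-host set passed to `audit()` is an assumed placeholder for whatever the organisation's real homepage and search provider are.

```python
from urllib.parse import unquote, urlsplit

# Registry changes exactly as listed in Figure 1 on the page.
REGISTRY_DUMP = r"""
HKCU\Software\Microsoft\Internet Explorer\Main
Default_Search_URL=http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%68%6F%6D%65%2E%68%74%6D%6C
HOMEOldSP=http://searchmyrequest.com
Search Bar=http://searchmyrequest.com/sp.php
Search Page=http://searchmyrequest.com/sp.php
HKCU\Software\Microsoft\Internet Explorer\Search
(Default)=http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C
CustomizeSearch=http://%69%65%2D%73%65%61%72%63%68%2E%63%6F%6D/%73%72%63%68%61%73%73%74%2E%68%74%6D%6C
SearchAssistant=http://searchmyrequest.com/sp.php
"""

# IE values that are expected to hold a URL and are common hijack targets.
URL_VALUES = {
    "Default_Search_URL", "HOMEOldSP", "Search Bar", "Search Page",
    "(Default)", "CustomizeSearch", "SearchAssistant",
}

HIVES = ("HKCU", "HKLM", "HKCR", "HKU", "HKCC")


def parse_registry_dump(text):
    """Yield (key, value_name, data) for every 'name=data' line under a key header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(HIVES):
            key = line
            continue
        name, _, data = line.partition("=")
        yield key, name, data


def audit(text, allowed_hosts):
    """Return one finding per URL value that is obfuscated or points off the allowed hosts.

    allowed_hosts: lowercase hostnames the browser is expected to point at (assumption).
    """
    findings = []
    for key, name, data in parse_registry_dump(text):
        if name not in URL_VALUES:
            continue
        decoded = unquote(data)                  # turns %69%65... into readable text
        host = (urlsplit(decoded).hostname or "").lower()
        obfuscated = decoded != data             # percent-encoding hides the hostname
        if obfuscated or host not in allowed_hosts:
            findings.append({
                "key": key, "name": name, "raw": data,
                "decoded": decoded, "host": host, "obfuscated": obfuscated,
            })
    return findings


if __name__ == "__main__":
    # Placeholder allowed host; replace with the real expected homepage/search host.
    for f in audit(REGISTRY_DUMP, {"www.example-homepage.test"}):
        flag = "obfuscated" if f["obfuscated"] else "unexpected host"
        print(f'{f["key"]}\\{f["name"]} -> {f["decoded"]} [{flag}]')
```

Run against a live export (`reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg` produces a similar name=data layout after the quotes are stripped), the same two signals, a percent-encoded host and a host outside the expected set, are what distinguish a hijacked configuration from a user-chosen one.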
Figure 2 - PCLogger logs the intrusion events

| Date | Category | Action | Location | Item |
|---|---|---|---|---|
| 3/4/2004 | Directory | New | C:\WINDOWS | awinrar.exe |
| 3/4/2004 | Auto Run | New | HKLM/Software\Microsoft\Windows\CurrentVersion\Run | pmdfhnfdi7=c:\WINDOWS\doit.exe |
| 3/4/2004 | Directory | New | C:\WINDOWS | doit.exe |
| 3/4/2004 | Directory | New | C:\WINDOWS | sh.exe |
| 3/4/2004 | Auto Run | New | HKCU/Software\Microsoft\Windows\CurrentVersion\Run | aimboot=%SystemRoot%\awinrar.exe |
| 3/4/2004 | Directory | Deleted | C:\WINDOWS | doit.exe |
| 3/4/2004 | Directory | Deleted | C:\WINDOWS | sh.exe |
| 3/4/2004 | Directory | New | C:\WINDOWS | awinrar.doc |
| 3/4/2004 | Directory | Deleted | C:\WINDOWS | awinrar.exe |
| 3/4/2004 | Directory | New | C:\WINDOWS | deleteme.doc |
| 3/4/2004 | Directory | Deleted | C:\WINDOWS | awinrar.doc |
| 3/4/2004 | Directory | Deleted | C:\WINDOWS | deleteme.doc |
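Added example (not code from the page or from PC Logger): a Python pass over the Figure 2 events that correlates the two kinds of entries the logger recorded. It lists files that were both created and deleted within the log (the dropper cleaning up after itself) and flags Run-key entries whose target executable the same log shows being removed, which is the persistence-plus-cleanup pattern visible in the figure. The log text is transcribed from Figure 2, and the `%SystemRoot%` expansion to `C:\WINDOWS` is an assumption taken from the directory column.

```python
# PC Logger events transcribed from Figure 2: date | category | action | location | item.
EVENT_LOG = r"""
3/4/2004 | Directory | New | C:\WINDOWS | awinrar.exe
3/4/2004 | Auto Run | New | HKLM/Software\Microsoft\Windows\CurrentVersion\Run | pmdfhnfdi7=c:\WINDOWS\doit.exe
3/4/2004 | Directory | New | C:\WINDOWS | doit.exe
3/4/2004 | Directory | New | C:\WINDOWS | sh.exe
3/4/2004 | Auto Run | New | HKCU/Software\Microsoft\Windows\CurrentVersion\Run | aimboot=%SystemRoot%\awinrar.exe
3/4/2004 | Directory | Deleted | C:\WINDOWS | doit.exe
3/4/2004 | Directory | Deleted | C:\WINDOWS | sh.exe
3/4/2004 | Directory | New | C:\WINDOWS | awinrar.doc
3/4/2004 | Directory | Deleted | C:\WINDOWS | awinrar.exe
3/4/2004 | Directory | New | C:\WINDOWS | deleteme.doc
3/4/2004 | Directory | Deleted | C:\WINDOWS | awinrar.doc
3/4/2004 | Directory | Deleted | C:\WINDOWS | deleteme.doc
"""

# Assumed environment of the logged host; the figure's paths sit under C:\WINDOWS.
ENV = {"SystemRoot": r"C:\WINDOWS"}

FIELDS = ("date", "category", "action", "location", "item")


def parse_events(text):
    """Parse pipe-delimited logger lines into dicts; lines with the wrong field count are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            continue
        events.append(dict(zip(FIELDS, parts)))
    return events


def expand_env(path, env=ENV):
    """Expand %NAME% tokens the way the Run key loader would, using the assumed ENV."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path


def file_history(events):
    """Map lowercased full path -> ordered list of actions seen for that file."""
    history = {}
    for e in events:
        if e["category"] != "Directory":
            continue
        full = (e["location"].rstrip("\\") + "\\" + e["item"]).lower()
        history.setdefault(full, []).append(e["action"])
    return history


def transient_files(events):
    """Files created and later deleted within the same log window."""
    return sorted(
        path for path, acts in file_history(events).items()
        if "New" in acts and "Deleted" in acts
    )


def dangling_autoruns(events):
    """Run-key entries whose target executable the log shows being deleted."""
    history = file_history(events)
    findings = []
    for e in events:
        if e["category"] != "Auto Run":
            continue
        value_name, _, target = e["item"].partition("=")
        full = expand_env(target).lower()
        if "Deleted" in history.get(full, []):
            findings.append({"key": e["location"], "value": value_name, "target": full})
    return findings


if __name__ == "__main__":
    evs = parse_events(EVENT_LOG)
    print("dropped-then-deleted files:", *transient_files(evs), sep="\n  ")
    for f in dangling_autoruns(evs):
        print(f'Run value {f["value"]} under {f["key"]} points at removed file {f["target"]}')
```

The useful output of such a pass is the list of Run values left pointing at files that no longer exist: those entries are what an on-demand scan of the disk alone would miss, and they are the first thing to remove when cleaning the machine.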