Sample screenshot of a trojan in action, caught by PC Logger! This trojan modifies the registry keys listed in Figure 1; its actions are captured step by step in Figure 2.

Figure 1 - registry changes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req
	"Asynchronous"=dword:00000001
	"DllName"="C:\\WINDOWS\\system32\\req.dat"
	"Impersonate"=dword:00000000
	"Logon"="MachineLogon"
	"Logoff"="MachineLogoff"

HKEY_CLASSES_ROOT\CLSID\1C044AAD-7955-4cbd-8175-501A165C4E5D

	InprocServer32=C:\WINDOWS\system32\req.dat
	LocalServer32=C:\WINDOWS\system32\req.dat

Figure 2 - PC Logger logs the intrusion events

02/04/2005 Directory New C:\WINDOWS\system32 req.dat
02/04/2005 Directory New C:\WINDOWS\system32 req.exe
02/04/2005 ActiveX COM New {1C044AAD-7955-4cbd-8175-501A165C4E5D} Inproc=C:\WINDOWS\system32\req.dat;Local=C:\WINDOWS\system32\req.dat
02/04/2005 WinLogon New req DllName=C:\WINDOWS\system32\req.dat;
03/04/2005 Auto Run New HKLM/Software\Microsoft\Windows\CurrentVersion\Run MessengerPlus3="C:\Documents and Settings\Ricky\My Documents\Vincent\Other\MsgPlus.exe"
03/04/2005 Installs New MsgPlus! Plugin Messenger Plus! 3 v
03/04/2005 File Associations New ple MsgPlus.Encrypted="C:\Documents and Settings\Ricky\My Documents\Vincent\Other\MsgPlus.exe" /LOG:%1"

Removal Hints

The first thing to remove is req.dat. However, you cannot use Safe Mode to remove it. The reason: winlogon (a Microsoft system program) loads req.dat into memory as soon as you log on. You must either stop winlogon from loading req.dat, or remove req.dat without logging on (e.g. from an NT service).
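As an added example (not PC Logger's code), the following Python audit parses a Winlogon\Notify export in the layout of Figure 1 and flags packages such as req whose DllName is not a .dll or whose name is not in a baseline, noting when the package also exports a Logon handler (the reason Safe Mode does not help). The second, benign entry and the baseline package names are assumptions added for contrast.

```python
import re

# Constructed sample in the layout of Figure 1: the "req" entry from the page plus a
# benign contrast entry (crypt32chain/crypt32.dll, a standard XP package; not from the page).
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req
	"Asynchronous"=dword:00000001
	"DllName"="C:\\WINDOWS\\system32\\req.dat"
	"Impersonate"=dword:00000000
	"Logon"="MachineLogon"
	"Logoff"="MachineLogoff"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
	"Asynchronous"=dword:00000000
	"DllName"="crypt32.dll"
	"Logoff"="ChainWlxLogoffEvent"
"""
# Assumption: a per-build allowlist of the Notify packages you expect on the host.
BASELINE_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                     "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
NOTIFY_MARKER = "\\winlogon\\notify\\"
VALUE_RE = re.compile(r'\s*"(\w+)"=(?:dword:([0-9a-fA-F]{1,8})|"(.*)")\s*$')

def parse_notify_packages(text):
    """Return {package: {value_name: value}} for each Winlogon\\Notify subkey in the export."""
    packages, current = {}, None
    for line in text.splitlines():
        if NOTIFY_MARKER in line.lower():
            current = line.rsplit("\\", 1)[1].strip()
            packages[current] = {}
        elif current and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            packages[current][name] = int(dword, 16) if dword else string.replace("\\\\", "\\")  # dword -> int; undo .reg escaping
    return packages

def audit_notify_packages(text):
    """Return {package: [reasons]} for Notify packages that look like hijacked logon hooks."""
    findings = {}
    for name, values in parse_notify_packages(text).items():
        dll = values.get("DllName", "")
        reasons = []
        if not dll.lower().endswith(".dll"):
            reasons.append(f"DllName {dll!r} is not a .dll (disguised payload, as with req.dat)")
        if name not in BASELINE_PACKAGES:
            reasons.append("package name is not in the baseline")
        if reasons and "Logon" in values:
            reasons.append(f"exports logon handler {values['Logon']!r}: winlogon loads it at every logon")
        if reasons:
            findings[name] = reasons
    return findings
```

Run it against a real `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"` output from a suspect machine; anything flagged is what must be unregistered before the DLL can be deleted.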
Copyright (c) 2001-2005 Soft Trek (Software Development) Australia. All Rights Reserved