ActMon is a commercial system monitoring application.
The application can be configured to log a variety of information and in particular may record keystrokes, monitor internet access and take screenshots of user activity.
When the application is installed, the following files may be created:
<System>\drivers\wskrnlc.sys
<System>\wskrnl.exe
<System>\wskrnlb.exe
<System>\wskrnlb.dll
<System>\wskrnlc.vxd
<System>\wskrnlc.dll
<System>\wskrnld.dll
<System>\wskrnle.dll
<System>\actmon.exe
<System>\actmon.chm
<Application Data>\syswin\SupportLog_<username>_<computer name>.txt
<Application Data>\syswin\#<username>#<computer name>#.dat
<Start Menu>\Programs\ActMon\ActMon Commander.lnk
<Start Menu>\Programs\ActMon\ActMon Manual.lnk
The file wskrnlc.sys is installed as a service "wskrnlc".
The following registry entries may be created to run components of the application on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\syswin = <System>\syswin.exe -at
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\wskrnl = <System>\wskrnl.exe -at
Registry entries may be created in the following locations:
HKLM\SOFTWARE\syswin\Shared
HKLM\SOFTWARE\wskrnl\Shared
The following registry entry is modified by the application:
HKLM\SYSTEM\<ControlSet>\Control\Class\(4D36E96B-E325-11CE-BFC1-08002BE10318)\UpperFilters
where <ControlSet> is either CurrentControlSet or ControlSet<number>, for some number. This is a multi-string (REG_MULTI_SZ) registry value, to which the application adds the string "wskrnlc".
IMPORTANT NOTE: This registry value must be repaired before the "wskrnlc.sys" file may be removed. Removing the application components before repairing this registry value may render the keyboard and mouse inoperable.
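The following PowerShell script is an added example of the repair step described in the note above; it is not part of the original description. It walks every CurrentControlSet and ControlSet<number> key, shows the keyboard class UpperFilters list, and removes only the "wskrnlc" entry while keeping the remaining filters in place. It assumes the class key is written with braces, as the registry stores it, and that the other entry in the list is the usual class driver (normally kbdclass); that driver name is not taken from the description.

```powershell
# Added example (not the original description's content): repair the keyboard class
# UpperFilters value by removing "wskrnlc" and keeping every other filter.
# Run from an elevated PowerShell; pass -WhatIf to preview without writing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$FilterName = 'wskrnlc',
    # Keyboard class GUID from the description above, in the braces form the registry uses.
    [string]$ClassGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'
)

# The description says the value may live under CurrentControlSet or any ControlSet<number>,
# so every such key is checked (CurrentControlSet is a link, so a second pass is a no-op).
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(Current)?ControlSet' }

foreach ($cs in $controlSets) {
    $classKey = "HKLM:\SYSTEM\$($cs.PSChildName)\Control\Class\$ClassGuid"
    $prop = Get-ItemProperty -Path $classKey -Name UpperFilters -ErrorAction SilentlyContinue
    if (-not $prop) {
        Write-Output "$($cs.PSChildName): no UpperFilters value, nothing to repair"
        continue
    }

    # REG_MULTI_SZ comes back as a string array; @() keeps a single entry an array too.
    $filters = @($prop.UpperFilters)
    Write-Output "$($cs.PSChildName): UpperFilters = $($filters -join ', ')"

    if ($filters -notcontains $FilterName) { continue }

    $remaining = @($filters | Where-Object { $_ -ne $FilterName })
    if ($remaining.Count -eq 0) {
        # Assumption: the class driver (normally kbdclass) must stay listed; an empty
        # list would also leave the keyboard without a driver, so stop and inspect by hand.
        Write-Warning "$($cs.PSChildName): '$FilterName' is the only filter listed; not writing an empty list"
        continue
    }

    if ($PSCmdlet.ShouldProcess($classKey, "remove '$FilterName' from UpperFilters")) {
        Set-ItemProperty -Path $classKey -Name UpperFilters -Value $remaining -Type MultiString
        Write-Output "$($cs.PSChildName): UpperFilters now = $($remaining -join ', ')"
    }
}
```

Only after this value no longer lists "wskrnlc" should the wskrnlc service and wskrnlc.sys be removed, as the note above requires.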