Quote:
It seems weird though that the only weird registry value that stands out is the shell one. I would figure that if an attacker was trying to be very stealthy they would just patch explorer.exe or whatever file they were most concerned with and not change the registry in such a blatant way. It kind of makes me lean a little on the side of Windows being Windows, but it is definitely something I want more info about.............
I agree, I can't quite figure out what it is supposed to achieve. Makes me wonder if there might not be another explorer.exe on the systems? Is the original still there and where it should be? AFAIK the explorer value is there by default but if it were null or blank then explorer.exe is the default shell anyway???