
Thread: Anyone else observing change in "explorer.exe" settings in HKLM

  1. #1

    Anyone else observing change in "explorer.exe" settings in HKLM

    I'm dealing with a "probable" infection affecting 2 large network segments with around 4000 odd machines. Our firewalls and IPS show no major activity in the last 2 weeks. I went through VM copies of machines currently deployed but I've found nothing. I'm to an extent convinced that this is not due to infection; however, there is one thing which has changed on ALL the machines (when I say all, around 400 machines where load point analysis was done are being considered).

    Registry value: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" is set to "", but it should be "explorer.exe".

    Is anyone else noticing the same in their environment? I'll check with my counterparts in different group companies this morning (4 AM here), but I wanted to see if anyone else is going through a network clog and is seeing this same registry change.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Senior Member nihil, joined Jul 2003, United Kingdom: Bridlington, 17,188 posts
    Hi there ByTe,

    Sorry for the delay in replying, but time zones, sleep and... the usual suspects?

    I have looked at my home setup and two small clients'... no sign of this here. I seem to recall that you could make this adjustment so that if "" was detected it then opened a new shell specific to a user or possibly user group? You had to define this somewhere, so if you search for the registry string you mentioned you will probably find the M$ article, and where to look for what the system will now do?

    I seem to recall that the general idea was to cut the login time caused by loading explorer.exe and possibly stop users going where they shouldn't (albeit a Smith & Wesson is a better solution for the latter).

    To be honest with you mate, I don't like the looks of this... My first (CYA) move would be to isolate one of the machines and run a few online AV scanners against it... then MalwareBytes and SpyBot S&D for good measure.

    I would also ask myself "who within the organisation is empowered to make such changes?"

    Has someone tried to do something "clever"?

    As ever, Good Luck mate!

  3. #3
    Shadow Programmer mmelby, joined Jul 2002, Ft. Myers, FL, 291 posts
    We are not seeing any issues here (about 4000 PCs). I checked a couple of random devices and that reg key has "explorer.exe" in it.

    Good luck.
    Work... Some days it's just not worth chewing through the restraints...

  4. #4
    THE Bastard Sys***** dinowuff, joined Jun 2003, Third planet from the Sun, 1,253 posts
    Sorry mate, nothing on my networks.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  5. #5
    Only african to own a PC! Cider, joined Jun 2003, Israel, 1,683 posts
    Hey Byte,

    Checked internally and called a few clients and nothing different, all set to explorer.exe.

    I would go with Nihil and run some online scans.

    Malwarebytes is usually the king with registry finds.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  6. #6
    Well, I slept for 14 hours straight plus maybe another 6 hours, which I think is weird for me. Anyway, all machines here are showing this. I am not sure why. I made a VM copy of one of the machines but didn't find anything in it.

    Whatever it is, for the first time it is going out of my net.

    Thanks for the response, guys. Appreciate it.

  7. #7
    Senior Member SnugglesTheBear, joined Jun 2010, 133 posts
    Hey, sorry for the late response on the subject. Just got back in from Vegas.
    I would look into the registry file deeper. If this was somebody trying to be clever, he could have had regedit display "" via a null character in the name and thus hide what the actual registry value in the name is. I don't ever recall hearing exactly what Nihil is talking about, but the article I think he is referring to is here: http://msdn.microsoft.com/en-us/libr...dded.5%29.aspx

    Though I didn't see any indication of "" going to another value >.< Then again, I am slightly rushed today.

    Anywho, I suggest looking into that registry value with a program that isn't regedit, like the REG command on the command prompt, if you haven't already done so, in order to see if somebody is hiding some secret path =P

    Also, are you on a Vista or later Windows version? If so, then you should know the HKLM is virtualized and the actual values are stored in HKCU\Software\Classes\VirtualStore\Machine\Software\
    Last edited by SnugglesTheBear; August 3rd, 2010 at 06:12 PM.
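An added example, not code from anyone in this thread, that does what the post above suggests: it reads the Winlogon Shell value the OP named through both the PowerShell registry provider and reg.exe, dumps the raw character codes so an embedded NUL or stray whitespace is visible instead of looking like "", and reports whether the value is the expected "explorer.exe". The function name and output fields are my own; the key path is the one from the original post, and the HKCU copy of the same key is checked because a per-user Shell value there overrides the machine one.

```powershell
# Added example (not from the thread): audit the Winlogon Shell value two ways
# and show its bytes, so "" vs. a hidden NUL vs. a real path is unambiguous.
$Expected = 'explorer.exe'

function Get-WinlogonShell {
    param(
        # HKLM is the machine-wide value; the same key under HKCU is a per-user override.
        [string]$Hive = 'HKLM'
    )
    $psPath  = "${Hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $regPath = "$Hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

    # 1. Provider view. $item is $null if the Shell value does not exist at all.
    $item  = Get-ItemProperty -Path $psPath -Name Shell -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [string]$item.Shell } else { $null }

    # 2. Independent view via reg.exe; keep only the line that names the value.
    $regLine = (& reg.exe query $regPath /v Shell 2>$null) |
               Where-Object { $_ -match '^\s*Shell\s' } | Select-Object -First 1

    # 3. Hex code of every character, so a NUL (00) or whitespace cannot hide as "".
    $codes = if ([string]::IsNullOrEmpty($value)) { '(empty)' }
             else { ($value.ToCharArray() | ForEach-Object { '{0:X2}' -f [int]$_ }) -join ' ' }

    $status = if ($null -eq $item)          { 'ABSENT' }
              elseif ($value -eq $Expected) { 'OK' }
              elseif ($value.Length -eq 0)  { 'EMPTY' }
              else                          { 'UNEXPECTED' }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Hive      = $Hive
        Value     = $value
        CharCodes = $codes
        RegExe    = ($regLine -replace '\s+', ' ').Trim()
        Status    = $status
    }
}

# Machine-wide value plus the per-user override for the account running the script.
'HKLM', 'HKCU' | ForEach-Object { Get-WinlogonShell -Hive $_ } | Format-Table -AutoSize
```

On a clean machine HKLM reports OK and HKCU reports ABSENT; an EMPTY or UNEXPECTED row, or a disagreement between the provider and reg.exe columns, is what to chase. Wrap the call in Invoke-Command -ComputerName to collect the same table across the segment.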

  8. #8
    Senior Member nihil, joined Jul 2003, United Kingdom: Bridlington, 17,188 posts
    Hey Snuggles:
    "Just got back in from Vegas"
    Do you still own your own shirt, sir?

    ByTe: I don't know what is going on mate... maybe we have a "first" (zero day?)... this is what this site used to be like... we used to have some fun times?

    ByTe: I am an old fart... so I can't remember that much (like the five lakhs I owe you?)...

    And how many of us know what a lakh is?

    I was talking back in the days when I was doing embedded XP... I guess that would be about 2002?

    Snuggles: what you linked to was pretty much what I was talking about, from what little I remember.

  9. #9
    Senior Member SnugglesTheBear, joined Jun 2010, 133 posts
    Quote Originally Posted by nihil:
    "Hey Snuggles: do you still own your own shirt, sir?"
    Nah, but I got some other person's shirt, and in my defense, it is a much nicer shirt.

  10. #10
    Only african to own a PC! Cider, joined Jun 2003, Israel, 1,683 posts
    Have you run any online scans?

    Very interested in the outcome of this.
