-
July 29th, 2010, 11:13 PM
#1
Anyone else observing change in "explorer.exe" settings in HKLM
I'm dealing with a "probable" infection affecting 2 large network segments with around 4000 odd machines. Our firewalls and IPS show no major activity in the last 2 weeks. I went through VM copies of machines currently deployed but I've found nothing. I'm to an extent convinced that this is not due to infection; however, there is one thing which has changed on ALL the machines (when I say all, I mean the around 400 machines where load point analysis was done).
Registry value: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" is set to "", but it should be "explorer.exe".
Is anyone else noticing the same in their environment? I'll check with my counterparts in different group companies this morning (4 AM here), but I wanted to see if anyone else is going through a network clog and is seeing this same registry change.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
July 30th, 2010, 11:49 AM
#2
-
July 30th, 2010, 05:38 PM
#3
We are not seeing any issues here (about 4000 PCs). I checked a couple of random devices and that reg key has "explorer.exe" in it.
Good luck.
Work... Some days it's just not worth chewing through the restraints...
-
July 30th, 2010, 08:02 PM
#4
Sorry mate, nothing on my networks.
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
August 2nd, 2010, 07:30 AM
#5
Hey Byte,
Checked internally and called a few clients and nothing different, all set to explorer.exe.
I would go with Nihil and run some online scans.
Malwarebytes is usually the king with registry finds.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
August 2nd, 2010, 02:55 PM
#6
Well, I slept for 14 hours straight plus maybe another 6 hours, which I think is weird for me. Anyway, all machines here are showing this. I am not sure why. I made a VM copy of one of the machines but didn't find anything in it.
Whatever it is, for the first time it is going out of my net.
Thanks for the response guys. Appreciate it.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
August 3rd, 2010, 04:13 PM
#7
Hey, sorry for the late response on the subject. Just got back in from Vegas.
I would look into the registry file deeper. If this was somebody trying to be clever, he could have had regedit display "" via a null character in the name and thus hide what the actual registry value in the name is. I don't ever recall hearing exactly what Nihil is talking about, but the article I think he is referring to is here http://msdn.microsoft.com/en-us/libr...dded.5%29.aspx
though I didn't see any indication of "" going to another value >.< Then again, I am slightly rushed today.
Anywho, I suggest looking into that registry value with a program that isn't regedit, like the REG command on the command prompt, if you haven't already done so, in order to see if somebody is hiding some secret path =P
Also, are you on a Vista or up Windows version? If so, then you should know the HKLM is virtualized and the actual values are stored in HKCU\Software\Classes\VirtualStore\Machine\Software\
Last edited by SnugglesTheBear; August 3rd, 2010 at 06:12 PM.
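An added example, not code from the thread: a fleet-wide check of the Winlogon Shell value that reads the key through the .NET RegistryKey API rather than regedit, so a value name carrying an embedded NUL (which regedit would render as "") is reported rather than hidden. It assumes the Remote Registry service is reachable on remote hosts and that the caller can read HKLM there; the function and parameter names are my own.

```powershell
# Audit HKLM\...\Winlogon\Shell on one or more hosts and flag deviations.
# Assumption: RegistryKey.GetValueNames() returns raw names, so a name with an
# embedded NUL is visible here even though regedit truncates it at the NUL.
function Test-WinlogonShell {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$Expected = 'explorer.exe'
    )
    $subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($computer in $ComputerName) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($subKey)
            # Any value name containing a NUL is suspicious on its own.
            $hidden = @($key.GetValueNames() | Where-Object { $_.IndexOf([char]0) -ge 0 })
            # Read the value without expanding environment variables, so the
            # stored string is compared literally against the expected one.
            $shell = $key.GetValue('Shell', $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            [pscustomobject]@{
                Computer       = $computer
                Shell          = $shell
                Matches        = ($shell -eq $Expected)
                NulNamedValues = $hidden.Count
                HiddenNames    = ($hidden | ForEach-Object { $_.Replace("`0", '\0') }) -join ';'
            }
            $key.Close(); $hklm.Close()
        } catch {
            [pscustomobject]@{
                Computer = $computer; Shell = $null; Matches = $false
                NulNamedValues = $null; HiddenNames = "ERROR: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: feed a host list and keep only the deviations for follow-up.
# Test-WinlogonShell -ComputerName (Get-Content .\hosts.txt) |
#     Where-Object { -not $_.Matches -or $_.NulNamedValues -gt 0 } |
#     Export-Csv .\winlogon-shell-audit.csv -NoTypeInformation
```

A host whose Shell value is empty but has no NUL-named values is a plain overwrite of the value, not a hidden name, which narrows what to look for in the change history on that machine.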
-
August 3rd, 2010, 07:29 PM
#8
-
August 3rd, 2010, 09:39 PM
#9
Originally Posted by nihil
Hey Snuggles: do you still own your own shirt sir?
nah, but I got some other person's shirt and in my defense, it is a much nicer shirt
-
August 4th, 2010, 07:40 AM
#10
Have you run any online scans?
Very interested in the outcome of this.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein