July 30th, 2010, 12:13 AM
Anyone else observing a change in "explorer.exe" settings in HKLM?
I'm dealing with a "probable" infection affecting 2 large network segments with around 4000 odd machines. Our firewalls and IPS show no major activity in the last 2 weeks. I went through VM copies of machines currently deployed but I've found nothing. I'm to an extent convinced that this is not due to infection, however there is one thing which has changed on ALL the machines (when I say all, around 400 machines where load point analysis was done are being considered).
Registry value: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" is set to "", but it should be "explorer.exe".
Is anyone else noticing the same in their environment? I'll check with my counterparts in different group companies this morning (4 AM here) but I wanted to see if anyone else is going through a network clog and is seeing this same registry change.
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
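
Added example, not part of the original post: one way to confirm how widespread the change is, by classifying the Winlogon Shell value on each host from collected `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` output. How the output is gathered is left open; the hostnames and sample outputs are constructed.

```python
# Added example (not from the original post): classify the Winlogon Shell value
# from `reg query ... /v Shell` output collected per host. Sample data is constructed.
import re
from collections import Counter

EXPECTED_SHELL = "explorer.exe"  # value the post says should be present
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Matches e.g. "    Shell    REG_SZ    explorer.exe"; the data part may be empty.
VALUE_LINE = re.compile(r"^\s*Shell\s+(?:REG_SZ|REG_EXPAND_SZ)(?:\s(.*))?$", re.IGNORECASE)


def classify(reg_output):
    """Return (status, data) for one host's reg query output."""
    for line in reg_output.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            data = (match.group(1) or "").strip()
            if not data:
                return "EMPTY", data          # the condition described in the post
            if data.lower() == EXPECTED_SHELL:
                return "OK", data
            return "MODIFIED", data           # set, but not to the expected shell
    return "MISSING", None                    # value absent or the query failed


def audit(outputs):
    """Map host -> (status, data) and count statuses across all hosts."""
    results = {host: classify(text) for host, text in outputs.items()}
    counts = Counter(status for status, _ in results.values())
    return results, counts


# Constructed sample outputs; hostnames and the "MODIFIED" value are placeholders.
SAMPLE = {
    "host-a": f"\r\n{KEY}\r\n    Shell    REG_SZ    explorer.exe\r\n\r\n",
    "host-b": f"\r\n{KEY}\r\n    Shell    REG_SZ    \r\n\r\n",
    "host-c": f"\r\n{KEY}\r\n    Shell    REG_SZ    Explorer.EXE\r\n",
    "host-d": f"\r\n{KEY}\r\n    Shell    REG_SZ    placeholder-shell.exe\r\n",
    "host-e": "ERROR: The system was unable to find the specified registry key or value.\r\n",
}

if __name__ == "__main__":
    results, counts = audit(SAMPLE)
    for host, (status, data) in sorted(results.items()):
        print(f"{host:8} {status:9} {data!r}")
    print(dict(counts))
```

Hosts reported as EMPTY match the condition in the post; MISSING covers both an absent value and a failed query, so those hosts need a second look rather than being counted as clean.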