Windows.Explorer FP in beta.sbi 6 January 2006?



Rosenfeld
2006-01-06, 17:34
The latest (6 January) beta.sbi flags as red

Windows.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3090935711-3204504469-1825801191-1007\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff!=W=0

In the registry the data for the NoLogOff binary is 01 00 00 00 (= no log off enabled)

Why is that considered bad? I think this must be a false positive?

There is only one user account on this stand alone PC and the key refers to that account (did not flag the same setting in HKCU, though). Despite that setting, log off [user name] still appears in the start menu, possibly because there is no equivalent setting in HKLM key?

Not sure if this is relevant, but I disabled fast user switching since I don't need it and because with fast user switching enabled Spybot updates uncheck all the checked cookies in the ignore cookies list, which is a nuisance if I forget to check them again before letting Spybot delete the unchecked ones (I keep site autologin cookies).

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-06 Includes\Beta.sbi (*)
2005-02-16 Includes\Beta.uti (*)
2006-01-06 Includes\Cookies.sbi (*)
2006-01-06 Includes\Dialer.sbi (*)
2006-01-06 Includes\Hijackers.sbi (*)

Yodama
2006-01-09, 13:55
hi,

Actually, this is no FP (at least it would not be), but it appears that the key is not effective.
If NoLogOff is set to 1 (true), it is supposed to have the following effect:

"When the value of this entry is 1, users cannot log off of the system by using any method, including programs run from the command line, such as scripts. A value of 1 also disables or removes all menu items and buttons that log the user off of the system."

I just tested it on a WinXP and Win2000 machine and it does not appear to be working :confused: : logging off, shutting down and restarting are possible.

I added this to detection because of a trojan that also changed this setting and some other stuff, indicating that it was trying to turn the computer into a zombie.

This entry appears to have no relation to fast user switching; I have also disabled fast user switching and have not encountered the entry being flagged.

I am going to do some more testing with this entry; if it proves to be really ineffective, it will be removed from Beta-detection and not go into normal detection.

Rosenfeld
2006-01-10, 05:11
Thanks for info. I've no idea how/why/when NoLogOff was set to 1 on my system, and I don't mind changing it to 0 if it won't break anything; I have one user account (admin rights), guest account is disabled, I'm set up to bypass the welcome screen; the only time I need to be able to log off my account from the start menu (other than when shutting down) is if in safe mode I want to log on as the system administrator, which is very rarely (I have XP home, so that account is only accessible in safe mode). I'll try and let spybot fix it, see if anything happens. If NoLogOff = 1 could be a sign of malware (though then presumably not on its own), then you might want to go on checking for it anyway.

LoneLurker
2006-01-10, 22:07
Yodama,

I was sent here by "md usa spybot fan" because you are handling this problem. Except I am on Win98SE, and the indication for "Windows.Explorer" (in bright RED) shows the registry entry "HKEY_USERS\.DEFAULT\Software\Microsoft . . \Explorer\NoLogOff!=W=0" as '0', and it is set to '0'. I thought it was only shown in RED if changed and set to '1'. I have checked in three different places in the registry where "Policies" can be set and they are all set to '0'. Is this the correct action?

Yodama
2006-01-11, 15:19
hi LoneLurker,

The entry "HKEY_USERS\.DEFAULT\Software\Microsoft\...\Policies\Explorer\NoLogOff!=W=0"
means that Spybot checked whether the data for NoLogOff is not equal to 0.
That means it will alert if it is anything other than 0; typically a valid value would be 1.
If the data you have is set to 0, it is fine.

The reason for this flagging even if the data is 0 could be that the datatype is different (note that the detection on this is looking for REG_DWORD).

After testing I found out what was really meant by the description of this Registry value: if the value is set to 1, only logging off for the current user is not possible; shutting down and rebooting is still available.

--> will be removed from detection
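
The rule as Yodama describes it (alert when the NoLogOff data is not 0, with REG_DWORD expected) can be modelled and run offline. The block below is an added example, not Spybot's detection code or anything posted by the participants. It assumes that a type-strict reading of the rule is what makes a REG_BINARY or REG_SZ zero show up red, and it shows the type-tolerant reading beside it; the function and variable names (check_nologoff, audit, read_live_hives, SAMPLE_HIVES) are mine, and the snapshot of HKEY_USERS sub-hives is constructed for the example (the first SID is the one quoted in the thread, the other two are made up). read_live_hives reads the real registry through the standard-library winreg module and is only called on Windows.

```python
"""Type-aware model of a "NoLogOff != 0" registry check (added example)."""
import struct
import sys
from dataclasses import dataclass
from typing import Dict, Optional, Union

# Registry value type codes, the same numbers the winreg module uses.
REG_SZ = 1
REG_BINARY = 3
REG_DWORD = 4

EXPLORER_POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoLogOff"


@dataclass
class RegValue:
    """One registry value: raw data plus its registry type."""
    data: Union[int, bytes, str]
    vtype: int


def as_int(value: RegValue) -> Optional[int]:
    """Decode the data as an unsigned 32-bit integer, or None if it cannot be.

    A 4-byte REG_BINARY is read little-endian, which is how regedit shows a
    DWORD written as raw bytes (01 00 00 00 == 1).
    """
    if value.vtype == REG_DWORD:
        return value.data & 0xFFFFFFFF
    if value.vtype == REG_BINARY and len(value.data) == 4:
        return struct.unpack("<I", value.data)[0]
    if value.vtype == REG_SZ:
        try:
            return int(value.data, 0)
        except ValueError:
            return None
    return None


def check_nologoff(value: Optional[RegValue], strict_type: bool = True) -> str:
    """Evaluate a '!= 0' rule against one NoLogOff value.

    Returns 'absent', 'ok', 'flag', 'flag:type' or 'flag:unparsable'.
    strict_type=True accepts only REG_DWORD, so data 0 stored as REG_BINARY
    or REG_SZ still alerts; strict_type=False decodes the data first.
    (Assumption: this split is one reading of the thread's datatype remark,
    not Spybot's published rule semantics.)
    """
    if value is None:
        return "absent"
    if strict_type and value.vtype != REG_DWORD:
        return "flag:type"
    number = as_int(value)
    if number is None:
        return "flag:unparsable"
    return "flag" if number != 0 else "ok"


# Constructed snapshot of HKEY_USERS sub-hives; not read from a real machine.
SAMPLE_HIVES: Dict[str, Optional[RegValue]] = {
    r"HKEY_USERS\S-1-5-21-3090935711-3204504469-1825801191-1007": RegValue(1, REG_DWORD),
    r"HKEY_USERS\.DEFAULT": RegValue(b"\x00\x00\x00\x00", REG_BINARY),  # zero, wrong type
    r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1002": RegValue("0", REG_SZ),
    r"HKEY_USERS\S-1-5-19": None,  # key or value not present
}


def audit(hives: Dict[str, Optional[RegValue]], strict_type: bool = True) -> Dict[str, str]:
    """Run check_nologoff over every sub-hive and return hive -> verdict."""
    return {hive: check_nologoff(value, strict_type) for hive, value in hives.items()}


def read_live_hives() -> Dict[str, Optional[RegValue]]:
    """Windows only: read NoLogOff from every loaded HKEY_USERS sub-hive."""
    import winreg  # standard library, importable only on Windows

    hives: Dict[str, Optional[RegValue]] = {}
    index = 0
    while True:
        try:
            sid = winreg.EnumKey(winreg.HKEY_USERS, index)
        except OSError:  # no more sub-keys
            break
        index += 1
        try:
            with winreg.OpenKey(winreg.HKEY_USERS, sid + "\\" + EXPLORER_POLICIES) as key:
                data, vtype = winreg.QueryValueEx(key, VALUE_NAME)
                hives["HKEY_USERS\\" + sid] = RegValue(data, vtype)
        except FileNotFoundError:
            hives["HKEY_USERS\\" + sid] = None
    return hives


if __name__ == "__main__":
    hives = read_live_hives() if sys.platform == "win32" else SAMPLE_HIVES
    for hive, verdict in audit(hives, strict_type=True).items():
        print(f"{verdict:16} {hive}\\{EXPLORER_POLICIES}\\{VALUE_NAME}")
```

Run as a script on Windows it walks the loaded user hives (including .DEFAULT) and prints one verdict per hive; elsewhere it runs over the constructed snapshot. Comparing the strict and tolerant verdicts for the .DEFAULT entry is the quickest way to confirm whether a red entry with data 0 is a type mismatch rather than a real non-zero value.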

LoneLurker
2006-01-11, 22:48
Yodama,

Thank you for this info. I am the lone user of this system so I do not log out; I had that disabled. After investigating this ALERT my 'LogOut' has reappeared and now I know why. Problem solved, and thank you for explaining.