Windows.Explorer detect in latest signatures



pudelein
2006-08-18, 20:05
The latest update (08/11/2006) of the SSD detections reports the presence of Windows.Explorer as a possible threat on my Windows XP Home SP2 system, running SSD 1.4. The Registry key value involved is alleged to control display of the "Log Off" button on the Start menu. On my system, this value has no effect whatever! It can be altered, for example, by TweakUI, but there is still no effect. Neither 0 (show) nor 1 (hide) affect that button. There was a flurry about this detection several months ago referring to it in the context of a beta version of SSD, but it has only just appeared in the stable version today. I have marked it to be ignored in future on my system.

Incidentally, the button can be controlled in a very similar way using a different value in the same key.

md usa spybot fan
2006-08-18, 21:26
pudelein:

Is this the detection that you were getting?

Windows.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff!=W=0
That was written up in the following thread:
Windows.Explorer FP in beta.sbi 6 January 2006?
http://forums.spybot.info/showthread.php?t=1519
If so, according to Yodama (http://forums.spybot.info/member.php?u=223)'s explanation of the intended purpose of that entry, although the registry entry does not seem to have any adverse effect on your system at the current time, by not fixing the registry entry you could leave yourself open to the possibility that Microsoft will fix the underlying code to use that registry entry and that would affect your ability to log off of your system. Also note:


I added this to detection because of a trojan that also changed this setting and some other stuff, indicating that it was trying to turn the computer into a zombie.
I personally do not even have "NoLogOff" entry in the following registry key on my system (Microsoft Windows XP Home Edition - 5.1.2600 Service Pack 2 Build 2600):

HKEY_USERS\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

pudelein
2006-08-18, 21:40
Yes, that's the ticket and also the "beta" item I referred to.

Of course, Microsoft could change the underlying code to do almost anything without warning. And, of course, on a single-user system logging off (though not shutting down) is hardly ever interesting; I do actually want to prevent this. However, logging off is always possible through the Task Manager or Process Explorer (which I use instead) in the rare event that I might want to do this. I just wanted to alert the community to this subject so others will be able to decide what they want to do.

Thanks for your comments, though, MD

md usa spybot fan
2006-08-19, 00:53
pudelein:

I am curious about the following statement:


The Registry key value involved is alleged to control display of the "Log Off" button on the Start menu.
Can you point me to where you found the information that inferred that the registry entry was intended (designed) to control the display of the "Log Off" button on the Start menu as opposed to preventing the user's ability to log off the system entirely no matter what the methodology?

I personally cannot find any information on intended use of the "NoLogOff" registry entry since it does not seem to have any effect on a user's ability to log off. Moreover, I can't even find if the entry was ever intended for use by Microsoft (although it appears that something set the value in your system and that Yodama (http://forums.spybot.info/member.php?u=223) indicated that the value is being set by unnamed Trojans).

pudelein
2006-08-20, 02:24
Well, MD, contrary to what I said before, I went back and allowed SSD to fix the Windows.Explorer issue. What it does is to clear out that NoLogOff value (that is, replaces 1 by 0). This was verified by examination with regedit. Then I looked at TweakUI (I have version 2.10.0.0, for WinXP SP1 and higher). Clicking on "Explorer" opens a list of several adjustments that can be made: one of these is "Allow LogOff on Start Menu". According to TweakUI this option, which was unchecked before yesterday, is now checked. If one checks it, the value in the Registry will change. However, there is another way to suppress that LogOff button: in the same Registry key, add a new DWORD value StartMenuLogOff and set it to 1 to hide that button or to 0 to display it. This tweak actually works as expected. Reverting the one that TweakUI knows about has no effect at all on the button. Mine was hidden when SSD fixed the value it knew about; the button did not appear.

Also, googling for NoLogOff showed numerous comments about the subject. I did not take notes. Sorry about that.
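
Added example (not part of the thread and not Spybot S&D's own code): a Python check that reads the text of a regedit export and reports, per user SID, the two values discussed above (NoLogOff and StartMenuLogOff) under Policies\Explorer, listing those set to anything other than 0. The SIDs and the sample export are constructed, and the function names are hypothetical.

```python
import re

# Values discussed in the thread, both under ...\Policies\Explorer (lowercased for matching).
WATCHED = {"nologoff": "NoLogOff", "startmenulogoff": "StartMenuLogOff"}
KEY_RE = re.compile(r"^\[HKEY_USERS\\(?P<sid>[^\\\]]+)\\Software\\Microsoft\\Windows"
                    r"\\CurrentVersion\\Policies\\Explorer\]$", re.IGNORECASE)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_data(data):
    """Decode dword:XXXXXXXX to an int; return any other value type as raw text."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data.strip())
    return int(m.group(1), 16) if m else data.strip()

def audit(reg_text):
    """Return {sid: {value_name: data}} for watched values found in .reg export text."""
    found, sid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # new key section: track the SID only for Policies\Explorer
            m = KEY_RE.match(line)
            sid = m.group("sid") if m else None
            continue
        m = VAL_RE.match(line)
        if sid and m and m.group("name").lower() in WATCHED:
            name = WATCHED[m.group("name").lower()]
            found.setdefault(sid, {})[name] = parse_data(m.group("data"))
    return found

def flagged(report):
    """List (sid, name, data) for every watched value that is present and not 0."""
    return [(s, n, d) for s, vals in sorted(report.items())
            for n, d in sorted(vals.items()) if d != 0]

# Constructed sample export (made-up SIDs, not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogOff"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogOff"=dword:00000000
"StartMenuLogOff"=dword:00000001

[HKEY_USERS\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoLogOff"=dword:00000001
'''

if __name__ == "__main__":
    print(flagged(audit(SAMPLE)))
```

regedit writes "Version 5.00" exports as UTF-16, so decode the file to text before passing it to audit().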