Ticket #180 (closed bug: worksforme)

Opened 4 months ago

Last modified 3 months ago

VM Compromised with all sites visited

Reported by: anonymous Assigned to: kindlund
Priority: normal Milestone: 1.1
Component: HoneyClient::Agent Version: 1.02
Severity: none Keywords: registry, filesystem, process, exclusion, lists, compromised, vm, visited, exl, registry
Cc:

Description (Last modified by kindlund)

Hello,

We are currently testing out your honeyclient software and are not sure if we are missing/misconfigured something (or possibly not interpreting the output correctly), but any site that we navigate to is ID'd as having compromised the VM. Second question: what is the proper way to filter registry/system changes? I know we have to do it in the honeyclient.xml file, but should we reattach the original clean image, make the changes there, then detach it once again?

Thanks for the help in advance. Also, below are two sample outputs from two sites that were navigated. We are using the latest version and using the drone to input/queue URLs.


www.hotmail.com


[user@miel honeyclient]# perl -Ilib bin/StartManager.pl
Starting new session...
2008-07-10 10:40:34  INFO [HoneyClient::Manager::VM::init] (lib/HoneyClient/Manager/VM.pm:757) - Initializing VM daemon at PID: 9402
2008-07-10 10:40:35  INFO [HoneyClient::Manager::VM::Clone::new] (lib/HoneyClient/Manager/VM/Clone.pm:885) - Setting VM (/vm/master/master.vmx) as master.
2008-07-10 10:40:47  INFO [HoneyClient::Manager::VM::Clone::_init] (lib/HoneyClient/Manager/VM/Clone.pm:580) - Quick cloning master VM (/vm/master/master.vmx).
2008-07-10 10:41:50  INFO [HoneyClient::Manager::VM::Clone::_init] (lib/HoneyClient/Manager/VM/Clone.pm:649) - Initialized clone VM (848e47dd4f38389c8f13db9705) using IP (10.0.0.137) and MAC (00:0c:29:25:e6:a8).
VM State Table:
$VAR1 = {
          '848e47dd4f38389c8f13db9705' => {
                                          'sources' => {
                                                         '00:0c:29:25:e6:a8' => {
                                                                                '10.0.0.137' => {
                                                                                                'tcp' => [
                                                                                                           80,
                                                                                                           443
                                                                                                         ]
                                                                                              }
                                                                              }
                                                       }
                                        }
        };

Cannot encode unnamed element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead
2008-07-10 10:42:22  INFO [HoneyClient::Manager::get_urls] (lib/HoneyClient/Manager.pm:974) - Waiting for new URLs from database.
Calling updateState()...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 0,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
VM Integrity Check: OK!
Cannot encode unnamed element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead
VM State Table:
$VAR1 = {
          '848e47dd4f38389c8f13db9705' => {
                                          'targets' => {
                                                         'hotmail.com' => {
                                                                            'tcp' => [
                                                                                       80
                                                                                     ]
                                                                          }
                                                       },
                                          'sources' => {
                                                         '00:0c:29:25:e6:a8' => {
                                                                                '10.0.0.137' => {
                                                                                                'tcp' => [
                                                                                                           80,
                                                                                                           443
                                                                                                         ]
                                                                                              }
                                                                              }
                                                       }
                                        }
        };

Cannot encode unnamed element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead
Calling run()...
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 0,
          'is_running' => 0,
          'links_processed' => 1,
          'percent_complete' => '100.00%',
          'is_compromised' => 1,
          'relative_links_remaining' => 0,
          'links_total' => 1,
          'fingerprint' => {
                             'last_resource' => 'http://hotmail.com/',
                             'time_at' => '2008-07-10 10:42:07.515',
                             'os_processes' => [
                                                 {
                                                   'pid' => '4',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'ActiveService',
                                                                    'value' => 'HTTP',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_HTTP\\0000\\Control',
                                                                    'time_at' => '2008-07-10 10:42:07.515',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'System',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '668',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'ActiveService',
                                                                    'value' => 'SSDPSRV',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_SSDPSRV\\0000\\Control',
                                                                    'time_at' => '2008-07-10 10:42:07.562',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => '',
                                                                    'value' => '9',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\ServiceCurrent',
                                                                    'time_at' => '2008-07-10 10:42:07.937',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'ActiveService',
                                                                    'value' => 'ALG',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_ALG\\0000\\Control',
                                                                    'time_at' => '2008-07-10 10:42:08.484',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\WINDOWS\\system32\\services.exe',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '1644',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'Cache',
                                                                     'value' => 'C:\\Documents and Settings\\admin\\Local Settings\\Temporary Internet Files',
                                                                     'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
                                                                    'time_at' => '2008-07-10 10:42:07.640',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'Cookies',
                                                                    'value' => 'C:\\Documents and Settings\\admin\\Cookies',
                                                                    'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
                                                                    'time_at' => '2008-07-10 10:42:07.656',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'History',
                                                                    'value' => 'C:\\Documents and Settings\\admin\\Local Settings\\History',
                                                                    'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
                                                                    'time_at' => '2008-07-10 10:42:07.656',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\Program Files\\Messenger\\msmsgs.exe',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '1024',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'PnpInstanceID',
                                                                    'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection',
                                                                    'time_at' => '2008-07-10 10:42:07.640',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'PnpInstanceID',
                                                                    'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection',
                                                                    'time_at' => '2008-07-10 10:42:07.656',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'Epoch',
                                                                    'value' => '4d',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch',
                                                                    'time_at' => '2008-07-10 10:42:10.328',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'Epoch',
                                                                    'value' => '4e',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch',
                                                                    'time_at' => '2008-07-10 10:42:10.328',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'Epoch',
                                                                    'value' => '4f',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch',
                                                                    'time_at' => '2008-07-10 10:42:10.406',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'PnpInstanceID',
                                                                    'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection',
                                                                    'time_at' => '2008-07-10 10:42:10.421',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\WINDOWS\\system32\\svchost.exe',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '1548',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_BINARY',
                                                                    'value_name' => 'LogonTime',
                                                                    'value' => '8675ec249be2c81',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print\\Providers',
                                                                    'time_at' => '2008-07-10 10:42:14.734',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_LINK',
                                                                    'value_name' => 'SymbolicLinkValue',
                                                                    'value' => '\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print\\Printers',
                                                                    'time_at' => '2008-07-10 10:42:14.765',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'TypesSupported',
                                                                    'value' => '7',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\Print',
                                                                    'time_at' => '2008-07-10 10:42:14.765',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'TypesSupported',
                                                                    'value' => '7',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\TCPMon',
                                                                    'time_at' => '2008-07-10 10:42:14.796',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'EventMessageFile',
                                                                    'value' => '%SystemRoot%\\System32\\tcpmon.dll',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\TCPMon',
                                                                    'time_at' => '2008-07-10 10:42:14.796',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'BeepEnabled',
                                                                    'value' => '0',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print',
                                                                    'time_at' => '2008-07-10 10:42:14.796',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\WINDOWS\\system32\\spoolsv.exe',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '1660',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'ProxyEnable',
                                                                    'value' => '0',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings',
                                                                    'time_at' => '2008-07-10 10:42:28.359',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\Program Files\\Internet Explorer\\iexplore.exe',
                                                   'process_files' => []
                                                 }
                                               ]
                           }
        };
WARNING: VM HAS BEEN COMPROMISED!
2008-07-10 10:42:50  WARN [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:760) - VM Compromised. Last Resource (http://hotmail.com/)
2008-07-10 10:42:50  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:767) - Saving fingerprint to 'fingerprint.dump'.
2008-07-10 10:42:51  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:779) - Archiving VM...
2008-07-10 10:43:02  INFO [HoneyClient::Manager::VM::snapshotVM] (lib/HoneyClient/Manager/VM.pm:4418) - Snapshotting VM (/vm/clones/848e47dd4f38389c8f13db9705/master.vmx) to (/vm/snapshots/848e47dd4f38389c8f13db9705-20080710T104302.tar.gz).
2008-07-10 10:43:02  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:785) - Saving URL History to Database.
2008-07-10 10:43:03  INFO [HoneyClient::Manager::insert_url_history] (lib/HoneyClient/Manager.pm:926) - 1 URL(s) Inserted.
2008-07-10 10:43:04  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:796) - Inserting Fingerprint Into Database.
2008-07-10 10:43:04  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:805) - Database Insert Successful.
Starting new session...
2008-07-10 10:43:06  INFO [HoneyClient::Manager::VM::Clone::new] (lib/HoneyClient/Manager/VM/Clone.pm:885) - Setting VM (/vm/master/master.vmx) as master.
2008-07-10 10:43:20  INFO [HoneyClient::Manager::VM::Clone::_init] (lib/HoneyClient/Manager/VM/Clone.pm:580) - Quick cloning master VM (/vm/master/master.vmx).
/bin/tar: 848e47dd4f38389c8f13db9705/master.vmem: file changed as we read it
2008-07-10 10:44:12  INFO [HoneyClient::Manager::VM::Clone::_init] (lib/HoneyClient/Manager/VM/Clone.pm:649) - Initialized clone VM (31cc179d1ca6bf6fc59a6f5b14) using IP (10.0.0.138) and MAC (00:0c:29:e4:1e:dc).
VM State Table:
$VAR1 = {
          '31cc179d1ca6bf6fc59a6f5b14' => {
                                          'sources' => {
                                                         '00:0c:29:e4:1e:dc' => {
                                                                                '10.0.0.138' => {
                                                                                                'tcp' => [
                                                                                                           80,
                                                                                                           443
                                                                                                         ]
                                                                                              }
                                                                              }
                                                       }
                                        }
        };

Cannot encode unnamed element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead
2008-07-10 10:44:45  INFO [HoneyClient::Manager::get_urls] (lib/HoneyClient/Manager.pm:974) - Waiting for new URLs from database.

www.google.com


2008-07-10 10:44:45  INFO [HoneyClient::Manager::get_urls] (lib/HoneyClient/Manager.pm:974) - Waiting for new URLs from database.

Calling updateState()...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 0,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
VM Integrity Check: OK!
Cannot encode unnamed element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead
VM State Table:
$VAR1 = {
          '31cc179d1ca6bf6fc59a6f5b14' => {
                                          'targets' => {
                                                         'www.google.com' => {
                                                                               'tcp' => [
                                                                                          80
                                                                                        ]
                                                                             }
                                                       },
                                          'sources' => {
                                                         '00:0c:29:e4:1e:dc' => {
                                                                                '10.0.0.138' => {
                                                                                                'tcp' => [
                                                                                                           80,
                                                                                                           443
                                                                                                         ]
                                                                                              }
                                                                              }
                                                       }
                                        }
        };

Cannot encode unnamed element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead
Calling run()...
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 1,
          'is_running' => 1,
          'links_processed' => 0,
          'percent_complete' => '0.00%',
          'is_compromised' => 0,
          'relative_links_remaining' => 1,
          'links_total' => 1
        };
Sleeping for 2s...
Calling getStatus()...
Result:
$VAR1 = {
          'links_remaining' => 0,
          'is_running' => 0,
          'links_processed' => 1,
          'percent_complete' => '100.00%',
          'is_compromised' => 1,
          'relative_links_remaining' => 0,
          'links_total' => 1,
          'fingerprint' => {
                             'last_resource' => 'http://www.google.com/',
                             'time_at' => '2008-07-10 10:44:31.781',
                             'os_processes' => [
                                                 {
                                                   'pid' => '4',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'ActiveService',
                                                                    'value' => 'HTTP',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_HTTP\\0000\\Control',
                                                                    'time_at' => '2008-07-10 10:44:31.781',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'System',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '668',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'ActiveService',
                                                                    'value' => 'SSDPSRV',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_SSDPSRV\\0000\\Control',
                                                                    'time_at' => '2008-07-10 10:44:31.890',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => '',
                                                                    'value' => '9',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\ServiceCurrent',
                                                                    'time_at' => '2008-07-10 10:44:32.62',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'ActiveService',
                                                                    'value' => 'ALG',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_ALG\\0000\\Control',
                                                                    'time_at' => '2008-07-10 10:44:32.328',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\WINDOWS\\system32\\services.exe',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '1040',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'PnpInstanceID',
                                                                    'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection',
                                                                    'time_at' => '2008-07-10 10:44:31.906',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'PnpInstanceID',
                                                                    'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection',
                                                                    'time_at' => '2008-07-10 10:44:31.906',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'Epoch',
                                                                    'value' => '4d',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch',
                                                                    'time_at' => '2008-07-10 10:44:33.78',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'Epoch',
                                                                    'value' => '4e',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch',
                                                                    'time_at' => '2008-07-10 10:44:33.93',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'Epoch',
                                                                    'value' => '4f',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch',
                                                                    'time_at' => '2008-07-10 10:44:33.93',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'Epoch',
                                                                    'value' => '50',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch',
                                                                    'time_at' => '2008-07-10 10:44:33.468',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'Epoch',
                                                                    'value' => '51',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch',
                                                                    'time_at' => '2008-07-10 10:44:33.750',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'PnpInstanceID',
                                                                    'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection',
                                                                    'time_at' => '2008-07-10 10:44:33.765',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\WINDOWS\\system32\\svchost.exe',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '1648',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'Cache',
                                                                    'value' => 'C:\\Documents and Settings\\admin\\Local Settings\\Temporary Internet Files',
                                                                    'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
                                                                    'time_at' => '2008-07-10 10:44:32.15',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'Cookies',
                                                                    'value' => 'C:\\Documents and Settings\\admin\\Cookies',
                                                                    'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
                                                                    'time_at' => '2008-07-10 10:44:32.78',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'History',
                                                                    'value' => 'C:\\Documents and Settings\\admin\\Local Settings\\History',
                                                                    'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
                                                                    'time_at' => '2008-07-10 10:44:32.78',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\Program Files\\Messenger\\msmsgs.exe',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '1540',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_BINARY',
                                                                    'value_name' => 'LogonTime',
                                                                    'value' => 'f4f170799be2c81',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print\\Providers',
                                                                    'time_at' => '2008-07-10 10:44:36.531',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_LINK',
                                                                    'value_name' => 'SymbolicLinkValue',
                                                                    'value' => '\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print\\Printers',
                                                                    'time_at' => '2008-07-10 10:44:36.578',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'TypesSupported',
                                                                    'value' => '7',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\Print',
                                                                    'time_at' => '2008-07-10 10:44:36.578',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'TypesSupported',
                                                                    'value' => '7',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\TCPMon',
                                                                    'time_at' => '2008-07-10 10:44:36.609',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_SZ',
                                                                    'value_name' => 'EventMessageFile',
                                                                    'value' => '%SystemRoot%\\System32\\tcpmon.dll',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\TCPMon',
                                                                    'time_at' => '2008-07-10 10:44:36.609',
                                                                    'event' => 'SetValueKey'
                                                                  },
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'BeepEnabled',
                                                                    'value' => '0',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print',
                                                                    'time_at' => '2008-07-10 10:44:36.609',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\WINDOWS\\system32\\spoolsv.exe',
                                                   'process_files' => []
                                                 },
                                                 {
                                                   'pid' => '544',
                                                   'regkeys' => [
                                                                  {
                                                                    'value_type' => 'REG_DWORD',
                                                                    'value_name' => 'ProxyEnable',
                                                                    'value' => '0',
                                                                    'name' => 'HKLM\\SYSTEM\\ControlSet003\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings',
                                                                    'time_at' => '2008-07-10 10:47:26.890',
                                                                    'event' => 'SetValueKey'
                                                                  }
                                                                ],
                                                   'name' => 'C:\\Program Files\\Internet Explorer\\iexplore.exe',
                                                   'process_files' => []
                                                 }
                                               ]
                           }
        };
WARNING: VM HAS BEEN COMPROMISED!
2008-07-10 10:47:48  WARN [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:760) - VM Compromised. Last Resource (http://www.google.com/)
2008-07-10 10:47:48  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:767) - Saving fingerprint to 'fingerprint.dump'.
2008-07-10 10:47:49  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:779) - Archiving VM...
2008-07-10 10:48:00  INFO [HoneyClient::Manager::VM::snapshotVM] (lib/HoneyClient/Manager/VM.pm:4418) - Snapshotting VM (/vm/clones/31cc179d1ca6bf6fc59a6f5b14/master.vmx) to (/vm/snapshots/31cc179d1ca6bf6fc59a6f5b14-20080710T104800.tar.gz).
2008-07-10 10:48:00  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:785) - Saving URL History to Database.
2008-07-10 10:48:01  INFO [HoneyClient::Manager::insert_url_history] (lib/HoneyClient/Manager.pm:926) - 1 URL(s) Inserted.
2008-07-10 10:48:02  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:796) - Inserting Fingerprint Into Database.
2008-07-10 10:48:02  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:805) - Database Insert Successful.
Starting new session...

Change History

07/10/08 11:12:23 changed by kindlund

  • keywords set to registry, filesystem, process, exclusion, lists, compromised, vm, visited.
  • status changed from new to assigned.
  • description changed.

Hi,

I understand the issue. Okay, so a couple of things to keep in mind:

In earlier versions, yes, the 'exclusion/white lists' were stored within the etc/honeyclient.xml file. However, since then, we've switched to using Capture HPC for real-time integrity checks.

As such, ALL exclusion lists are defined within ~/honeyclient/thirdparty/capture-mod/ directory on the MASTER VM. Specifically, they are described in the following 3 files:

~/honeyclient/thirdparty/capture-mod/RegistryMonitor.exl
~/honeyclient/thirdparty/capture-mod/FileMonitor.exl
~/honeyclient/thirdparty/capture-mod/ProcessMonitor.exl

For more information about what these files mean, please see Section 4.1 of this documentation:

https://projects.honeynet.org/capture-hpc/browser/capture-hpc/trunk/capture-client/ReadMe-HPC.txt

In short, it looks like your .exl files need to be updated. We have a more recent version that you can use, available here:

http://www.honeyclient.org/trac/browser/honeyclient/trunk/thirdparty/capture-mod

Just download the 3 .exl files in trunk and copy them into your MASTER VM in your ~/honeyclient/thirdparty/capture-mod directory.

If you still experience false positives, please let us know what version of Internet Explorer you are using and we can proceed to troubleshoot further.

Regards,

— Darien
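As an added illustration, not part of this ticket and not code from HoneyClient or Capture-HPC: the script below shows what the .exl exclusion lists do to a fingerprint like the one pasted above. It takes registry events in the shape of the dump (writing process, event type, key name), matches them against a RegistryMonitor-style exclusion list, reports which events would still count as VM changes, and prints a candidate exclusion line for each of those. The line format (tab-separated `+`/`-`, event, process regex, object regex, `#` comments), the last-matching-rule-wins evaluation and the `fullmatch` semantics are my assumptions from the Capture-HPC ReadMe, not verified against the code; the events and the rules are constructed, and the `dropper.exe` Run-key write is a made-up non-whitelisted event so that the script has something left to flag.

```python
import re
from dataclasses import dataclass

# Constructed registry events in the shape of the fingerprint dump in this
# ticket: the process that wrote the value, the event type and the key name.
SAMPLE_EVENTS = [
    {"process": r"C:\WINDOWS\system32\svchost.exe", "event": "SetValueKey",
     "name": r"HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Epoch"},
    {"process": r"C:\WINDOWS\system32\services.exe", "event": "SetValueKey",
     "name": r"HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_ALG\0000\Control"},
    {"process": r"C:\Program Files\Internet Explorer\iexplore.exe", "event": "SetValueKey",
     "name": r"HKLM\SYSTEM\ControlSet003\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings"},
    # Constructed event with no matching rule: an unknown binary adding a Run entry.
    {"process": r"C:\Documents and Settings\admin\Local Settings\Temp\dropper.exe", "event": "SetValueKey",
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

# Constructed exclusion list. Format ASSUMED from the Capture-HPC ReadMe:
# one rule per line, four tab-separated fields
#   <+|->  <event>  <process regex>  <object regex>
# '+' excludes a matching event, '-' re-includes it, '#' starts a comment.
SAMPLE_EXL = "\n".join([
    "# constructed RegistryMonitor.exl",
    "\t".join(["+", "SetValueKey", r"C:\\WINDOWS\\system32\\svchost\.exe",
               r"HKLM\\SYSTEM\\ControlSet\d{3}\\Services\\SharedAccess\\Epoch"]),
    "\t".join(["+", "SetValueKey", r"C:\\WINDOWS\\system32\\services\.exe",
               r"HKLM\\SYSTEM\\ControlSet\d{3}\\Enum\\Root\\LEGACY_.*\\0000\\Control"]),
    "\t".join(["+", "SetValueKey", r"C:\\Program Files\\Internet Explorer\\iexplore\.exe",
               r"HKLM\\SYSTEM\\ControlSet\d{3}\\Hardware Profiles\\.*\\Internet Settings"]),
])


@dataclass
class Rule:
    lineno: int
    exclude: bool
    event: str
    process: re.Pattern
    target: re.Pattern


def parse_exl(text: str) -> list:
    """Parse .exl text into rules; a malformed line raises instead of being silently skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected '<+|->\\t<event>\\t<process re>\\t<object re>'")
        action, event, proc_re, obj_re = fields
        rules.append(Rule(lineno, action == "+", event,
                          re.compile(proc_re, re.IGNORECASE),
                          re.compile(obj_re, re.IGNORECASE)))
    return rules


def matching_rule(event: dict, rules: list):
    """Return the last rule whose event, process and key regexes all match (assumed: last match wins)."""
    hit = None
    for rule in rules:
        if (rule.event == event["event"]
                and rule.process.fullmatch(event["process"])
                and rule.target.fullmatch(event["name"])):
            hit = rule
    return hit


def unexcluded(events: list, rules: list) -> list:
    """Events that still count as VM changes: no rule matches, or the last match is a '-' rule."""
    out = []
    for ev in events:
        rule = matching_rule(ev, rules)
        if rule is None or not rule.exclude:
            out.append(ev)
    return out


def suggest_rule(event: dict) -> str:
    """Build an exclusion line for an event judged benign; the ControlSet number is generalised
    because it changes between boots of the same image."""
    proc = re.escape(event["process"])
    key = re.sub(r"ControlSet\d{3}", r"ControlSet\\d{3}", re.escape(event["name"]))
    return "\t".join(["+", event["event"], proc, key])


if __name__ == "__main__":
    rules = parse_exl(SAMPLE_EXL)
    for ev in SAMPLE_EVENTS:
        hit = matching_rule(ev, rules)
        verdict = f"excluded by line {hit.lineno}" if hit and hit.exclude else "NOT excluded -> would flag the VM"
        print(f"{ev['process']}  {ev['event']}  {ev['name']}\n    {verdict}")
    for ev in unexcluded(SAMPLE_EVENTS, rules):
        print("candidate rule if this event is judged benign:\n   ", suggest_rule(ev))
```

Run against the constructed data, the three service and browser writes are excluded and only the Run-key write remains, which is the behaviour the updated .exl files are meant to give for a clean site; a `-` line appended after a `+` line re-includes whatever it matches, so the order of lines matters under the assumed semantics. Only add a suggested rule after deciding the event is benign on the master image, since every rule also hides that event when a malicious page causes it.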

07/10/08 12:29:42 changed by anonymous

Thanks for the quick reply. I went ahead and downloaded the new version of the .exl files from the link supplied; however, it appears as though we are having the same problem. We are using version 6.0.2900.2180.xpsp_sp2, cipher strength 128-bit.

Thanks again for the help!!


www.hotmail.com

Starting new session… 2008-07-10 12:20:11 INFO [HoneyClient::Manager::VM::init] (lib/HoneyClient/Manager/VM.pm:757) - Initializing VM daemon at PID: 10312 2008-07-10 12:20:11 INFO [HoneyClient::Manager::VM::Clone::new] (lib/HoneyClient/Manager/VM/Clone.pm:885) - Setting VM (/vm/master/master.vmx) as master. 2008-07-10 12:20:24 INFO [HoneyClient::Manager::VM::Clone::_init] (lib/HoneyClient/Manager/VM/Clone.pm:580) - Quick cloning master VM (/vm/master/master.vmx). 2008-07-10 12:21:16 INFO [HoneyClient::Manager::VM::Clone::_init] (lib/HoneyClient/Manager/VM/Clone.pm:649) - Initialized clone VM (bcd82ed5afc18c24a23a2216d6) using IP (10.0.0.142) and MAC (00:0c:29:54:f9:61). VM State Table: $VAR1 = {

'bcd82ed5afc18c24a23a2216d6' ⇒ {

'sources' ⇒ {

'00:0c:29:54:f9:61' ⇒ {

'10.0.0.142' ⇒ {

'tcp' ⇒ [

80, 443

]

}

}

}

}

};

Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead 2008-07-10 12:21:48 INFO [HoneyClient::Manager::get_urls] (lib/HoneyClient/Manager.pm:974) - Waiting for new URLs from database. Calling updateState()… Calling getStatus()… Result: $VAR1 = {

'links_remaining' ⇒ 1, 'is_running' ⇒ 0, 'links_processed' ⇒ 0, 'percent_complete' ⇒ '0.00%', 'is_compromised' ⇒ 0, 'relative_links_remaining' ⇒ 1, 'links_total' ⇒ 1

};

VM Integrity Check: OK! Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead VM State Table: $VAR1 = {

'bcd82ed5afc18c24a23a2216d6' ⇒ {

'targets' ⇒ {

'hotmail.com' ⇒ {

'tcp' ⇒ [

80

]

}

},

'sources' ⇒ {

'00:0c:29:54:f9:61' ⇒ {

'10.0.0.142' ⇒ {

'tcp' ⇒ [

80, 443

]

}

}

}

}

};

Cannot encode 'sources' element as 'hash'. Will be encoded as 'map' instead
Cannot encode 'value' element as 'hash'. Will be encoded as 'map' instead
Calling run()...
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};
Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 1, 'is_running' => 1, 'links_processed' => 0, 'percent_complete' => '0.00%', 'is_compromised' => 0, 'relative_links_remaining' => 1, 'links_total' => 1
};

Sleeping for 2s...
Calling getStatus()...
Result: $VAR1 = {
  'links_remaining' => 0,
  'is_running' => 0,
  'links_processed' => 1,
  'percent_complete' => '100.00%',
  'is_compromised' => 1,
  'relative_links_remaining' => 0,
  'links_total' => 1,
  'fingerprint' => {
    'last_resource' => 'http://hotmail.com/',
    'time_at' => '2008-07-10 12:21:37.640',
    'os_processes' => [
      {
        'pid' => '1016',
        'regkeys' => [
          { 'value_type' => 'REG_SZ', 'value_name' => 'PnpInstanceID', 'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection', 'time_at' => '2008-07-10 12:21:37.640', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_SZ', 'value_name' => 'PnpInstanceID', 'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection', 'time_at' => '2008-07-10 12:21:37.640', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_DWORD', 'value_name' => 'Epoch', 'value' => '4d', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch', 'time_at' => '2008-07-10 12:21:41.218', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_DWORD', 'value_name' => 'Epoch', 'value' => '4e', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch', 'time_at' => '2008-07-10 12:21:41.218', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_DWORD', 'value_name' => 'Epoch', 'value' => '4f', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch', 'time_at' => '2008-07-10 12:21:41.218', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_DWORD', 'value_name' => 'Epoch', 'value' => '50', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\SharedAccess\\Epoch', 'time_at' => '2008-07-10 12:21:41.296', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_SZ', 'value_name' => 'PnpInstanceID', 'value' => 'PCI\\VEN_1022&DEV_2000&SUBSYS_20001022&REV_10\\3&61AAA01&0&88', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\\Connection', 'time_at' => '2008-07-10 12:21:41.312', 'event' => 'SetValueKey' }
        ],
        'name' => 'C:\\WINDOWS\\system32\\svchost.exe',
        'process_files' => []
      },
      {
        'pid' => '4',
        'regkeys' => [
          { 'value_type' => 'REG_SZ', 'value_name' => 'ActiveService', 'value' => 'HTTP', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_HTTP\\0000\\Control', 'time_at' => '2008-07-10 12:21:37.812', 'event' => 'SetValueKey' }
        ],
        'name' => 'System',
        'process_files' => []
      },
      {
        'pid' => '640',
        'regkeys' => [
          { 'value_type' => 'REG_SZ', 'value_name' => 'ActiveService', 'value' => 'SSDPSRV', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_SSDPSRV\\0000\\Control', 'time_at' => '2008-07-10 12:21:38.46', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_DWORD', 'value_name' => '', 'value' => '9', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\ServiceCurrent', 'time_at' => '2008-07-10 12:21:40.765', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_SZ', 'value_name' => 'ActiveService', 'value' => 'ALG', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_ALG\\0000\\Control', 'time_at' => '2008-07-10 12:21:40.984', 'event' => 'SetValueKey' }
        ],
        'name' => 'C:\\WINDOWS\\system32\\services.exe',
        'process_files' => []
      },
      {
        'pid' => '1636',
        'regkeys' => [
          { 'value_type' => 'REG_SZ', 'value_name' => 'Cache', 'value' => 'C:\\Documents and Settings\\admin\\Local Settings\\Temporary Internet Files', 'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders', 'time_at' => '2008-07-10 12:21:38.921', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_SZ', 'value_name' => 'Cookies', 'value' => 'C:\\Documents and Settings\\admin\\Cookies', 'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders', 'time_at' => '2008-07-10 12:21:39.15', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_SZ', 'value_name' => 'History', 'value' => 'C:\\Documents and Settings\\admin\\Local Settings\\History', 'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders', 'time_at' => '2008-07-10 12:21:39.62', 'event' => 'SetValueKey' }
        ],
        'name' => 'C:\\Program Files\\Messenger\\msmsgs.exe',
        'process_files' => []
      },
      {
        'pid' => '1544',
        'regkeys' => [
          { 'value_type' => 'REG_BINARY', 'value_name' => 'LogonTime', 'value' => '1257379a9e2c81', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print\\Providers', 'time_at' => '2008-07-10 12:21:41.203', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_LINK', 'value_name' => 'SymbolicLinkValue', 'value' => '\\Registry\\Machine\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print\\Printers', 'time_at' => '2008-07-10 12:21:41.390', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_DWORD', 'value_name' => 'TypesSupported', 'value' => '7', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\Print', 'time_at' => '2008-07-10 12:21:41.390', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_DWORD', 'value_name' => 'TypesSupported', 'value' => '7', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\TCPMon', 'time_at' => '2008-07-10 12:21:41.484', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_SZ', 'value_name' => 'EventMessageFile', 'value' => '%SystemRoot%\\System32\\tcpmon.dll', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Services\\Eventlog\\System\\TCPMon', 'time_at' => '2008-07-10 12:21:41.484', 'event' => 'SetValueKey' },
          { 'value_type' => 'REG_DWORD', 'value_name' => 'BeepEnabled', 'value' => '0', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Control\\Print', 'time_at' => '2008-07-10 12:21:41.484', 'event' => 'SetValueKey' }
        ],
        'name' => 'C:\\WINDOWS\\system32\\spoolsv.exe',
        'process_files' => []
      },
      {
        'pid' => '740',
        'regkeys' => [
          { 'value_type' => 'REG_DWORD', 'value_name' => 'ProxyEnable', 'value' => '0', 'name' => 'HKLM\\SYSTEM\\ControlSet003\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings', 'time_at' => '2008-07-10 12:25:43.109', 'event' => 'SetValueKey' }
        ],
        'name' => 'C:\\Program Files\\Internet Explorer\\iexplore.exe',
        'process_files' => []
      }
    ]
  }
};

WARNING: VM HAS BEEN COMPROMISED!
2008-07-10 12:26:03  WARN [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:760) - VM Compromised. Last Resource (http://hotmail.com/)
2008-07-10 12:26:03  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:767) - Saving fingerprint to 'fingerprint.dump'.
2008-07-10 12:26:04  INFO [HoneyClient::Manager::runSession] (lib/HoneyClient/Manager.pm:779) - Archiving VM...
2008-07-10 12:26:15  INFO [HoneyClient::Manager::VM::snapshotVM] (lib/HoneyClient/Manager/VM.pm:4418) - Snapshotting VM (/vm/clones/bcd82ed5afc18c24a23a2216d6/master.vmx) to (/vm/snapshots/bcd82ed5afc18c24a23a2216d6-20080710T122615.tar.gz).

07/10/08 12:35:11 changed by anonymous

One thing I did notice is that some of the items which are triggering are under ControlSet001 in the filter you guys have, but the alerts are 003 on my device? Maybe change the filter to ControlSet003 or make an addition.

thanks again for the help

07/10/08 13:57:17 changed by kindlund

Yeah, it looks like you're right. Okay, so the .exl files are basically regular expressions that match according to the registry keys and processes who make those changes.

In general, if you're seeing benign activity that you want to update, just edit the corresponding .exl file (in this case: ~/honeyclient/thirdparty/capture-mod/RegistryMonitor.exl) and make the corresponding changes there.

There is one major "gotcha" that I should state up front, when editing ANY of the .exl files:

For each entry, all elements on a single line are separated by A SINGLE TAB — not spaces. If you try to create a new line using spaces to separate each field instead of TABS, then the Capture code will fail. This is a known issue.

So, to address your latest comment, try the following:

  1. Open up ~/honeyclient/thirdparty/RegistryMonitor.exl in the MASTER VM
  2. Look for all lines that have ControlSet001 in them. For example:
       +   SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SYSTEM\\ControlSet001\\.+
  3. Change those lines to read:
       +   SetValueKey C:\\WINDOWS\\system32\\svchost\.exe HKLM\\SYSTEM\\ControlSet.+\\.+
  4. Save the RegistryMonitor.exl

Let me know if that works.

We also have a small utility script that can try to create the corresponding exclusion list entries for you, called ~/honeyclient/bin/capture_out2exclude.pl, which you could also try running. It should create 3 corresponding .txt files that you can then use to update your .exl files.

Once you've ended up updating your .exl files so that there are no false positives, please attach them to this ticket and we'll be sure to incorporate your changes in future versions of the code.

Thanks,

— Darien

07/11/08 09:12:31 changed by anonymous

Ok, got rid of all but one of the falses. Not quite sure why this msmsgs.exe still triggers an alert when it is correctly being filtered. Output and corresponding entry from the Registry.exl file shown below.


www.google.com


'fingerprint' => {
  'last_resource' => 'http://google.com/',
  'time_at' => '2008-07-11 08:48:18.406',
  'os_processes' => [
    {
      'pid' => '1636',
      'regkeys' => [
        { 'value_type' => 'REG_SZ', 'value_name' => 'Cache', 'value' => 'C:\\Documents and Settings\\admin\\Local Settings\\Temporary Internet Files', 'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders', 'time_at' => '2008-07-11 08:48:18.406', 'event' => 'SetValueKey' },
        { 'value_type' => 'REG_SZ', 'value_name' => 'Cookies', 'value' => 'C:\\Documents and Settings\\admin\\Cookies', 'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders', 'time_at' => '2008-07-11 08:48:18.421', 'event' => 'SetValueKey' },
        { 'value_type' => 'REG_SZ', 'value_name' => 'History', 'value' => 'C:\\Documents and Settings\\admin\\Local Settings\\History', 'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders', 'time_at' => '2008-07-11 08:48:18.421', 'event' => 'SetValueKey' }
      ],
      'name' => 'C:\\Program Files\\Messenger\\msmsgs.exe',
      'process_files' => []
    }
  ]
}
};

WARNING: VM HAS BEEN COMPROMISED!


Entry from .exl file:

+      SetValueKey     C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+

thanks again

07/11/08 13:43:27 changed by kindlund

  • keywords changed from registry, filesystem, process, exclusion, lists, compromised, vm, visited to registry, filesystem, process, exclusion, lists, compromised, vm, visited, exl, registry.
  • type changed from issue to bug.

Okay, I see the issue. The problem is that the ending regular expression (.+) indicates 1 or more characters have to appear after the last backslash (\). In this case, the changes occur within the top level "Shell Folders" and not in any sub-directories.

To fix the issue, you need to replace the regular expression (.+) with (.*). The (.*) expression indicates to match on 0 or more characters after the last backslash (\), which should match the entries you've seen.

I've just committed r1682 which solves this problem. This is essentially what I changed:

OLD:

+      SetValueKey     C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+
+      DeleteValueKey  C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+

NEW:

+      SetValueKey     C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.*
+      DeleteValueKey  C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.*

Please let me know if this solves your issue.

Thanks,

— Darien

07/11/08 13:48:41 changed by kindlund

Oops. Okay, I think I made a slight mistake; r1683 corrects it. Essentially, I forgot to get rid of the final backslash (\) before adding on the (.*). This version should fix your issue.

OLD:

+      SetValueKey     C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+
+      DeleteValueKey  C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+

NEW:

+      SetValueKey     C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders.*
+      DeleteValueKey  C:\\Program Files\\Messenger\\msmsgs\.exe       HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders.*

— Darien
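The three rule edits in this thread (ControlSet001 widened to ControlSet.+, then Shell Folders\\.+ changed to \\.* and finally to .*) are all regex-boundary problems, and the TAB-versus-space warning is a parsing problem. The following checker, added here as an example and not part of HoneyClient or Capture, parses .exl lines in the tab-separated "+ event process-regex key-regex" form shown above, replays the registry events from the two fingerprints posted in this ticket against each version of the rules, and reports what is still un-excluded. It assumes Python's re module as a stand-in for Capture's regex engine and assumes full-string matching of the process and key fields; the event tuples are constructed from the ticket's own output.

```python
"""Added example: replay observed registry events against .exl exclusion rules.

Assumptions (not taken from the HoneyClient/Capture code): Python's `re`
approximates Capture's regex engine, a rule applies only when the event name
matches exactly and the process and key regexes fully match, and fields are
separated by single TABs as the ticket's "gotcha" states.
"""
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    exclude: bool            # "+" excludes (benign), "-" includes
    event: str               # e.g. SetValueKey, DeleteValueKey
    proc_re: "re.Pattern"    # regex over the process image path
    obj_re: "re.Pattern"     # regex over the registry key path


def parse_exl(text: str) -> Tuple[List[Rule], List[str]]:
    """Return (rules, errors). A line not split into 4 TAB-separated fields is
    reported instead of silently dropped, since that is how a space-separated
    line breaks the exclusion list."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 TAB-separated fields, got "
                          f"{len(fields)} (spaces used instead of TABs?)")
            continue
        sign, event, proc, obj = fields
        if sign not in ("+", "-"):
            errors.append(f"line {lineno}: first field must be + or -, got {sign!r}")
            continue
        try:
            rules.append(Rule(sign == "+", event, re.compile(proc), re.compile(obj)))
        except re.error as exc:
            errors.append(f"line {lineno}: bad regex: {exc}")
    return rules, errors


def is_excluded(rules, event, process, obj) -> bool:
    """True if some '+' rule covers this (event, process, key) triple."""
    return any(r.exclude and r.event == event
               and r.proc_re.fullmatch(process) and r.obj_re.fullmatch(obj)
               for r in rules)


def unexcluded(rules, events):
    """Events no exclusion covers: these are what raise the compromise alert."""
    return [e for e in events if not is_excluded(rules, *e)]


# Events constructed from the fingerprints posted in this ticket.
MSMSGS = r"C:\Program Files\Messenger\msmsgs.exe"
SVCHOST = r"C:\WINDOWS\system32\svchost.exe"
SHELL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
EVENTS = [
    ("SetValueKey", MSMSGS, SHELL),   # value_name Cache
    ("SetValueKey", MSMSGS, SHELL),   # value_name Cookies
    ("SetValueKey", MSMSGS, SHELL),   # value_name History
    ("SetValueKey", SVCHOST,
     r"HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
     r"\{BA9EBA5F-172D-4013-90E5-59D0853B0A49}\Connection"),
]


def exl(*fields: str) -> str:
    """Build one .exl line with the single-TAB separators the format needs."""
    return "\t".join(fields)


MSMSGS_RE = r"C:\\Program Files\\Messenger\\msmsgs\.exe"
SVCHOST_RE = r"C:\\WINDOWS\\system32\\svchost\.exe"
SHELL_RE = r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"

# The rule sets as they evolved in the thread (reconstructed, not the shipped files).
EXL_VERSIONS = {
    "original": "\n".join([   # ControlSet001 only; "\\.+" needs a backslash plus 1+ chars
        exl("+", "SetValueKey", SVCHOST_RE, r"HKLM\\SYSTEM\\ControlSet001\\.+"),
        exl("+", "SetValueKey", MSMSGS_RE, SHELL_RE + r"\\.+"),
    ]),
    "r1682": "\n".join([      # ".*" allows 0 chars, but the backslash is still required
        exl("+", "SetValueKey", SVCHOST_RE, r"HKLM\\SYSTEM\\ControlSet.+\\.+"),
        exl("+", "SetValueKey", MSMSGS_RE, SHELL_RE + r"\\.*"),
    ]),
    "r1683": "\n".join([      # the key itself, or anything beneath it
        exl("+", "SetValueKey", SVCHOST_RE, r"HKLM\\SYSTEM\\ControlSet.+\\.+"),
        exl("+", "SetValueKey", MSMSGS_RE, SHELL_RE + r".*"),
    ]),
}


def leftover_counts() -> dict:
    """How many observed events each rule-set version still fails to exclude."""
    out = {}
    for name, text in EXL_VERSIONS.items():
        rules, errors = parse_exl(text)
        assert not errors, errors
        out[name] = len(unexcluded(rules, EVENTS))
    return out


def tab_check(text: str) -> List[str]:
    """Only the formatting errors, for validating a hand-edited .exl file."""
    return parse_exl(text)[1]


if __name__ == "__main__":
    for version, n in leftover_counts().items():
        print(f"{version}: {n} event(s) still un-excluded")
```

Run stand-alone it prints 4, 3 and 0 un-excluded events for the original, r1682 and r1683 rule sets respectively: the original misses the svchost event (ControlSet001 versus 003) and all three Shell Folders writes, r1682 still misses the three Shell Folders writes because the literal backslash before .* is required, and r1683 excludes everything. Feeding a space-separated line to tab_check returns the field-count error rather than a silently ignored rule.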

08/28/08 15:33:32 changed by kindlund

  • status changed from assigned to closed.
  • resolution set to worksforme.

Closing ticket, since no new issues have been reported.
