What is this?



monkeys
2008-08-19, 17:50
I just did a scan today, and here's what came up:

Hint of the Day: Click the bar at the right of this to see more information! ()


Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3116376176-3369187908-3964339836-1005\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-08-04 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-08-05 Includes\Adware.sbi (*)
2008-08-12 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-08-05 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-07-30 Includes\Hijackers.sbi (*)
2008-08-12 Includes\HijackersC.sbi (*)
2008-08-05 Includes\Keyloggers.sbi (*)
2008-08-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-08-05 Includes\Malware.sbi (*)
2008-08-12 Includes\MalwareC.sbi (*)
2008-08-05 Includes\PUPS.sbi (*)
2008-08-12 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-08-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-08-12 Includes\Spyware.sbi (*)
2008-08-12 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi (*)
2008-08-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

What is this registry change? I did a scan last night, and nothing came up. The only thing I can remember doing between last night's scan and today's is uninstalling and installing Adobe Reader stuff.

monkeys
2008-08-19, 18:51
Looked it up, and it looks like Internet Options > Advanced > scroll down to Security > uncheck "Allow active content to run in files on my computer" fixes it. My question now is, what could have changed this registry entry between last night and today? I uninstalled older versions of Adobe Reader and installed Adobe Reader 9, which came with Acrobat.com and Adobe AIR. Could any of this have done it?

blues
2008-08-19, 18:58
I have this detection too sometimes. I suspect it is CCleaner or uTorrent, or maybe it is Adobe as you say. Java, SpywareBlaster or something else, who knows?

Doesn't this setting, when checked, mean that any website can install anything they want on the computer?

drragostea
2008-08-19, 19:06
Doesn't this setting, when checked, mean that any website can install anything they want on the computer?

It does partially sound like it. I usually use the 'Restore to Advanced Settings' option so everything will be back to default. I wouldn't want any funny or sneaky stuff running on my computer without my knowledge.

blues
2008-08-19, 19:15
This is what I have, and some of them are changing the setting :mad:

Flash, Java, HostsMan, avast, "Revo Uninstaller", IZArc (it happened before I installed Revo and IZArc), uTorrent, CDBurnerXP, "Adobe Reader", "Auslogics Disk Defrag", "Auslogics Registry Defrag", ImgBurn, SUPERAntiSpyware, SpywareBlaster and of course Spybot.

What do you have, monkeys?

drragostea
2008-08-19, 19:17
I have a fraction of the programs that you use, but none of them seems to have affected the configuration of the Advanced Options. :scratch:

I remember that when you first reformat, the settings in IE are not in default.

monkeys
2008-08-19, 19:17
Flash Player, Java, Adobe Reader 9 (that for some reason forced me to install Adobe AIR and Acrobat.com too, which I uninstalled), Malwarebytes' Anti-Malware and Spybot. This has never happened to me before, so I'm thinking it had something to do with uninstalling older Adobe Readers or installing Adobe Reader 9/Adobe AIR with Acrobat.com.

blues
2008-08-19, 19:28
I installed Adobe Reader 9 after formatting some days ago, so if it is Adobe Reader then the old one also does it.

Adobe AIR? I saw that crap too and didn't understand what it was. It wasn't in the old one I had, as I remember.

The setting is unchecked right after formatting, so something is checking it.

monkeys
2008-08-19, 19:46
I'm definitely guessing it for some reason did it when I installed Adobe Reader 9, or the forced-on-me Adobe AIR/Acrobat.com.

blues
2008-08-19, 19:57
I have tried different things now: I opened uTorrent, tried to update Adobe Reader, tried to update Java, deleted files with CCleaner. No setting changed at all when I did all this.

The setting is changed from time to time for some reason.

I don't trust Adobe and Sun at all.

monkeys
2008-08-19, 20:15
Here's a post from an old thread about it:


Eliuri and all

Recently I installed Adobe Creative Suite 2 (CS2), downloaded the new definitions, got the same error as those on this thread, but also, ALL of my .htm and .html file icons have turned to the generic icon, as if there were no program to open the files.

They are clearly associated with IE, open with IE when double-clicked upon, and in Folder Options/File Types/ I can see the association, and they open with IE when double-clicked upon.

Coincidence? Related? Bad timing? Bad luck?

Thanks,

folsombob

http://forums.spybot.info/showthread.php?t=6749

blues
2008-08-19, 20:40
So you think it is Adobe Reader that checks the setting?

I fix it with Spybot, and some days later it is back. It is frustrating.

monkeys
2008-08-19, 20:57
I think that's what did it to me at least. I didn't do anything between my scans last night and today except go to sites I always go to and install Adobe Reader 9/Adobe AIR, so I seriously doubt it's actual malware that does it. I guess we'll see if it keeps coming back for me.

You're completely clean when you scan besides occasionally getting that, right? No infections when you scan with Avast and other things? :)

blues
2008-08-19, 21:07
If it is Adobe Reader, then I will not use it anymore. Maybe I will use this instead if it is safe: http://www.foxitsoftware.com/pdf/rd_intro.php

Avast and the others don't detect anything.

monkeys
2008-08-19, 21:13
It's strange how it keeps checking itself for you (hope it doesn't do that to me!). I've been using Adobe Reader since I got this computer a couple of years ago, and this had never happened before until last night/today when I decided to uninstall Adobe Reader 8 and "upgrade" to 9.

Oh, and you say you had Adobe AIR/Acrobat.com? Do you still have it, or did you uninstall it a few seconds after seeing they forced you to install that crap like I did?

blues
2008-08-19, 21:20
I only removed a shortcut on my desktop; it was AIR or Acrobat.com.

I opened the shortcut and there was a licence agreement, if I remember right. I didn't accept it and deleted the shortcut.

monkeys
2008-08-19, 21:25
I'm thinking it's more Adobe AIR than Adobe Reader, though I really don't know. How often would you say it checks itself again for you? I can see if it checks itself again for me, and that might let us know if it's Adobe AIR.

blues
2008-08-19, 21:50
I scan with Spybot once a week, but I don't usually look in IE7 very often to see if the setting has changed, and I have never noticed it when I have been looking myself, other than looking at it when Spybot finds it. I don't think Spybot finds it every week.

monkeys
2008-08-20, 05:38
Yeah, so I look at "Allow active content to run files in my computer". It's unchecked. Then I reinstall Adobe Reader 9/Adobe AIR/Acrobat.com. Then I look at "Allow active content to run files in my computer". It's checked. I guess that answers that question.
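
The before/after check described in the post above can be scripted against the key Spybot reported. This is an added example, not part of the original posts and not Spybot's or Adobe's code. The helper name `Get-IeLockdownState` and the reading of the value (0 = box checked, 1 = box unchecked) are assumptions of this example; the thread itself only gives the key path and the checkbox name.

```powershell
# Added example: snapshot the value Spybot flagged, run an installer, compare.
# The key path is taken from the Spybot report quoted in this thread.
$subKey = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

function Get-IeLockdownState {   # hypothetical helper name
    # One result per user hive currently loaded under HKEY_USERS
    # (the regex skips the "<SID>_Classes" companion hives).
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid   = $_.PSChildName
            $path  = "Registry::HKEY_USERS\$sid\$subKey"
            $item  = Get-ItemProperty -Path $path -Name 'iexplore.exe' -ErrorAction SilentlyContinue
            $value = if ($item) { $item.'iexplore.exe' } else { $null }

            # Assumed mapping: 1 = lockdown enforced, 0 = lockdown disabled.
            if     ($null -eq $value) { $meaning = 'value not set for this user' }
            elseif ($value -eq 1)     { $meaning = 'lockdown on (box unchecked)' }
            elseif ($value -eq 0)     { $meaning = 'lockdown off (box checked, the state Spybot reported)' }
            else                      { $meaning = 'unexpected value' }

            [PSCustomObject]@{ Sid = $sid; Value = $value; Meaning = $meaning }
        }
}

$before = @(Get-IeLockdownState)
Read-Host 'Install or update the program under test, then press Enter' | Out-Null
$after  = @(Get-IeLockdownState)

foreach ($a in $after) {
    $b = $before | Where-Object { $_.Sid -eq $a.Sid }
    if ($null -eq $b -or $b.Value -ne $a.Value) {
        "{0}: changed from '{1}' to '{2}' ({3})" -f $a.Sid, $b.Value, $a.Value, $a.Meaning
    } else {
        "{0}: unchanged ({1})" -f $a.Sid, $a.Meaning
    }
}
```

Reading other users' hives under HKEY_USERS may require an elevated prompt; run as the affected user, the script still reports that user's own SID.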

blues
2008-08-20, 10:11
I reinstalled Adobe Acrobat today, and you are right, the setting was changed. The box was checked after reinstalling it.

So the question is, this change can't be so critical when it is Adobe Acrobat that changes it, or what? It is a program trusted by many. So why does Spybot detect the change? I hope someone can explain what the setting really does. Isn't this critical since Spybot detects it? Or is the setting harmless?

The strange thing is, even when I don't reinstall Acrobat the setting is still changed sometimes, maybe once a week or so. Since nobody explains what the setting really does, can we surf safely without being afraid that some malware gets automatically installed? Then why is Spybot detecting something that may be harmless? Since the team/advisors are not answering, I guess it is harmless. Why detect it then? Maybe it is needed by Adobe Acrobat. Why doesn't the setting get changed for other people that use Acrobat, when we just found out it was Acrobat that changed it?

blues
2008-08-23, 10:21
Other people are experiencing the same, that it is Adobe Reader that changes the setting:

"Windows Live OneCare Safety Scanner users can't scan because of Adobe Reader 9": http://www.dozleng.com/updates/index.php?showtopic=16434

"error occurred in the script on this page": http://boards.live.com/safetyboards/thread.aspx?threadid=606296

This is unacceptable, and reminds me of a tweak program called SafeXP that I used to disable ActiveX in Internet Explorer. When I used SafeXP to set the setting back, it didn't set it to the default setting, which is prompt, but set it to enable.