View Full Version : Microsoft.Windows.Security.InternetExplorer - what do these entries typically imply?
el nemto
2009-01-12, 10:18
Just did a fresh scan on my system for the first time in a few months, and for the first time ever with 1.6 (on this PC) and one of these entries popped up. Are they typically security settings in IE, and if so, what does removing the entry do, restore the option to the default setting?
note: there is no malware/viruses/trojans on this PC, and this lone entry was the only one detected
I don't have any specific information aside from what's in the Spybot statistics, which also curiously said it was last fixed on 12/31/1969 for some reason.
EDIT: Also, since removing it with Spybot it seems like I'm seeing a lot more fully loaded "Internet Explorer cannot display the webpage" errors in the boxes/frames where ads are blocked by my HOSTS file. Before they would mainly would just be blank white space.
md usa spybot fan
2009-01-12, 16:48
el nemto:
Although the "Last fixed" date in Spybot's Statistics seems to be incorrect you should have a corresponding "Last found" date that is correct. From that date please find and post the Checks.yymmdd-hhmm.txt or Fixes.yymmdd-hhmm.txt log from when you received and fixed the detection in question.
el nemto
2009-01-12, 20:30
Where can I find these logs?
EDIT: Also now this is getting somewhat annoying. When I navigate to a page with blocked ad framed, each frame is now becoming it's own entry in the back/forward history so I have to hit back multiple times to move to the previous page. This never happened before.
md usa spybot fan
2009-01-13, 01:35
el nemto:
By default here are two Checks.yymmdd-hhmm.txt log files produced during a scan. The second Checks.yymmdd-hhmm.txt file has the details of what the scan found. A Fixes.yymmdd-hhmm.txt log file is produced if you fix or attempt to fix something.
There are two methods to copy and post that information from previous scans:
Method 1:
Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Look for the Checks.yymmdd-hhmm.txt or Fixes.yymmdd-hhmm.txt log file that contains the detection that you would like help with. Open it. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
Method 2
The Checks.yymmdd-hhmm.txt and Fixes.yymmdd-hhmm.txt files are stored in the following folders:
Windows 95 or 98:
C:\Windows\Application Data\Spybot - Search & Destroy\Logs
Windows ME:
C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows NT, 2000 or XP:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows Vista:
C:\ProgramData\Spybot - Search & Destroy\Logs
Using Windows Explorer, navigate to the correct Checks.yymmdd-hhmm.txt or Fixes.yymmdd-hhmm.txt log file. Double click on it and it should open with Notepad. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
el nemto
2009-01-13, 02:41
Thanks,
Here are the log files:
--- Report generated: 2009-01-12 03:09 ---
Hint of the Day: Click the bar at the right of this to see more information! ()
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1060284298-1993962763-854245398-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2009-01-11 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-11-04 Includes\Adware.sbi (*)
2008-12-29 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-06 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-05 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-06 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-06 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-29 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2009-01-06 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-05 Includes\Trojans.sbi (*)
2009-01-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- Report generated: 2009-01-12 03:11 ---
Hint of the Day: Click the bar at the right of this to see more information! ()
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1060284298-1993962763-854245398-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2009-01-11 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-11-04 Includes\Adware.sbi (*)
2008-12-29 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-06 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-05 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-06 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-06 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-29 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2009-01-06 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-05 Includes\Trojans.sbi (*)
2009-01-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
I'm using IE7, and WinXP SP3
md usa spybot fan
2009-01-13, 06:54
el nemto:
The default setting for the following registry entry became "iexplore.exe"=dword:00000001 with the introduction of Windows XP Service Pack 2.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000001
Spybot's detection indicates that the registry entry not equal to dword:00000001. In other words the value not set to the default value.
There is an explanation (relatively technical) of FEATURE_LOCALMACHINE_LOCKDOWN in the following:
Compatibility in Internet Explorer 6 for Windows XP Service Pack 2
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/xpsp2compat.asp
The bottom line is, if you did not intentionally change the default for some reason such as the following, the detection should be fixed:
Pictures do not appear as expected, or you receive an error message when you open an HTML file on a Windows XP Service Pack 2-based computer
http://support.microsoft.com/kb/878461
el nemto
2009-01-13, 07:37
The first link you provided gave me a 404. I didn't make any manual changes to that registry key. Is it connected to a setting anywhere in IE7's options or security settings?
Also, do you have any idea why it would cause the new, annoying ad frame behavior?
md usa spybot fan
2009-01-13, 08:26
el nemto:
... I didn't make any manual changes to that registry key. ...
Are you running Windows XP SP2 or above? If so the registry entry would have been change from "iexplore.exe"=dword:00000000 to "iexplore.exe"=dword:00000001 when you upgraded to XP SP2.
There is some information on FEATURE_LOCALMACHINE_LOCKDOWN here:
AutoShapes that were added to an HTML or an MHTML file in a Microsoft Office program do not appear when you open the file in Internet Explorer after you install Windows XP SP2
http://support.microsoft.com/kb/883969
... Also, do you have any idea why it would cause the new, annoying ad frame behavior?
To see if "SDHelper" is causing the behavior, try disabling "SDHelper". To do that:
Go into Spybot > Mode > Advanced Mode > Tools > Resident. Under the heading "Resident protection status" you will see: Resident "SDHelper" (Internet Explorer bad download blocker) active.
Resident "TeaTimer" (Protection of over-all system settings) active.
Uncheck:
Resident "SDHelper" (Internet Explorer bad download blocker) active.
Exit Internet Explorer and restart it.
el nemto
2009-01-13, 08:29
I'm running WinXP SP3, but I've done Spybot scans (not in 1.6 though) since installing SP2 and SP3 and never had that entry before.
Also I don't use the Spybot BHO or TeaTimer, so that can't be it.
md usa spybot fan
2009-01-13, 08:58
el nemto:
The FEATURE_LOCALMACHINE_LOCKDOWN detection has been in Spybot since at least August 2006 (Spybot 1.4 at that time). See:
FP with new localmachine_lockdown
http://forums.spybot.info/showthread.php?t=6778
el nemto
2009-01-13, 09:07
That's odd. Maybe I had it on the ignore product list in earlier versions.
Do you have any idea what could be causing the blocked ad frame behavior? I've never seen this happen before fixing that spybot result, in any version of IE (I've been using a HOSTS file to block ads since 2002).
md usa spybot fan
2009-01-13, 09:16
el nemto:
You could try to set that registry entry back to dword:00000000 (or use Spybot Recovery feature) and see what that does. Otherwise I don't know what could be causing problem.
el nemto
2009-01-13, 10:59
Sure enough setting it back to 0 solved the problem.
What an odd cause/effect...