Microsoft.Windows.Security.InternetExplorer threat



godawgs
2009-12-11, 22:25
I just ran a scan and the following came up. It shows as a security threat and was checked.

Microsoft.Windows.Security.InternetExplorer
[SBI $A3433CBF] Settings (Registry change, nothing done) HKEY_USERS\S-1-5-21-2695072642-473866232-3689853989-1006\Software\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe (is not) W=1

I had to manually add the "(is not) W=1" to this post, as it did not show up when I copied the results of the scan to the clipboard and then pasted it into notepad.

I deleted the rest of the scan as the entries were only cookies, MRUs, last file opened, etc.

Can anyone tell me what this threat is? I just did an update from Windows for the IE 6.0 browser yesterday, did that have anything to do with it? Should I go ahead and let SpyBot S&D fix it?
Thanks!
P.S. Below is the balance of the scan showing program particulars:

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

If you need any more information, let me know.

Rosenfeld
2009-12-12, 02:00
The alert tells you that one security setting in Internet Explorer options is not set to its default value. The setting concerned is in Internet options, advanced tab, in the security section (scroll down to it), 'allow active content to run in files on my computer'. If that has a checkmark in the box the registry entry you mention is set to 0 and Spybot flags it as 'not = 1'. If it isn't checked (the default) it would (should) be set to its default value of 1 in the registry, which is what spybot expects.

In fact I deliberately checked that box in the advanced tab and excluded the detection from further searches to stop Spybot from flagging it every time. Although that makes my system slightly less secure when browsing, I had good reasons to do so in my circumstances.

But if you did not check that option deliberately, it could be a sign that there is (was) some malware on your PC that set it.

Uncheck that option in the advanced tab, close IE and restart it, see if it remains unchecked, and/or rescan with Spybot.

godawgs
2009-12-12, 05:50
Thanks, Rosenfeld.
The "allow active content to run in files on my computer" was checked. If I remember correctly, my credit card site had directions to set it so a part of their site would work. I will go back to their site and if that is not the case, I will uncheck it, close and reopen the browser to make sure it's still unchecked and then rerun Spybot. But this was the only thing that came up as an immediate threat when I ran it today.
Thanks again,
JC

jprice
2010-04-26, 23:59
I'm using Windows 7 and the latest version of IE8.
Today I installed Spybot - Search & Destroy version: 1.6.2 (build: 20090126)
and installed the latest Spybot updates.

SpybotSD reported the same "Microsoft.Windows.Security.InternetExplorer" problem you diagnosed in this thread on December 11, 2009:

========================================
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1101232559-714465636-2791255473-1006\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
========================================


The values for this registry entry are as follows:
(Default)= (value not set)
iexplore.exe=0

And "allow active content to run in files on my computer" under my IE8 Advanced Security Settings was already UNCHECKED when I examined it per the advice you gave Dec. 11, 2009.

This is inconsistent with the diagnosis you provided on Dec. 11, 2009 for the "Microsoft.Windows.Security.InternetExplorer" problem.
How should I address this?

jprice
2010-04-27, 00:53
Rosenfeld:

I allowed SpybotSD to fix this "Microsoft.Windows.Security.InternetExplorer" problem just to see what would happen.

The result was that the registry value "iexplore.exe" was changed from 0 to 1.

However, the IE8 Advanced Security Setting you cited ("allow active content to run in files on my computer") remained UNCHECKED.

Apparently the registry entry being flagged by SpybotSD is NOT associated with the Advanced Security Setting "allow active content to run in files on my computer".
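
As an added example (not part of any post in this thread, and not Spybot's own code), a read-only PowerShell check of the value the scans above report, run against every user hive loaded under HKEY_USERS so the flagged SID can be matched to an account. The expected value of 1 is taken from the replies above; the script assumes PowerShell 3.0 or later and changes nothing.

```powershell
# Read-only audit of FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe per user hive.
# Added example: nothing is written to the registry.
$subKey   = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$name     = 'iexplore.exe'
$expected = 1   # value Spybot expects, per the thread

# SID of the account running the script, to mark its own hive in the output
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

Get-ChildItem -Path 'Registry::HKEY_USERS' |
    # keep real user hives only (skips .DEFAULT, service SIDs and *_Classes)
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$subKey"

        # Resolve the SID to an account name; orphaned SIDs do not resolve
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '(unresolved)'
        }

        # Distinguish "key or value absent" from a stored 0 or 1
        $value = $null
        if (Test-Path -Path $path) {
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
                $value = $props.$name
            }
        }

        $state = if ($null -eq $value) { 'value not set' }
                 elseif ($value -eq $expected) { 'matches expected' }
                 else { 'differs from expected' }

        [pscustomobject]@{
            SID         = $sid
            Account     = $account
            CurrentUser = ($sid -eq $me)
            Value       = $value
            State       = $state
        }
    } | Format-Table -AutoSize
```

Only hives of users who are logged on (or otherwise loaded) appear under HKEY_USERS, so a SID from a scan report may be missing from the output if that account is not signed in.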