Scan Result



Charly
2006-08-21, 12:48
Hi all,
My sincere apologies, I earlier may have posted this thread to the wrong forum - I hope that this is the right one! Please forgive me for causing this confusion.
This is my first posting. After many years of using Spybot S&D the latest scan result revealed the following 3 items:-

21.08.2006 15:40:49 - found: Windows.Security.InternetExplorer Settings
21.08.2006 15:40:49 - found: Windows.Security.InternetExplorer Settings
21.08.2006 15:40:49 - found: Windows.Security.InternetExplorer Settings

--- Report generated: 2006-08-21 15:43 ---

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-861567501-1614895754-725345543-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
---------------------------------------------------------------------

My question: Is it safe to 'fix' (remove) these registry items?

Many thanks in advance.
With best regards,

md usa spybot fan
2006-08-21, 15:49
I suggest you "Fix selected problems" on those detections unless you experienced an issue such as the one described in the following article and intentionally changed those registry entries from their default setting:
AutoShapes that were added to an HTML or an MHTML file in a Microsoft Office program do not appear when you open the file in Internet Explorer after you install Windows XP SP2
http://support.microsoft.com/default.aspx?scid=kb;EN-US;883969

Ron in RI
2006-08-21, 21:11
:rolleyes:

I logged on to post a question that turns out to be very similar to Charly's.

I scan all the time and things always turn up clean....until today when I got this on my report:

HKEY_USERS\S-1-5-21-631271675-1031378978-415638407-1006\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

I read the article in the reply to Charly's question and it does not apply in my situation. I suspect the answer is to "correct the problem".....but I'm always wary about anything to do with the Registry so I thought I'd ask.

Thanks very much!

Ron in RI

md usa spybot fan
2006-08-22, 00:24
Ron in RI:


I read the article in the reply to Charly's question and it does not apply in my situation.
Can you explain exactly what your situation is?

In referencing that article, I was trying to point out that there may be a valid reason to intentionally change those registry entries from their default settings of dword:00000001.

However, if you did not intentionally change those entries from the default setting of dword:00000001, because of that particular problem or some other specific problem, there may be a reason for concern.

Did you intentionally change the following registry entry?


[HKEY_USERS\S-1-5-21-631271675-1031378978-415638407-1006\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe]

Ron in RI
2006-08-22, 03:43
md usa...

No, I did not intentionally change that registry entry. (I never touch the Registry.)

All I can say is that the HKEY_USERS...etc entry showed up, as cited, on my Spybot scan report. I'd never had anything like it show up on Spybot.

Thanks

Ron in RI

UserChris
2006-08-22, 08:20
I'm in the same boat as Ron. I never change the registry myself but starting yesterday I am getting exactly the same warning from Spybot


Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\...\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1


I fixed this on my wife's user last night, rescanned and all was fine. Now it's back on my user.

Is this really something we should worry about? I only noticed this after I updated Spybot last night and no other virus scan or spyware scan finds any errors.

I read on this msdn article that the correct value for this key should be 1, but I don't know what to make of the value shown of "=W=1".
http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/locallockdown.aspx

Can someone help...

Chris

md usa spybot fan
2006-08-22, 08:34
I read on this msdn article that the correct value for this key should be 1, but I don't know what to make of the value shown of "=W=1".
The detection reads "!=W=1" which indicates "!=" (not equal) "W=1" (dword=1). In other words the registry entry is something other than a "dword:00000001".

UserChris
2006-08-22, 08:37
Update -- I just tried having S&D fix it on my user, restarted, and it's back yet again. Plus, I have my system restore turned off.

I guess I could try to fix it in safe mode, but that gets back to the question, is this really a problem or could it be a false-positive?

Chris

eliuri
2006-08-22, 10:42
Hello again:

I had posted about this issue yesterday:

http://forums.spybot.info/showthread.php?t=6766

and was referred to this thread.

I'm still somewhat puzzled as to why this Security Lockdown issue only appeared after I downloaded the new Spybot definitions. It didn't show on a Spybot scan earlier this month. It could well be that the new definitions look for this particular problem, but I'm concerned because it isn't showing on online security checks I've run, such as Sygate, Symantec, GRC

Nor does it show on AdAware or A-Squared [Emsisoft] scans.

When I read that UserChris noted that the alert returns after his fixing it, I had second thoughts about fixing this entry.

It might help to hear if other users are getting similar odd findings with this entry.

Thanks in advance:

-Eliuri

Windows XP Professional Edition

Internet Explorer 6.0

Spybot 1.4

Ad-Aware SE

A-Squared Free Trojan Scanner

Zone Alarm Security Suite 6.1.744.001

UserChris
2006-08-22, 17:45
2nd update -- I've tried to fix it in safe mode and it is fine for my wife's user, but keeps coming back on my user - even when I fix it in safe mode.

Every time Spybot reports that it was able to fix it, but when I run another spybot check (regardless if I restart or not) the same warning comes up.

Oddly, when I navigate to that exact key using regedit, I can't find any binary data for iexplore.exe. There is a key for LOCALMACHINE_CD_UNLOCK of "0x00000001" but no associated binary data for iexplore.exe.

md usa spybot fan, since you don't have this issue coming up on your system, can you navigate to the iexplore key and see if it has binary data for you and what it is set at? FYI, I'm running Windows XP Home, SPII, with all the latest updates.

Any thoughts on how to fix this?

Chris

md usa spybot fan
2006-08-22, 18:22
I do not have an "iexplore.exe" entry in my HKEY_USERS registry hive:


[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]

[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings]

However, I do have one in the HKLM:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"wmplayer.exe"=dword:00000001
"waol.exe"=dword:00000001

md usa spybot fan
2006-08-22, 19:16
Firstly, Spybot does not appear to detect "iexplore.exe"=dword:00000000 in the HKLM registry hive. This entry was not detected:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000000

It is detected in the users registry hive. This entry was detected:


[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000000

As:


Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Doing a "Fix selected problems" changes the "iexplore.exe"=dword:00000000 to "iexplore.exe"=dword:00000001:


[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000001

Log from the fix:


Windows.Security.InternetExplorer: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

I ran the same test with the Security.sbi file from the 2006-08-11 updates and the registry entry of "iexplore.exe"=dword:00000000 was not detected, proving that the detection was added with the 2006-08-18 updates.
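
The detection behaviour tested in the post above, as an added example that is not part of the thread and not Spybot's own code: it parses .reg export text and applies the `!=W=1` check ("not equal to dword 1") to the `HKEY_USERS` hives only. The SIDs and the sample export are constructed, and treating a missing `iexplore.exe` value as not reported is an assumption based on the poster's own hive, which has no such value.

```python
import re

# Key suffix taken from the scan reports quoted in this thread.
SUFFIX = r"\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN"

# Constructed .reg export (placeholder SIDs), in the style quoted in the post.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000000

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000000

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1002\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000001

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
'''

# Report line format: <key>\<value name>!=W=<number>
RULE = re.compile(r"^(?P<key>.+)\\(?P<name>[^\\]+)!=W=(?P<want>\d+)$")


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}.
    dword data becomes an int; any other data is kept as the raw string."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = hives.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
            current[name.strip('"')] = int(m.group(1), 16) if m else data
    return hives


def parse_rule(line):
    """Split a report line into (key path, value name, expected dword)."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError("not a '!=W=' report line: %r" % line)
    return m.group("key"), m.group("name"), int(m.group("want"))


def rule_fires(rule_line, hives):
    """True when the named value exists and is anything other than the
    expected dword. Registry paths and value names are case-insensitive."""
    key, name, want = parse_rule(rule_line)
    for path, values in hives.items():
        if path.lower() != key.lower():
            continue
        for vname, data in values.items():
            if vname.lower() == name.lower():
                return data != want
    return False  # assumption: a missing value is not reported


def scan(reg_text):
    """Apply the check to every HKEY_USERS hive; HKLM is left out, matching
    the test in the post where the HKLM entry was not detected."""
    hives = parse_reg(reg_text)
    hits = []
    for path in hives:
        low = path.lower()
        if low.startswith("hkey_users\\") and low.endswith(SUFFIX.lower()):
            rule = path + "\\iexplore.exe!=W=1"
            if rule_fires(rule, hives):
                hits.append(rule)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_REG):
        print("Windows.Security.InternetExplorer: Settings")
        print(hit)
```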

UserChris
2006-08-22, 23:54
Thanks md usa, that answers a lot of questions.

But why do you suppose that change doesn't stick on my user? Does your system retain that change when you do another Spybot scan, perhaps after restart, or does it flag the same issue over and over (as it does with me)?

Chris

Ron in RI
2006-08-23, 00:12
:cool:

This is a most interesting thread...though it's getting beyond my competence.

I expect that this change might have occurred after I downloaded S&D definition updates....as I did updates just before running this particular scan.

The bottom line question for me is: Is this "LOCKDOWN/iexplore.exe" item a problem? Is there something we should do? Leave it alone? Fix it? Or.....?

Thanks

md usa spybot fan
2006-08-23, 00:17
UserChris:

I can only assume that something is preventing Spybot from actually changing the entry to begin with or something is changing the registry entry back after Spybot alters it. If your wife's entry has not been changed back then it would seem to be something you are running under your account that is not being run under your wife's account.

eliuri
2006-08-23, 11:01
Thanks md usa, that answers a lot of questions.

But why do you suppose that change doesn't stick on my user? Does your system retain that change when you do another Spybot scan, perhaps after restart, or does it flag the same issue over and over (as it does with me)?

Chris

************************************************


Hello again, Chris:

I too have two users on my PC. One of them got that Spybot: Windows.Security.Internet Explorer reading; the other did not.

Here’s how I resolved it without asking Spybot to fix anything:

Internet Explorer-->Properties->Options--> Advanced-->Scroll down to Security.

Uncheck the top two boxes. In my case, the “culprit” was the second box from top checked box reading:


“Allow active content to run in files on My Computer".

The user getting that Spybot alert had that checked in; the one without the alert had that unchecked.

I suppose that the upper box reading:


“Allow active content from CDs to run on My Computer”

might trigger that alert as well if checked in.

It seems that the option allowing active content to run in files on My Computer in effect overrides the SP2 Default of locking down the Local Machine Zone.

At times, an Information Bar appears on top of a page asking you if you’d like to allow active content to run, and you’re prompted with several options. I’m wondering if you might have allowed that after you fixed it via Spybot, and thus undid the Local Machine Zone lockdown? Perhaps some program you were running prompted you about this and you opted to allow it?

In any case, my altering the Internet Options--> Advanced security settings as described above did fix it –at least for now—without having Spybot alter the registry, and neither of the two users are getting that Windows.Security.Internet Explorer registry item in the Spybot scan.

I’m wondering if the same happens in your case.

I found the following site useful in explaining some of this.

http://www.microsoft.com/windows/ie/community/columns/improvements.mspx


Best of luck:

-Eliuri

UserChris
2006-08-23, 23:15
Thanks for the post eliuri.

I discovered the same thing last night, but in my case the culprit was “Allow active content from CDs to run on My Computer”.

Once I unchecked that and ran a Spybot scan all was well. Whew! What a relief.

Would it be possible for us to recommend to the makers of Spybot that they add to the description of this problem a suggestion that the user check that Internet Options panel to see if any of these boxes are checked? Spybot seems to be unable to fix the problem if these boxes are checked so this would be a very helpful piece of advice.

Thanks to everyone! I really appreciate all the feedback and suggestions I've received here.

Chris

Ron in RI
2006-08-24, 21:16
:crowned:

Hi Folks....

Unchecking the "active content" culprit settled the problem for me, too.

THANKS so much to all who participated in this discussion!!

Ron in RI

folsombob
2006-08-26, 00:46
I have the same or similar problems as the others.
In addition, all of my .htm and .html files have lost their icons.

The files STILL OPEN in IE, but they now sport the generic icon.

This happened to me after I installed Adobe Photoshop CS2. It may be connected to the install, or just a coincidence.

I, too, do not like to mess around in the Registry.

What is the solution to SpyBot's recognition of this?

Should I "fix selected problem..." or just let it ride?

Thanks,

folsombob

eliuri
2006-08-26, 04:37
Hello folsombob:

You might wish to try the following:

In IE go to: Tools--->Internet Options--->Advanced.

Scroll down to Security.

Uncheck the following top two boxes [if checked]:

--Allow active content from CDS to run on My Computer

--Allow active content to run on files on My Computer

If you run the Spybot scan again, you might not get that

Windows.Security.Internet Explorer

-Eliuri

folsombob
2006-08-26, 08:13
Thanks, Eliuri!

folsombob
2006-08-26, 08:14
Thanks, Eliuri!!



Hello folsombob:

You might wish to try the following:

In IE go to: Tools--->Internet Options--->Advanced.

Scroll down to Security.

Uncheck the following top two boxes [if checked]:

--Allow active content from CDS to run on My Computer

--Allow active content to run on files on My Computer

If you run the Spybot scan again, you might not get that

Windows.Security.Internet Explorer

-Eliuri

Charly
2006-08-27, 03:42
Hi Eliuri,

I unchecked the second item (the first one was unchecked already) and a
consequent scan revealed the following:-
--- Search result list ---
Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Regards,

folsombob
2006-08-27, 06:22
Eliuri and all

Recently I installed Adobe Creative Suite 2 (CS2), downloaded the new definitions, got the same error as those on this thread, but also, ALL of my .htm and .html file icons have turned to the generic icon, as if there were no program to open the files.

They are clearly associated with IE, open with IE when double-clicked upon, and in Folder Options/File Types/ I can see the association, and they open with IE when double-clicked upon.

Coincidence? Related? Bad timing? Bad luck?

Thanks,

folsombob

eliuri
2006-08-27, 09:11
Folsombob wrote:


"They are clearly associated with IE, open with IE when double-clicked upon, and in Folder Options/File Types/ I can see the association, and they open with IE when double-clicked upon."



Hello folsombob:

I really don't know much about the technical aspects here, and what I posted last week was based on my own experience with this. I'm not familiar with Adobe Creative Suite.

But having said that, let me hazard a guess as to what might have happened here, and I suppose you can test it out rather easily.

When you prevented active content from running files on your computer, you essentially told IE not to run active content associated with .htm or .html files. Perhaps that's what's needed to enable those particular file icons from showing in their non-generic form. You might test this out by rechecking in that box in the Advanced--> Security scroll down in Internet Options. By reallowing it, you might get those icons to display as before. If so, I guess it's up to you if you wish to override this security setting of IE.

Another approach might be to install Mozilla-Firefox and to set it as your default browser, just to see if those earlier icons are restored. You can readily switch back to Internet Explorer as your default browser if you want to or if it doesn't resolve this. I find it much easier to get customized icons on Firefox than it is with IE and supposedly, they incur little if any security risks.

Might help and unlikely to hurt...

Good luck:

-Eliuri

eliuri
2006-08-27, 13:03
Hi Eliuri,

I unchecked the second item (the first one was unchecked already) and a
consequent scan revealed the following:-
--- Search result list ---
Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Regards,


Hi again, Charly:

The possibility of this being a false positive has recently been raised in a few microsoft.public newsgroups. Hopefully, this will be sorted out soon. Might be best to leave it alone till the matter is resolved.

Check at:

microsoft.public.internetexplorer.security

and

microsoft.public.internetexplorer.general

with regard to an August 25 post on this matter.

I access those newsgroups via Outlook Express.

If I were you, I'd leave it as is till this matter is clarified.

Take care:

-Eliuri

Viral
2006-08-27, 21:22
Spybot was reporting Windows.Security.InternetExplorer continuously on my machine too, even after repeated 'cleans'. I checked my Internet Explorer advanced options and none of the following suspect options was checked (first three items under the sub-heading Security):
Allow active content from CDs to run on My Computer
Allow active content to run in files on My Computer
Allow software to run or install even if the signature is invalid
So I checked and then unchecked each of them and clicked Apply. Then I clicked OK to close the Internet Options dialogue and reran Spybot; no problems!

:bigthumb:

Mele20
2006-08-28, 02:30
What I'd like to know is why when I right click on this key which Spybot has flagged after the latest definitions were installed

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1627089689-3221996064-4092179728-1005\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Spybot takes me to this key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
\AuthRoot\Certificates\049811056AFE9FD0F5BE01685AACE6A5D1C4454C

A key regarding Root Certs has nothing to do with the key detected by Spybot as having changed. This odd discrepancy alerted me immediately to the possibility of a FP. I am telling Spybot to ignore this until we get some official determination about it.

md usa spybot fan
2006-08-28, 07:08
Mele20:

I believe that you may be misinterpreting what is happening.

It appears that expanding the Windows.Security.InternetExplorer detection, highlighting and right clicking on the detailed entry > selecting "More details" > "Jump to location" opens the Registry Editor. However, it appears to me that the Registry Editor opens to wherever it was left when it was last used, not to the specific registry key in the detection or any other specific entry.

Charly
2006-09-03, 13:21
Hi Eliuri,
sorry for pestering you again but the latest scan result still shows the same old findings:-

--- Report generated: 2006-09-03 16:56 ---

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
---------------------------------------------------
I followed the recommendations as posted by "Viral" dated 08/27/06 19:22 but without any success.
Was wondering if anything *new* has transpired to rectify these persistent findings.
I am a novice and my computer terminologies are not up to scratch but am willing to try anything. If available, would appreciate some easy-to-read 'cum' easy-to-implement guidance.

With best regards,
Charly.

eliuri
2006-09-04, 23:25
Hi again Charly:

You could place those two items in the Ignore Single Entries list the next time they appear in the scan result. You've already asked Spybot to correct them, and they simply reappeared. Possibly a future definition update will correct this. You could try removing it from ignore when the next definition file is downloaded, and re-ignore them if it's still flagged. Anyhow, I guess that's what I would do...

I don't know enough about the registry to speculate as to the problem, but it seems others are having difficulties with this finding as well.

Take care;

-Eliuri

Charly
2006-09-05, 00:12
Hi again Charly:

You could place those two items in the Ignore Single Entries list the next time they appear in the scan result. You've already asked Spybot to correct them, and they simply reappeared. Possibly a future definition update will correct this. You could try removing it from ignore when the next definition file is downloaded, and re-ignore them if it's still flagged. Anyhow, I guess that's what I would do...

I don't know enough about the registry to speculate as to the problem, but it seems others are having difficulties with this finding as well.

Take care;

-Eliuri

Thanks Eliuri.

Outrider
2006-09-24, 08:57
Hi, Spybot lovers;

I can't make this thing go away and you guys are talking about things I have yet to comprehend. S&D does not blow it away despite the fact that it thinks it does.

Does anyone know if this little glitch threatens us or should we ignore it?

System seems to be doing OK, however this bugger jumped out at me after I mistakenly downloaded some S/W accompanying BSPlayer download, which immediately made itself look like it was trying to get into my communications, etc.

Any feedback would be appreciated.

Learn2
2006-09-29, 21:48
Hi Outrider,
I am a NEWBIE here also. I am no computer wiz. I spend hours at a time searching for answers!
This issue was no different! I contacted SPYBOT who gave me a list of websites, (including this thread), .....all of which are mentioned in this thread (some of which I had found on my own).

On my own, nothing made sense! But coming here, reading post by post, going to the link when it appears, it started making some sense. I do not understand it all, but it makes a lot more sense than it did before coming here.

This place is :bigthumb: Thank you all so much for the info!:heart: :heart: :angel: :angel: I greatly appreciate it. I can finally move on to other things!!!!!!:D: Learn 2

musicalpulltoy
2013-04-16, 20:18
It still exists 3 years later


Microsoft.Windows.Security.InternetExplorer: [SBI $366713D4] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

spybotsandra
2013-04-17, 15:05
Hello,

It might be best next time to open a new thread instead of posting in a 7-year-old one. ;)

So which Spybot version do you run?
Which Windows version do you have?

Best regards
Sandra
Team Spybot