Scan Result

Charly

Hi all,
My sincere apologies, I earlier may have posted this thread to the wrong forum - I hope that this is the right one! Please forgive me for causing this confusion.
This is my first posting. After many years of using Spybot S&D the latest scan result revealed the following 3 items:-

21.08.2006 15:40:49 - found: Windows.Security.InternetExplorer Settings
21.08.2006 15:40:49 - found: Windows.Security.InternetExplorer Settings
21.08.2006 15:40:49 - found: Windows.Security.InternetExplorer Settings

--- Report generated: 2006-08-21 15:43 ---

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-861567501-1614895754-725345543-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
---------------------------------------------------------------------

My question: Is it safe to 'fix' (remove) these registry items?

Many thanks in advance.
With best regards,
 
I suggest you "Fix selected problems" on those detections unless you experienced an issue such as the one described in the following article and intentionally changed those registry entries from their default setting:
 
Similar Situation and Question

:rolleyes:

I logged on to post a question that turns out to be very similar to Charly's.

I scan all the time and things always turn up clean....until today when I got this on my report:

HKEY_USERS\S-1-5-21-631271675-1031378978-415638407-1006\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

I read the article in the reply to Charly's question and it does not apply in my situation. I suspect the answer is to "correct the problem".....but I'm always wary about anything to do with the Registry so I thought I'd ask.

Thanks very much!

Ron in RI
 
Ron in RI:

I read the article in the reply to Charly's question and it does not apply in my situation.
Can you explain exactly what your situation is?

In referencing that article, I was trying to point out that there may be a valid reason to intentionally change those registry entries from their default settings of dword:00000001.

However, if you did not intentionally change those entries from the default setting of dword:00000001, because of that particular problem or some other specific problem, there may be a reason for concern.

Did you intentionally change the following registry entry?

Code:
[HKEY_USERS\S-1-5-21-631271675-1031378978-415638407-1006\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe]
 
My situation is.....

md usa...

No, I did not intentionally change that registry entry. (I never touch the Registry.)

All I can say is that the HKEY_USERS...etc entry showed up, as cited, on my Spybot scan report. I'd never had anything like it show up on Spybot.

Thanks

Ron in RI
 
I'm in the same boat as Ron. I never change the registry myself but starting yesterday I am getting exactly the same warning from Spybot.

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\...\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

I fixed this on my wife's user last night, rescanned and all was fine. Now it's back on my user.

Is this really something we should worry about? I only noticed this after I updated Spybot last night and no other virus scan or spyware scan finds any errors.

I read on this msdn article that the correct value for this key should be 1, but I don't know what to make of the value shown of "=W=1".
http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/locallockdown.aspx

Can someone help...

Chris
 
I read on this msdn article that the correct value for this key should be 1, but I don't know what to make of the value shown of "=W=1".
The detection reads "!=W=1" which indicates "!=" (not equal) "W=1" (dword=1). In other words the registry entry is something other than a "dword:00000001".
 
Update -- I just tried having S&D fix it on my user, restarted, and it's back yet again. Plus, I have my system restore turned off.

I guess I could try to fix it in safe mode, but that gets back to the question, is this really a problem or could it be a false-positive?

Chris
 
Hello again:

I had posted about this issue yesterday:

http://forums.spybot.info/showthread.php?t=6766

and was referred to this thread.

I'm still somewhat puzzled as to why this Security Lockdown issue only appeared after I downloaded the new Spybot definitions. It didn't show on a Spybot scan earlier this month. It could well be that the new definitions look for this particular problem, but I'm concerned because it isn't showing on online security checks I've run, such as Sygate, Symantec, GRC

Nor does it show on AdAware or A-Squared [Emsisoft] scans.

When I read that UserChris noted that the alert returns after his fixing it, I had second thoughts about fixing this entry.

It might help to hear if other users are getting similar odd findings with this entry.

Thanks in advance:

-Eliuri

Windows XP Professional Edition

Internet Explorer 6.0

Spybot 1.4

Ad-Aware SE

A-Squared Free Trojan Scanner

Zone Alarm Security Suite 6.1.744.001
 
2nd update -- I've tried to fix it in safe mode and it is fine for my wife's user, but keeps coming back on my user - even when I fix it in safe mode.

Every time Spybot reports that it was able to fix it, but when I run another Spybot check (regardless if I restart or not) the same warning comes up.

Oddly, when I navigate to that exact key using regedit, I can't find any binary data for iexplore.exe. There is a key for LOCALMACHINE_CD_UNLOCK of "0x00000001" but no associated binary data for iexplore.exe.

md usa spybot fan, since you don't have this issue coming up on your system, can you navigate to the iexplore key and see if it has binary data for you and what it is set at? FYI, I'm running Windows XP Home, SPII, with all the latest updates.

Any thoughts on how to fix this?

Chris
 
I do not have an "iexplore.exe" entry in my HKEY_USERS registry hive:

Code:
[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]

[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings]

However, I do have one in the HKLM:

Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"wmplayer.exe"=dword:00000001
"waol.exe"=dword:00000001
 
Firstly, Spybot does not appear to detect "iexplore.exe"=dword:00000000 in the HKLM registry hive. This entry was not detected:

Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000000

It is detected in the users registry hive. This entry was detected:

Code:
[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000000

As:

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Doing a "Fix selected problems" changes the "iexplore.exe"=dword:00000000 to "iexplore.exe"=dword:00000001:

Code:
[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@=""
"iexplore.exe"=dword:00000001

Log from the fix:

Windows.Security.InternetExplorer: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

I ran the same test with the Security.sbi file from the 2006-08-11 updates and the registry entry of "iexplore.exe"=dword:00000000 was not detected, proving that the detection was added with the 2006-08-18 updates.
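
The "!=W=1" condition explained earlier in the thread, applied to the before and after registry states from the test above, as an added example that is not part of any post and is not Spybot's own code. The function names, the placeholder SID and the matching logic are assumptions inferred from the thread's explanation; a value missing from the export is reported as "absent" because the thread does not settle how Spybot treats that case.

```python
import re

# Report line format seen in the thread: <key path>\<value name>!=W=<number>
DETECTION = re.compile(r"^(?P<key>.+)\\(?P<name>[^\\]+)!=W=(?P<data>\d+)$")
# A DWORD value line in a .reg export: "name"=dword:0000000N
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

def parse_detection(line):
    """Split a report line into key, value name and the DWORD it must equal."""
    m = DETECTION.match(line.strip())
    if m is None:
        raise ValueError("not a '!=W=' detection line: %r" % line)
    return {"key": m["key"], "name": m["name"], "expected": int(m["data"])}

def parse_reg(text):
    """Map (key, value name), lower-cased, to the DWORD found in a .reg export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key is not None:
            m = DWORD.match(line)
            if m:
                values[(key, m["name"].lower())] = int(m["hex"], 16)
    return values

def evaluate(detection, reg_values):
    """'flagged' if the DWORD differs from the expected one, 'ok' if equal,
    'absent' if the export has no such value (the thread leaves that case open)."""
    actual = reg_values.get((detection["key"].lower(), detection["name"].lower()))
    if actual is None:
        return "absent"
    return "ok" if actual == detection["expected"] else "flagged"

# Constructed sample data; the SID is a placeholder, not one from the thread.
KEY = (r"HKEY_USERS\S-1-5-21-EXAMPLE\Software\Microsoft\Internet Explorer"
       r"\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN")
LINE = KEY + r"\iexplore.exe!=W=1"
BEFORE_FIX = "[" + KEY + ']\n@=""\n"iexplore.exe"=dword:00000000\n'
AFTER_FIX = BEFORE_FIX.replace("dword:00000000", "dword:00000001")

if __name__ == "__main__":
    det = parse_detection(LINE)
    for label, export in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "->", evaluate(det, parse_reg(export)))
```
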
 
Thanks md usa, that answers a lot of questions.

But why do you suppose that change doesn't stick on my user? Does your system retain that change when you do another Spybot scan, perhaps after restart, or does it flag the same issue over and over (as it does with me)?

Chris
 
Bottom line.......

:cool:

This is a most interesting thread...though it's getting beyond my competence.

I expect that this change might have occurred after I downloaded S&D definition updates....as I did updates just before running this particular scan.

The bottom line question for me is: Is this "LOCKDOWN/iexplore.exe" item a problem? Is there something we should do? Leave it alone? Fix it? Or.....?

Thanks
 
UserChris:

I can only assume that something is preventing Spybot from actually changing the entry to begin with or something is changing the registry entry back after Spybot alters it. If your wife's entry has not been changed back then it would seem to be something you are running under your account that is not being run under your wife's account.
 
Thanks md usa, that answers a lot of questions.

But why do you suppose that change doesn't stick on my user? Does your system retain that change when you do another Spybot scan, perhaps after restart, or does it flag the same issue over and over (as it does with me)?

Chris

************************************************


Hello again, Chris:

I too have two users on my PC. One of them got that Spybot: Windows.Security.Internet Explorer reading; the other did not.

Here’s how I resolved it without asking Spybot to fix anything:

Internet Explorer-->Properties->Options--> Advanced-->Scroll down to Security.

Uncheck the top two boxes. In my case, the “culprit” was the second checked box from the top, reading:


“Allow active content to run in files on My Computer”.


The user getting that Spybot alert had that checked in; the one without the alert had that unchecked.

I suppose that the upper box reading:


“Allow active content from CDs to run on My Computer”


might trigger that alert as well if checked in.

It seems that the option allowing active content to run in files on My Computer in effect overrides the SP2 Default of locking down the Local Machine Zone.

At times, an Information Bar appears on top of a page asking you if you’d like to allow active content to run, and you’re prompted with several options. I’m wondering if you might have allowed that after you fixed it via Spybot, and thus undid the Local Machine Zone lockdown? Perhaps some program you were running prompted you about this and you opted to allow it?

In any case, my altering the Internet Options--> Advanced security settings as described above did fix it, at least for now, without having Spybot alter the registry, and neither of the two users is getting that Windows.Security.Internet Explorer registry item in the Spybot scan.

I’m wondering if the same happens in your case.

I found the following site useful in explaining some of this.

http://www.microsoft.com/windows/ie/community/columns/improvements.mspx


Best of luck:

-Eliuri
 
Thanks for the post eliuri.

I discovered the same thing last night, but in my case the culprit was “Allow active content from CDs to run on My Computer”.

Once I unchecked that and ran a Spybot scan all was well. Whew! What a relief.

Would it be possible for us to recommend to the makers of Spybot that they add to the description of this problem a suggestion that the user check that Internet Options panel to see if any of these boxes are checked? Spybot seems to be unable to fix the problem if these boxes are checked so this would be a very helpful piece of advice.

Thanks to everyone! I really appreciate all the feedback and suggestions I've received here.

Chris
 
The solution!

:crowned:

Hi Folks....

Unchecking the "active content" culprit settled the problem for me, too.

THANKS so much to all who participated in this discussion!!

Ron in RI
 
Same/similar problems -- plus icon change

I have the same or similar problems as the others.
In addition, all of my .htm and .html files have lost their icons.

The files STILL OPEN in IE, but they now sport the generic icon.

This happened to me after I installed Adobe Photoshop CS2. It may be connected to the install, or just a coincidence.

I, too, do not like to mess around in the Registry.

What is the solution to SpyBot's recognition of this?

Should I "fix selected problem..." or just let it ride?

Thanks,

folsombob
 
Hello folsombob:

You might wish to try the following:

In IE go to: Tools--->Internet Options--->Advanced.

Scroll down to Security.

Uncheck the following top two boxes [if checked]:

--Allow active content from CDs to run on My Computer

--Allow active content to run on files on My Computer

If you run the Spybot scan again, you might not get that

Windows.Security.Internet Explorer

-Eliuri
 