6 replies to this topic

[sginzbar]

MBAM has been detecting a change in Broken.OpenCommand in my registry of by my desktop (WindowsXP) and my laptop (Windows 7). I checked the items found and clicked remove selected. If I repeat the scan immediately no threats are found. However if I repeat the scan later the same day the Broken.OpenCommand is found again.

Registry Data Items Detected: 2
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: ("%1" /S) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

Is the registry being reinfected by notepad.exe?

I am using IOLO System Mechanic which has been reported to cause false positives for the Broken.OpenCommand, http://forums.malwar...howtopic=110120. However after I disabled System Mechanics repair registry problems in automated tasks the Broken.OpenCommand keeps showing up in MBAM.

Is Broken.OpenCommand a dangerous trojan as a number of websites say or is it "a shell context menu addition that allows you to open the registry editor by right-clicking on a .reg file. No idea why MBAM objected to the quotes around the regedit command; your existing entry was not broken", http://www.overclock...n-opencommand-s

If it's a serious problem how can I clean my computers? Our university technical support said they could run ComboFix but would first backup my harddisk onto another disk in case ComboFix breaks anything.

Steve

[Firefox]

Hello and

This can be caused by Iolo's System Mechanic, and is safe to add to your ignore list.

System Mechanic (and Dell's PC TuneUp) both change Windows File Associations to make certain files open in Notepad instead of with the programs that Windows would normally open them with. One of those types of files is Registry Exports, which experts and companies like ours like to use when helping people online. This breaks certain fixes, and is considered not good, and thus Malwarebytes' Anti-Malware will attempt to fix it.

This is not something that we will likely change, and so we offer the ability to add the entries to the ignore list in order to prevent them from being detected.

As for running Combofix, you should not run such tools without expert advice as this could make things worst if you do not know exactly what you are doing....

[sginzbar]

Thanks for the explanation. i tried uninstalling System Mechanic. In the last 6 hrs since I uninstalled it MBAM has not detected any changes to Broke.OpenCommand. I am using the full version of MBAM licenced to the university. On my computer I don't see anywhere I can add Broken.OpenCommand to an ignore list. I think I would have to ask the university administrator to add it to the ignore list. Is System Mechanic the only possible cause of this registry change or can it also by caused by malware?

Steve

[Firefox]

As far as I know at this time, System Mechanic is the one that causes this particular issue. Of course there could be malware out there that also affect issues such as this one, but at the moment I can only recall this being an issue with System Mechanic.

As for adding this to the ignore list...

• Perform another Quick Scan with MBAM and once you're viewing the results of the scan, click once on the item you wish to ignore and click Ignore and do the same for any additional items you want ignored

• When finished, click on Remove Selected (even if there are no more items listed that were detected in the scan)

• Do one more Quick Scan to verify that the items are now ignored

[exile360]

Infections can indeed cause this, however, the most common cause of it recurring repeatedly like this is System Mechanic, and since it did not return after uninstalling System Mechanic, then System Mechanic was certainly the cause.

[sginzbar]

I reinstalled System Mechanic and ran a deep analysis. The two registry changes showed up as a security vulnerability. I was able to ignor them in System Mechanic. I did a MBAM quick scan later and nothing was detected.

Steve

[Firefox]

Glad to hear you got it sorted out....