Broken.OpenCommand fp?
#1
Posted 08 September 2008 - 08:11 AM
Here is dev mode log:
Malwarebytes' Anti-Malware 1.27
Database version: 1128
Windows 5.1.2600 Service Pack 3
9/8/2008 6:04:45 AM
mbam-log-2008-09-08 (06-04-40).txt
Scan type: Quick Scan
Objects scanned: 43744
Time elapsed: 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#2
Posted 08 September 2008 - 08:21 AM
#3
Posted 08 September 2008 - 08:28 AM
nosirrah, on Sep 8 2008, 06:21 AM, said:
nosirrah, on Sep 8 2008, 03:58 AM, said:
The value being set today is the value that MS installs when you install Windows.
This is not actually fixing a problem, only setting a value exactly the way it would be set when Windows is installed.
So it is not an infection? What do I do with it? Delete? Ignore?
#5
Posted 08 September 2008 - 04:44 PM
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> No action taken.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.
Never mind, I guess they are both bug fixes so if you see them just say remove and get ready to reboot. ...
You guys could have made that a little nicer, listed them as bug fix in the program itself. That would have been nice. That would have saved me a Xanax pill...
#6
Posted 08 September 2008 - 06:46 PM
I will talk to the guys and see what we can do to keep from alarming our users in the future.
#7
Posted 09 September 2008 - 12:54 AM
What is ultimately the good solution: to delete or not to delete the key HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) ?
In advance, thanks for your reply.
#8
Posted 09 September 2008 - 02:27 AM
#9
Posted 09 September 2008 - 12:42 PM
Raid, on Sep 9 2008, 09:27 AM, said:
Hello,
I look to SREng ( System Repair Engineer ) : / System Repair / File Association : I see Error .REG and Error .SCR The same ones ...
I look to Nemesis Anti-Spyware 1.2 Beta ( www.usec.at ) : / Registry Scans / File Assoc. Scan : I see 6 Uncommon entries ( yellow icon ) : regfile, scrfile ( the same ones ) and VBSFile, giffile, comfile, batfile -all 6 yellow icons ... And on Startup Scan : yellow icon of explorer.exe from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon : Name : Shell , REG_SZ , Data : explorer.exe ...
What's to be done? ...
With Kindest Regards, PROROOTECT
Look on MalwareTips.com forum ..
#10
Posted 09 September 2008 - 12:54 PM
One thing that could help us is if you exported any keys in question before and after any fixes that you know of. We can look to see if there are actual differences or if what you are using is too sensitive.
#11
Posted 09 September 2008 - 04:07 PM
This is BEFORE ... I am sleep ... See you tomorrow! Bye
Your PROROOTECT
#12
Posted 10 September 2008 - 11:34 AM
I just downloaded and updated MBAM 1.28 and ran a scan. The results are confusing. Here is what it found:
Broken.OpenCommand HKCR\exefile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.
Broken.OpenCommand HKCR\comfile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.
The only choices I get are to remove or ignore. There isn't any "fix" listed. Please advise what syntax is correct and not just say "Let MBAM fix it".
Hu asked this.
#14
Posted 10 September 2008 - 04:14 PM
Today :
I have MBAM v1.28.
BEFORE:
Quick scan : 2'47 sec.
Objects scanned: 42537.
Objects infected : 2.
Bad : HKCR\scrfile\shell\open\command : "%1" %*
HKCR\regfile\shell\open\command : regedit.exe"%1" %*
Remove selected.
All selected items removed successfully.
Restart of Windows. Starting : 3 seconds less than before !!! ( 23 sec ).
AFTER:
I look to Registry : ...\scrfile\... : GOOD! : "%" /S
...\regfile\... : GOOD! : regedit.exe "%1"
MBAM : Quick scan : 2'48 sec.
Objects scanned : 42543.
Objects infected : 0.
Thank you so much !!! All OK. Trustworthy MBAM !!!
I look to SREng/File Association : all OK.
Before and After :
I look to Nemesis Anti-Spyware/File Assoc. Scan : I see Uncommon entries ( yellow ) :
VBSFile : C\Windows\System32\WScript.exe : "%1" %*
giffile : "C\Program Files\Internet Explorer\iexplore.exe" -nohome
comfile : "%1" %*
batfile : "%1" %*
Nemesis/Spyware Scan :
Red (= Spyware) : Root Key : HKEY_CLASSES_ROOT
Key : Interface\48E59291-9880- ... 00908
Nemesis/Startup Scan :
Uncommon entries ( Yellow ) : HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell
On Registry, I have : ...\Winlogon : on right : Name : Shell ; Type : REG_SZ ; Data : explorer.exe
What's to be done?...
Thank you Bruce ...
#15
Posted 17 September 2008 - 10:42 AM
What should I do with this, please ...
#16
Posted 17 September 2008 - 12:26 PM
Everyone that is having this is able to let MBAM fix it once and then it's gone for good.
When MBAM gives you a bad: good: result, remove removes bad and replaces it with good.
#17
Posted 21 September 2008 - 02:43 PM
#18
Posted 04 April 2009 - 09:53 PM
Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 3
4/4/2009 9:01:03 PM
mbam-log-2009-04-04 (21-01-03).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 159028
Time elapsed: 31 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I accidentally clicked remove or delete I don't remember and then it restarted. Is this really a false positive though? I happened to have logged in to my 3 email accounts during those 2 days of not scanning and hopefully this wasn't a keylogger???
Oh yes I too see no trace of it in my quarantined section.
#19
Posted 05 April 2009 - 12:41 PM
Your association for regedit was corrupted and that's why MalwareBytes flags this. If you click the remove button, then malwarebytes will restore the association again and replace it with the correct valuedata.
In most cases, malware modifies the regedit association and replaces it with malicious valuedata, but in your case, it looks like it was modified by something else in an attempt to restore the default data - which broke it instead (because of the extra quotes added)
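Added example, not part of the original thread and not Malwarebytes code: a small parser for the `Bad: (...) Good: (...)` registry lines quoted in these logs that reports what actually differs between the two values (quoting only, arguments, or the program itself) for Broken.OpenCommand entries. The function names are hypothetical; the first two sample lines are copied from the logs above and the third is constructed with a placeholder executable name.

```python
import re

# Layout of a "Registry Data Items Infected" line as it appears in the logs above.
LINE_RE = re.compile(
    r'^(?P<key>.+?)\s+\((?P<name>[^()]+)\)\s+->\s+'
    r'Bad:\s+\((?P<bad>.*?)\)\s+Good:\s+\((?P<good>.*?)\)\s+->\s+'
    r'(?P<action>.*?)\.?\s*$'
)

def parse_item(line):
    """Return key, name, bad, good and action for one log line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def tokens(command):
    """Split a command template on whitespace, keeping quoted parts whole,
    then drop the surrounding quotes so only the content is compared."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]

def classify(item):
    """Say what differs between the flagged value and the expected one."""
    bad, good = tokens(item["bad"]), tokens(item["good"])
    if bad == good:
        return "quoting-only"        # same words, different quote placement
    if bad[:1] and good[:1] and bad[0].lower() == good[0].lower():
        return "arguments-differ"    # same first token, other switches
    return "program-differs"         # a different first token gets launched

SAMPLES = [
    # Copied from the logs in this thread.
    r'HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.',
    r'HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.',
    # Constructed line; placeholder.exe is not taken from any log.
    r'HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Broken.OpenCommand) -> Bad: (placeholder.exe "%1" %*) Good: ("%1" %*) -> No action taken.',
]

def report(lines):
    """Classify every Broken.OpenCommand line; other detections are skipped."""
    rows = []
    for line in lines:
        item = parse_item(line)
        if item and item["name"] == "Broken.OpenCommand":
            rows.append((item["key"], classify(item), item["action"]))
    return rows

if __name__ == "__main__":
    for key, verdict, action in report(SAMPLES):
        print(f"{verdict:17} {key}  [{action}]")
```

The classification only describes the textual difference between the two values; it does not decide whether an entry is malicious.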
#20
Posted 06 April 2009 - 01:08 AM
miekiemoes, on Apr 5 2009, 05:41 PM, said:
Your association for regedit was corrupted and that's why MalwareBytes flags this. If you click the remove button, then malwarebytes will restore the association again and replace it with the correct valuedata.
In most cases, malware modifies the regedit association and replaces it with malicious valuedata, but in your case, it looks like it was modified by something else in an attempt to restore the default data - which broke it instead (because of the extra quotes added)
The only thing I know that I did different within that 2 day period was that I downloaded CCleaner and used the feature that they have to clear out registry errors. Could that be the case?