Broken.OpenCommand detected in registry by MBAM

Broken.OpenCommand

6 replies to this topic

#1 sginzbar


Posted 20 January 2013 - 12:50 AM

MBAM has been detecting a change in Broken.OpenCommand in the registry of both my desktop (Windows XP) and my laptop (Windows 7). I checked the items found and clicked Remove Selected. If I repeat the scan immediately, no threats are found. However, if I repeat the scan later the same day, the Broken.OpenCommand is found again.

Registry Data Items Detected: 2
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: ("%1" /S) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

Is the registry being reinfected by notepad.exe?

I am using IOLO System Mechanic, which has been reported to cause false positives for the Broken.OpenCommand, http://forums.malwar...howtopic=110120. However, after I disabled System Mechanic's "repair registry problems" in automated tasks, the Broken.OpenCommand keeps showing up in MBAM.

Is Broken.OpenCommand a dangerous trojan as a number of websites say or is it "a shell context menu addition that allows you to open the registry editor by right-clicking on a .reg file. No idea why MBAM objected to the quotes around the regedit command; your existing entry was not broken", http://www.overclock...n-opencommand-s

If it's a serious problem, how can I clean my computers? Our university technical support said they could run ComboFix but would first back up my hard disk onto another disk in case ComboFix breaks anything.

Steve

#2 Firefox


Posted 20 January 2013 - 11:28 AM

Hello and welcome.

This can be caused by Iolo's System Mechanic, and is safe to add to your ignore list.

System Mechanic (and Dell's PC TuneUp) both change Windows File Associations to make certain files open in Notepad instead of with the programs that Windows would normally open them with. One of those types of files is Registry Exports, which experts and companies like ours like to use when helping people online. This breaks certain fixes, and is considered not good, and thus Malwarebytes' Anti-Malware will attempt to fix it.

This is not something that we will likely change, and so we offer the ability to add the entries to the ignore list in order to prevent them from being detected.

As for running Combofix, you should not run such tools without expert advice, as this could make things worse if you do not know exactly what you are doing....


Dell Precision T7500, Win7 Ultimate 64bit fully updated, McAfee Corp Edition v8.8,
Watchguard Firewall, Intel Xeon E5606CPU, Dual Quad Core Processors, 16GB Ram,
E5606 @ 2.13GHz, Nvidia Quadro NVS420, Raid-1 Dual 1TB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE10, Opera, MBAM, MBSB, MBAE
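
A read-only check of the two handlers discussed above, added here as an example and not part of the original thread. It compares the current open commands with the "Good" values from the MBAM log and goes slightly beyond the thread by also showing whether the value comes from the per-user or machine-wide hive, since HKCR is a merged view of both. `Get-OpenCommand` is a helper name chosen for this example, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: compare the open-command handlers MBAM flagged against the
# "Good" values quoted in the scan log. Read-only; it changes nothing.
$expected = @{
    'scrfile' = '"%1" /S'            # "Good" value from the MBAM log
    'regfile' = 'regedit.exe "%1"'   # "Good" value from the MBAM log
}

function Get-OpenCommand {
    # Helper defined for this example: returns the (Default) value of
    # <Root>\<ProgId>\shell\open\command, or $null if the key is absent.
    param([string]$Root, [string]$ProgId)
    $path = "Registry::$Root\$ProgId\shell\open\command"
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    # '' names the (Default) value; keep %VAR% references unexpanded.
    $opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $key.GetValue('', $null, $opt)
}

$report = foreach ($progId in $expected.Keys) {
    $merged  = Get-OpenCommand 'HKEY_CLASSES_ROOT' $progId
    $user    = Get-OpenCommand 'HKEY_CURRENT_USER\Software\Classes' $progId
    $machine = Get-OpenCommand 'HKEY_LOCAL_MACHINE\Software\Classes' $progId

    $status = if ($null -eq $merged) { 'Missing' }
        elseif ($merged -ieq $expected[$progId]) { 'MatchesGood' }
        elseif ($merged -match '(?i)notepad\.exe') { 'OpensInNotepad' }
        else { 'Other' }

    [pscustomobject]@{
        ProgId      = $progId
        Status      = $status
        Effective   = $merged    # what Explorer actually uses
        PerUser     = $user      # overrides the machine value when present
        MachineWide = $machine
        Expected    = $expected[$progId]
    }
}

$report | Format-List
```

Running it before and after a System Mechanic pass shows which tool is rewriting the value; a status of `Other` is not necessarily bad, only different from the string in the log.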


#3 sginzbar


Posted 20 January 2013 - 01:10 PM

Thanks for the explanation. I tried uninstalling System Mechanic. In the last 6 hrs since I uninstalled it, MBAM has not detected any changes to Broken.OpenCommand. I am using the full version of MBAM licenced to the university. On my computer I don't see anywhere I can add Broken.OpenCommand to an ignore list. I think I would have to ask the university administrator to add it to the ignore list. Is System Mechanic the only possible cause of this registry change, or can it also be caused by malware?

Steve

#4 Firefox


Posted 20 January 2013 - 10:48 PM

As far as I know at this time, System Mechanic is the one that causes this particular issue. Of course there could be malware out there that also affect issues such as this one, but at the moment I can only recall this being an issue with System Mechanic.

As for adding this to the ignore list...

• Perform another Quick Scan with MBAM and once you're viewing the results of the scan, click once on the item you wish to ignore and click Ignore and do the same for any additional items you want ignored

• When finished, click on Remove Selected (even if there are no more items listed that were detected in the scan)

• Do one more Quick Scan to verify that the items are now ignored



#5 exile360


Posted 21 January 2013 - 03:34 AM

Infections can indeed cause this, however, the most common cause of it recurring repeatedly like this is System Mechanic, and since it did not return after uninstalling System Mechanic, then System Mechanic was certainly the cause.
Samuel E Lindsey
Product Manager


#6 sginzbar


Posted 21 January 2013 - 01:42 PM

I reinstalled System Mechanic and ran a deep analysis. The two registry changes showed up as a security vulnerability. I was able to ignore them in System Mechanic. I did an MBAM quick scan later and nothing was detected.

Steve

#7 Firefox


Posted 21 January 2013 - 02:05 PM

Glad to hear you got it sorted out....
