Broken.OpenCommand fp?


24 replies to this topic

#1 mynorgeek (Advanced Member, Honorary Members, 209 posts)

Posted 08 September 2008 - 08:11 AM

This registry data infection is new with v1.27.

Here is the dev mode log:

Malwarebytes' Anti-Malware 1.27
Database version: 1128
Windows 5.1.2600 Service Pack 3

9/8/2008 6:04:45 AM
mbam-log-2008-09-08 (06-04-40).txt

Scan type: Quick Scan
Objects scanned: 43744
Time elapsed: 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2 nosirrah (Forum Deity, Administrators, 5,452 posts, Northampton, MA USA)

Posted 08 September 2008 - 08:21 AM

http://www.malwareby...?showtopic=6195

This will explain what this is.
Bruce Harrison
Vice President of Research


#3 mynorgeek (Advanced Member, Honorary Members, 209 posts)

Posted 08 September 2008 - 08:28 AM

http://www.malwareby...?showtopic=6195

This will explain what this is.


There was a glitch in the way we corrected this key in the past; this undoes that. The glitch would not cause any problems, which is why no one had a bug report for it.

The value being set today is the value that MS installs when you install Windows.

This is not actually fixing a problem, only setting a value exactly the way it would be set when Windows is installed.


So it is not an infection? What do I do with it? Delete? Ignore?

#4 nosirrah (Forum Deity, Administrators, 5,452 posts, Northampton, MA USA)

Posted 08 September 2008 - 08:34 AM

Let MBAM fix it and it will never come back again.

Keep in mind that it's not actually broken, it's just not perfect till you let MBAM fix what we changed in the past.

#5 jarry (New Member, Members, 6 posts)

Posted 08 September 2008 - 04:44 PM

I got this one on two PCs... seems strange. The files are all from Microsoft.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> No action taken.

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.

Never mind, I guess they are both bug fixes, so if you see them just say remove and get ready to reboot. ...

You guys could have made that a little nicer, listing them as bug fixes in the program itself. That would have been nice. That would have saved me a Xanax pill...

#6 Raid (Malware Researcher, Experts, 1,552 posts, United States)

Posted 08 September 2008 - 06:46 PM

Sorry about that. Yes, for both issues just let MBAM fix it for you. It's MBAM correcting errors from previous versions that we discovered were made.

I will talk to the guys and see what we can do to keep from alarming our users in the future. :unsure:

#7 Sacles (New Member, Members, 2 posts)

Posted 09 September 2008 - 12:54 AM

Hello,

What is ultimately the good solution: to delete or not to delete the key HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) ?

In advance, thanks for your reply.

#8 Raid (Malware Researcher, Experts, 1,552 posts, United States)

Posted 09 September 2008 - 02:27 AM

Allow MBAM to delete (it won't actually delete, but put the keys back the way MS had them originally) those keys. They won't come up again.

#9 PROROOTECT (New Member, Members, 27 posts)

Posted 09 September 2008 - 12:42 PM

Allow MBAM to delete (it won't actually delete, but put the keys back the way MS had them originally) those keys. They won't come up again.


Hello,

I looked in SREng (System Repair Engineer): / System Repair / File Association: I see Error .REG and Error .SCR, the same ones...

I looked in Nemesis Anti-Spyware 1.2 Beta (www.usec.at): / Registry Scans / File Assoc. Scan: I see 6 Uncommon entries (yellow icon): regfile, scrfile (the same ones) and VBSFile, giffile, comfile, batfile, all 6 with yellow icons... And on Startup Scan: yellow icon of explorer.exe from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: Name: Shell, REG_SZ, Data: explorer.exe...

What's to be done? ... :unsure:

With Kindest Regards, PROROOTECT
XP SP2 - 1GB RAM, 13proc, 17svc, IE8 sandboxed.
Look on MalwareTips.com forum ..

#10 nosirrah (Forum Deity, Administrators, 5,452 posts, Northampton, MA USA)

Posted 09 September 2008 - 12:54 PM

Is this before or after the new fix?

One thing that could help us is if you exported any keys in question before and after any fixes that you know of. We can look to see if there are actual differences or if what you are using is too sensitive.

#11 PROROOTECT (New Member, Members, 27 posts)

Posted 09 September 2008 - 04:07 PM

Hi,

This is BEFORE... I am going to sleep... See you tomorrow! Bye :unsure:

Your PROROOTECT

#12 Service1st (New Member, Members, 1 post)

Posted 10 September 2008 - 11:34 AM

My original problem is that when I click on "Start" then "My Computer", "My Network Places" or "My Documents", nothing opens up. But if I right click on any of the above and choose "Explore", I get the correct action with a window with a folder list. I went looking on the net and found a link to a similar problem listed in the MBAM forum.

I just downloaded and updated MBAM 1.28 and ran a scan. The results are confusing. Here is what it found:


Broken.OpenCommand HKCR\exefile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.
Broken.OpenCommand HKCR\comfile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.


The only choices I get are to remove or ignore. There isn't any "fix" listed. Please advise what syntax is correct and not just say "Let MBAM fix it".

Hu asked this.

#13 nosirrah (Forum Deity, Administrators, 5,452 posts, Northampton, MA USA)

Posted 10 September 2008 - 11:39 AM

Remove also removes the bad value and replaces it with the good one.

Broken.OpenCommand HKCR\exefile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.

#14 PROROOTECT (New Member, Members, 27 posts)

Posted 10 September 2008 - 04:14 PM

Hello Bruce,

Today :
I have MBAM v1.28.

BEFORE:
Quick scan : 2'47 sec.
Objects scanned: 42537.
Objects infected : 2.
Bad : HKCR\scrfile\shell\open\command : "%1" %*
HKCR\regfile\shell\open\command : regedit.exe"%1" %*
Remove selected.
All selected items removed successfully.
Restart of Windows. Starting : 3 seconds less than before !!! ( 23 sec ).

AFTER:
I looked at the Registry: ...\scrfile\...: GOOD!: "%" /S
...\regfile\...: GOOD!: regedit.exe "%1"
MBAM : Quick scan : 2'48 sec.
Objects scanned : 42543.
Objects infected : 0.

Thank you so much !!! All OK. Trustworthy MBAM !!!

I looked at SREng/File Association: all OK.

Before and After:
I looked at Nemesis Anti-Spyware/File Assoc. Scan: I see Uncommon entries (yellow):
VBSFile : C\Windows\System32\WScript.exe : "%1" %*
giffile : "C\Program Files\Internet Explorer\iexplore.exe" -nohome
comfile : "%1" %*
batfile : "%1" %*
Nemesis/Spyware Scan :
Red (= Spyware) : Root Key : HKEY_CLASSES_ROOT
Key : Interface\48E59291-9880- ... 00908
Nemesis/Startup Scan :
Uncommon entries ( Yellow ) : HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell

On Registry, I have : ...\Winlogon : on right : Name : Shell ; Type : REG_SZ ; Data : explorer.exe

What's to be done?...

Thank you Bruce ...

#15 PROROOTECT (New Member, Members, 27 posts)

Posted 17 September 2008 - 10:42 AM

Hello,

What should I do with this, please ...

#16 nosirrah (Forum Deity, Administrators, 5,452 posts, Northampton, MA USA)

Posted 17 September 2008 - 12:26 PM

I do not use your other software so I can't say for sure what they are doing behind MBAM.

Everyone that is having this is able to let MBAM fix it once and then it's gone for good.

When MBAM gives you a bad: good: result, remove removes the bad value and replaces it with the good one.

#17 PROROOTECT (New Member, Members, 27 posts)

Posted 21 September 2008 - 02:43 PM

Thank you very much, Bruce! :angry:

#18 paranoidsoul (New Member, Members, 11 posts)

Posted 04 April 2009 - 09:53 PM

Sorry for bringing this up. But today I scanned after not scanning for 2 days and I see the following:

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 3

4/4/2009 9:01:03 PM
mbam-log-2009-04-04 (21-01-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 159028
Time elapsed: 31 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I accidentally clicked remove or delete, I don't remember which, and then it restarted. Is this really a false positive though? I happened to have logged in to my 3 email accounts during those 2 days of not scanning and hopefully this wasn't a keylogger???

Oh yes I too see no trace of it in my quarantined section.

#19 miekiemoes (Forum Deity, Administrators, 7,676 posts, Belgium)

Posted 05 April 2009 - 12:41 PM

Hi,

Your association for regedit was corrupted and that's why Malwarebytes flags this. If you click the remove button, then Malwarebytes will restore the association again and replace it with the correct value data. :)
In most cases, malware modifies the regedit association and replaces it with malicious value data, but in your case, it looks like it was modified by something else in an attempt to restore the default data - which broke it instead (because of the extra quotes added).
Mieke Verburgh
Director of Research

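As an added example (not Malwarebytes' code and not posted by anyone in this thread), the PowerShell script below does on demand what the replies above describe: it compares the (default) value of each shell\open\command key against the Good: value quoted in the logs, exports the key with reg.exe before any change (the before/after export Bruce asks for in #10), and rewrites the value only when run with -Fix, replacing bad with good rather than deleting anything (#13, #16). The ProgId list and expected strings are taken from the Good: fields on this page and are assumed to be the stock Windows XP defaults; the function names are my own.

```powershell
# Added example, not Malwarebytes' code. Audits the shell\open\command
# defaults that this thread's Broken.OpenCommand reports compare against,
# exports each key with reg.exe before touching it, and only rewrites a
# value when run with -Fix. Writing under HKCR needs an elevated session.

# "Good:" values exactly as they appear in the MBAM logs quoted above.
# Assumed to be the stock Windows XP defaults the thread describes.
$ExpectedOpenCommand = @(
    @{ ProgId = 'exefile'; Good = '"%1" %*' },
    @{ ProgId = 'comfile'; Good = '"%1" %*' },
    @{ ProgId = 'scrfile'; Good = '"%1" /S' },
    @{ ProgId = 'regfile'; Good = 'regedit.exe "%1"' }
)

function Get-OpenCommandPath {
    param([string]$ProgId)
    "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
}

function Test-OpenCommand {
    # Mirrors the Bad:/Good: comparison: an exact, case-sensitive match of
    # the key's (default) value against the expected command line, so the
    # extra-quotes case from #18 ("regedit.exe" "%1") is reported as broken.
    param([string]$ProgId, [string]$Expected)
    $path = Get-OpenCommandPath $ProgId
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $actual = $null
    if ($null -ne $item) { $actual = $item.'(default)' }
    if ($null -eq $actual) { $status = 'Missing' } elseif ($actual -ceq $Expected) { $status = 'OK' } else { $status = 'Broken.OpenCommand' }
    New-Object PSObject -Property @{
        ProgId   = $ProgId
        Status   = $status
        Actual   = $actual
        Expected = $Expected
    }
}

function Export-OpenCommandKey {
    # Writes one .reg file per key so a before/after pair can be diffed or
    # attached to a forum report.
    param([string]$ProgId, [string]$OutDir)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $OutDir "$ProgId-open-command-$stamp.reg"
    & reg.exe export "HKCR\$ProgId\shell\open\command" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $ProgId" }
    $file
}

function Repair-OpenCommand {
    # Same effect as MBAM's "Remove" on a Broken.OpenCommand item: the bad
    # value is replaced with the good one; the key itself is kept.
    param([string]$ProgId, [string]$Expected, [string]$OutDir)
    $backup = Export-OpenCommandKey -ProgId $ProgId -OutDir $OutDir
    Set-ItemProperty -Path (Get-OpenCommandPath $ProgId) -Name '(default)' -Value $Expected
    Write-Host "Repaired $ProgId (backup: $backup)"
}

function Invoke-OpenCommandAudit {
    param([switch]$Fix, [string]$OutDir = $env:TEMP)
    $results = foreach ($entry in $ExpectedOpenCommand) {
        Test-OpenCommand -ProgId $entry.ProgId -Expected $entry.Good
    }
    $results | Select-Object ProgId, Status, Actual, Expected | Format-Table -AutoSize
    if ($Fix) {
        foreach ($r in ($results | Where-Object { $_.Status -eq 'Broken.OpenCommand' })) {
            Repair-OpenCommand -ProgId $r.ProgId -Expected $r.Expected -OutDir $OutDir
        }
    }
}

# Report only; add -Fix to also restore the defaults after exporting the keys.
Invoke-OpenCommandAudit
```

Run it once before letting MBAM (or -Fix) change anything and once afterwards, and keep both .reg exports; that is the evidence Bruce asks for to tell a real difference from an over-sensitive scanner. The comparison is deliberately strict: a missing space, a changed switch such as /S versus %*, or a quoted executable name all count as broken, exactly as the Bad:/Good: lines in the logs above show.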

#20 paranoidsoul (New Member, Members, 11 posts)

Posted 06 April 2009 - 01:08 AM

Hi,

Your association for regedit was corrupted and that's why Malwarebytes flags this. If you click the remove button, then Malwarebytes will restore the association again and replace it with the correct value data. :)
In most cases, malware modifies the regedit association and replaces it with malicious value data, but in your case, it looks like it was modified by something else in an attempt to restore the default data - which broke it instead (because of the extra quotes added).


The only thing I know I did differently within that 2 day period was that I downloaded CCleaner and used the feature they have to clear out registry errors. Could that be the cause?



