Broken.OpenCommand fp?


mynorgeek

This registry data infection is new with v1.27.

Here is dev mode log:

Malwarebytes' Anti-Malware 1.27

Database version: 1128

Windows 5.1.2600 Service Pack 3

9/8/2008 6:04:45 AM

mbam-log-2008-09-08 (06-04-40).txt

Scan type: Quick Scan

Objects scanned: 43744

Time elapsed: 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


There was a glitch in the way we corrected this key in the past, this undoes that. The glitch would not cause any problems, which is why no one had a bug report for it.

The value being set today is the value that MS installs when you install Windows.

This is not actually fixing a problem, only setting a value exactly the way it would be set when Windows is installed.

So it is not an infection? What do I do with it? Delete? Ignore?


I got this one on two PCs... seems strange. The files are all from Microsoft.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> No action taken.

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.

Never mind, I guess they are both bug fixes, so if you see them just say remove and get ready to reboot...

You guys could have made that a little nicer and listed them as bug fixes in the program itself. That would have been nice. That would have saved me a Xanax pill...


Sorry about that. Yes, for both issues just let MBAM fix them for you. It's MBAM correcting errors from previous versions that we discovered were made.

I will talk to the guys and see what we can do to keep from alarming our users in the future. :unsure:


Allow MBAM to delete (it won't actually delete, but put the keys back the way MS had them originally) those keys. They won't come up again.

Hello,

I look at SREng (System Repair Engineer): System Repair / File Association: I see Error .REG and Error .SCR, the same ones...

I look at Nemesis Anti-Spyware 1.2 Beta (www.usec.at): Registry Scans / File Assoc. Scan: I see 6 uncommon entries (yellow icon): regfile, scrfile (the same ones) and VBSFile, giffile, comfile, batfile, all 6 with yellow icons... And on Startup Scan: yellow icon of explorer.exe from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: Name: Shell, REG_SZ, Data: explorer.exe...

What's to be done? :unsure:

With Kindest Regards, PROROOTECT


My original problem is that when I click on "Start" then "My Computer", "My Network Places" or "My Documents", nothing opens up. But if I right-click on any of the above and choose "Explore", I get the correct action, with a window with a folder list. I went looking on the net and found a link to a similar problem listed in the MBAM forum.

I just downloaded and updated MBAM 1.28 and ran a scan. The results are confusing. Here is what it found:

Broken.OpenCommand HKCR\exefile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.

Broken.OpenCommand HKCR\comfile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.

The only choices I get are to remove or ignore. There isn't any "fix" listed. Please advise what syntax is correct and not just say "Let MBAM fix it".

Hu asked this.


Hello Bruce,

Today :

I have MBAM v1.28.

BEFORE:

Quick scan : 2'47 sec.

Objects scanned: 42537.

Objects infected : 2.

Bad : HKCR\scrfile\shell\open\command : "%1" %*

HKCR\regfile\shell\open\command : regedit.exe"%1" %*

Remove selected.

All selected items removed successfully.

Restart of Windows. Starting : 3 seconds less than before !!! ( 23 sec ).

AFTER:

I look to Registry : ...\scrfile\... : GOOD! : "%" /S

...\regfile\... : GOOD! : regedit.exe "%1"

MBAM : Quick scan : 2'48 sec.

Objects scanned : 42543.

Objects infected : 0.

Thank you so much !!! All OK. Trustworthy MBAM !!!

I look to SREng/File Association : all OK.

Before and After :

I look to Nemesis Anti-Spyware/File Assoc. Scan : I see Uncommon entries ( yellow ) :

VBSFile : C\Windows\System32\WScript.exe : "%1" %*

giffile : "C\Program Files\Internet Explorer\iexplore.exe" -nohome

comfile : "%1" %*

batfile : "%1" %*

Nemesis/Spyware Scan :

Red (= Spyware) : Root Key : HKEY_CLASSES_ROOT

Key : Interface\48E59291-9880- ... 00908

Nemesis/Startup Scan :

Uncommon entries ( Yellow ) : HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell

On Registry, I have : ...\Winlogon : on right : Name : Shell ; Type : REG_SZ ; Data : explorer.exe

What's to be done?...

Thank you Bruce ...


I do not use your other software, so I can't say for sure what they are doing behind MBAM.

Everyone that is having this is able to let MBAM fix it once and then it's gone for good.

When MBAM gives you a bad: good: result, remove removes bad and replaces it with good.


  • 6 months later...

Sorry for bringing this up. But today I scan after not scanning for 2 days and I see the following:

Malwarebytes' Anti-Malware 1.35

Database version: 1940

Windows 5.1.2600 Service Pack 3

4/4/2009 9:01:03 PM

mbam-log-2009-04-04 (21-01-03).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 159028

Time elapsed: 31 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I accidentally clicked remove or delete I don't remember and then it restarted. Is this really a false positive though? I happened to have logged in to my 3 email accounts during those 2 days of not scanning and hopefully this wasn't a keylogger???

Oh yes I too see no trace of it in my quarantined section.


  • Staff

Hi,

Your association for regedit was corrupted and that's why Malwarebytes flags this. If you click the remove button, then Malwarebytes will restore the association again and replace it with the correct value data. :)

In most cases, malware modifies the regedit association and replaces it with malicious value data, but in your case, it looks like it was modified by something else in an attempt to restore the default data, which broke it instead (because of the extra quotes added).

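Added example, not part of the thread and not Malwarebytes' own logic: a small triage of `Broken.OpenCommand` log lines that separates the case described in the post above (same handler, only the quoting differs) from a changed argument list and from an association that launches a different program. The verdict names are assumptions of this example, and the last sample line is constructed for illustration; the other three are copied from the logs in this thread.

```python
import re

# Shape of one "Registry Data Items Infected" line in the logs quoted above.
LINE = re.compile(
    r'^(?P<key>.+?) \((?P<name>[\w.]+)\) -> '
    r'Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$'
)

def tokens(cmd):
    """Split a command template into tokens, ignoring quotes and case."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmd)]

def triage(line):
    """Return (key, verdict) for a Broken.OpenCommand line, else None."""
    m = LINE.match(line.strip())
    if not m or m['name'] != 'Broken.OpenCommand':
        return None
    bad, good = tokens(m['bad']), tokens(m['good'])
    if bad == good:
        verdict = 'quoting-only'       # same handler and arguments
    elif bad[:1] == good[:1]:
        verdict = 'arguments-differ'   # same handler, different switches
    else:
        verdict = 'different-program'  # another executable is launched
    return m['key'].rstrip('\\'), verdict

SAMPLE = [
    # From the thread:
    r'HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.',
    r'HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> No action taken.',
    # Constructed for this example (placeholder path, not from the thread):
    r'HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Broken.OpenCommand) -> Bad: (C:\example\helper.exe "%1" %*) Good: ("%1" %*) -> No action taken.',
]

def report(lines=SAMPLE):
    """Triage every line, skipping detections that are not OpenCommand."""
    return [r for r in map(triage, lines) if r]

if __name__ == '__main__':
    for key, verdict in report():
        print(f'{verdict:18} {key}')
```

Only a `different-program` verdict points at the handler itself having been replaced; the other two match the formatting and argument corrections discussed in the thread.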

The only thing I know that I did differently within that 2-day period was that I downloaded CCleaner and used the feature that they have to clear out registry errors. Could that be the case?


  • 2 weeks later...
  • 1 year later...

I'm quite confused.

I have been running Anti-Malware for some months and a few weeks ago it started reporting this Broken.OpenCommand thing. I tell it to remove it, it says it has, and the next time I run Anti-Malware, there it is again.

What exactly is this thing? Can I just ignore it, or is it harmful in some way?

I always update Anti-Malware before I run it. I am not deliberately running any sort of registry cleaner or tweak tool thing, and indeed have no idea what they are.

If someone explains this to me, remember I need an explanation for dummies,

Thanks,

Karen

