mynorgeek

Broken.OpenCommand fp?

25 posts in this topic

This registry data infection is new with v1.27.

Here is dev mode log:

Malwarebytes' Anti-Malware 1.27

Database version: 1128

Windows 5.1.2600 Service Pack 3

9/8/2008 6:04:45 AM

mbam-log-2008-09-08 (06-04-40).txt

Scan type: Quick Scan

Objects scanned: 43744

Time elapsed: 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

There was a glitch in the way we corrected this key in the past, this undoes that. The glitch would not cause any problems, which is why no one had a bug report for it.

The value being set today is the value that MS installs when you install Windows.

This is not actually fixing a problem, only setting a value exactly the way it would be set when Windows is installed.

So it is not an infection? What do I do with it? Delete? Ignore?


Let MBAM fix it and it will never come back again.

Keep in mind that it's not actually broken, it's just not perfect till you let MBAM fix what we changed in the past.


I got this one on two PCs... seems strange. The files are all from Microsoft.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> No action taken.

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.

Never mind, I guess they are both bug fixes so if you see them just say remove and get ready to reboot. ...

You guys could have made that a little nicer, listed them as bug fix in the program itself. That would have been nice. That would have saved me a xanax pill...


Sorry about that. Yes, both issues just let mbam fix for you. It's MBAM correcting errors from previous versions, that we discovered were made.

I will talk to the guys and see what we can do to keep from alarming our users in the future. :unsure:


Hello,

What is ultimately the good solution: to delete or not to delete the key HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) ?

In advance, thanks for your reply.


Allow MBAM to delete (it won't actually delete, but put the keys back the way MS had them originally) those keys. They won't come up again.

Hello,

I look to SREng (System Repair Engineer): / System Repair / File Association: I see Error .REG and Error .SCR. The same ones ...

I look to Nemesis Anti-Spyware 1.2 Beta (www.usec.at): / Registry Scans / File Assoc. Scan: I see 6 Uncommon entries (yellow icon): regfile, scrfile (the same ones) and VBSFile, giffile, comfile, batfile - all 6 yellow icons ... And on Startup Scan: yellow icon of explorer.exe from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon: Name: Shell, REG_SZ, Data: explorer.exe ...

What's to be done? ... :unsure:

With Kindest Regards, PROROOTECT


Is this before or after the new fix?

One thing that could help us is if you exported any keys in question before and after any fixes that you know of. We can look to see if there are actual differences or if what you are using is too sensitive.


My original problem is that when I click on "Start" then "My Computer", "My Network Places" or "My Documents" nothing opens up. But if I right click on any of the above and choose "Explore" I get the correct action with a window with a folder list. I went looking on the net and found a link to a similar problem listed in the MBAM forum.

I just downloaded and updated MBAM 1.28 and ran a scan. The results are confusing. Here is what it found:

Broken.OpenCommand HKCR\exefile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.

Broken.OpenCommand HKCR\comfile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.

The only choices I get are to remove or ignore. There isn't any "fix" listed. Please advise what syntax is correct and not just say "Let MBAM fix it".

Hu asked this.


Remove is also remove bad and replace with good.

Broken.OpenCommand HKCR\exefile\shell\open\command\ Bad: ("%1" /S) Good: ("%1" %*) No action taken.


Hello Bruce,

Today :

I have MBAM v1.28.

BEFORE:

Quick scan : 2'47 sec.

Objects scanned: 42537.

Objects infected : 2.

Bad : HKCR\scrfile\shell\open\command : "%1" %*

HKCR\regfile\shell\open\command : regedit.exe"%1" %*

Remove selected.

All selected items removed successfully.

Restart of Windows. Starting : 3 seconds less than before !!! ( 23 sec ).

AFTER:

I look to Registry : ...\scrfile\... : GOOD! : "%" /S

...\regfile\... : GOOD! : regedit.exe "%1"

MBAM : Quick scan : 2'48 sec.

Objects scanned : 42543.

Objects infected : 0.

Thank you so much !!! All OK. Trustworthy MBAM !!!

I look to SREng/File Association : all OK.

Before and After :

I look to Nemesis Anti-Spyware/File Assoc. Scan : I see Uncommon entries ( yellow ) :

VBSFile : C\Windows\System32\WScript.exe : "%1" %*

giffile : "C\Program Files\Internet Explorer\iexplore.exe" -nohome

comfile : "%1" %*

batfile : "%1" %*

Nemesis/Spyware Scan :

Red (= Spyware) : Root Key : HKEY_CLASSES_ROOT

Key : Interface\48E59291-9880- ... 00908

Nemesis/Startup Scan :

Uncommon entries ( Yellow ) : HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell

On Registry, I have : ...\Winlogon : on right : Name : Shell ; Type : REG_SZ ; Data : explorer.exe

What's to be done?...

Thank you Bruce ...


I do not use your other software so I can't say for sure what they are doing behind MBAM.

Everyone that is having this is able to let MBAM fix it once and then it's gone for good.

When MBAM gives you a bad: good: result, remove removes bad and replaces it with good.


Sorry for bringing this up. But today I scan after not scanning for 2 days and I see the following:

Malwarebytes' Anti-Malware 1.35

Database version: 1940

Windows 5.1.2600 Service Pack 3

4/4/2009 9:01:03 PM

mbam-log-2009-04-04 (21-01-03).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 159028

Time elapsed: 31 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I accidentally clicked remove or delete I don't remember and then it restarted. Is this really a false positive though? I happened to have logged in to my 3 email accounts during those 2 days of not scanning and hopefully this wasn't a keylogger???

Oh yes I too see no trace of it in my quarantined section.


Hi,

Your association for regedit was corrupted and that's why MalwareBytes flags this. If you click the remove button, then malwarebytes will restore the association again and replace it with the correct valuedata. :)

In most cases, malware modifies the regedit association and replaces it with malicious valuedata, but in your case, it looks like it was modified by something else in an attempt to restore the default data - which broke it instead (because of the extra quotes added)
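The distinction drawn in the reply above (a value that differs from the default only in quoting, versus one that launches a different program) can be checked mechanically on the `Bad:`/`Good:` pairs in an MBAM log. This is an added example, not part of the original thread and not Malwarebytes' own logic; the verdict names, the helper functions and the last sample line are constructed for illustration, while the first three lines are copied from logs posted in this topic.

```python
import re

# The "Bad: (...) Good: (...)" pair MBAM prints for a registry data item.
PAIR = re.compile(r'Bad: \((.*?)\) Good: \((.*?)\)')
# A token is either a double-quoted string or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')

def tokens(value):
    """Split registry data into tokens, ignoring quotes, commas and case."""
    return [t.strip('"').rstrip(',').lower() for t in TOKEN.findall(value)]

def classify(line):
    """Return (bad, good, verdict) for a log line, or None if it has no pair."""
    m = PAIR.search(line)
    if not m:
        return None
    bad, good = m.group(1), m.group(2)
    b, g = tokens(bad), tokens(good)
    if b == g:
        verdict = "formatting-only"    # same tokens, only quotes/commas differ
    elif b and g and b[0] == g[0]:
        verdict = "arguments-differ"   # same handler, different switches
    else:
        verdict = "handler-differs"    # another program is launched: investigate
    return bad, good, verdict

SAMPLE_LINES = [
    # From the logs posted in this topic:
    r'HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> '
    r'Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.',
    r'HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> '
    r'Bad: ("%1" %*) Good: ("%1" /S) -> No action taken.',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders '
    r'(Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) '
    r'Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> No action taken.',
    # Constructed line (placeholder path), not from the thread:
    r'HKEY_CLASSES_ROOT\exefile\shell\open\command\ (Broken.OpenCommand) -> '
    r'Bad: ("C:\Example Dir\placeholder.exe" "%1" %*) Good: ("%1" %*) -> No action taken.',
]

def verdicts(lines=SAMPLE_LINES):
    """Verdict for every line that carries a Bad/Good pair."""
    return [r[2] for r in map(classify, lines) if r]

if __name__ == "__main__":
    for line, v in zip(SAMPLE_LINES, verdicts()):
        print(f"{v:17} {line.split(' (')[0]}")
```

Only the last verdict indicates that opening a file of that type would start a different executable; the other two match the cosmetic corrections described in this topic.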


The only thing I know that I did different within that 2 day period was that I downloaded CCleaner and used that feature that they have to clear out registry errors. Could that be the case?


Sorry for the double reply but I could not find an edit button. So judging from what you say am I safe to assume that this is false positive and not one of those keylogger malwares I have been hearing about?


Hi,

Yes, it's possible that CCleaner corrupted it.

Mbam restored the association for regedit again, so you should be ok. In your case, it wasn't modified by malware.


How do I permanently delete this? It goes away for a few days but then comes back.


Why do you want to delete it? Mbam doesn't delete it either. It just restores the default association again. If it gets corrupted all the time again, then it's most probably because you have been using registry cleaners or tweak tools.


I'm quite confused.

I have been running Anti-Malware for some months and a few weeks ago it started reporting this Broken.OpenCommand thing. I tell it to remove it, it says it has, and the next time I run Anti-Malware, there it is again.

What exactly is this thing? Can I just ignore it, or is it harmful in some way?

I always update Anti-Malware before I run it. I am not deliberately running any sort of registry cleaner or tweak tool thing, and indeed have no idea what they are.

If someone explains this to me, remember I need an explanation for dummies,

Thanks,

Karen
