Tech Helproom
malware detected, an 'open.command' edit?
Posted February 1, 2013 at 3:03PM
Malwarebytes upon a full scan has detected supposed malware:
Registry Data Items Infected: HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
It would seem after a Google that this registry key is often edited by Iolo System Mechanic, but I do not have any Iolo software installed, and never have. Does anyone know what other programs may cause this key to change, or what this change may actually cause? The system has only started blue screening after the scan, after the key was 'fixed' via Malwarebytes. A possible coincidence, and I have not installed any new software recently. Thanks
- Tags:
- open.command
- blue
- screen
- malwarebytes
Posted February 1, 2013 at 3:28PM
Open Regeditor
Scroll down to HKEY_CLASSES_ROOT\regfile\shell\open\command
In the right-hand pane, make sure the value is regedit.exe "%1"
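The check described in the reply above, as an added example that is not part of the original thread: a read-only PowerShell script that compares an open command with the expected `regedit.exe "%1"` and separates a quoting-only difference (the "Bad" value in the Malwarebytes log) from a command that runs a different program. The function names are hypothetical; the two sample strings are the values quoted in the first post.

```powershell
# Added example: classify a shell\open\command value against the expected one.
# Function names are hypothetical; the sample strings are the "Bad" and "Good"
# values quoted in the Malwarebytes log in this thread.

function Split-OpenCommand {
    param([string]$Command)
    # The first token is the program: either "quoted text" or a run of non-spaces.
    if ($Command -match '^\s*"([^"]*)"\s*(.*)$' -or
        $Command -match '^\s*(\S+)\s*(.*)$') {
        return [pscustomobject]@{ Program = $Matches[1]; Arguments = $Matches[2].Trim() }
    }
    return [pscustomobject]@{ Program = ''; Arguments = '' }
}

function Compare-OpenCommand {
    param([string]$Actual, [string]$Expected)
    if ($Actual -ceq $Expected) { return 'Match' }
    $a = Split-OpenCommand $Actual
    $e = Split-OpenCommand $Expected
    # Same program and same arguments: only quoting or letter case differs.
    if ($a.Program -ieq $e.Program -and $a.Arguments -ieq $e.Arguments) {
        return 'QuotingOnly'
    }
    return 'Different'
}

function Get-OpenCommand {
    param([string]$ClassName)
    $path = "Registry::HKEY_CLASSES_ROOT\$ClassName\shell\open\command"
    $key = Get-Item -LiteralPath $path -ErrorAction Stop
    # '' names the (Default) value; keep %VARS% unexpanded so the raw text is compared.
    return $key.GetValue('', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

$expected = 'regedit.exe "%1"'

# Offline check using the two values from the scan log.
foreach ($sample in '"regedit.exe" "%1"', 'regedit.exe "%1"') {
    '{0,-22} -> {1}' -f $sample, (Compare-OpenCommand $sample $expected)
}

# On a Windows machine, classify the live value as well (nothing is written).
$live = Get-OpenCommand 'regfile'
'live: {0} -> {1}' -f $live, (Compare-OpenCommand $live $expected)
```

HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so the value read here is the effective one for the current user.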
Posted February 1, 2013 at 4:09PM
I did allow Malwarebytes to fix the open command, and rechecked it today; it is still in its fixed state, but 10 mins after startup I received my second 'kernel data inpage error' blue screen. Interestingly, Avast did not detect this registry modification using its own full scan option (I used Avast just before I started Malwarebytes).
The options in Malwarebytes to scan:
- memory objects
- startup objects
- registry objects
- file system objects
- additional items against heuristics
Malwarebytes does not detect the uncorrected registry change if I set it to only scan 'registry objects'. I've tried most of the above alone, so I'm assuming it must be picked up from either file system or additional items?
Posted February 1, 2013 at 4:25PM
Update: it was detected through 'additional items against heuristics' with the advanced heuristics engine ticked within Malwarebytes, on a quick scan. It took just over one minute to detect.
If I receive any more blue screens, I'm not sure if I should attempt to restore the modified registry in order to find out if this stops the problem. A more vulnerable system in order to maintain its stability sounds a bit ironic.
Posted February 1, 2013 at 4:42PM
Think there is a problem with the latest set of definitions for Malwarebytes.
I also have seen a reg object identified as spyware.
Posted February 1, 2013 at 5:02PM
theDarkness
Maybe false positives from Malwarebytes; it probably quarantined them. If so, enable them again and see if you get rid of the blue screens.
Download and run HitmanPro and see if that finds any problems.
I also had Java and Foxit Reader problems found running ESET.
I had already removed Java and have just removed Foxit.
Posted February 1, 2013 at 6:34PM
After I read some malware forums stating that Iolo System Mechanic was one of the only pieces of legit software that modified this value (adding the quotes), with admin mentioning that it's an obvious vulnerability, I thought it couldn't be a false positive... but I'm sure there's still a chance. As a test, I have kept this value in its modified good/fixed state with the quotes in the registry, but no blue screens as yet. Quite a surprise, since I received one late last night and 10 mins after startup today. If I do get a third blue screen, or if some programs stop working correctly, I will restore it to its 'bad' state to see if it makes a difference. Failing that, a system restore. I've noticed a 'kernel data inpage error' blue screen may also be related to hardware as well as software. Perhaps reading event viewer/systems report or similar just before the system gave up might give a better indication of exactly what the problem is. Thanks for your replies :)
Posted February 3, 2013 at 12:21AM
I just want to add that I believe the BSOD may definitely be unrelated to the registry issue - a case of mwb being over sensitive notifying me of a change perhaps. Still no blue screens, but as for the first two, this is what I have found relating to the 2 BSODs, in the pic below. One seems to be relating to Avast (although before finding the changed registry key, I guessed it might be some sort of CPU overheat as a result of leaving the system on 24/7 - coretemp was previously causing the system fans to run 100% for no good reason, and is therefore incompatible with this system). I'm not sure what the other BSOD may be related to, if software or hardware (atapi driver extension). I will try to auto update all my drivers (SlimDrivers may be a handy tool) to see if that helps.



