malware detected, an 'open.command' edit?

  theDarkness 15:03 01 Feb 2013

Malwarebytes upon a full scan has detected supposed malware:

Registry Data Items Infected: HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

It would seem after a Google search that this registry key is often edited by Iolo System Mechanic, but I do not have any Iolo software installed, and never have. Does anyone know what other programs may cause this key to change, or what this change may actually cause? The system has only started blue screening after the scan, after the key was 'fixed' via Malwarebytes. A possible coincidence, and I have not installed any new software recently. Thanks.

  Fruit Bat /\0/\ 15:28 01 Feb 2013

Open Regeditor

scroll down to HKEY_CLASSES_ROOT\regfile\shell\open\command

In the right-hand pane, make sure the value is regedit.exe "%1"
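A way to make the same check from a PowerShell prompt instead of the editor, as an added example (not from the thread). The expected string is the "Good" value from the Malwarebytes log above; the script only reads the key, and the path resolution assumes regedit.exe lives in %SystemRoot%.

```powershell
# Read the default value of HKEY_CLASSES_ROOT\regfile\shell\open\command,
# which is the command Windows runs when a .reg file is opened, and compare
# it with the value Malwarebytes reported as "Good". Read-only.
$keyPath  = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'
$expected = 'regedit.exe "%1"'

$actual = (Get-Item -Path $keyPath).GetValue('')

if ([string]::IsNullOrEmpty($actual)) {
    Write-Warning "No default value found under $keyPath"
    return
}

if ($actual -eq $expected) {
    Write-Output "OK: .reg files open with: $actual"
} else {
    Write-Warning "Mismatch: found [$actual], expected [$expected]"
}

# Pull out the executable token (quoted or not) so that a command pointing
# at something other than the Windows regedit.exe stands out, whatever the
# quoting looks like. Assumes regedit.exe normally sits in %SystemRoot%.
$exeToken = if ($actual -match '^\s*"([^"]+)"') { $Matches[1] } else { ($actual -split '\s+')[0] }
$resolved = if ([System.IO.Path]::IsPathRooted($exeToken)) { $exeToken } else { Join-Path $env:SystemRoot $exeToken }

if (Test-Path -LiteralPath $resolved) {
    Write-Output "Executable resolves to: $resolved"
} else {
    Write-Warning "Executable '$exeToken' was not found at $resolved; check the path"
}
```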

  theDarkness 16:09 01 Feb 2013

I did allow Malwarebytes to fix the open command and rechecked it today; it is still in its fixed state, but 10 mins after startup I received my second 'kernel data inpage error' blue screen. Interestingly, Avast did not detect this registry modification using its own full scan option (I used Avast just before I started Malwarebytes).

The options in malwarebytes to scan:

-memory objects

-startup objects

-registry objects

-file system objects

-additional items against heuristics

Malwarebytes does not detect the uncorrected registry change if I set it to only scan 'registry objects'. I've tried most of the above alone, so I'm assuming it must be picked up from either file system or additional items?

  theDarkness 16:25 01 Feb 2013

Update: it was detected through 'additional items against heuristics' with the advanced heuristics engine ticked within Malwarebytes, on a quick scan. It took just over one minute to detect.

If I receive any more blue screens, I'm not sure if I should attempt to restore the modified registry in order to find out if this stops the problem. A more vulnerable system in order to maintain its stability sounds a bit ironic.

  Fruit Bat /\0/\ 16:42 01 Feb 2013

I think there is a problem with the latest set of definitions for Malwarebytes.

I also have seen a reg object identified as spyware.

  theDarkness 18:34 01 Feb 2013

After I read some malware forums stating that Iolo System Mechanic was one of the only pieces of legit software that modified this value (adding the quotes), with an admin mentioning that it's an obvious vulnerability, I thought it couldn't be a false positive, but I'm sure there's still a chance. As a test, I have kept this value in its modified good/fixed state with the quotes in the registry, but no blue screens as yet. Quite a surprise, since I received one late last night and 10 mins after startup today. If I do get a third blue screen, or if some programs stop working correctly, I will restore it to its 'bad' state to see if it makes a difference. Failing that, a system restore. I've noticed a 'kernel data inpage error' blue screen may also be related to hardware as well as software. Perhaps reading the Event Viewer/system report or similar from just before the system gave up might give a better indication of exactly what the problem is. Thanks for your replies :)

  theDarkness 00:21 03 Feb 2013

I just want to add that I believe the BSOD may definitely be unrelated to the registry issue; a case of MWB being over-sensitive in notifying me of a change, perhaps. Still no blue screens, but as for the first two, this is what I have found relating to the 2 BSODs, in the pic below. One seems to be related to Avast (although before finding the changed registry key, I guessed it might be some sort of CPU overheat as a result of leaving the system on 24/7; CoreTemp was previously causing the system fans to run at 100% for no good reason, and is therefore incompatible with this system). I'm not sure what the other BSOD may be related to, whether software or hardware (ATAPI driver extension). I will try to auto-update all my drivers (SlimDrivers may be a handy tool) to see if that helps.

This is the crash dump info - click here.
