I need help

I need help please. I use Vista Home Premium SP1, Firefox, Windows Defender, Avast Free Edition, MBAM, SAS, Spybot, and Spysweeper. All programs have been updated with the latest versions.

I ran Avast, SAS, and Spysweeper and they didn’t find any problems.

MBAM found:

Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) → Bad: (“%1” %*) Good: (“%1” /S) → Quarantined and deleted successfully.

The reason why I deleted it was because I did a search on their forum and that was the solution from what I understood.

After I rebooted my computer, I got a Windows Defender message saying:

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
driver:
MBAMSwissArmy

file:
C:\Windows\system32\drivers\mbamswissarmy.sys

Category:
Not Yet Classified

I’m assuming it has to do with MBAM.

Spybot found:

AdwareAlert: [SBI $4B7BCDE7] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
DisabledRun

AdwareAlert: [SBI $714BCC83] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
DisabledUninstall

AdwareAlert: [SBI $5BD92570] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Explorer\DisabledBHO

I didn’t click on Fix the problems since I have no idea what they are.

I then ran Trend Micro HouseCall. It found the following:

Adware_Istbar - This adware plugin can monitor or manipulate a user’s Internet activity, usually posing as a toolbar or a search aid in the Internet browser. I didn’t install a toolbar.

Downloader_Adpop - Trend Micro doesn’t have any info regarding this.

Adware_Common components - This adware does not have or has deceptive EULA. It’s a plugin that can monitor or manipulate a user’s Internet activity.

Adware_BHO_VIPSearcher - This adware does not have or has deceptive EULA. It’s a plugin that can monitor or manipulate a user’s Internet activity.

I didn’t click on Fix the problems since I have no idea what they are.

Since I really don’t know anything about the above items, I don’t want to fix problems in case I’m not supposed to. Also, I don’t know how trustworthy Spybot and HouseCall are.

MBAM always triggers Windows Defender when you run a quick scan on C:\Windows\system32\drivers\mbamswissarmy.sys and that is OK.

I don’t believe the other detections have anything to do with MBAM but are legitimate items that should be removed by the detecting application.

However
Start on page 5 post 70 of this thread and see if anything fits
http://forum.avast.com/index.php?topic=38193.60
post 72 a few more

Perhaps PM DavidR and ask him to comment on your problem before doing anything else

The reason why I deleted the problem MBAM found was in this thread on the MBAM forum

http://www.malwarebytes.org/forums/index.php?s=d5de4dee2e7d488e478370fd0c0b1fbf&showtopic=6249

I went ahead and fixed what Housecall found.

Wyrmrider, if I remember correctly, you also use Spybot. If you do, do you have any idea what those Adware Alerts are? I’ve been using Spybot for a long time, and it has never found anything until yesterday.

I do not know but let’s see what Spybot forum says
good question
post a link to the spybot thread next time you post
they have had two weeks of LARGE (for them) updates

I would say that you should use regedit and navigate to where this is meant to be, as I would have thought that it hasn’t deleted the key but changed the value from what it considers Bad to what it considers Good.

Edit: Having read the topic of the link you gave, this is basically what it does.

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) → Bad: (“%1” %*) Good: (“%1” /S) → Quarantined and deleted successfully.

The reason I say that is if the key was actually deleted and quarantined it would effectively still be broken (what MBAM reported Broken.OpenCommand) as there would be no link to open screen saver .scr files ???

Edit: again based on the other link, I don’t know if they have got this right or not as they mention in the topic.

This was registry data we modified in the past in a way that, while it worked just fine, it was not the way Windows installs it by default.

Now my relatively new system, which had a clean install of Windows XP Pro, has a setting that would be classed as Bad by MBAM, but it is the ‘default’ value from installation and screen savers work, so I chose to ‘Ignore’ the detection by MBAM.

I can’t help with the other registry values as a) there are no such entries in my registry, b) probably because I don’t use Vista.
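Since the advice above is to look at the value in regedit before deciding whether to ignore or fix the detection, here is a read-only check that does the same thing from PowerShell. It is an added example, not code from any poster or from MBAM or Spybot: it exports a backup of the screen-saver open command key, reads its default value and compares it against the two strings MBAM reported ("%1" %* and "%1" /S), and lists whether the three Spybot-flagged keys exist and what values they hold. It changes nothing; the backup file name is an assumption.

```powershell
# Added example (not from the thread): inspect, without modifying, the registry
# entries discussed above. Run from an elevated PowerShell prompt.

$scrKey = 'Registry::HKEY_CLASSES_ROOT\scrfile\shell\open\command'
$backup = "$env:USERPROFILE\Desktop\scrfile_open_command_backup.reg"   # assumed path

# 1. Back up the key first, so any later change by a scanner can be reversed.
if (Test-Path -LiteralPath $scrKey) {
    & reg.exe export 'HKCR\scrfile\shell\open\command' $backup /y | Out-Null
    Write-Host "Backup written to $backup"

    # 2. Read the (Default) value and compare with the two strings MBAM reported.
    $current = (Get-ItemProperty -LiteralPath $scrKey).'(default)'
    Write-Host "Current (Default) value: $current"

    switch -Wildcard ($current) {
        '*"%1" /S*' { Write-Host 'Matches the value MBAM labels Good ("%1" /S).' }
        '*"%1" %\**' { Write-Host 'Matches the value MBAM labels Bad ("%1" %*); the thread notes this is also a common default.' }
        default     { Write-Host 'Value matches neither string from the MBAM report; review it manually.' }
    }
} else {
    # A missing key would mean .scr files have no open command at all, which is
    # the "still broken" case discussed above.
    Write-Host "Key $scrKey does not exist."
}

# 3. Report the three keys Spybot flagged (names taken from the Spybot output above).
$spybotKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DisabledRun',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DisabledUninstall',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DisabledBHO'
)
foreach ($k in $spybotKeys) {
    if (Test-Path -LiteralPath $k) {
        Write-Host "Present: $k"
        # Print every value under the key so it can be compared with the scanner report.
        Get-ItemProperty -LiteralPath $k | Format-List -Property * | Out-String | Write-Host
    } else {
        Write-Host "Absent:  $k"
    }
}
```

The point of the script is to give you the evidence (a backup plus the actual current values) before clicking Fix or Ignore in any of the scanners; if a scanner later changes the screen-saver command and .scr files stop opening, the exported .reg file restores the old value.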

David,

Are you saying I should’ve clicked on Ignore instead of quarantine and delete? I looked in my quarantine log, and HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) → Bad: (“%1” %*) Good: (“%1” /S) wasn’t listed. I checked to see if I had any screen saver pictures, and I do.

This is a link to my thread on the Spybot forum. At the time of this message, there has been no reply.

http://forums.spybot.info/showthread.php?s=50804e1dc5b104358013e6d66ae97287&t=34102

I’m wondering if any of my problems have to do with me installing iTunes 8. I uninstalled it and reinstalled version 7.7.1.11. The reason why I uninstalled it was because people were having problems with the software and/or their iPod. I ran Spybot again, and it still found the problems. Before I installed it, I ran scans and nothing was found.

No, what I’m saying is that based on my default settings having never been changed, and the comment in that topic that appears to say that previously MBAM changed that value, it doesn’t make sense.

In the other link that wyrmrider posted, changing the value somehow resolved a problem by changing a default value, so to my mind either Microsoft is wrong in its default value or MBAM is wrong, as seems apparent by the quote I posted. Added is the full post from that topic you posted.

This was registry data we modified in the past in a way that, while it worked just fine, it was not the way Windows installs it by default.

All that this is, is a one time fix to make this data 100% correct.

The reason we did not notice this error before was that the error did not cause any problems.

This is more of a correction than a fix as nothing was actually broken.

Now this implies that they previously changed the value but now they are correcting it, now I’m unaware that they ever changed that value on my system as it has only recently started to flag that registry entry.

So on my system nothing should have changed that would require MBAM to change it back. Now if I have confused you sorry, but this whole aspect confuses the hell out of me too and that is why I took the decision not to change it but to Ignore it.

Why don’t you read about it in Malwarebytes own forum regarding the False positive?
http://www.malwarebytes.org/forums/index.php?showtopic=6195
http://www.malwarebytes.org/forums/index.php?showtopic=6226

http://forums.spybot.info/showthread.php?t=34036