supposed issue with registry but not detected within avast..

A full scan (using additional anti-malware software along with avast) has detected supposed malware (a registry mod):
Registry Data Items Infected: HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) → Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") → Quarantined and deleted successfully.

It would seem after a google that this registry key is often edited by Iolo System Mechanic, but I do not have any Iolo software installed, and never have.
Does anyone know why this supposed vulnerability is not detected using avast on a full scan? Is this change not important? If anyone knows of any other software aside from Iolo that may also change the registry in this manner, I would like to find out, just in case I have it installed.

Avast detects no issues, despite this change being present. Thanks for any tips.

Because the registry isn’t scanned in isolation. If a malware detection is found then avast would look for associated registry entries for the infected file.

These settings can be legitimately changed by the user and/or other tools, so it would be hard to determine intent. In all honesty I can't see why the one with quotes on "regedit.exe" and the parameter "%1" is considered Bad and the regedit.exe "%1" considered Good.

But what does it mean by Bad, incorrect or malicious?

Checking mine, it doesn't match the determination of Good as it has an extra element in the parameters, regedit.exe "%1" %*. Now is that Good, Bad or just plain indifferent? The one thing for sure is that I know my system is clean.

I assume the term vulnerability is likely used as a way of explaining I may be either putting my system at risk from outsiders in some way or another, or damaging the system from the inside, if select malicious software may use this modified key to cause issues with the computer. The registry key setting without the quotes seems to be what Windows across the board (XP, Vista, 7 etc.) should have by default. It must be a key that is almost never modified, if it is to pop up as an issue and be labelled as malware, i.e. very little software adding quotes or edits to this registry key… after a google, only Iolo comes up for software that changes this value but has no malicious intent. The warning is not given when a registry scan is selected - for example in some anti-malware programs, 'scan additional items against heuristics shuriken' or 'use advanced heuristics engine' must be selected in order for this warning to appear, but this option is usually already set by default. Thanks

That’s the point there is no definition of what Bad is, so we can’t say what this change would do. It certainly wasn’t defined as a vulnerability, just Bad with no determination of what Bad is or might do. I hate these categorisations without an explanation.

Normally quotes are used when there are spaces in a path so when used on a file name that doesn’t have a space, I simply can’t understand why that would be considered Bad in a malicious way.

I take it that this was MBAM that made the detection, I have seen similar ‘Bad’ determinations, but that is normally when it is actually disabling a function monitoring your firewall or antivirus in the windows security center. This can be changed by malware looking to disable your firewall or antivirus and not have the windows security center inform you they have been disabled.

Now that is easy to understand how there might be malicious intent which could leave you vulnerable, but for the life of me I can't understand why the quotes, without any other form of manipulation, e.g. to run a different regedit.exe file, would be considered Bad.

I could only assume it was because Iolo is one of the few programs mwb know of that modifies this entry, an entry which they may believe may never be necessary to change from its original windows default values.

A quote from the mwb forum to a user about Broken.OpenCommand:
‘malware modifies the regedit association and replaces it with malicious valuedata, or it was modified by something else in an attempt to restore the default data - which broke it instead (because of the extra quotes added)’

I can edit this registry key to anything, and it will come up as 'bad' with the malware icon, which I agree isn't accurate, despite the fact that this editing could be done by malware for some malicious purpose. Whatever the case, they believe restoration to its original 'good' setting is the safest way to go.

I forgot to add that after I corrected this edit, I did receive two 'kernel data inpage error' blue screens, one in the early morning, the other today after a restart, but as a result I decided to restore these 'bad' values back to the way they were, despite not matching Windows' original values. I'm not sure whether any of that is in any way related as the laptop is old, but it's something I must take into account in determining exactly why the system gave up around the same time. I'm not sure exactly what this registry key is used for (the likely purpose of a modified or different non-malicious regedit.exe than what is set by default).

That essentially is the crux of the matter: Bad and Broken really are two completely different things, and should a security program be looking for broken registry entries?

Now as far as broken goes, if I change my registry key to "regedit.exe" "%1" %*, regedit still works, so I really don't know how that could possibly be classed as broken. Interestingly, even after this change the key still showed as (Default).

As I mentioned before, Bad 'malicious intent' on changing this key would surely be trying to either disable or replace the regedit.exe with one in another location.

There really are times when MBAM might be a little paranoid, if any change, even quotes, has it throwing a fit when there is no replacement or disablement.
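The two posts above draw the line the way a defender would want a scanner to: what matters about HKEY_CLASSES_ROOT\regfile\shell\open\command is which executable it actually runs and whether the .reg file still gets passed in, not whether the file name is quoted. The following Python is an added example, not code from the thread or from MBAM or avast, that applies that reasoning: it tokenises the command value with Windows-style quoting and classifies it as the stock default, a harmless equivalent (quotes around regedit.exe, a trailing %*, an explicit path under the Windows directory), or a genuinely suspicious change (another program, or a regedit.exe in another location). The assumed system root (C:\Windows) and the category names are my own; the sample values are constructed from the variants quoted in the thread.

```python
"""Classify a regfile\\shell\\open\\command value by what it runs.

Added example (assumptions: stock default is regedit.exe "%1", and the
genuine regedit.exe lives under C:\\Windows). Not the thread's own code.
"""
import os
from typing import List

# The stock Windows value quoted in the thread as "Good".
DEFAULT_OPEN_COMMAND = 'regedit.exe "%1"'
# Assumed location of the real regedit.exe.
SYSTEM_ROOT = r"C:\Windows"


def split_command(value: str) -> List[str]:
    """Tokenise a command string with Windows-style quoting: double quotes
    group a token and are stripped; unquoted whitespace separates tokens."""
    tokens, current, in_quote, have_token = [], [], False, False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
            have_token = True            # "" still counts as an (empty) token
        elif ch.isspace() and not in_quote:
            if have_token:
                tokens.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if have_token:
        tokens.append("".join(current))
    return tokens


def classify_open_command(value: str, system_root: str = SYSTEM_ROOT) -> str:
    """Return one of: empty, replaced-executable, redirected-path,
    missing-file-argument, default, equivalent."""
    tokens = split_command(value)
    if not tokens or not tokens[0]:
        return "empty"                   # nothing would run: broken
    exe, args = tokens[0], tokens[1:]
    exe_l = exe.lower().replace("%systemroot%", system_root.lower())
    root = system_root.rstrip("\\").lower()

    # Is a different program now handling .reg files?
    if os.path.basename(exe_l.replace("\\", "/")) != "regedit.exe":
        return "replaced-executable"
    # Is it a regedit.exe, but one outside the Windows directory?
    if ("\\" in exe_l or "/" in exe_l) and not exe_l.startswith(root + "\\"):
        return "redirected-path"
    # Without %1 the double-clicked .reg file is never passed in.
    if "%1" not in args:
        return "missing-file-argument"
    if value == DEFAULT_OPEN_COMMAND:
        return "default"
    return "equivalent"                  # quotes, %*, full path: same behaviour


def read_current_value() -> str:
    """Read the live (Default) value; Windows only, needs the winreg module."""
    import winreg
    path = r"regfile\shell\open\command"
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, path) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    # Constructed samples: the thread's Good, Bad and %* variants plus two
    # changes that actually redirect what opens a .reg file.
    samples = [
        'regedit.exe "%1"',
        '"regedit.exe" "%1"',
        'regedit.exe "%1" %*',
        r'"C:\Users\Public\regedit.exe" "%1"',
        'notepad.exe "%1"',
    ]
    try:
        samples.insert(0, read_current_value())
    except ImportError:
        pass                             # not on Windows: samples only
    for sample in samples:
        print(f"{classify_open_command(sample):24s} {sample}")
```

Only the last two categories are the "replacement or disablement" the reply above says a Bad verdict should mean; the quoted form MBAM flagged lands in the same bucket as the %* variant that the other poster runs without trouble.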

Perhaps the additional quotes could have been the result of someone using a registry cleaning program which may have caused issues? CCleaner is installed, although I do not use its built in registry cleaner myself, another user may have. I have noticed upon a search that another user has had a problem at the same location. All info being missing (as in their case) is possibly more likely to happen rather than questionable additional quotes though… http://forums.techguy.org/general-security/983955-broken-open.html

MBAM throws that up on my system… It is irrelevant in my view as I am clean

Unfortunately the forums.techguy.org topic quickly gets diverted from the original question which remains unanswered. I use ccleaner, but generally I don’t use its registry cleaning function. But I have used it in the past and that certainly didn’t add ""s to that key and I rather doubt that corrupting whilst cleaning would be as benign as the addition of the ""s.

I also can't see why a so-called registry cleaner would be making modifications; most cleaners are just deleting keys that they feel are redundant/orphans, etc.

I still feel this is more of an issue for MBAM than for you to worry about. As I have said, I think there are times when MBAM is too damn sensitive.

avast has always reported my system to be 100% clean too with no problems, and mwb being sensitive seems to come up a lot on some forums. I do wonder what the developers of avast make of mwb's advanced heuristics engine that's bringing up my 'broken.OpenCommand' issue, but that may be a topic for another day, lol. I'll ignore the registry change for now, although it does seem very odd, and focus on trying to find out what I can gather from the blue screen crash reports instead. Thanks for the replies :)

I don't think the avast developers would give it much thought about mbam's 'advanced heuristics' since they don't scan the registry in this way. I also don't class this as advanced anything; to me it is bordering on paranoid heuristics, as all this is achieving is scaring the user without good justification.

This is also another reason why I have disabled mbam’s so called malicious website blocking feature, it doesn’t just block malicious websites but many other categories. So if it doesn’t do what it says on the tin I disable it.

I found the memory dumps - here is the info on the blue screens. It looks like they may be unrelated to the registry issue after all, yet one may be related to avast, the other possibly some sort of CPU overload (I had issues before with CoreTemp making the fans go full speed). I don't think I'll be leaving this system on 24/7 from now on, lol. If anyone has any ideas… ?? :) thanks

http://s18.postimage.org/4vdq74ea1/Untitled.jpg

Windows Memory Dump creation

https://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1356

Thanks for the tip on saving and sending memory dumps in case of future crashes, but shouldn't I just zip and send the two I have already, above (or at least the one relating to avast)? That program seems to be only for forcing a crash (blue screen) if I have a program freeze, poor response or black screen, but I've never had that. Everything had worked fine up until Windows gave me 2 out of the blue 'to prevent damage' screens, seemingly for no good reason. I'm sure it's very likely, but I have found nothing to hint online that the 2 BSODs I've had are related to one another. I can't find much on 'ataport.sys' other than that it's a Microsoft driver used with IDE controllers, commonly taken advantage of through malware/rootkits, often causing the BSOD. Avast and mwb with the fixed registry entry state my system is clean, so I don't know. I have had no BSOD since the 1st, but I will reinstall avast.

Update: I'm now on the third BSOD (3rd Feb), lol. It would seem the individual programs may not be the cause, even if related to the problem, as I just uninstalled ZA and replaced it with OA, but I received another 'bad pool header', this time OA related. I don't think I can upload the memory dump you mention in the previous post, as it's too large a file (2 gigabytes!), and the wifi connection here is slow and unreliable when it comes to a constant connection (wireless home phone ringing or being picked up can cause a disconnection) :( I'm not going to reinstall the system just yet, and I don't have the option to restore. Interestingly enough, it's now the 7th of February and no more issues. I've just realized that I've forgotten to restart one commonly used program since the 3rd (SpeedFan!). If I don't receive another BSOD within the next week I'm going to try SpeedFan once more, and wait. I may have found the culprit, despite having used it for weeks on default settings with no problems at all. If it works, then I can only put it down to hardware or the last program installation.

http://s11.postimage.org/awxk8p0f7/Untitled.jpg

Event viewer around the time of the last BSOD (3/2/2013 18:14) is below. Could this really be SpeedFan related, or some sort of hardware issue between the two, e.g. CPU overheat or damage?

03/02/2013 18:15:11, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi ElbyCDIO EUDSKACS EUFDDISK OADevice oahlpXX spldr Wanarpv6
03/02/2013 18:15:11, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
03/02/2013 18:15:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error “1084” attempting to start the service WSearch with arguments “” in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
03/02/2013 18:15:01, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error “1068” attempting to start the service fdPHost with arguments “” in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
03/02/2013 18:14:59, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error “1084” attempting to start the service EventSystem with arguments “” in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
03/02/2013 18:14:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error “1084” attempting to start the service ShellHWDetection with arguments “” in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
03/02/2013 18:14:08, Error: EventLog [6008] - The previous system shutdown at 6:05:20 PM on 2/3/2013 was unexpected.
03/02/2013 18:13:29, Error: sptd [4] - Driver detected an internal error in its data structures for .