Exact same situation as john_in_naples... I wonder if this is a false positive? Registry Data: 2Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),Replaced,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),Replaced,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5