Recommended Posts

Hello and Welcome to Malwarebytes

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you


Hi,

If this is the only detection you're seeing on your scan, then you might want to check this recent reply to a similar report by our Research Director >>here<<:

Please add this to your whitelist in Malwarebytes. By default, the .scr and .pif files should have "%1" %* as value data for the command.

On the other hand, if you have any reason to believe that you might be infected, then by all means, please do follow @Firefox's expert advice to have a malware expert assist you with checking your system.

Thanks,


I just started receiving the errors below. Crypto Prevent has been on this workstation for weeks. Any ideas as to what is going on?

Broken.OpenCommand, HKCR\piffile\shell\open\command, C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe

Broken.OpenCommand, HKCR\scrfile\shell\open\command

 

 

Exact same situation as john_in_naples...

I wonder if this is a false positive?

Registry Data: 2
Broken.OpenCommand, HKCR\piffile\shell\open\command, "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"Good: ("Bad: ("C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" *"%1" %*),Replaced,[ffffffffffffffffffffffffffffffff]" %*)" %*, %4, %5
Broken.OpenCommand, HKCR\scrfile\shell\open\command, "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "Good: ("Bad: ("C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe" "%1" %*),Replaced,[ffffffffffffffffffffffffffffffff]" /S)" %*, %4, %5

Hi, @theMezz:

Exact same situation as john_in_naples...
I wonder if this is a false positive?

See below:

Hi,

If this is the only detection you're seeing on your scan, then you might want to check this recent reply to a similar report by our Research Director >>here<<:

Please add this to your whitelist in Malwarebytes. By default, the .scr and .pif files should have "%1" %* as value data for the command.

On the other hand, if you have any reason to believe that you might be infected, then by all means, please do follow @Firefox's expert advice to have a malware expert assist you with checking your system.

To do so, please follow the advice here: Available Assistance for Possibly Infected Computers

Thanks,


CryptoPrevent has just been updated to version 6, which has a real-time filter that prevents execution of CPL, SCR and PIF files by default (configurable in settings). If you have the premium version you will have automatically updated. MalwareBytes sees the registry changes made by CryptoPrevent as an indication of possible malware alterations to the registry. The simplest solution is to choose to exclude the detections in MBAM.

See the Technical Information and Forum menus in CryptoPrevent for more information.

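As a worked example (added here; it is not part of any post in this thread and is not CryptoPrevent's or Malwarebytes' own code), the following Python script compares the `shell\open\command` values for `piffile` and `scrfile` against the stock `"%1" %*` that the replies above cite. It tells an untouched default apart from a wrapper of the kind CryptoPrevent installs (its own executable in front, with `"%1" %*` still passed through, as in the detection lines quoted earlier) and from any other value, which is the case worth looking at before excluding anything. The sample values are constructed from the detection lines quoted above, the `"other"` sample path is made up for illustration, the live-registry read only runs on Windows, and the status labels (`default`, `wrapped`, `other`) are this example's own.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default "open" command for the .pif and .scr handlers, as stated in the thread.
DEFAULT_OPEN_COMMAND = '"%1" %*'

# Subkeys under HKEY_CLASSES_ROOT that the detections in this thread refer to.
OPEN_COMMAND_KEYS = {
    "piffile": r"piffile\shell\open\command",
    "scrfile": r"scrfile\shell\open\command",
}

# Leading executable, quoted or bare, followed by the remaining arguments.
_LEADING_EXE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')


@dataclass
class OpenCommandVerdict:
    progid: str
    value: str
    status: str              # "default", "wrapped" or "other" (labels are this example's own)
    handler: Optional[str]   # executable placed in front of "%1", if any


def classify_open_command(progid: str, value: str) -> OpenCommandVerdict:
    """Classify one shell\\open\\command value.

    default : exactly the stock "%1" %*
    wrapped : some executable runs first but still receives "%1" %*,
              which is the shape of a filter such as CryptoPrevent's
    other   : anything else; the file would not be opened the normal way
    """
    stripped = value.strip()
    if stripped == DEFAULT_OPEN_COMMAND:
        return OpenCommandVerdict(progid, value, "default", None)
    m = _LEADING_EXE.match(stripped)
    if not m:
        return OpenCommandVerdict(progid, value, "other", None)
    exe = m.group(1) or m.group(2)
    rest = m.group(3).strip()
    passes_file_through = '"%1"' in rest and rest.endswith("%*")
    if exe.lower().endswith(".exe") and passes_file_through:
        return OpenCommandVerdict(progid, value, "wrapped", exe)
    return OpenCommandVerdict(progid, value, "other", exe)


def read_live_open_commands() -> Dict[str, str]:
    """Read the live (Default) values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    found = {}
    for progid, subkey in OPEN_COMMAND_KEYS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, subkey) as key:
                value, _ = winreg.QueryValueEx(key, "")  # "" names the (Default) value
        except OSError:
            continue
        found[progid] = value
    return found


def report(values: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (progid, status, handler) for each value, in input order."""
    verdicts = [classify_open_command(progid, raw) for progid, raw in values.items()]
    return [(v.progid, v.status, v.handler) for v in verdicts]


# Constructed sample values, based on the detection lines quoted in the thread.
CRYPTOPREVENT_FILTER = r"C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.exe"
SAMPLE_VALUES = {
    "piffile": DEFAULT_OPEN_COMMAND,                     # untouched default
    "scrfile": f'"{CRYPTOPREVENT_FILTER}" "%1" %*',     # CryptoPrevent's filter in front
    "constructed_other": r'"C:\Example\unknown.exe"',    # constructed: no "%1" pass-through
}

if __name__ == "__main__":
    # On Windows the live values are used; elsewhere the constructed samples are.
    values = read_live_open_commands() or SAMPLE_VALUES
    for progid, status, handler in report(values):
        print(f"{progid:18} {status:8} {handler or '-'}")
```

A `wrapped` verdict only says the value has the shape of a pass-through filter; whether the handler in front is the expected CryptoPrevent binary is still checked by looking at the path it reports, which is what the replies above do before suggesting an exclusion.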

All you need to do is to add the two registry detections for piffile and scrfile to Malware Exclusions. From memory, I think a right click on the quarantine entries allows this - it's been a few days since I did it now so I can't recall exactly.


Thanks for the insight Deneb.  I tried to right click on the quarantine entries, but that did not work for me.  I'm going to have to hold my breath and take a deep dive into the registry to see if I can find the proper path to the piffile and scrfile objects so I can include them in Malware Exclusions.  Wish me luck!  :unsure:


Hi Unicore, in the interests of getting the right information I deleted the two registry entries from my exclusions list and ran another scan. It's the drop-down action menu in the scan result screen of the MBAM main interface that you need. Click on the drop-down menu for each entry - it gives three options: Quarantine, Add Exclusion or Ignore Once.

Hope that helps. Good luck! :)


Great minds think alike! While I was gone, I added back the quarantined entries and ran a hyper-scan. The errant files are again detected in the drop-down action menu as you described. I selected ADD EXCLUSION for each of the files and then APPLY ACTION...and ran another scan. Problem solved!

It's kind of tricky when MBAM bounces between two menus that seem to do the same thing. In reality, the only way that registry entries can be whitelisted is to follow the procedure you outlined. I'm glad I didn't have to dig down into the registry!

Thanks for your help! I think it's really great when users such as you and I can help each other to solve such problems. :D
