
Recently keep getting broken.open command for piffile shell



Is this a false positive? Any further action required please?

Thanks

Logfile from Quick Scan in developer mode:

Malwarebytes' Anti-Malware 1.41

Database version: 2870

Windows 5.0.2195 Service Pack 4

30/09/2009 11:21:43

mbam-log-2009-09-30 (11-21-32).txt

Scan type: Quick Scan

Objects scanned: 82573

Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("%1"?) Good: ("%1" %*) -> No action taken. [3974894881707936807878667969840910013986796885748079]

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


If you think this may be a false positive, post a developers log in the False positive forum. Thanks!

Well, I don't know whether it is or it isn't. It may be caused by malware for all I know, that's why I posted it here. Presumably the value may be caused by malware or it wouldn't be flagged up by mbam?

If it was a confirmed FP I would have posted it on the FP thread.

I have posted a developers log above.


  • 2 weeks later...

post your logs in the false positive forum so the MBAM team can check for you.

Just joined your forum and I have found that this is a conflict between programs. Malwarebytes quarantines Broken.Opencommand and Systems Mechanic changes it back. System Mechanics calls it Dangerous file association:.scr (Screen Saver) Vulnerability: Files with executable code are often used to spread viruses. Repair: Set .reg files to always open with Notepad. The other one: .reg (Registration Entries) says the same thing. So, am I just to let System Mechanics repair and mark them as Ignore on Malwarebytes? I hope I did this right as I am 68 and still learning or trying to!!!!! Thanks for your time.

@ grandma742 Welcome to Malwarebytes! Please follow these instructions, A helper will get you fixed up!

follow these instructions & post it in the HiJackLog Forum please

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review

NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.


  • Staff

No need to post any logs in the HijackThis forum since this is no malware related problem, nor a false positive. ;)

Sarsen, as grandma742 said:

Just joined your forum and I have found that this is a conflict between programs. Malwarebytes quarantines Broken.Opencommand and Systems Mechanic changes it back. System Mechanics calls it Dangerous file association:.scr (Screen Saver) Vulnerability: Files with executable code are often used to spread viruses. Repair: Set .reg files to always open with Notepad. The other one: .reg (Registration Entries) says the same thing. So, am I just to let System Mechanics repair and mark them as Ignore on Malwarebytes? I hope I did this right as I am 68 and still learning or trying to!!!!! Thanks for your time.
Thanks for posting this Grandma742
;)

This is exactly what is happening here. This isn't really a false positive in malwarebytes. Malwarebytes sees and reports that the association for these files are not the default ones as set by Windows (since malware may alter these associations as well). When you select to remove in mbam, mbam restores it to the default associations again (as set by Windows).

So you have 2 choices here... Or you ignore the detection in mbam, or you don't let System mechanic modify the default associations.
:D

No need to post any logs in the HijackThis forum since this is no malware related problem, nor a false positive. ;)

Sarsen, as grandma742 said:

Thanks for posting this Grandma742 <_<

This is exactly what is happening here. This isn't really a false positive in malwarebytes. Malwarebytes sees and reports that the association for these files are not the default ones as set by Windows (since malware may alter these associations as well). When you select to remove in mbam, mbam restores it to the default associations again (as set by Windows).

So you have 2 choices here... Or you ignore the detection in mbam, or you don't let System mechanic modify the default associations. :D

Cheers

I don't use system mechanic. Could be spyware blaster, or maybe spybot search and destroy, or ccleaner perhaps.


  • Staff

Sarsen, in your case, the association for pif files was set to ""%1"?" instead of the default association "%1" %*

However, it appears this doesn't break the association and pif files should still run fine here.

Afaik, spywareblaster, Ccleaner nor Spybot s&d don't modify this one. I guess you probably have been using a tool in the past to "fix" associations where it didn't really set them correctly.

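The staff replies above separate a changed open command that still runs the file from one altered by malware. As an added example (not part of the thread and not Malwarebytes code), this Python parses the log's Broken.OpenCommand entry and labels the "Bad" value by which program it launches first; the names `ENTRY`, `first_token`, `triage` and the verdict labels are assumptions of this example, and the second sample line is constructed.

```python
import re

# Entry shape taken from the "Registry Data Items Infected" line in the log above.
ENTRY = re.compile(
    r'^(?P<value>HKEY_.+?) \((?P<detection>[\w.]+)\) -> '
    r'Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> '
    r'(?P<action>.+?)\.\s*(?:\[\d+\])?\s*$'
)

def first_token(command):  # -> (program, remainder) of an open-command string
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:  # unbalanced quote: treat the whole string as the program
            return command[1:], ''
        return command[1:end], command[end + 1:]
    program, _, rest = command.partition(' ')
    return program, rest

def triage(line):
    """Parse one log entry and label its 'Bad' value (labels are this example's own)."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None  # section headers, "(No malicious items detected)", etc.
    entry = m.groupdict()
    program, rest = first_token(entry['bad'])
    if entry['bad'] == entry['good']:
        entry['verdict'] = 'default'
    elif program == '%1':
        entry['verdict'] = 'self-launch variant'   # the file itself still runs
    else:
        entry['verdict'] = 'interposed program'    # something else runs first
    entry['program'] = program
    entry['forwards_args'] = '%*' in rest          # are extra arguments passed on?
    return entry

SAMPLES = [
    # From the log above (trailing bracketed id omitted).
    r'HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand)'
    r' -> Bad: ("%1"?) Good: ("%1" %*) -> No action taken.',
    # Constructed for contrast: a hypothetical helper path placed before "%1".
    r'HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand)'
    r' -> Bad: ("C:\example\helper.exe" "%1" %*) Good: ("%1" %*) -> No action taken.',
]

if __name__ == '__main__':
    for line in SAMPLES:
        result = triage(line)
        print(result['verdict'], '|', result['bad'], '| forwards args:', result['forwards_args'])
```

An entry labelled "interposed program" is the one to look into further; the value from this thread still launches the .pif file itself and only drops the `%*` argument forwarding.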

Sarsen, in your case, the association for pif files was set to ""%1"?" instead of the default association "%1" %*

However, it appears this doesn't break the association and pif files should still run fine here.

Afaik, spywareblaster, Ccleaner nor Spybot s&d don't modify this one. I guess you probably have been using a tool in the past to "fix" associations where it didn't really set them correctly.

Thanks for the reply. I haven't been using much else as far as I remember, other than avg, and superantispyware...

...when I try and fix it in mbam, it always comes up again on the next scan... ignoring it seems to be the solution.

It didn't look like anything serious, but I always think it's worth checking it out with others who live and breathe this stuff
