mikew_nt

System.BrokenFileAssociation

33 posts in this topic

This morning I woke up to find that SAS had detected 3 registry threats. The only thing going on yesterday was I updated SAS to 4.36.1006.

The indication is System.BrokenFileAssociation, but there isn't much detail.

Just for background, this is a fairly new Windows 7 system, and I have not installed or run anything like CCleaner or anything.

I've never seen SAS pick up anything like System.BrokenFileAssociation.

Is this a false positive or did I get malware somewhere?

If this is a false positive, should I restore these from quarantine?

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 04/30/2010 at 00:25 AM

Application Version : 4.36.1006

Core Rules Database Version : 4870

Trace Rules Database Version: 2682

Scan type : Quick Scan

Total Scan Time : 00:25:39

Memory items scanned : 569

Memory threats detected : 0

Registry items scanned : 592

Registry threats detected : 3

File items scanned : 41812

File threats detected : 0

System.BrokenFileAssociation

HKCR\.exe

HKCR\.com

HKCR\exefile\shell\open\command


Updates:

I restored once, and re-ran the scan. It found the same three items, so I did the false positive report while I was there.

Here is something interesting in that I opened regedit before and after the restore, and if we are talking about HKEY_CLASSES_ROOT, I saw no difference before or after in the registry keys.

Here is the other interesting thing. When I re-ran the quick scan, it immediately flagged 3 registry items while it was still scanning memory items. I hit Next rather than waiting for the scan, and quarantined them. Just as additional information, SAS is not requesting to reboot after quarantining.

Then I ran it again with the items quarantined, and it gave me the exact same result! I can quarantine again, rescan and it will give me the same 3 items again. I can probably do this to infinity and it will keep detecting and quarantining.

I've already checked out my Event Viewer and I have no Errors or Warnings, I installed no other software yesterday, and the machine appears to be operating fine.

Is this a bug in the new engine?


Same result here on a Vista 64-bit system -

Have not quarantined as yet.

SAS Admin - Advice please!


I have fully updated to 4874-2686 and this problem is still there.

Those registry values appear to be fairly important (!), and it is unclear to me what might happen if the machine were to reboot right now.

SAS Admin, can you please let us know what is up?

Can you also let us know if we need to restore those keys, or do anything special?


Thank you for taking the time to report this issue and the details surrounding it. We have disabled the detection of "System.BrokenFileAssociation" as of SAS Core Database Version 4875 (released a few moments ago). The rule, as you have seen, resulted in erroneous detections on certain systems, and our lead low-level developer is investigating. If you update your definition databases within the product, these registry keys will no longer be detected.

Thanks,

Geoff


Your comments noted Geoff.

My suspicions confirmed.

Thanks for your prompt response.


I am having this problem now May 4, 2010 and have everything updated to latest versions. It just started this afternoon.

Mark


Hi mark5scuba,

Can you create a support ticket on our website requesting a SSI diagnostic in the problem description, making sure to mention that you are getting the System.BrokenFileAssociation detection? Also, please specify your OS in the problem description as well.

http://www.superantispyware.com/csrcreateticket.html

Thanks,

Geoff


Geoff,

I installed the beta ver 4.90.1060 and the problem went away. My OS is Vista Ultimate 64bit on an MSI P55-GD65 with I7 860

Thanks,

Mark


Exact same problem, I did as the above member did and the Broken file.System went away. OS is Vista 64bit Ultimate.

System.BrokenFileAssociation - I have no idea what it was, but I am happy it's gone with the new beta.


I too am getting the System.BrokenFileAssociation detection. Location is HKCR\.exe. My SAS Pro updated itself to 4.36.1006 and now every scan I run since has this detection. I've sent a support ticket request already. I am running Windows XP Pro with Service Pack 3 and have not installed any new software except SAS. I just want to know if it's a false positive or serious.


Add me to the list. I've been getting it the past few days. I reboot every day and my files update:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 05/06/2010 at 06:11 PM

Application Version : 4.36.1006

Core Rules Database Version : 4895

Trace Rules Database Version: 2707

Scan type : Complete Scan

Total Scan Time : 00:44:55

Memory items scanned : 659

Memory threats detected : 0

Registry items scanned : 9220

Registry threats detected : 1

File items scanned : 39945

File threats detected : 1

System.BrokenFileAssociation

HKCR\.exe

-----

Win XP Home


I have the same problem and still do not know if this is a false positive. I also installed the beta ver 4.90.1060 but the problem is still there. It did not surprise me because the version of the database is the same.

My OS is Windows 7 Ultimate.


I still have the problem but this machine is running 32 bit win xp:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 05/08/2010 at 07:43 AM

Application Version : 4.37.1000

Core Rules Database Version : 4906

Trace Rules Database Version: 2718

Scan type : Complete Scan

Total Scan Time : 00:00:03

Memory items scanned : 111

Memory threats detected : 0

Registry items scanned : 0

Registry threats detected : 1

File items scanned : 0

File threats detected : 0

System.BrokenFileAssociation

HKCR\.exe


For me the story is mostly the same as the first poster, except that the broken file associations were taken care of in an automatic scan. A few hours later more and more programs started to malfunction, so I rebooted. After the reboot, Windows started, but no other programs were able to start. Each time I tried to start a program it would tell me that there was no program associated with the extension .exe, so that I need to install a program that could deal with that extension.

So now I have a completely non-functional Windows 7 Ultimate edition 64-bit. I have a disk image a few weeks old, but I am still hoping to find a solution to restore the current one. I can't even get SAS to start to let it undo its damage.

I hope that somebody can give me advice to make the programs start again. I do have a WinPE to access the computer with programs.

When booting "normally" I have a network. And for some reason Windows Explorer is the only program willing to start by itself, but no copying or pasting. I can use Explorer to start programs that start by clicking on, for example, png, jpg, etc. files. So file associations other than .exe seem intact, but even these programs fail if they try to start up other programs.

Please, has anybody any idea?


It's a false positive; just eliminate that entry so it never finds it again.

Welcome to the SuperAntiSpyware forum Alinda.

Please download the .exe fix from the following site (using another computer obviously), save it to disk or USB stick, then follow the instructions on the site to extract and run the fix.

http://www.winhelponline.com/blog/file-asso-fixes-for-windows-7/

Thanks that seems to have worked fine. Even though I got error messages while trying to follow the instructions. Now I can just use my Windows 7 installation again.

After this experience and reading various articles I have now turned off the automatic quarantine and remove infected file option. I have had too many false positives, both from SAS and my virus scanner.

Thanks for the help!


I had the same problem on my 32 bit XP Pro setup, however, with HKCR\.com. Assuming it to be a false positive, I told SuperAntiSpyware to ignore it. Then I checked the registry and found that it was indeed a false association as .com was referred to as an exefile and not a comfile. An easy way out (which I used) was to download a fix from here: http://www.dougknox.com/xp/file_assoc.htm. I enclose the screen shot of the opening page, which speaks for itself.

Worked for me .. as SuperAntiSpyware keeps quiet about the false association, at least for now.

p.s. edited above link (removed trailing '.' to make it click-able). And, ran another scan and no problems, so it seems the fix took care of a file association which indeed was broke (imo).

post-9125-127373948271_thumb.jpg
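
The check described in the post above (does .com point at comfile, does .exe point at exefile) can be done read-only before deciding whether to quarantine, restore or apply a fix. This is an added example, not part of the original thread and not SUPERAntiSpyware code; the function name is hypothetical, and the expected values are the stock Windows defaults for these keys.

```powershell
# Added example, not SUPERAntiSpyware code. Read-only: nothing is written.
# Stock Windows defaults for the keys named in the scan logs (plus comfile).
$expected = @(
    @{ SubKey = '.exe';                       Value = 'exefile' },
    @{ SubKey = '.com';                       Value = 'comfile' },
    @{ SubKey = 'exefile\shell\open\command'; Value = '"%1" %*' },
    @{ SubKey = 'comfile\shell\open\command'; Value = '"%1" %*' }
)

function Test-ExecutableAssociation {    # hypothetical helper name
    param([hashtable[]]$Expected)

    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($item in $Expected) {
        $actual = $null
        $state  = 'MISSING'
        # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes.
        $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($item.SubKey)
        if ($null -ne $key) {
            $actual = $key.GetValue('', $null, $raw)    # '' selects (Default)
            $key.Close()
            if ($actual -eq $item.Value) { $state = 'OK' } else { $state = 'MISMATCH' }
        }
        # A per-user copy of the key takes precedence over the machine-wide one.
        $userKey = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
            'Software\Classes\' + $item.SubKey)
        $perUser = ($null -ne $userKey)
        if ($perUser) { $userKey.Close() }

        New-Object PSObject -Property @{
            Key = 'HKCR\' + $item.SubKey; Expected = $item.Value
            Actual = $actual; State = $state; PerUserOverride = $perUser
        }
    }
}

Test-ExecutableAssociation -Expected $expected |
    Select-Object Key, State, Actual, Expected, PerUserOverride |
    Format-Table -AutoSize
```

A MISMATCH row for HKCR\.com with an actual value of exefile is the condition the poster found by hand; rows that all read OK while the scanner still flags the keys point to the detection rule rather than the registry.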


Same problem here and I have seen nothing that fixed it.

I have a support ticket working but no help.

I'm getting so I don't like making registry changes that do nothing. :(


I am having the same problem.

Although the administrator says the problem has been corrected, every time I run a scan it says "broken file extension."

Is this anything that should concern me?

post-11935-127822835477_thumb.jpg
