mewnlite

System.BrokenFileAssociation

This Windows XP SP3 machine had a rogue security app which cleaned up nicely with MBAM and SAS. EXE files would not run but that problem was fixed by a batch and reg file that I obtained the link to a couple of weeks ago in alt.privacy.spyware. Everything is now working fine but SuperAntispyware keeps detecting this one item.

I searched the registry for HKCR\.exe and don't come up with anything.

Google isn't showing anything since mid 2010 about this detection.

Can anyone help?

Thanks

This seems to be detected when the exe extension in the registry still has some entries left by the infection. Open regedit, navigate to HKEY_CLASSES_ROOT, find the .exe extension and the exefile entry in the list, and compare them to the entries in the registry file you obtained before to fix your exe problem. There will probably be some extra entries or entries that need to be removed. If you don't still have the registry file, here's how it should look:

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

Thank you so much. There was too much stuff in [HKEY_CLASSES_ROOT\.exe]

It was like [HKEY_CLASSES_ROOT\.exe\shell\open\command] which had a value pointing to a user's tmp file.

Deleting that whole shell section took care of it.

I did find "%1" %* in a couple of places and changed it to "\"%1\" %*" as your example showed.

However that yielded access denied errors when I tried to open *anything*.

Fortunately I had the foresight to save that key before I made the change and got it back.

It didn't like the backslashes.

Thanks again!
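
An added example, not part of the original thread: Python code that parses a registry export and compares the .exe and exefile keys against the baseline posted above. It decodes .reg escaping first, so `@="\"%1\" %*"` in a .reg file corresponds to the stored value `"%1" %*`; a value typed into regedit with the backslashes is stored with them and is flagged. The sample export, its path and the function names are constructed for illustration.

```python
import re

EXPECTED_COMMAND = '"%1" %*'  # stored value, as regedit's value editor shows it
COMMAND_KEYS = (r'exefile\shell\open\command', r'exefile\shell\runas\command')

# Constructed sample export in .reg syntax (not taken from the thread).
SAMPLE_EXPORT = r'''
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Temp\\constructed.tmp\""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\\\"%1\\\" %*"
'''

def unescape(text):
    # .reg strings escape the quote and the backslash with a leading backslash.
    return re.sub(r'\\(.)', r'\1', text)

def parse_reg(export):
    """Return {key path: {value name: decoded string}}; '@' is the default value."""
    keys, current = {}, None
    for line in map(str.strip, export.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:  # hex: and dword: values are skipped
            name = '@' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def audit(keys):
    """List (finding, key path, default value) where keys differ from the baseline."""
    findings = []
    for path, values in keys.items():
        sub = path.partition('\\')[2].lower()  # path below the root hive name
        default = values.get('@')
        if sub == r'.exe\shell' or sub.startswith('.exe\\shell\\'):
            findings.append(('extra key', path, default))
        elif sub in COMMAND_KEYS and default != EXPECTED_COMMAND:
            findings.append(('bad command', path, default))
        elif sub == '.exe' and default != 'exefile':
            findings.append(('bad class', path, default))
    return findings
```

Calling `audit(parse_reg(SAMPLE_EXPORT))` returns one finding for the extra verb under .exe and one for the runas command stored with literal backslashes.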
