mc
Since: Feb 19, 2006 Posts: 30
Posted: Sun Feb 19, 2006 11:01 pm Post subject: Adaware
Archived from groups: alt.comp.anti-virus
Hello, I ran KAV and Ad-aware and Ad-aware came back with this:
Name: Windows
Category: Vulnerability
Object Type: RegData
Size: 15 Bytes
Location: regfile\shell\open\command "" (notepad.exe %1)
Last Activity: 2-19-2006
Relevance: Low
TAC index: 3
Comment: Possible virus infection, REG file extension compromised
Description: General Windows Security Issue. Your system security may be
compromised. The specifics of the possible compromised item are listed in
the comments section.
Does anyone know what this is? I had Ad-aware delete it, then I ran sys mech
6 comprehensive check-up, rebooted and ran Ad-aware again. Ad-aware showed
this same reg file as a problem a second time.
thanks mc
Jake Dodd
Since: Feb 11, 2006 Posts: 41
Posted: Sun Feb 19, 2006 11:01 pm Post subject: Re: Adaware
"mc" <wcwall.awm DeleteThis @verizon.net> wrote in message news:3N6Kf.1233$p13.755@trnddc08...
> Hello I ran KAV and Ad-aware and Ad-aware came back with this;
>
> Name:Windows
> Category:Vulnerability
> Object Type:RegData
> Size:15 Bytes
> Location:regfile\shell\open\command "" (notepad.exe %1)
> Last Activity:2-19-2006
> Relevance:Low
> TAC index:3
> Comment:Possible virus infection, REG file extension compromised
> Description:General Windows Security Issue. Your system security may be
> compromised. The specifics of the possible compromised item are listed in
> the comments section.
>
> Does anyone know what this is? I had Ad-aware delete it then I ran sys mech
> 6 comprehensive check up, rebooted and ran Ad-aware again. Ad-aware showed
> this same reg file as a problem a second time.
> thanks mc
Personally, I wouldn't want the registry association for .reg files to be the correct
"regedit.exe %1" and would change it to "notepad.exe %1" for security reasons.
If any .reg files were doubleclicked it would now open notepad and display the
contents of the registry patch in notepad instead of altering the registry.
The patch could still be imported via the command line.
Are you sure you don't have some sort of automated security here?
me
Since: Dec 27, 2004 Posts: 201
Posted: Mon Feb 20, 2006 4:04 pm Post subject: Re: Adaware
"mc" <wcwall.awm.DeleteThis@verizon.net> wrote in
news:3N6Kf.1233$p13.755@trnddc08:
> Hello I ran KAV and Ad-aware and Ad-aware came back with
> this;
>
> Name:Windows
> Category:Vulnerability
> Object Type:RegData
> Size:15 Bytes
> Location:regfile\shell\open\command "" (notepad.exe %1)
> Last Activity:2-19-2006
> Relevance:Low
> TAC index:3
> Comment:Possible virus infection, REG file extension
> compromised Description:General Windows Security Issue.
> Your system security may be compromised. The specifics of
> the possible compromised item are listed in the comments
> section.
>
> Does anyone know what this is? I had Ad-aware delete it
> then I ran sys mech 6 comprehensive check up, rebooted and
> ran Ad-aware again. Ad-aware showed this same reg file as a
> problem a second time. thanks mc
>
Ignore it. Ad-aware has always (at least since ver. 6) been
'bitching' about that.
And it will 'bitch' even when open specifies "regedit.exe %1".
J
--
Replies to: Nherr1professor2doktor31109(at)Oyahoo(dot)Tcom
Jake Dodd
Since: Feb 11, 2006 Posts: 41
Posted: Mon Feb 20, 2006 6:23 pm Post subject: Re: Adaware
<me.RemoveThis@tadyatam.invalid> wrote in message news:FMlKf.44687$id5.43757@bgtnsc04-news.ops.worldnet.att.net...
> Ignore it. Ad-aware has been always (at least since ver.6)
> 'bitching' about that.
>
> And will 'bitch' even when open specifies "regedit.exe %1"
That's odd behavior. Why would a correct value be flagged?
user
Since: Feb 08, 2006 Posts: 47
Posted: Mon Feb 20, 2006 7:10 pm Post subject: Re: Adaware
Per Jake Dodd:
>> Ignore it. Ad-aware has been always (at least since ver.6)
>> 'bitching' about that.
>>
>> And will 'bitch' even when open specifies "regedit.exe %1"
>
>That's odd behavior. Why would a correct value be flagged?
>
This is just a guess, but what if a Trojan/keystroke monitor or whatever
were named something like NotePad.exe and stuffed into some sub-sub-sub
directory?
--
PeteCresswell
Chas
Since: Aug 27, 2005 Posts: 178
Posted: Mon Feb 20, 2006 7:46 pm Post subject: Re: Adaware
"(PeteCresswell)" <x.RemoveThis@y.Invalid> wrote in message
news:2imkv1hb9pdcjglpdaaoogrs6p4qiha0rl@4ax.com...
> Per Jake Dodd:
> >> Ignore it. Ad-aware has been always (at least since ver.6)
> >> 'bitching' about that.
> >>
> >> And will 'bitch' even when open specifies "regedit.exe %1"
> >
> >That's odd behavior. Why would a correct value be flagged?
>
> This is just a guess, but how about if a Trojan/keystroke monitor or whatever
> were named something like NotePad.exe and stuffed into some sub-sub-sub
> directory?
> --
> PeteCresswell
A year and a half ago I had a hijacker attack that replaced my Notepad.exe
file with a file that contained the W32/Sillydl.dl Trojan. It also placed a
copy of the same infected file in the C:\Windows\System32 folder, and another
copy of the same file, renamed Setup1.exe, was placed in my C:\Temp folder.
I fixed the problem manually, but it took about 3 months before any AV
product found the critter.
I'm running Win98SE, so Notepad.exe should only be in the C:\Windows folder -
same for Win95 and WinME. In NT4, Win2k and WinXP, Notepad.exe should be in
C:\Windows\System32 (or wherever Windows resides on your system).
A search in Google Groups/alt.comp.anti-virus listed about 30 other threads
related to Notepad.exe problems.
Chas.
mc
Since: Feb 19, 2006 Posts: 30
Posted: Mon Feb 20, 2006 10:08 pm Post subject: Re: Adaware
thanks for the info..
mc
Jake Dodd
Since: Feb 11, 2006 Posts: 41
Posted: Tue Feb 21, 2006 10:41 am Post subject: Re: Adaware
"(PeteCresswell)" <x DeleteThis @y.Invalid> wrote in message news:2imkv1hb9pdcjglpdaaoogrs6p4qiha0rl@4ax.com...
> Per Jake Dodd:
> >> Ignore it. Ad-aware has been always (at least since ver.6)
> >> 'bitching' about that.
> >>
> >> And will 'bitch' even when open specifies "regedit.exe %1"
> >
> >That's odd behavior. Why would a correct value be flagged?
> >
>
> This is just a guess, but how about if a Trojan/keystroke monitor or whatever
> were named something like NotePad.exe and stuffed into some sub-sub-sub
> directory?
If I understand your question correctly, it doesn't matter. If malware takes
advantage of a normal (default) key value, that does not make the value a
bad thing. Naming it NotePad.exe and changing the key value to "notepad.exe
%1" would be equivalent to naming the malware RegEdit.exe and not altering
the key value.
If I misunderstood your question, please elaborate.
mc
Since: Feb 19, 2006 Posts: 30
Posted: Sat Feb 25, 2006 3:06 pm Post subject: Re: Adaware
Kaspersky Anti-Hacker does not like this file. It wants to quarantine
everything. So how do you safely perform this test?
mc
angus49
Joined: May 25, 2006 Posts: 2
Posted: Thu May 25, 2006 5:14 pm Post subject: Re: Adaware
According to Symantec this is a trojan called Backdoor.Way. I had the same thing happen as you. Ad-aware would clean it, then when I restarted and re-ran Ad-aware it was back. First run Ad-aware and, if it is there, remove it. Then open regedit (Start - Run - regedit - OK). Go to:
HKLM\Software\Classes\txtfile\Shell\Open\Command
Go to the right pane and double-click (Default). The editor will open; it will show %SystemRoot%\System32\NOTEPAD.EXE %1. Remove the
\System32. OK, then exit regedit. Go to Start - All Programs - Accessories and find the Notepad shortcut icon. Right-click it and click Properties.
In the Target box also remove \System32, click Apply and OK. Do this with any other Notepad shortcuts you may have made.
Next go to regedit again and check:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Check the right pane to see if there is a listing: msgtask C:\Windows\System32\msgsvc.exe. If there is, select the value, then Delete, and exit regedit. I did not have this part on my system, but check it anyway.
Now restart your system, re-run Ad-aware and see if it is gone. It worked on mine. Good luck.
angus49
Joined: May 25, 2006 Posts: 2
Posted: Thu May 25, 2006 5:22 pm Post subject: Re: Adaware
To mc:
The post I just made was assuming you are running XP. If you are running a 9x OS, then the reg entries will show %System% instead of %System32%. Follow the same directions.
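Added example, written for this page and not code posted by anyone in the thread: a read-only PowerShell audit of the registry locations the thread argues over. The earlier posts (PeteCresswell, Chas, Jake Dodd) turn on a single question the Ad-aware report cannot answer, namely whether the bare name "notepad.exe" in an open command resolves to the real Notepad or to a same-named file dropped elsewhere; angus49's steps then name specific keys (the txtfile open command and the HKLM Run key) to inspect by hand. The script reads the regfile and txtfile open commands from both the machine-wide and per-user Classes hives (HKCR is a merged view of the two and the per-user key wins, so a check of HKLM alone can miss an override), compares each against an assumed default-install value (regedit.exe "%1" and %SystemRoot%\system32\NOTEPAD.EXE %1 on NT-family Windows; these expected strings are my assumption, not something the thread establishes), resolves which binary the command's first token actually lands on, and prints that file's Authenticode signer and SHA-256. It then lists every notepad.exe under %windir% and %TEMP% with its signature status, and dumps both Run keys. It modifies nothing; whether a given value or file is malicious is left to the reader, because a default string can point at a bad file and a non-default string at a good one. Run it in an elevated PowerShell on Windows.

```powershell
# Added example (not code posted in the thread). Read-only audit of the
# registry locations discussed above. Run in an elevated PowerShell on
# Windows; nothing here modifies the registry or deletes files.
$ErrorActionPreference = 'SilentlyContinue'

# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
# and the per-user key wins, so a hijack can hide from a check of HKLM alone.
$assocKeys = @(
    'HKLM:\Software\Classes\regfile\shell\open\command',
    'HKCU:\Software\Classes\regfile\shell\open\command',
    'HKLM:\Software\Classes\txtfile\shell\open\command',
    'HKCU:\Software\Classes\txtfile\shell\open\command'
)
# Assumed default-install values for NT-family Windows (an assumption of
# this example, not a fact from the thread); adjust to your own baseline.
$expected = @{
    regfile = 'regedit.exe "%1"'
    txtfile = '%SystemRoot%\system32\NOTEPAD.EXE %1'
}

function Get-CommandExe {
    # First token of a shell command string, honouring a quoted path.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+', 2)[0]
}

function Resolve-Exe {
    # ShellExecute finds a bare name like notepad.exe via the application
    # directory, the system directories and PATH; Get-Command's PATH search
    # is an approximation, which is why the resolved path is printed for review.
    param([string]$Exe)
    if (-not $Exe) { return $null }
    $Exe = [Environment]::ExpandEnvironmentVariables($Exe)
    if (Test-Path -LiteralPath $Exe) { return (Resolve-Path -LiteralPath $Exe).Path }
    $cmd = Get-Command $Exe -CommandType Application
    if ($cmd) { return $cmd.Source }
    return $null
}

function Show-Binary {
    # Signer and hash of the file that would actually run; compare the hash
    # against a known-good copy rather than trusting the file name.
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    Write-Host "  binary: $Path"
    Write-Host "  signer: $($sig.SignerCertificate.Subject)  status: $($sig.Status)"
    Write-Host "  sha256: $hash"
}

Write-Host '== File-association open commands =='
foreach ($key in $assocKeys) {
    if (-not (Test-Path $key)) { continue }
    $cls = ($key -split '\\')[-4]                       # regfile or txtfile
    # Keep REG_EXPAND_SZ unexpanded so the stored string is compared as-is.
    $value = (Get-Item $key).GetValue('', $null, 'DoNotExpandEnvironmentNames')
    Write-Host $key
    if ($null -eq $value) { Write-Host '  value : (Default) not set'; continue }
    $status = if ($value -eq $expected[$cls]) { 'matches assumed default' } else { 'DIFFERS from assumed default' }
    Write-Host "  value : $value  [$status]"
    $exe = Resolve-Exe (Get-CommandExe $value)
    if ($exe) { Show-Binary $exe } else { Write-Host "  binary: could not resolve '$(Get-CommandExe $value)'" }
}

Write-Host '== notepad.exe copies under %windir% and %TEMP% =='
# Current Windows ships several copies (System32, SysWOW64, WinSxS), so judge
# by signature status and signer, not by how many copies exist.
Get-ChildItem -Path $env:windir, $env:TEMP -Filter notepad.exe -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        '{0}  {1}  {2}' -f $_.FullName, $sig.Status, $sig.SignerCertificate.Subject
    }

Write-Host '== Run keys (autostart) =='
# Both hives: the post names HKLM, but per-user Run entries start too.
foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $run)) { continue }
    $item = Get-Item $run
    foreach ($name in $item.GetValueNames()) {
        '{0}\{1} = {2}' -f $run, $name, $item.GetValue($name)
    }
}
```

The association value only governs what a double-click does; it says nothing about the file it names, which is why the script follows the first token to a path and prints a signer and hash instead of treating "notepad.exe %1" or "regedit.exe %1" as good or bad on its own. A Run-key entry is reported, not deleted; decide after looking at the file it points to.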