Broken.OpenCommand on my Windows 8.1 Computer What Do I Do?


#1 Lxno78


  • Members
  • 51 posts
  • Gender:Male
  • Local time:04:25 PM

Posted 12 July 2015 - 08:47 PM

My computer is only about a month old. I haven't used it much aside from playing a few video games and surfing the web (a few wikia sites and forums). I do have Avast anti-virus and Malwarebytes installed.


Malwarebytes is picking this up on the scan:


Registry Data: 1
Broken.OpenCommand, HKCR\regfile\shell\open\command, "regedit.exe" "Good: (regedit.exe "Bad: ("regedit.exe" "%1"),,[ffffffffffffffffffffffffffffffff]")", %4, %5
The Avast scan comes back clean.
Some websites say IOLO System Mechanic can cause this problem. I have never installed nor used IOLO System Mechanic.
How bad is the Broken.OpenCommand? What is it? What do I do?
System Windows 8.1
I don't have many programs installed on my computer. Before installing any program I would check its reputability, download from the proper website, and scan the .exe with Avast and also Virus Total online. I was also careful to custom install and only install the intended software. I have not plugged in any external hard drives or USB drives to my computer yet as well.
Here is a list of all the programs I have installed on my computer so far:
Internet Explorer
Mozilla Firefox
Google Chrome
Magix Movie Edit Pro 16 (installed from CD)
VLC media player
Inkscape0.91 (vector image editing program)
GIMP 2.8 (image editing program)
Audacity (audio editing software)
Battle.net (Blizzard's game launching program)
Heroes of the Storm
MSI Live Update 6 (MSI is the company of my motherboard, this was an updater downloaded from their website)
HWiNFO64 (system information utility)
OCCT (stability checking software for CPUs, GPUs, and PSUs)
Malwarebytes Log:
Administrator: Yes
Malware Database: v2015.07.12.04
Rootkit Database: v2015.07.10.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 8.1
CPU: x64
File System: NTFS
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 491518
Time Elapsed: 28 min, 39 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 1
Broken.OpenCommand, HKCR\regfile\shell\open\command, "regedit.exe" "Good: (regedit.exe "Bad: ("regedit.exe" "%1"),,[ffffffffffffffffffffffffffffffff]")", %4, %5
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)

Edited by Lxno78, 12 July 2015 - 08:54 PM.



#2 severac


  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia
  • Local time:10:25 PM

Posted 13 July 2015 - 04:45 PM



I found some info about Broken.OpenCommand.




It simply means that one of the file associations is no longer using the default Windows setting. This could be on purpose by you or software that you use but it is also a method used by Malware so we flag it. If you're telling MBAM to change it and it comes back then some program you're using is either blocking the change in the Registry or maybe a program you use is reverting it back.



We do not really detect this as malware, but as "Broken.OpenCommand", which means, any change that malware (and other programs) makes to an "executable - shell\open\command" valuedata which isn't set by default should be alerted to the user for safety sake. So this isn't a real false positive here, since we detect correctly as "Broken.OpenCommand".

If you're aware that one of the programs you installed *does* change this valuedata, then add it to your whitelist. If you're not aware of this, then have Malwarebytes fix this (as this will restore the default valuedata set by Windows again).


I don't think that you need to panic. 


Let's check:


Download Security Check from here or here and save it to your Desktop.

§  Double-click SecurityCheck.exe

§  Follow the onscreen instructions inside of the black box.

§  Notepad document should open automatically called checkup.txt; please post the contents of that document.


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

§  Make sure the following options are checked:

o    Internet Services

o    Windows Firewall

o    System Restore

o    Security Center/Action Center

o    Windows Update

o    Windows Defender

o    Other Services

§  Press "Scan".

§  It will create a log (FSS.txt) in the same directory the tool is run.

§  Please copy and paste the log to your reply.


Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  Click on Scan button.

§  When the scan has finished click on Clean button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[S0].txt as well.


Please download Junkware Removal Tool to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 
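
The condition described in the reply above, a shell\open\command value that no longer matches the Windows default, can be checked directly. This is an added example, not part of the original posts and not Malwarebytes' own logic; the DEFAULTS table, the function names and the SAMPLE values are assumptions constructed for illustration. It separates a value that differs from the default only in quoting (like the `"regedit.exe" "%1"` shown as Bad in the scan line) from one that launches a different program.

```python
import sys

# Stock Windows (Default) values of <class>\shell\open\command (assumed table).
DEFAULTS = {c: '"%1" %*' for c in ("exefile", "comfile", "batfile", "cmdfile")}
DEFAULTS["regfile"] = 'regedit.exe "%1"'

# Constructed sample values, used when not running on Windows.
SAMPLE = {
    "exefile": '"%1" %*',
    "regfile": '"regedit.exe" "%1"',
    "batfile": '"C:\\example\\helper.exe" "%1" %*',
}

def tokens(command):
    """Split on whitespace outside double quotes; drop quotes, ignore case."""
    out, cur, quoted = [], "", False
    for ch in command:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                out.append(cur.lower())
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur.lower())
    return out

def classify(progid, value):
    """Return 'default', 'quoting-variant' or 'changed' for one class."""
    expected = DEFAULTS[progid]
    if value == expected:
        return "default"
    if tokens(value) == tokens(expected):
        return "quoting-variant"  # same program and arguments, quotes differ
    return "changed"              # a different program or argument list

def read_command(progid):
    """Read the live (Default) value from HKEY_CLASSES_ROOT (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid + r"\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    values = {p: read_command(p) for p in DEFAULTS} if on_windows else SAMPLE
    for progid, value in values.items():
        print(f"{progid:8} {classify(progid, value):16} {value}")
```

A "changed" verdict is the case worth investigating; a "quoting-variant" still runs the same executable with the same arguments.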


#3 Lxno78

  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male
  • Local time:04:25 PM

Posted 13 July 2015 - 09:11 PM

Security Check Log
 Results of screen317's Security Check version 1.005  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender   
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Mozilla Firefox (39.0) 
 Google Chrome (43.0.2357.130) 
 Google Chrome (43.0.2357.132) 
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastui.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
Farbar Service Scanner Log
Farbar Service Scanner Version: 17-01-2015
Ran by PC1 (administrator) on 13-07-2015 at 21:39:36
Running from "E:\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
Internet Services:
Connection Status:
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
Windows Firewall:
Firewall Disabled Policy: 
System Restore:
System Restore Policy: 
Action Center:
Windows Update:
Windows Autoupdate Disabled Policy: 
Windows Defender:
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".
Windows Defender Disabled Policy: 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
Other Services:
File Check:
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
**** End of log ****
AdwCleaner Log
# AdwCleaner v4.208 - Logfile created 13/07/2015 at 21:47:21
# Updated 09/07/2015 by Xplode
# Database : 2015-07-11.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : PC1 - MAINPC
# Running from : E:\Desktop\adwcleaner_4.208.exe
# Option : Cleaning
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17840
-\\ Mozilla Firefox v39.0 (x86 en-US)
-\\ Google Chrome v43.0.2357.132
AdwCleaner[R0].txt - [859 bytes] - [13/07/2015 21:43:29]
AdwCleaner[S0].txt - [787 bytes] - [13/07/2015 21:47:21]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [845  bytes] ##########
Junkware Removal Tool Log
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.4.7 (07.13.2015:1)
OS: Windows 8.1 x64
Ran by PC1 on Mon 07/13/2015 at 21:56:45.84
~~~ Services
~~~ Tasks
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Chrome
[C:\Users\PC1\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
[C:\Users\PC1\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
[C:\Users\PC1\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
[C:\Users\PC1\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
Scan was completed on Mon 07/13/2015 at 21:59:23.24
End of JRT log
Also, thank you for the help!

#4 severac


  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia
  • Local time:10:25 PM

Posted 14 July 2015 - 01:33 AM

You are clean. It is difficult to determine what has caused the Broken.OpenCommand problem. You don't have to worry.


Empty your temp folders using TFC (Temporary File Cleaner)

§  Please download TFC by Old Timer and save it to your desktop.
alternate download link

§  Save any unsaved work. (TFC will close ALL open programs including your browser!)

§  Double-click on TFC.exe to run it. (If you are using Vista or above, right-click on the file and choose "Run As Administrator".)

§  Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

§  Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.


This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download  DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

§  Activate UAC (optional; some users prefer to keep it off)

§  Remove disinfection tools

§  Create registry backup

§  Purge System Restore

Now click "Run" and wait patiently.
Once finished, a logfile will be created. You don't have to attach it to your next reply.

Edited by severac, 14 July 2015 - 01:35 AM.

I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 


#5 Lxno78

  • Topic Starter

  • Members
  • 51 posts
  • Gender:Male
  • Local time:04:25 PM

Posted 14 July 2015 - 08:34 AM

I have two questions.


1. When I was looking at the RegBackup folder (I think Junkware Removal Tool created this for registry backup) I accidentally clicked the file dos_restore.cmd and it ran the process. Should I worry? Do you know what that did at all?


2. I discovered another problem. My user folder is showing up as a protected system file in the directory C:\Users.

I basically have the same problem as the person who asked here.

What bothers me is that at the end of that post it is stated that a virus could likely be the cause. I'm wondering if Junkware Removal Tool caused this problem when running RegBackup, as this directory was created: C:\RegBackup\MAINPC\7.13.2015_9.56.47-PM\C\Users, which contains both the Default user folder and [MyAccountName] user folder. I'm wondering if when it was backed up an attribute was changed?


Any ideas to what happened?

#6 severac


  • Members
  • 872 posts
  • Gender:Male
  • Location:Serbia
  • Local time:10:25 PM

Posted 14 July 2015 - 08:50 AM



You can ask the JRT developer (thisisu) a question, report an issue or suggestion in this topic which he monitors for issues with JRT. You can also send a private message (PM) directly to thisisu. He will probably know how to explain this.

I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

