Adaware

mc

Hello, I ran KAV and Ad-aware and Ad-aware came back with this;

Name:Windows
Category:Vulnerability
Object Type:RegData
Size:15 Bytes
Location:regfile\shell\open\command "" (notepad.exe %1)
Last Activity:2-19-2006
Relevance:Low
TAC index:3
Comment:possible virus infection, REG file extension compromised
Description:General Windows Security Issue. Your system security may be
compromised. The specifics of the possible compromised item are listed in
the comments section.

Does anyone know what this is? I had Ad-aware delete it then I ran sys mech
6 comprehensive check up, rebooted and ran Ad-aware again. Ad-aware showed
this same reg file as a problem a second time.
thanks mc
 
David H. Lipman

From: "mc" <[email protected]>

| Hello I ran KAV and Ad-aware and Ad-aware came back with this;
|
| Name:Windows
| Category:Vulnerability
| Object Type:RegData
| Size:15 Bytes
| Location:regfile\shell\open\command "" (notepad.exe %1)
| Last Activity:2-19-2006
| Relevance:Low
| TAC index:3
| Comment:possible virus infection, REG file extension compromised
| Description:General Windows Security Issue. Your system security may be
| compromised. The specifics of the possible compromised item are listed in
| the comments section.
|
| Does anyone know what this is? I had Ad-aware delete it then I ran sys mech
| 6 comprehensive check up, rebooted and ran Ad-aware again. Ad-aware showed
| this same reg file as a problem a second time.
| thanks mc
|

It looks like it is reacting to an alteration in the file association of a .REG file.

Let Ad-aware correct the alteration.
 
Jake Dodd

mc said:
Hello I ran KAV and Ad-aware and Ad-aware came back with this;

Name:Windows
Category:Vulnerability
Object Type:RegData
Size:15 Bytes
Location:regfile\shell\open\command "" (notepad.exe %1)
Last Activity:2-19-2006
Relevance:Low
TAC index:3
Comment:possible virus infection, REG file extension compromised
Description:General Windows Security Issue. Your system security may be
compromised. The specifics of the possible compromised item are listed in
the comments section.

Does anyone know what this is? I had Ad-aware delete it then I ran sys mech
6 comprehensive check up, rebooted and ran Ad-aware again. Ad-aware showed
this same reg file as a problem a second time.
thanks mc

Personally, I wouldn't want the registry association for .reg files to be the correct
"regedit.exe %1" and would change it to "notepad.exe %1" for security reasons.
If any .reg files were double-clicked it would now open notepad and display the
contents of the registry patch in notepad instead of altering the registry.

The patch could still be imported via the command line.

Are you sure you don't have some sort of automated security here?
 
mc

I noticed that when I let Ad-aware do its 'fix' then sys mech 6 shows only
a fair rating on the home page when first opened. So then I let sys mech run
a comprehensive checkup to get a 'good' safety light on the home page.
So if I run Ad-aware again the same info comes back as in my first post. I
wonder if sys mech 6 is doing this reg file setup?
However I do remember changing a reg setting somewhere that would clear the
page file on shut down.
mc
 
me

Hello I ran KAV and Ad-aware and Ad-aware came back with
this;

Name:Windows
Category:Vulnerability
Object Type:RegData
Size:15 Bytes
Location:regfile\shell\open\command "" (notepad.exe %1)
Last Activity:2-19-2006
Relevance:Low
TAC index:3
Comment:possible virus infection, REG file extension
compromised Description:General Windows Security Issue.
Your system security may be compromised. The specifics of
the possible compromised item are listed in the comments
section.

Does anyone know what this is? I had Ad-aware delete it
then I ran sys mech 6 comprehensive check up, rebooted and
ran Ad-aware again. Ad-aware showed this same reg file as a
problem a second time. thanks mc

Ignore it. Ad-aware has always (at least since ver.6) been
'bitching' about that.

And it will 'bitch' even when open specifies "regedit.exe %1".

J
 
Jake Dodd

Ignore it. Ad-aware has always (at least since ver.6) been
'bitching' about that.

And it will 'bitch' even when open specifies "regedit.exe %1".

That's odd behavior. Why would a correct value be flagged?
 
(PeteCresswell)

Per Jake Dodd:
That's odd behavior. Why would a correct value be flagged?

This is just a guess, but how about if a Trojan/keystroke monitor or whatever
were named something like NotePad.exe and stuffed into some sub-sub-sub
directory?
 
* * Chas

(PeteCresswell) said:
Per Jake Dodd:

This is just a guess, but how about if a Trojan/keystroke monitor or whatever
were named something like NotePad.exe and stuffed into some sub-sub-sub
directory?

A year and a half ago I had a hijacker attack that replaced my Notepad.exe file
with a file that contained the W32/Sillydl.dl Trojan.

It also placed a copy of the same infected file in the C:\Windows\System32
folder, and another copy of the same file renamed Setup1.exe was placed in
my C:\Temp folder.

I fixed the problem manually, but it took about 3 months before any AV
product found the critter.

I'm running Win98SE so Notepad.exe should only be in the C:\Windows
folder - same for Win95 and WinME. In NT4, Win2k and WinXP, Notepad.exe
should be in C:\Windows\System32 (or wherever Windows resides on your
system).

A search in Google Groups/alt.comp.anti-virus listed about 30 other
threads related to Notepad.exe problems.

Chas.
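The two checks this thread circles around, whether the .REG file association under regfile\shell\open\command points at regedit.exe (Windows default) or at notepad.exe (the change Jake Dodd describes), and whether the program it resolves to actually lives under the Windows directory as Chas says it should, as an added PowerShell example that is not part of the thread or of any of the tools mentioned in it. It assumes a current Windows with PowerShell 5.1 or later; the function and variable names are mine, reading the key needs no special rights, and the optional write needs an elevated prompt.

```powershell
# Added example (not from the thread): audit the .REG file association that
# Ad-aware was flagging, and sanity-check the program it points at.
# Assumptions: Windows, PowerShell 5.1+; changing HKCR needs an elevated prompt.

$RegFileCommandKey = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'

function Get-RegFileAssociation {
    # Raw command string stored under regfile\shell\open\command, e.g.
    # 'regedit.exe "%1"' (Windows default) or 'notepad.exe %1' (hardened).
    $item = Get-ItemProperty -Path $RegFileCommandKey -ErrorAction Stop
    return [string]$item.'(default)'
}

function Resolve-CommandExecutable {
    param([Parameter(Mandatory)][string]$Command)
    # The first token of the command line is the program; it may be quoted.
    if ($Command -match '^\s*"([^"]+)"' -or $Command -match '^\s*(\S+)') {
        $exe = $Matches[1]
    } else {
        return $null
    }
    if (Test-Path -LiteralPath $exe) { return (Resolve-Path -LiteralPath $exe).Path }
    # Bare name: resolve through PATH, the same way the shell would.
    $found = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
             Select-Object -First 1
    if ($found) { return $found.Source }
    return $null
}

function Test-RegFileAssociation {
    $command = Get-RegFileAssociation
    $exePath = Resolve-CommandExecutable -Command $command
    $result  = [ordered]@{
        Command     = $command
        Executable  = $exePath
        Mode        = 'unknown'
        InWindowsDir = $false
        Signature   = 'n/a'
        Sha256      = 'n/a'
    }
    if ($command -match '^\s*"?[^"\s]*regedit\.exe')     { $result.Mode = 'default (double-click imports)' }
    elseif ($command -match '^\s*"?[^"\s]*notepad\.exe') { $result.Mode = 'hardened (double-click opens in Notepad)' }

    if ($exePath) {
        # Chas's point: the real notepad.exe/regedit.exe live under the Windows
        # directory; a copy resolved from anywhere else deserves a closer look.
        $result.InWindowsDir = $exePath -like "$env:SystemRoot\*"
        $result.Signature    = (Get-AuthenticodeSignature -FilePath $exePath).Status
        $result.Sha256       = (Get-FileHash -Path $exePath -Algorithm SHA256).Hash
    }
    return [pscustomobject]$result
}

function Set-RegFileAssociationToNotepad {
    # The change Jake Dodd describes: double-click shows the .reg file instead
    # of importing it. Run elevated; -WhatIf previews the write without doing it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $value = 'notepad.exe %1'
    if ($PSCmdlet.ShouldProcess($RegFileCommandKey, "set (default) to '$value'")) {
        Set-ItemProperty -Path $RegFileCommandKey -Name '(default)' -Value $value
    }
}

# Report the current state; uncomment the last line (elevated) to apply the change.
Test-RegFileAssociation | Format-List
# Set-RegFileAssociationToNotepad -WhatIf
```

A report showing Mode = hardened, InWindowsDir = True and Signature = Valid is exactly the state Ad-aware keeps flagging in this thread; the point of the hash and signature fields is that they tell the "harmless hardening" case apart from the "something called notepad.exe in an odd folder" case that PeteCresswell and Chas raise, which the scanner's one-line verdict does not.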
 
Jake Dodd

(PeteCresswell) said:
Per Jake Dodd:

This is just a guess, but how about if a Trojan/keystroke monitor or whatever
were named something like NotePad.exe and stuffed into some sub-sub-sub
directory?

If I understand your question correctly, it doesn't matter. If a malware takes
advantage of a normal (default) key value, that does not make the value a
bad thing. Naming it NotePad.exe and changing the key value to notepad.exe
%1 would be equivalent to naming the malware RegEdit.exe and not altering
the key value.

If I misunderstood your question, please elaborate.
 
Jake Dodd

BoB said:
The WMF exploit can be used against notepad. See

It's not 'used against' notepad, it is only using notepad as a way to show
the user that a command has been run by the exploit.
http://testing.OnlyTheRightAnswers.com/wmfexploit.zip

It tests notepad against nine different extensions.

It is not testing notepad against anything, it is testing the various file extensions
for vulnerable behavior and using notepad as a demonstration that the exploit
has the power to invoke program files without user interaction.
 
BoB

It's not 'used against' notepad, it is only using notepad as a way to show
the user that a command has been run by the exploit.


It is not testing notepad against anything, it is testing the various file extensions
for vulnerable behavior and using notepad as a demonstration that the exploit
has the power to invoke program files without user interaction.

Thanks, that's a better explanation. The OP should get the point now.

BoB
 
mc

Kaspersky anti-hacker does not like this file. It wants to quarantine
everything. So how do you safely perform this test?
mc
 