Spyware problem with "...command=regedit.exe "%1"

Archived from groups: microsoft.public.windowsme.general (More info?)

Each day I run the spyware programs and virus program.
Lately Spy-bot and Ad-Aware have been detecting the
following entry into the WinME CLASSES registry
HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"

My first question is what is it, and where is it coming
from? Seems that Windows loads it. I say that because I've
been trying to determine the culprit by not automatically
starting programs.

The next question is how dangerous is it?

Finally, how do I get rid of it (if it really is dangerous)
once and for all?

Thanks,
Dave
 

That software is flagging that?

Looks pretty normal to me.

Basically it is saying the class of files known as "regfile" are to be opened by REGEDIT.EXE
with the name of the file being the first switch parameter.

The only question I have is: is that the exact syntax?

I ask this because of the equal sign (=) before REGEDIT.EXE.

--
Dave




"Dave Boland" <NOSPAMdboland9@stny.rr.com> wrote in message
news:UYtOd.29241$8H2.26939@twister.nyroc.rr.com...
| Each day I run the spyware programs and virus program.
| Lately Spy-bot and Ad-Aware have been detecting the
| following entry into the WinME CLASSES registry
| HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"
|
| My first question is what is it, and where is it coming
| from? Seems that Windows loads it. I say that because I've
| been trying to determine the culprit by not automatically
| starting programs.
|
| The next question is how dangerous is it?
|
| Finally, how do I get rid of it (if it really is dangerous)
| once and for all?
|
| Thanks,
| Dave
|
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsme.general (More info?)

Dave Boland wrote:
> Each day I run the spyware programs and virus program. Lately Spy-bot
> and Ad-Aware have been detecting the following entry into the WinME
> CLASSES registry
> HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"
>
> My first question is what is it, and where is it coming from? Seems
> that Windows loads it. I say that because I've been trying to determine
> the culprit by not automatically starting programs.
>
> The next question is how dangerous is it?
>
> Finally, how do I get rid of it (if it really is dangerous) once and for
> all?
>
> Thanks,
> Dave
>

Mine commonly flag Regedit as an MRU item if that helps... perhaps it
thinks you should rename regedit to something else for security's sake
or at least disable the .reg association.


Rick
 

Dave Boland wrote:
> Each day I run the spyware programs and virus program.
> Lately Spy-bot and Ad-Aware have been detecting the
> following entry into the WinME CLASSES registry
> HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"
>
> My first question is what is it, and where is it coming
> from? Seems that Windows loads it. I say that because I've
> been trying to determine the culprit by not automatically
> starting programs.
>
> The next question is how dangerous is it?
>
> Finally, how do I get rid of it (if it really is dangerous)
> once and for all?

You've had a lot of helpful responses. I doubt it's a problem, but that
isn't completely clear yet.

What I haven't seen is anyone give you a recommendation for how to identify
whether or not there really is a problem, and what to do about it if there
is. Here are the steps I recommend:
http://aumha.org/a/quickfix.htm

--
Jim Eshelman, MS-MVP Windows/Security
Windows Support Center: http://aumha.org/
AumHa Forums: http://aumha.net/
 

Dave,

I'm unclear as to why SpyBot or AdAware should be flagging this entry as
it is quite normal although I'm a bit uncertain about the nomenclature
used. Basically I would expect to see at the key:
HKEY_CLASSES_ROOT\regfile\shell\open\command
the Default string value: regedit.exe "%1"

What this means is that in association with the key:
HKEY_CLASSES_ROOT\.reg
the default action when attempting to open a file with a REG extension is
to use Regedit.exe.
--
Mike Maltby MS-MVP
mike.maltby@gmail.com


Dave Boland <NOSPAMdboland9@stny.rr.com> wrote:

> Each day I run the spyware programs and virus program.
> Lately Spy-bot and Ad-Aware have been detecting the
> following entry into the WinME CLASSES registry
> HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"
>
> My first question is what is it, and where is it coming
> from? Seems that Windows loads it. I say that because I've
> been trying to determine the culprit by not automatically
> starting programs.
>
> The next question is how dangerous is it?
>
> Finally, how do I get rid of it (if it really is dangerous)
> once and for all?
 


"Dave Boland" <NOSPAMdboland9@stny.rr.com> wrote in message
news:UYtOd.29241$8H2.26939@twister.nyroc.rr.com...
> Each day I run the spyware programs and virus program. Lately Spy-bot and
> Ad-Aware have been detecting the following entry into the WinME CLASSES
> registry
> HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"

Strange. That is the registry key that sets Regedit as the default
application for opening *.reg files (Registration Entries) and is perfectly
legit. So when you double-click a (valid) file with a .reg extension,
Regedit.exe opens it - and you're asked if you want to add the information
in whatever.reg into the registry. Click Yes, and it goes in.

The default action for double-clicking a reg file can be changed to Edit, thus to
open in a text editor instead, which is much safer. Then if you know you
want to add the information within it to the registry, you right-click and
select Merge.

However, I fail to see why Spybot and Ad-aware are alerting on this entry,
or if they're set to alert on changes, why that one has been changed (to
what it should be anyway!). What else do they say, what are the details?



Shane
 


> The default action for d-clicking a reg file can be changed to Edit, thus
> to open in a text editor instead, which is much safer. Then if you know
> you want to add the information within it to the registry, you r-click and
> select Merge.
>
> However, I fail to see why Spybot and Ad-aware are alerting on this entry,
> or if they're set to alert on changes, why that one has been changed (to
> what it should be anyway!).

Unless it was previously set to open regfiles in Notepad and has now been
reverted?


Shane
 

Shane wrote:
>> The default action for d-clicking a reg file can be changed to Edit,
>> thus to open in a text editor instead, which is much safer. Then if
>> you know you want to add the information within it to the registry,
>> you r-click and select Merge.
>>
>> However, I fail to see why Spybot and Ad-aware are alerting on this
>> entry, or if they're set to alert on changes, why that one has been
>> changed (to what it should be anyway!).
>
> Unless it was previously set to open regfiles in Notepad and has now
> been reverted?

You can change this entry back and forth with these Registry patches from
http://aumha.org/regfiles.htm -

To set .REG files to open in Notepad by default:
http://aumha.org/downloads/editreg.zip

To set .REG files back to open with RegEdit by default:
http://aumha.org/downloads/uneditreg.zip

--
Jim Eshelman, MS-MVP Windows/Security
Windows Support Center: http://aumha.org/
AumHa Forums: http://aumha.net/
 

David H. Lipman wrote:
> Those software are flagging that ?
>
> Looks pretty normal to me.
>
> Basically it is saying the class of files known as "regfile" are to be opened by REGEDIT.EXE
> with the name of the file being the first switch parameter.
>
> The only question I have is that the exact syntax ?
>
> I ask this because of the equal sign (=) before REGEDIT.EXE.
>

David and others,

After doing some more homework, here is what I'm finding.

1. As soon as WindowsME is up, I run regedit to look at
HKEY_CLASSES_ROOT\regfile\open\command The contents are
actually Name = [Default], and Data = "D:\SCRIPT
SENTRY\SCRIPTSENTRY.exe "%1"%"

Script Sentry is a program to protect my system from scripts
that are used in Microsoft products. This is a program that
I installed.

2. I run Spybot and it says:
Common Extension hijack: Default registry file handler
(Registry change, nothing done)
HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe
"%1"

This is what will be in the entry if I accept it. I'm not
going to accept it because I want Script Sentry to process
it first.

So, I guess I have a false alarm?

Dave
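An added example, not code from the thread: a Python check that follows .reg -> regfile -> default verb -> command the way Explorer does on a double-click (Shane's and Mike's explanation above) and classifies the handler the way Spybot's "Default registry file handler" check does, so the stock regedit value, the Notepad-by-default variant and Dave's Script Sentry wrapper can be told apart. The three .reg exports are constructed; the Script Sentry command line's quoting is tidied up and is an assumption, not a copy of Dave's post.

```python
import ntpath
import re

# Constructed .reg exports ("Registry Editor Version 5.00" syntax, where \ and " inside a
# value are escaped as \\ and \"). The Script Sentry command is an assumed tidy form.
COMMON = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.reg]
@="regfile"

[HKEY_CLASSES_ROOT\regfile\shell\edit\command]
@="%SystemRoot%\\NOTEPAD.EXE %1"
'''
STOCK_REG = COMMON + r'''[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''
SCRIPT_SENTRY_REG = COMMON + r'''[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="\"D:\\SCRIPT SENTRY\\SCRIPTSENTRY.exe\" \"%1\""
'''
# Same as stock, but the "edit" verb is made the default (what the aumha editreg patch does).
EDIT_DEFAULT_REG = STOCK_REG + r'''
[HKEY_CLASSES_ROOT\regfile\shell]
@="edit"
'''


def parse_reg_export(text):
    """Map each [key] in the export to its (Default) string value, or None if it has none."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, None)
        elif line.startswith('@="') and line.endswith('"') and current is not None:
            # Drop the @=" ... " wrapper, then undo the \\ and \" escaping in one pass.
            keys[current] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return keys


def split_command(cmd):
    """Return the executable from a shell command string; a quoted path may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def resolve_handler(keys, ext=".reg"):
    """Follow extension -> ProgID -> default verb -> command, as Explorer does on a double-click."""
    progid = keys.get("HKEY_CLASSES_ROOT\\" + ext)
    if not progid:
        return None, None
    # An absent or empty (Default) under ...\shell means the "open" verb is the default.
    verb = keys.get("HKEY_CLASSES_ROOT\\%s\\shell" % progid) or "open"
    return verb, keys.get("HKEY_CLASSES_ROOT\\%s\\shell\\%s\\command" % (progid, verb))


def handler_report(reg_text):
    """Classify the .reg handler the way a 'default registry file handler' check would."""
    verb, cmd = resolve_handler(parse_reg_export(reg_text))
    if cmd is None:
        return verb, None, "no handler"
    exe = ntpath.basename(split_command(cmd)).lower()
    if exe == "regedit.exe":
        status = "stock"              # double-click merges the file into the registry
    elif exe == "notepad.exe":
        status = "edit-by-default"    # double-click only opens the file for reading
    else:
        status = "non-stock handler"  # a wrapper such as Script Sentry, or a hijack: verify it
    return verb, exe, status
```

Run `handler_report()` over a real `regedit /e` export of HKEY_CLASSES_ROOT to see which of the three cases a machine is in; "non-stock handler" is where a scanner's alert deserves a look at the named executable.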
 

Yes. It looked at SCRIPT SENTRY as malware.

--
Dave L.




"Dave Boland" <NOSPAMdboland9@stny.rr.com> wrote in message
news:NNuOd.29248$8H2.19105@twister.nyroc.rr.com...
| David H. Lipman wrote:
| > Those software are flagging that ?
| >
| > Looks pretty normal to me.
| >
| > Basically it is saying the class of files known as "regfile" are to be opened by REGEDIT.EXE
| > with the name of the file being the first switch parameter.
| >
| > The only question I have is that the exact syntax ?
| >
| > I ask this because of the equal sign (=) before REGEDIT.EXE.
| >
|
| David and others,
|
| After doing some more homework, here is what I'm finding.
|
| 1. As soon as WindowsME is up, I run regedit to look at
| HKEY_CLASSES_ROOT\regfile\open\command The contents are
| actually Name = [Default], and Data = "D:\SCRIPT
| SENTRY\SCRIPTSENTRY.exe "%1"%"
|
| Script Sentry is a program to protect my system from scripts
| that are used in Microsoft products. This is a program that
| I installed.
|
| 2. I run Spybot and it says:
| Common Extension hijack: Default registry file handler
| (Registry change, nothing done)
| HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe
| "%1"
|
| This is what will be in the entry if I except it. I'm not
| going to accept it because I want Script Sentry to process
| it first.
|
| So, I guess I have a false alarm?
|
| Dave,
|
 


"Dave Boland" <NOSPAMdboland9@stny.rr.com> wrote in message
news:NNuOd.29248$8H2.19105@twister.nyroc.rr.com...
> David H. Lipman wrote:
>> Those software are flagging that ?
>>
>> Looks pretty normal to me.
>>
>> Basically it is saying the class of files known as "regfile" are to be
>> opened by REGEDIT.EXE
>> with the name of the file being the first switch parameter.
>>
>> The only question I have is that the exact syntax ?
>>
>> I ask this because of the equal sign (=) before REGEDIT.EXE.
>>
>
> David and others,
>
> After doing some more homework, here is what I'm finding.
>
> 1. As soon as WindowsME is up, I run regedit to look at
> HKEY_CLASSES_ROOT\regfile\open\command The contents are actually Name =
> [Default], and Data = "D:\SCRIPT SENTRY\SCRIPTSENTRY.exe "%1"%"
>
> Script Sentry is a program to protect my system from scripts that are used
> in Microsoft products. This is a program that I installed.
>
> 2. I run Spybot and it says:
> Common Extension hijack: Default registry file handler (Registry change,
> nothing done)
> HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"
>
> This is what will be in the entry if I except it. I'm not going to accept
> it because I want Script Sentry to process it first.
>
> So, I guess I have a false alarm?
>

Yes. You should set SB and AAW to ignore that particular one.


Shane
 


"Jim Eshelman" <newsgroups@NSaumha.org> wrote in message
news:Os3V79vDFHA.2632@TK2MSFTNGP12.phx.gbl...
> Shane wrote:
>>> The default action for d-clicking a reg file can be changed to Edit,
>>> thus to open in a text editor instead, which is much safer. Then if
>>> you know you want to add the information within it to the registry,
>>> you r-click and select Merge.
>>>
>>> However, I fail to see why Spybot and Ad-aware are alerting on this
>>> entry, or if they're set to alert on changes, why that one has been
>>> changed (to what it should be anyway!).
>>
>> Unless it was previously set to open regfiles in Notepad and has now
>> been reverted?
>
> You can change this entry back and forth with these Registry patches from
> http://aumha.org/regfiles.htm -
>
> To set .REG files to open in Notepad by default:
> http://aumha.org/downloads/editreg.zip
>
> To set .REG files back to open with RegEdit by default:
> http://aumha.org/downloads/uneditreg.zip
>

I did look for those, Jim (hence why my post was later than Dave and
Mike's). Didn't see them in the Registry section and thought better of
elaborating further.

Shane
 

Rather than using a registry patch to open REG files in notepad or regedit
all that is necessary is to use Control Panel | Folder Options | File
Types, select the REG extension, click Advanced and set the default action
to Edit (to open in Notepad) or Merge (to run using Regedit).
--
Mike Maltby MS-MVP
mike.maltby@gmail.com


Shane <arthursixpence@hotmail.com> wrote:

>> You can change this entry back and forth with these Registry patches
>> from http://aumha.org/regfiles.htm -
>>
>> To set .REG files to open in Notepad by default:
>> http://aumha.org/downloads/editreg.zip
>>
>> To set .REG files back to open with RegEdit by default:
>> http://aumha.org/downloads/uneditreg.zip
>>
>
> I did look for those, Jim (hence why my post was later than Dave and
> Mike's). Didn't see them in the Registry section and thought better of
> elaborating further.
 


Personally, I have to go through configuring EditpadLite to open/edit .reg -
and all the other ascii-type files. The reg file is convenient, but I must
remember to edit it for Editpad and to set the others too, sometime!


Shane


"Mike M" <No_Spam@Corned_Beef.Only> wrote in message
news:OJdV0YwDFHA.2600@TK2MSFTNGP09.phx.gbl...
> Rather than using a registry patch to open REG files in notepad or regedit
> all that is necessary is to use Control Panel | Folder Options | File
> Types, select the REG extension, click Advanced and set the default action
> to Edit (to open in Notepad) or Merge (to run using Regedit).
> --
> Mike Maltby MS-MVP
> mike.maltby@gmail.com
>
>
> Shane <arthursixpence@hotmail.com> wrote:
>
> >> You can change this entry back and forth with these Registry patches
> >> from http://aumha.org/regfiles.htm -
> >>
> >> To set .REG files to open in Notepad by default:
> >> http://aumha.org/downloads/editreg.zip
> >>
> >> To set .REG files back to open with RegEdit by default:
> >> http://aumha.org/downloads/uneditreg.zip
> >>
> >
> > I did look for those, Jim (hence why my post was later than Dave and
> > Mike's). Didn't see them in the Registry section and thought better of
> > elaborating further.
>
 


I originally tried Editpad on Koldbear's recommendation. It must be the
anniversary of his death any day now. I've got some red coming back from
France tomorrow, think I'll raise a glass to the ol' ah heck!


Shane


"Shane" <arthursixpence@hotmail.com> wrote in message
news:36voudF4dqddqU1@individual.net...
> Personally, I have to go through configuring EditpadLite to open/edit .reg -
> and all the other ascii-type files. The reg file is convenient, but I must
> remember to edit it for Editpad and to set the others too, sometime!
>
>
> Shane
>
>
> "Mike M" <No_Spam@Corned_Beef.Only> wrote in message
> news:OJdV0YwDFHA.2600@TK2MSFTNGP09.phx.gbl...
> > Rather than using a registry patch to open REG files in notepad or regedit
> > all that is necessary is to use Control Panel | Folder Options | File
> > Types, select the REG extension, click Advanced and set the default action
> > to Edit (to open in Notepad) or Merge (to run using Regedit).
> > --
> > Mike Maltby MS-MVP
> > mike.maltby@gmail.com
> >
> >
> > Shane <arthursixpence@hotmail.com> wrote:
> >
> > >> You can change this entry back and forth with these Registry patches
> > >> from http://aumha.org/regfiles.htm -
> > >>
> > >> To set .REG files to open in Notepad by default:
> > >> http://aumha.org/downloads/editreg.zip
> > >>
> > >> To set .REG files back to open with RegEdit by default:
> > >> http://aumha.org/downloads/uneditreg.zip
> > >>
> > >
> > > I did look for those, Jim (hence why my post was later than Dave and
> > > Mike's). Didn't see them in the Registry section and thought better of
> > > elaborating further.
> >
>
>
 

Thank you Shane for reminding me of Koldbear.

--
Dave




"Shane" <arthursixpence@hotmail.com> wrote in message news:36vp62F572nkjU1@individual.net...
| I originally tried Editpad on Koldbear's recommendation. It must be the
| anniversary of his death any day now. I've got some red coming back from
| France tomorrow, think I'll raise a glass to the ol' ah heck!
|
|
| Shane
|
 

Dave Boland wrote:
> Each day I run the spyware programs and virus program. Lately Spy-bot
> and Ad-Aware have been detecting the following entry into the WinME
> CLASSES registry
> HKEY_CLASSES_ROOT\regfile\shell\open\command\=regedit.exe "%1"
>
> My first question is what is it, and where is it coming from? Seems
> that Windows loads it. I say that because I've been trying to determine
> the culprit by not automatically starting programs.
>
> The next question is how dangerous is it?
>
> Finally, how do I get rid of it (if it really is dangerous) once and for
> all?
>
> Thanks,
> Dave
>

Thank you all!! I really appreciate your help!

Dave
 

Mike M wrote:
> Rather than using a registry patch to open REG files in notepad or
> regedit all that is necessary is to use Control Panel | Folder
> Options | File Types, select the REG extension, click Advanced and
> set the default action to Edit (to open in Notepad) or Merge (to run
> using Regedit).

That's easier than clicking a .REG file? <g>

--
Jim Eshelman, MS-MVP Windows/Security
Windows Support Center: http://aumha.org/
AumHa Forums: http://aumha.net/
 


Well, here we go, Dave.........(glass of red).........*To Koldbear!*



Shane




"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:uIv7i2wDFHA.4004@tk2msftngp13.phx.gbl...
> Thank you Shane for reminding me of Koldbear.
>
> --
> Dave
>
>
>
>
> "Shane" <arthursixpence@hotmail.com> wrote in message
news:36vp62F572nkjU1@individual.net...
> | I originally tried Editpad on Koldbear's recommendation. It must be the
> | anniversary of his death any day now. I've got some red coming back from
> | France tomorrow, think I'll raise a glass to the ol' ah heck!
> |
> |
> | Shane
> |
>
>
 

A shot of JD -- in the memory of *Koldbear !*
< gulp >

--
Dave




"Shane" <arthursixpence@hotmail.com> wrote in message
news:eQuW7h8DFHA.2568@TK2MSFTNGP10.phx.gbl...
| Well, here we go, Dave.........(glass of red).........*To Koldbear!*
|
|
|
| Shane
|
|
|
|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
| news:uIv7i2wDFHA.4004@tk2msftngp13.phx.gbl...
| > Thank you Shane for reminding me of Koldbear.
| >
| > --
| > Dave
| >
| >
| >
| >
| > "Shane" <arthursixpence@hotmail.com> wrote in message
| news:36vp62F572nkjU1@individual.net...
| > | I originally tried Editpad on Koldbear's recommendation. It must be the
| > | anniversary of his death any day now. I've got some red coming back from
| > | France tomorrow, think I'll raise a glass to the ol' ah heck!
| > |
| > |
| > | Shane
| > |
| >
| >
|
|
 

Jim Eshelman wrote:

> That's easier than clicking a .REG file? <g>

Aren't you supposed to double-click it? Considerably more effort than
just "clicking it". (Sorry Mike... and Jim, it's a wide open shot...)

John
 

John John wrote:
> Jim Eshelman wrote:
>
>> That's easier than clicking a .REG file? <g>
>
> Aren't you supposed to double click it? A considerable more effort
> than just "clicking it". (Sorry Mike... and Jim, it's a wide open
> shot...)

On any Windows version from 98 onward, the option for single-click launch is
available ... and I do tend to assume that the rest of the world is as lazy
as me! <vbg>

--
Jim Eshelman, MS-MVP Windows/Security
Windows Support Center: http://aumha.org/
AumHa Forums: http://aumha.net/
 

Jim Eshelman wrote:

> On any Windows version from 98 onward, the option for single-click launch is
> available ... and I do tend to assume that the rest of the world is as lazy
> as me! <vbg>

So what do you do if you want to just highlight something or drag'n'drop?

Rick
 

Yes, as it puts everything in the hand of the user rather than requiring
them to go to a third party site and download a tool to do it for them.
Better also perhaps in that they learn something about what they are
doing. :)
--
Mike Maltby MS-MVP
mike.maltby@gmail.com


Jim Eshelman <newsgroups@NSaumha.org> wrote:

> Mike M wrote:
>> Rather than using a registry patch to open REG files in notepad or
>> regedit all that is necessary is to use Control Panel | Folder
>> Options | File Types, select the REG extension, click Advanced and
>> set the default action to Edit (to open in Notepad) or Merge (to run
>> using Regedit).
>
> That's easier than clicking a .REG file? <g>
 

Well, I'm just as lazy; I have been through 98 to XP <g>
Joan

Jim Eshelman wrote:

> On any Windows version from 98 onward, the option for single-click launch is
> available ... and I do tend to assume that the rest of the world is as lazy
> as me! <vbg>
>