Problems with takeown takeover
Thread Solved
Hi
I have an unusual problem in that I can no longer open AVI, MP3, WAV, WMV or MPEG files by double clicking on them, but I am concerned that the real problem is more complex and would like some advice as to whether I need to re-install Vista or there is a simple fix. The problem seems to be related to the 'takeown' command which I had never heard of before this happened. It seems to have "taken over" my PC when I want to play media files.
My system: I am running Vista Home Premium (SP1) on a P5 Intel PC (2.66 GHz, 2664 MHz, 2 Core) with 4GB RAM.
The symptoms: first noticed when I double-clicked on an AVI video file and UAC came up (which was unusual) and when I clicked on 'Yes' to proceed the command window flicked on for a brief moment then disappeared and after that nothing happened. I can play the AVI by right clicking and using 'Open with ..'. This behaviour also applies to MPEG, WMV, MP3 and WAV files, but not FLV or MOV files (which play normally).
Odd thing: at the same time all my printer drivers seemed to disappear. I got them back by reverting to a System restore point 2 days previous - but not to a point before that - which suggests whatever happened was a couple of days ago. Or this may be coincidental.
What happens?
When I double click on the above types of files I get a UAC type message that looks slightly different (sorry, I couldn't capture a screenshot) and contains the words "Windows Command Processor" and an icon of the CMD Prompt Window. If I click on 'Details' I get the following message "cmd.exe" /c takeown /f "U:\Video Clips\April" && icacls "U:\Video Clips\April" (this last is the file I am clicking on on the external drive U). If I click on continue that's when the CMD Window opens and closes so fast I can't read what it says - then nothing happens at all.
I have tried double clicking on office files with no problem - they open normally.
I googled 'takeown' and discovered what it does, and it was then I noticed that if I right click on any of these files (in fact any files) I now have a new option - 'Take Ownership' which I didn't have before and I never created - so some software I have installed has presumably done it. By looking in the register I have found the following:
HKEY_CLASSES_ROOT\*\shell\runas\command
There are 2 lines both saying cmd.exe /c takeown /f "%1" && icacls "%1" /grant administrators:F
HKEY_CLASSES_ROOT\Directory\shell\runas\command
There are 2 lines both saying cmd.exe /c takeown /f "%1" /r/d y && icacls "%1" /grant administrators:F/t
Presumably these have introduced the new option to Take Ownership in the right click menu.
I am almost wary of now introducing the fact that around 3-4 days ago I got a warning from Windows Live One-Care that I had a trojan which it removed. I stupidly did not write down its name and am having trouble identifying it in a log somewhere. I have checked with anti malware and antivirus programs and nothing comes up - so I have no idea if this is connected.
I really want advice on what to do next. Do I remove those entries in the register and see what happens? Can I try anything else? I could revert to an image I took just before Christmas if need be - or if I have to reinstall Vista. Help please.
Your caution is wise. Something has changed the file association to "CMD /c ..." etc. Incidentally it's the /c that makes the CMD screen disappear. As an aside, if you amended the /c to /k in the registry entry, then the screen will remain.
Disregarding for the moment the possibility of Malware, when you right click the media file, you should be offered a choice to set the default program. Yes? And if so, what happens?
I've not seen such registry entries in _ROOT\*. Any chance of attaching a full text print of that registry section and the .avi entry down to two levels?
In any case, treat this as the consequences of a malware attack and run the anti-malware program mentioned in the Readme posts of the Virus forum. If there's anything to report that you can't handle, do open a thread there and let us know here that you've done so.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
Many thanks for your reply.
First I altered the CMD /c to CMD /k as you suggested and the screen stayed open. I enclose a screenshot (it doesn't mean anything to me, I'm afraid).
On the default program - setting the default to VLC means I can see the clip as normal at that time, but as soon as I exit and then try double-clicking on it again I get the original problem.
I have attached a txt file of a printout from regedit - I hope I understood your request for 'that section down to 2 levels'. I did not understand what you meant by the .avi entry?
I ran Malwarebytes' Anti-Malware last night (without all the stages described in the Readme in the Virus Forum) and it got about halfway through all my drives before I stopped it - and I enclose that report as well. I have a large number of external backup drives (USB) attached and it hasn't scanned them all yet - but it completed the 3 hard drives in my PC (C:, D: and E:).
So the 3 attachments are:
CMD error-grace.jpg - screenshot of the CMD screen that opens when I double-click on the avi file
reg-grace_1.txt - my attempt at a printout of regedit
mbam-log-2009-02-11 (07-19-20).txt - log file from MBA-M run last night.
Meanwhile I will get started on the process in the virus forum.
Mike
Difficult to say what caused this. Did you try and take ownership of any media files?
Anyway, you can safely delete these two keys and reset your default for the media files.
Key Name: HKEY_CLASSES_ROOT\*\shell\runas
Key Name: HKEY_CLASSES_ROOT\*\shell\runas\command
The .avi key should have been further down in that part of the registry. I would have expected to see in ordinary circumstances something like (first three lines):
.avi
OpenWithList
VLC.ex
When you've removed those registry keys, re-booted and tried again, I don't expect these entries to come back unless something's putting them there.
When did this first occur? Date? Time if known-ish?
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
Sorry everyone for not replying yet - I have been working through the procedure for trying to make sure I don't have any viruses or trojans and not logging onto the internet.
I am currently using another computer to catch up on e-mail - and I don't think I'll have access to my affected PC until tomorrow.
I will attempt your suggestions then and report back.
Meanwhile - here are your answers to the questions I can answer.
I did not try to take ownership of any files. I first noticed the problem about 2 days ago, but as I hadn't tried opening any media files for several days it might have started 3-4 days before that. Currently I have VLC as my default for avi files, and was using it for my MP3 files as well, but changed that about 6 days ago - and I tried a new audio player (which might have caused the problem). However, as I used System Restore it has removed the player from my PC. It was called UltraPlayer and I downloaded it from Download.com (which I assume to be a safe site). It did ask me to set files and I set mp3 and wav - but not avi or mpeg.
Currently I am unable to remove the lines from the registry and reboot (my PC is checking for malware and it is taking a long time). As soon as I know it's clear I'll do as you suggest and report back.
(Incidentally - I have found a number of tracking cookies which were deleted - but no other trojans yet).
That's fine. Just follow the steps I suggested (back up the registry first).
Let us know what's in the .avi line in the ROOT part of the registry.
If you have no trojan then I expect the aberrational behaviour to stop when you've deleted the registry entries. If those entries re-appear, then something's putting them there.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
The .avi key is what I would have expected and should govern behaviour when you click an avi file.
So let us know when you've deleted the registry keys, re-booted, tried it, re-inspected the registry etc.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
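The re-inspection step discussed in this thread (export the registry section, delete the keys, reboot, export again) can be checked offline with a small parser. This is an added example, not code from any poster: it assumes the "Key Name / Last Write Time / Value" layout of regedit's text export, runs on a constructed sample, and the names `parse_export` and `flag_shell_verbs` are hypothetical. It checks a few other catch-all classes besides the `*` and `Directory` keys named in the thread.

```python
import re

# Constructed sample (made-up timestamps) in regedit's text-export layout.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_CLASSES_ROOT\*\shell\runas\command
Class Name:        <NO CLASS>
Last Write Time:   1/2/2000 - 3:04 PM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            cmd.exe /c takeown /f "%1" && icacls "%1" /grant administrators:F
Value 1
  Name:            IsolatedCommand
  Type:            REG_SZ
  Data:            cmd.exe /c takeown /f "%1" && icacls "%1" /grant administrators:F
Key Name:          HKEY_CLASSES_ROOT\txtfile\shell\open\command
Last Write Time:   1/1/2000 - 12:00 PM
Value 0
  Name:            <NO NAME>
  Type:            REG_EXPAND_SZ
  Data:            %SystemRoot%\system32\NOTEPAD.EXE %1
"""

FIELD = re.compile(r"^[ \t]*(Key Name|Last Write Time|Name|Data):[ \t]*(.*?)[ \t\r]*$", re.M)
WIDE_CLASSES = {"*", "directory", "folder", "drive", "allfilesystemobjects"}
SUSPECT = re.compile(r"\b(cmd(\.exe)?|takeown|icacls)\b", re.I)

def parse_export(text):
    # One dict per "Key Name" block: path, last write time, {value name: data}.
    keys, name = [], None
    for field, val in FIELD.findall(text):
        if field == "Key Name":
            keys.append({"key": val, "written": None, "values": {}})
        elif keys and field == "Last Write Time":
            keys[-1]["written"] = val
        elif field == "Name":
            name = val
        elif keys and field == "Data" and name is not None:
            keys[-1]["values"][name], name = val, None
    return keys

def flag_shell_verbs(keys):
    # Report <catch-all class>\shell\<verb>\command keys that run cmd/takeown/icacls.
    hits = []
    for k in keys:
        p = k["key"].split("\\")
        if len(p) < 5 or p[-1].lower() != "command" or p[-3].lower() != "shell":
            continue
        bad = sorted(n for n, d in k["values"].items() if SUSPECT.search(d))
        if p[-4].lower() in WIDE_CLASSES and bad:
            hits.append((k["key"], p[-2], k["written"], bad))
    return hits

for hit in flag_shell_verbs(parse_export(SAMPLE_EXPORT)):
    print(hit)
```

Running it on an export taken before the deletion and on one taken after the reboot shows whether the entries came back; the Last Write Time of a flagged key shows when that key was last modified.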