Unknown extension (Use the Web service to find the correct program dialog) corrupted by Paretologic FileCure
Hello,

This is very troubling. This is how you can reproduce the issue:
- launch an unknown extension file (you can modify a file that you have and give it some bogus extension, it doesn't matter)
- select "Use the Web service to find the correct program"
- Windows 7 will open the website: http://www.filecure.com/lp/download/

Now, as more experienced users know, this should've opened a Microsoft archive site for known extensions, with the recommended application for opening the file; but this is not the point - the point is that we are presented with a 3rd party app (filecure) as a Microsoft recommendation.

I have a very secure system, router, Kaspersky internet security 2011, everything updated, no kids playing on it, no torrenting, keygens etc. I also don't follow strange web links, don't buy medicines on the web, don't open spam, don't visit sites with questionable content... and so on. I only mentioned the above so you can understand the kind of environment that this problem appeared in...

I do not expect that any members/moderators/admins here on msdn/technet would know what Microsoft marketing are about; but at least I would like a confirmation of the problem and an honest opinion from you guys on this issue.

Thank you.

Windows 7 x64 Ultimate, E7200, Asus P5Q, Kingston DDR2 800 4 GB, Asus EAH4850 512 MB, M-Audio Audiophile USB, latest Catalyst, Fujitsu-Siemens Amilo LSL 3230T 23", Western Digital WD3200AAKS 320 GB, Logitech Wave, Performance MX.
September 12th, 2010 10:33pm

Toyz,

Can you try this ...

1. Back up your registry; more info is available on this link: http://support.microsoft.com/kb/322756/en-us
2. Copy the italic text into a file called fix.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations]
"XMLLookup"="http://shell.windows.com/fileassoc/fileassoc.asp?LangID=%04x&Ext=%s"
"Application"="http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s"
"intl"="http://shell.windows.com/fileassoc/fileassoc.asp?LangID=%04x&Ext=%s"

3. Double click on the fix.reg file and click ok on the messagebox.

Kind Regards DFTIM me - TWiTTer: @DFTER
September 13th, 2010 1:16pm

Hello daft and thank you for the answer.

- I searched in the registry, and there was no "CurrentVersion" in the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows]. I have Win 7 Ultimate x64. Is that normal? (Mistake, everything is there... I didn't search correctly, sorry)
- Anyway, I backed up, then imported your entries, and I get a big fat 404 error on the address "http://shell.windows.com/fileassoc/46a244/xml/redir.asp?Ext=http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s"
- I'll go back to the registry snapshot I previously created now...

Is anyone with Win 7 willing to run an unknown extension file (you can modify some file in your own computer temporarily...) and let me know where the "Use the Web service to find the correct program" dialogue sends him on the web?

Thank you.

OS: Windows 7 x64 Ultimate
CPU: E7200
Motherboard: Asus P5Q
Memory: Kingston DDR2 800 4 GB
Graphics Card: Asus EAH4850 512 MB, Catalyst 10.2
Monitor: Fujitsu-Siemens Amilo LSL 3230T 23" FullHD
HDD: Western Digital WD3200AAKS 320 GB (16 MB buffer)
Cooling: CPU: Arctic Cooling Freezer Pro PWM, case: 2xAC exhaust fans
September 13th, 2010 1:53pm

Ok, I think I managed to solve this.

In the registry, there was this entry in the location specified by daft:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations]

It had the name

"Application.AX.Backup"="http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s"

I renamed it as Application, and it works OK now (I certainly hope so).

But my question is WHY? From where this strange name? Who backed up my good entry and replaced it with trash (I'm trying now to edit somehow the backup without importing it, so I can find out what were the faulty entries).

These are my former, TAMPERED entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Associations]
"Application"="http://www.filefacts.net/redirect.php?ext=%s"
"Application.AX.Backup"="http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s"

I cannot imagine how these got into my registry. The "filefacts.net" link now goes to a 404 on the Paretologic website. If you replace the %s variable with some letters simulating an extension, the link will immediately go to the BUY FileCure website. This indeed is a WOW! How could this have happened?

OS: Windows 7 x64 Ultimate
CPU: E7200
Motherboard: Asus P5Q
Memory: Kingston DDR2 800 4 GB
Graphics Card: Asus EAH4850 512 MB, Catalyst 10.2
Monitor: Fujitsu-Siemens Amilo LSL 3230T 23" FullHD
HDD: Western Digital WD3200AAKS 320 GB (16 MB buffer)
Cooling: CPU: Arctic Cooling Freezer Pro PWM, case: 2xAC exhaust fans
September 13th, 2010 2:37pm

Hi,

According to your description, I suspect your registry key was changed by some program; however, it’s not easy to tell which program changed the registry. Therefore, you can try to audit a registry key; audit events are then displayed in the Security log of Event Viewer, which would help you find what changed your registry key.

Audit a Registry Key
--------------------------

Note: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

http://support.microsoft.com/kb/322756/ How to back up and restore the registry in Windows

1. Click Start, and then click Run. In the Open box, type regedit, and then click OK.
2. Locate and click the registry key that you want to audit, for example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. On the Edit menu, click Permissions.
4. Click Advanced, click the Auditing tab, and then click Add.
5. Type the user account or group whose access to this registry key you want to audit, click Check Names to verify the name, and then click OK.
6. In the Apply onto box, click the option that you want.
7. Click to select the Successful and Failed check boxes next to the following access types:
   - Set Value
   - Create Subkey
8. Click OK, and then click OK. You may receive the following message:

   The current Audit Policy for this computer does not have auditing turned on. If this computer receives audit policy from the domain, please ask a domain administrator to turn on auditing using Group Policy Editor. Otherwise, use the Local Computer Policy Editor to configure the audit policy locally on this computer.

   If auditing is not turned on, you must turn it on by following the steps in the Turn On Auditing in Group Policy section of this article.
9. Click OK.
10. Quit Registry Editor.

Audit events are displayed in the Security log of Event Viewer.

Hope it helps!

Regards,
Miya Yao

This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 16th, 2010 5:49am
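
The auditing procedure in the reply above can also be scripted. This is an added example, not part of the original thread: it sets the same audit entries on the Associations key (both registry views) and then lists value writes from the Security log, where event 4657 names the process that made the change. It assumes an elevated PowerShell session, English-language Windows for the auditpol subcategory name, and `Everyone` as the audited principal; the function names are hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Associations'
) | Where-Object { Test-Path -Path $_ }

function Enable-AssociationAudit {
    # Local audit policy; "Registry" is the subcategory name on English-language Windows.
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
    foreach ($key in $keys) {
        # Same choices as the GUI steps: Set Value + Create Subkey, Successful + Failed.
        # Assumption: 'Everyone' is the audited principal.
        $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList `
            'Everyone', 'SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Success, Failure'
        $acl = Get-Acl -Path $key -Audit
        $acl.AddAuditRule($rule)
        Set-Acl -Path $key -AclObject $acl
    }
}

function Get-AssociationWrite {
    # Event 4657 = "A registry value was modified"; it records the writing process.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $d = @{}
            foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Matches the native and the Wow6432Node key; -like is case-insensitive.
            if ($d['ObjectName'] -like '*\Explorer\Associations') {
                New-Object PSObject -Property @{
                    Time     = $evt.TimeCreated
                    User     = $d['SubjectUserName']
                    Process  = $d['ProcessName']
                    Value    = $d['ObjectValueName']
                    OldValue = $d['OldValue']
                    NewValue = $d['NewValue']
                }
            }
        }
}

Enable-AssociationAudit
# Run again after the redirect reappears to see which process rewrote the value.
Get-AssociationWrite | Sort-Object Time |
    Format-List Time, User, Process, Value, OldValue, NewValue
```

Auditing only records writes made after it is enabled, so it identifies the responsible program only if the value is modified again.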

I FEEL YOUR PAIN MAN SORRY I CAN'T HELP. I'M JUST TIRED OF BEING HACKED TO DEATH YOU SHOULD TRY UTRACE AND FIND OUT THE IP OF THE CHINAMAN THAT'S HACKING YOU I SUSPECT FIND A PROGRAM THAT CAN TELL YOU WHAT PORT ARE IN USE REALTIME YOU WOULD BE REALLY SURPRISED AT WHAT AND WHO IS WATCHING YOUR EVERY MOVE HAVE A GREAT DAY
September 17th, 2010 12:52pm

Thank you Miya Yao. Windows indeed is very smart if you know how to use it properly. Auditing gave this info:

Auditing settings on object were changed.

Subject:
  Security ID: -
  Account Name: -
  Account Domain: -
  Logon ID: 0xd3d0a

Object:
  Object Server: Security
  Object Type: Key
  Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations
  Handle ID: 0x3e4

Process Information:
  Process ID: 0xc44
  Process Name: C:\Windows\regedit.exe

Auditing Settings:
  Original Security Descriptor:
  New Security Descriptor: S:ARAI(AU;CINPSAFA;DCLC;;;LA)

It's obvious that an application modified the registry, and only I could be the idiot that let that happen, so I guess not much point here supervising what other users might have done. It's also rather peculiar, as I have Kaspersky and it lets me know if some app wants to modify registry and what... I guess I was in a hurry or it was something I trusted. It's also probably not a malicious app, since it backed up my original key... curiously I did not run any application related to Paretologic.

I pretty much feel there's not much hope to find out which app was the culprit (as modifying a system registry entry for commercial purpose is rather shady), but I remain open to other suggestions.

As for the hacking issue, I don't think it's the case, the computer is behind a hardware firewall, and Kaspersky's own firewall is also active (but never catches anything with the hardware firewall turned on). The traffic is monitored and only trusted apps with certificate talk to the net.

Windows 7 x64 Ultimate, E7200, Asus P5Q, Kingston DDR2 800 4 GB, Asus EAH4850 512 MB, M-Audio Audiophile USB, latest Catalyst, Fujitsu-Siemens Amilo LSL 3230T 23", Western Digital WD3200AAKS 320 GB, Logitech Wave, Performance MX.
September 17th, 2010 1:45pm

I have an update to this matter. I am also using Ghisler Total Commander. Opened a file with an unknown extension, and guess what, it went to the same Paretologic site. Searched through the registry with "filefacts.net" and I found another entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Associations]
"Application"="http://www.filefacts.net/redirect.php?ext=%s"

This time, there wasn't even a backup of the original entry, like in the previous entry. I replaced it with the default Microsoft value.

I hope the info I provided could be of help to someone that has the knowledge to find the guilty application.

Have a good day!

OS: Windows 7 x64 Ultimate
CPU: E7200
Motherboard: Asus P5Q
Memory: Kingston DDR2 800 4 GB
Graphics Card: Asus EAH4850 512 MB, Catalyst 10.2
Monitor: Fujitsu-Siemens Amilo LSL 3230T 23" FullHD
HDD: Western Digital WD3200AAKS 320 GB (16 MB buffer)
Cooling: CPU: Arctic Cooling Freezer Pro PWM, case: 2xAC exhaust fans
September 21st, 2010 8:35am
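
The post above found the redirect in a second place, the 32-bit (Wow6432Node) view of the same key. This is an added example, not part of the original thread: a PowerShell check that reads every value under both Associations keys and reports web-lookup URLs whose host is not one of the two Microsoft hosts quoted in this thread, plus backup-style value names. The allowlist and the function names are assumptions made for the example.

```powershell
# Added example, not from the thread. Key paths and hosts are the ones quoted above.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Associations'
)
# Assumption: only these two hosts (both appear in the thread) are treated as expected.
$expectedHosts = @('shell.windows.com', 'go.microsoft.com')

function Get-AssociationFinding {
    param([string]$Key, [string]$Name, [string]$Data)
    $reasons = @()
    # %s and %04x are printf-style placeholders; substitute dummies so the URL parses.
    $probe = ($Data -replace '%04x', '0409') -replace '%s', 'ext'
    $uri = $null
    if ([Uri]::TryCreate($probe, [UriKind]::Absolute, [ref]$uri) -and ($uri.Scheme -match '^https?$')) {
        if ($expectedHosts -notcontains $uri.Host) {
            $reasons += "host '$($uri.Host)' is not on the expected list"
        }
    }
    # A value named like "Application.AX.Backup" suggests the original was displaced.
    if ($Name -match '\.Backup$') { $reasons += 'backup-style value name' }
    if ($reasons.Count -gt 0) {
        New-Object PSObject -Property @{
            Key = $Key; Name = $Name; Data = $Data; Reason = ($reasons -join '; ')
        }
    }
}

function Get-AssociationFindings {
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }   # no Wow6432Node on 32-bit Windows
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            Get-AssociationFinding -Key $key -Name $name -Data ([string]$item.GetValue($name))
        }
    }
}

# Constructed self-check using the two values the poster reported finding.
$sample = @(
    Get-AssociationFinding -Key 'sample' -Name 'Application' -Data 'http://www.filefacts.net/redirect.php?ext=%s'
    Get-AssociationFinding -Key 'sample' -Name 'Application.AX.Backup' -Data 'http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s'
)
# Sample findings first, then the live scan of both registry views.
@($sample) + @(Get-AssociationFindings) | Format-List Key, Name, Data, Reason
```

Both sample rows are reported: the first for its host, the second only for its value name, since its URL points at an expected host.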

I'm not a tech person, but I was searching the Microsoft site b/c exactly the same thing happened to me--an unknown file type sent me to the Microsoft site, and then Paretologic's Filecure appeared to be recommended by Microsoft. Further, in my search today, I've found Paretologic listed as a "Microsoft Certified Partner" (on www.simpledatarecovery.com/filecure-review.html). Can you please explain this? --Carol L.
May 11th, 2011 10:17am

This topic is archived. No further replies will be accepted.
