MJ Registry Watcher

Discussion in 'Trojan Defence Suite' started by Dazed_and_Confused, Nov 1, 2004.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Oops, sorry Alan, my bad English was failing me once again :oops: :oops: :oops:

    Sorry again !!!
     
  2. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    How about popping up a dialog informing the user who terminated what application for what reason, and then offer buttons for restarting each application?
    Also note that DiamondCS guys themselves told multiple times that TDS does not terminate running malware for the very reason that process termination can render the system unstable, and cause crashes. Compare this to intentionally terminating legit applications.
    I can believe TDS-4 will solve all problems of mankind :D, including the one with MJ, and that is something worth waiting for. But for those of us who would like to use MJ and TDS before the legendary "real soon", a TDS patch or sub-version or setting which does not terminate MJ, would be very much appreciated!
    -hojtsy-
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hojtsy, all development work on TDS3 has finished. I very much doubt there will be any patch for what is a minor but annoying little nit. :)

    DCS are now concentrating on TDS4 and, personally, that to me is more important.

    Cheers. Pilli
     
  4. I have just added 20 more default keys to Registry Watcher, making the total 50 keys that are scanned for changes. It also writes a log of any suspect activity to a .log file on exit.

    It saved my bacon yesterday. I had "picked up" some Microsoft updates about a month ago, and despite avoiding SP2, some of these had SP2 in their name in the Add/Remove list. After putting them on, my PC booted in 2-3 minutes instead of the normal 30 seconds I was used to. Also, everything would grind to a halt when you loaded anything that wasn't in cache, and it seemed that any disc access temporarily stalled the CPU! Anyway, I took my XP Pro SP1 CD, and installed the OS again. It kept all my apps and data and settings really well, and, the speed had come back (thank you Lord!). However, the network settings weren't entirely preserved and it had set File and Print sharing on. I went online. I had been connected for about 30 seconds, when RegWatcher popped up with this :-

    Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
    Value Popup Blocker System32 Monitoring will be a new value with data
    PopUpBlockerd.exe
    Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
    Value Microsoft DirectX will be a new value with data
    PDSched.exe

    My PC felt like treacle and Task Manager showed 97% utilisation by one of the SVCHOST.EXEs. I disconnected amidst a bevy of traffic. I found the nasties, deleted them, and got rid of the keys. There were a couple of other places it had hidden keys, so I incorporated them into my new default RegWatcher list. I found out about the RPC trojan dropper method that had been used, and applied the relevant Microsoft patch (no SP2 in its name TG!), switched off File and Print sharing that had let it in, and started running ZA to see what volume and sort of traffic was hitting my connection. It was mostly ports 135, 137 and 445 that were being investigated, and they're the 3 main File and Print sharing ports used by Windows.

    PDSched.exe is nasty, but easy to delete, and has been known about since July this year. I can't even find PopUpBlockerd.exe on Google. I have them both quarantined if anyone's interested in discombobulating them.

    Graphic
     
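    The polling approach the tool describes (snapshot a list of autostart keys on start-up, re-read them read-only on every timer tick, report any value that appears or changes, keep the alerts for a log file), written out as an added example in Python; it is not the RegWatcher author's code. The registry reader is injected so the example runs on any OS: the FAKE_REGISTRY dict and its contents are constructed for the demo and replay the two Run values quoted in the post above; on Windows the reader would enumerate the key with winreg.OpenKey and winreg.EnumValue instead.

```python
"""Polling registry watcher (added example): snapshot autostart keys, report new or changed values."""
from typing import Callable, Dict, List

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
Reader = Callable[[str], Dict[str, str]]  # key path -> {value name: data}; winreg-backed on Windows


class RegistryWatcher:
    """Baseline per watched key; poll() is what each timer tick calls (read-only, like the thread's tool)."""

    def __init__(self, reader: Reader, keys=(RUN_KEY,)):
        self.reader, self.keys = reader, list(keys)
        self.baseline = {k: dict(reader(k)) for k in self.keys}  # snapshot taken at start-up
        self.log: List[str] = []  # what the tool would write to its .log file on exit

    def poll(self) -> List[str]:
        alerts: List[str] = []
        for key in self.keys:
            current, old = dict(self.reader(key)), self.baseline[key]
            for name, data in current.items():
                if name not in old:  # same wording as the alert quoted in the thread
                    alerts.append(f"Registry Key {key}\nValue {name} will be a new value with data\n{data}")
                elif old[name] != data:  # an existing autostart entry repointed elsewhere
                    alerts.append(f"Registry Key {key}\nValue {name} changed from {old[name]} to {data}")
            for name in old.keys() - current.keys():
                alerts.append(f"Registry Key {key}\nValue {name} was removed (had data {old[name]})")
            self.baseline[key] = current  # each change reported once; a real tool would ask the user first
        self.log.extend(alerts)
        return alerts


# Constructed stand-in for the registry so the example runs on any OS: a mutable dict per key.
FAKE_REGISTRY: Dict[str, Dict[str, str]] = {RUN_KEY: {"ZoneAlarm": "zlclient.exe"}}


def fake_reader(key_path: str) -> Dict[str, str]:
    return FAKE_REGISTRY.get(key_path, {})


def demo() -> List[str]:
    """Simulates the infection from the thread: two Run values appear between two timer ticks."""
    watcher = RegistryWatcher(fake_reader)
    assert watcher.poll() == []  # nothing changed yet
    FAKE_REGISTRY[RUN_KEY]["Popup Blocker System32 Monitoring"] = "PopUpBlockerd.exe"
    FAKE_REGISTRY[RUN_KEY]["Microsoft DirectX"] = "PDSched.exe"
    return watcher.poll()


if __name__ == "__main__":
    print("\n".join(demo()))
```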
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  6. When DCS contact us about what is wrong with RW and TDS-3, I'll send it then. Until then, we'll wait and see what DCS say. I must say, that despite my keen interest in PG, I won't buy until I hear from a programmer at DCS as to why (they have my private email address and I have heard nothing in over a week now) ...

    Can someone else tell me whether TDS-3 terminates the new version of RegWatcher at http://www.jacobsm.com/index.htm#sft ? If it doesn't, then something is wrong with TDS-3's algorithms. If it does, then at least it is wrong consistently.

    Graphic
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi GE, I know they are rather busy ATM and I doubt TDS3 program is anywhere near the top of the list but collecting malware is ;)

    It has been explained by Wayne that it is part of TDS3's protection and was written well over two years ago. My guess is that simple reg watchers try to look at TDS3 in a way that the script kiddies used when they tried to crack TDS; this type of code is now common and therefore likely to be stopped by TDS and used by programmers such as yourself albeit in a non malware form. It does not affect any other programs except registry watching type programs as far as I know, so that may tell you something.
    None of the professional security organizations have questioned DCS's motives, methods or integrity, though, of course, you have every right to do so.

    Cheers. Pilli :)
     
  8. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    I'm currently trying out PerfectDisk v6.0 on a 30 day trial. As far as I am aware PDSched.exe is a legitimate component of this program!

    Are you saying that this is in someway dodgy or unsavoury...or are we talking about something else...or am I missing the point here? o_O
     
  9. What would be nice, is if one of the TDS-3 programmers could explain exactly what I can and can't do in terms of watching the registry. Can I read the values and subkeys of any keys? Just read them, that's all, and in read-only mode too! Because that is all RW does, is read keys in the registry. Going along your lines of logic would imply that even regedit could be terminated if reading from the wrong keys. So, I will do a swap - my trojans for a chat with a programmer of TDS-3. That's fair enough, AFAIAC.

    Again, I will state that RW uses a standard Windows timer to trigger the reading of registry keys in read-only mode. This is a completely standard programming methodology in use everywhere else, without TDS-3 terminating them, so what gives?

    Graphic
     
  10. What is the size of your PDSched.exe file? What was its last modified date? The answers to these questions should allay your fears. The trojan has a file size of about 40KBytes and a modified date and time of whenever it was delivered to your PC by the faulty RPC mechanism in Windows SP1. I doubt that your answers will be the same, and if not, you are probably safe, and do not have the trojan with PerfectDisk's namesake.

    Graphic
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    GE wrote
    Yes, it is strange that only registry watchers are affected, thousands of programs run quite happily including programs like AdAware, spybot, SpySweeper, SSM, prevX etc. etc. all of which watch some registry keys and bury themselves quite deep in the system.

    Hopefully one of the DCS will find time to answer your question :) but probably not until Monday Perth time unless they happen to drop by...
     
  12. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Graphic Equaliser

    Thanks for your reply... you had me worried for a little while there. :)

    Mine is the legit one, d/l'd it a week or so ago from Raxco. It is 196KB, in the Raxco folder, v 6.0.0.34 (which is the correct one).

    Running XP SP2 here, all updates done and regularly scanned for viruses, trojans and assorted dross. PC is squeaky clean.... but you did take me a little by surprise so thanks for your quick answer. Now I can go back to my beer. :D
     
  13. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    1) The PDSched.exe I've got does not have any version information. It is 77,824 bytes long. The PopUpBlockerd.exe I've got is 99,328 bytes long.

    2) I must apologise to DCS since the e-mail address I gave them (the one with cwcom) does not receive emails, but does allow sending! (These freebie accounts...). Don't worry, I will send from an alternative address. My main address is so swamped with spam (7,000 spam emails per *DAY* !) that I've had to write an email program that only retrieves emails from email addresses in my address book (another text file!). You should see my account when I get back from hols - it takes half an hour for the remote server to prepare the drop, and tell me how many messages are waiting! I had to switch off the timeout in my POP3 component to even get the drop, and then it takes 5 hours retrieving headers and throwing most away, not fetching any down. Computers are both a blessing (I put food on the table with them), and a curse (Airbus A320 - deepest commiserations).

    Graphic :doubt:
     
  14. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    [SHADOW=""]It appears that I can receive stuff on that email, but it's slow.[/SHADOW]

    [GLOW=""]I am sorry[/GLOW] for my previous outburst, but spam has truly ruined my domain's email account.

    Anyway, what I wanted to say was that we should spend more time enjoying our computers and less time protecting them.

    Graphic
     
  15. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Agreed, Graphic. And your app makes this more possible. Thanks! ;)
     
  16. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I have just done the finished first version of RegWatcher at http://www.jacobsm.com/index.htm#sft - version 1.1.2.1

    This has 52 keys and covers most of Hojtsy's key list at https://www.wilderssecurity.com/showthread.php?t=32823&page=1&pp=25

    This has a help screen, a log file interface, and version information. The webpage documents it better too, with the version number on the download link.

    That will be the last update for a while (barring severe bug fixes) - please enjoy. And thanks for your support,

    Graphic :)
     
  17. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Running it now, Graphic. Thanks. :D

    By the way, where in your app does it state the version?
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    The version information can be viewed in 4 places :-

    1) Use Right-click properties Version info tab under Explorer
    2) Look at the title bar when RW is put on screen (restored from the system tray)
    3) Look at the bottom of the help screen
    4) Look at the download link on my website

    Best regards,
    Graphic ;)
     
  19. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    The current version is now 1.1.4.1

    Graphic
     
  20. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Ellison,

    You might get more attention on this thread, which discusses Registry Monitors, including MJRW. This thread here concerns issues relating to TDS. Just a suggestion...

    Gosh...I'm scaring myself...I'm starting to sound like a Moderator... :D :eek:
     
  21. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    ellison64,

    Your post was moved over to the thread mentioned by D&C. It is located here:

    https://www.wilderssecurity.com/showthread.php?p=296944

    :ninja: *puppy*
     
  22. tigercatt9403

    tigercatt9403 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    7
    Hello Daisy:

    I am not running TDS 3 on my system at this time, but all of this talk sounds interesting, but I am going to sit back and let the pros here do the talking while I absorb it. I suppose that if I do run TDS 3 on this system and MJ Regwatcher, that I am going to have problems just like you are having and so at least I know that in advance. I have some very good security on this system, so sound, that I do not, at this time, need Trojan protection, but TDS 3 is the greatest.

    tigercatt
     
  23. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, Tigercatt

    Please understand the conflict between MJRW and TDS is a minor one. To get around the problem, simply start MJRW after starting TDS. I would definitely not let this inconvenience keep you from running either app. They are both the best in their respective fields, IMO.

    And regarding security in general, it's only matter of time before a Trojan finds you. Better to be prepared... ;)
     
  24. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    This thread has run its course now so I am closing it. :)

    Thanks. Pilli
     