New Tech Tool: D7

Discussion in 'malware problems & news' started by FoolishTech, May 9, 2011.

Thread Status:
Not open for further replies.
  1. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    Forgive me if this is the wrong forum; I was advised by a member of this forum (who found me on DSL Reports) to post here, although D7 is not merely a malware removal assistant...

    I have finally decided to release a tool that myself and a very select few have been using for quite some time.

    If you are interested, please remember two things before you read on. 1. I am not a programmer, really, but I try as a hobby. 2. I'm not a great technician, really, but I try, honestly.

    OK, there's more to remember. This app won't be without its bugs, and isn't without its risk; however, I would like to offer it to those who would enjoy its use and also consider it a BETA, WORK IN PROGRESS, and who won't hold me liable for its use or misuse. I would hope that experienced technicians would offer feedback or assistance with bug reporting as they desire.

    Now...

    D7 is a tool for PC technicians to aid in many tasks and provide a uniform procedure for technicians to follow by automation. It has many capabilities and many uses including offline and live malware removal assistance, easy offline registry editing, data backup and restoration, CPU/RAM stress testing, information gathering and quality assurance uses, etc. etc. Too much to list here, right now at least. It also combines some other projects of mine such as DataGrab (quick client data retrieval tool) among other smaller things. D7 is growing all the time!

    Note that D7 is not the malware scanner or remover, YOU are. YOU control its behavior by whitelist/blacklist functionality for file system and registry objects, and by your own pair of hopefully good eyeballs. D7's MalwareScan functionality is designed to show you what D7 doesn't recognize, by whitelisting known good items, and automatically deleting known bad items (optionally!) MalwareScan then shows you what is left after the whitelisting/blacklisting is applied. From there, you have the option to whitelist, blacklist, delete, rename, ignore, google, or whatever you want with the results.

    I offer no guarantee of any sort, but hopefully I can have a manual published soon for understanding D7's usage and behavior (and quirks), with some further explanation of some of its functions, and maybe a vid of using D7 in a live malware removal scenario.

    I will try to be available via email for assistance, and I will also try to monitor this thread for any questions or comments. Regardless, PLEASE if you don't understand something, don't use it until you do.

    www.foolishit.com

    Click the D7 link on the left...

    OR you can visit the product page on Majorgeeks.com, which recently approved and certified D7 as 100% tested clean of ad/spy/malware/viruses.

    Thanks,
     
  2. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,128
    Location:
    R.I.P. Roger(roddy32)
    hello, and nice to see you made it and good luck!
    Gordon :cool:
     
  3. makios

    makios Registered Member

    Joined:
    Apr 18, 2008
    Posts:
    126
    Nod32 (beta 5) quarantined it :(
     
  4. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    Oh yes. I always forget this because I personally don't use A/V.... but it's been reported to me that several A/V vendors detect this as a virus. The issue, I believe, is with D7's automatic update code, which downloads a small file from my website to determine if a new version is available.

    NOD32, Sophos, and McAfee have all received my sample as a false-positive report for their heuristic detection. The sample was submitted today. I'm not certain when I will hear back from them...

    MSSE (I know) and Symantec (I believe) do not trigger it as a false positive.

    I have not tested with other A/V software. EDIT: If anyone would like to inform me about other detections from A/V software I haven't listed here, please do. I will submit samples to the respective A/V companies as needed. (Thanks!)

    In the meantime, Majorgeeks did test D7 prior to posting it on their site today. Tim, a really cool guy, said they reject about 95% of submissions for one reason or another, but they approved me and gave me the Majorgeeks 100% clean ad/spy/malware/virus free certification.

    I'm not sure what that's worth to crafty and intelligent readers like yourself, but I hope you don't let a few heuristics-based false positives deter you!
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Looks interesting :thumb:

    D7 launched quickly & showed a potential problem, but it's only due to ScriptDefender set to intercept things, so OK.

    Cancelled that alert & it immediately shut down! Hardly time to fully scan, I would have thought?

    Relaunched, no scan? & got this error:

    [screenshot: modal.gif]

    After that:

    [screenshot: sh.gif]

    Then more errors, all tabs are blank?

    [screenshot: bl.gif]

    Closed the App, but 4 instances of D7 on my task bar, which I couldn't R-click and close? So had to use TaskManager.

    Using XP/SP2 no updates
     
  6. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    Sophos has a very fast response time! They provided me with a clue as to why D7 is being detected, and I have recompiled D7 with the corrections.

    If you download version 3.4.4 from my website (unfortunately I will still need to get Majorgeeks to update their copy) this should correct the issues with false positives. I'm hoping this will fix false positives with other A/V as well.

    Thanks!
     
  7. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    Interesting. I will look into this ScriptDefender and see why that sets off D7. If it was the very first thing D7 did, then I will need to make some sort of accommodation in D7 for this behavior; and I should probably tell you that D7 may have disabled your ScriptDefender (if it in fact writes a non-default value to HKEY_CLASSES_ROOT\exefile\shell\open\command), in which case I'm sad to say that you may consider D7 incompatible with ScriptDefender - at least until I can examine its behavior and make an allowance for it. I will keep you abreast of my progress on that.

    As for the other issue, that is odd, but may have had something to do with the ScriptDefender software. For one, D7 does not run multiple copies of itself. Now I have noticed a (what I thought to be rare) timing issue which until now I had only been able to reproduce (quite unreliably) on Win7 64... which causes the "...cannot display modal form..." but have not tracked down the cause of it quite yet - but I am working on it!

    Thank you for the feedback!
     
  8. hayc59

    hayc59 Updates Team

    Joined:
    Oct 29, 2008
    Posts:
    2,128
    Location:
    R.I.P. Roger(roddy32)
    No problems with avast! at all
    but sure did light up a whole lot of pop-ups
    with Online Armor Firewall.....;)
     
  9. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    D7's automatic update check - AND - its ping to Google for internet connectivity :D
    EDIT - AND its network path check for definition synchronization (refer to one of my YouTube vids for an explanation on Malware Scan Definition Sync.)
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    ScriptDefender still working :)

    [screenshot: scd.gif]

    FoolishTech said:
    As for the other issue, that is odd, but may have had something to do with the ScriptDefender software. For one, D7 does not run multiple copies of itself. Now I have noticed a (what I thought to be rare) timing issue which until now I had only been able to reproduce (quite unreliably) on Win7 64... which causes the "...cannot display modal form..." but have not tracked down the cause of it quite yet - but I am working on it!

    OK :thumb:

    Thank you ;)
     
  11. makios

    makios Registered Member

    Joined:
    Apr 18, 2008
    Posts:
    126
    Tried it, but Nod32 is still reacting negatively
     
  12. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    DRAT! Thanks for the report! Well I am still waiting to hear back from NOD32 on my original submission. Hopefully they will be as helpful as Sophos has been.

    @ CloneRanger

    That's awesome! I'm going to look into that app, sounds sweet.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ FoolishTech

    Just wondered, does your App make use of wscript.exe? As I have disabled it.

    Also, as I cancelled the Script fix when I scanned, why would you think that D7 may have disabled ScriptDefender? I would expect cancelling to leave things as they are!

    TIA
     
  14. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    Nope, no wscript.

    D7's first action on startup is to check HKEY_CLASSES_ROOT\exefile\shell\open\command for a non-default value. If found, it assumes it's malware - because I've never seen anything other than malware write to that key (not saying I shouldn't look harder for some legitimate software that does...). The very next action D7 takes is to overwrite that reg value with its default before even prompting you for the suspected malware file that D7 asks if you wish to delete.

    The process is detailed in my Malware Removal Showcase 1 on YouTube.

    If I assume that ScriptDefender writes to that value, then I'm impressed that it must monitor the key for changes and write itself back. Of course, most malware does this as well, so D7's immediate behavior is almost a moot point... but that's why I thought D7 may have disabled ScriptDefender.
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Very interesting...and potentially dangerous. As the developer advises - THIS TOOL IS INTENDED FOR EXPERIENCED PC TECHNICIANS ONLY, NOT FOR "END USERS."

    PS I ran it from H: drive ;)
     

  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ FoolishTech

    OK thanks.

    When you test ScriptDefender Versus D7 it'll be good to hear what you discovered :thumb:
     
  17. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    Just tested ScriptDefender, there's nothing it does to set off D7!

    Which makes me wonder. The first message box you saw, that you said you cancelled... that's not in one of your screenshots above. Was that the one as seen in the Showcase 1 YouTube vid? (if you've got the time to check it out...)
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Upload it to VirusTotal, and most existing AV's will scan it. They also share samples with vendors, but the vendors don't receive it as quickly as direct submission, nor do they get details like if it's a false positive or why.
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Oh good :)

    Ran it again

    [screenshot: mal.gif]

    Copy/pasted from the dialogue box, 4 instances showing:

    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*
    C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*

    Once again after cancelling, I get the same errors :(
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ FoolishTech

    On retesting ScriptDefender with other things, I started wondering if it is now ****ed! So I uninstalled it & reinstalled it, but I believe it is ****ed due to the D7 test :(

    What would you suggest as the best way to fix it back? :thumb:

    Also, I really do think D7 automatically deleting things like this is not good, as after all that's what the CANCEL button should be for ;)
     
  21. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    Point taken. Really, I installed ScriptDefender in my VM and it didn't mess with those entries that D7 checks...

    So I just looked at it again and my default config in it is ".VBS,.VBE,.JS,.JSE,.HTA,.WSF,.WSH,.SHS,.SHB"
    ...
    but you obviously must have a few of D7's check points in there, (that being .BAT, .CMD, .EXE, .COM, or .SCR)

    Regardless, this is the first legitimate application I've seen write to that key, ever. As I said before, maybe I don't look hard enough, but on the other hand maybe enough "power users" (who might potentially have apps such as these) don't bring their PCs in my shop to get virus removals done. ;)

    I'm glad you pointed it out. I will plan on the next version making this an optional thing.

    Back to D7 screwing ScriptDefender: yeah, all D7 does is rewrite that registry key to its default value. That shouldn't hose ScriptDefender if you reconfig or reinstall it. But consider it incompatible with D7 until the next version, 3.4.5, which I will get on right away for you.
     
    Last edited: May 10, 2011
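    The check FoolishTech describes in post 14 (compare HKEY_CLASSES_ROOT\exefile\shell\open\command against its stock value) and the file classes he lists in post 21 (.BAT, .CMD, .EXE, .COM, .SCR) can be written as a report-only audit, which is what the cancel-button complaint in this thread argues for. The block below is an added example and is not D7's code. It assumes the stock Windows values shown in DEFAULT_OPEN_COMMANDS, treats the Script Defender handler quoted by CloneRanger as known-good, and uses a made-up program name (notreal.exe) in its constructed sample; the live registry read only runs on Windows.

```python
"""Report-only audit of the shell\\open\\command handlers for executable
file classes. Added example, not D7's code: it reproduces the check
described in the thread but never rewrites a value on its own."""
import re
import sys

# Stock (default) values of HKCR\<progid>\shell\open\command on Windows.
# exefile/batfile/cmdfile/comfile use "%1" %*; scrfile passes /S (assumed
# from a stock install; verify against a clean box before relying on it).
DEFAULT_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# Legitimate third-party wrappers. The pattern matches the AnalogX Script
# Defender value CloneRanger pasted in the thread, wherever it is installed.
KNOWN_GOOD_WRAPPERS = (
    re.compile(r'^"?[A-Za-z]:\\.*\\sdefend\.exe"? %1 %\*$', re.IGNORECASE),
)


def normalize(value):
    """Collapse whitespace so cosmetic differences do not look like hijacks."""
    return " ".join(value.strip().split())


def classify_open_command(progid, value):
    """Return 'default', 'known_good', 'missing' or 'suspect' for one handler."""
    expected = DEFAULT_OPEN_COMMANDS.get(progid)
    if expected is None:
        raise ValueError(f"not a tracked file class: {progid}")
    if value is None:
        return "missing"
    v = normalize(value)
    if v.lower() == expected.lower():
        return "default"
    if any(p.match(v) for p in KNOWN_GOOD_WRAPPERS):
        return "known_good"
    return "suspect"


def audit(values):
    """values: {progid: current command or None}.
    Returns (progid, verdict, current, expected) tuples; changes nothing."""
    return [
        (progid, classify_open_command(progid, values.get(progid)),
         values.get(progid), expected)
        for progid, expected in DEFAULT_OPEN_COMMANDS.items()
    ]


def hijack_target(value):
    """Best-effort extraction of the program a non-default handler launches,
    so the technician can inspect that file before deciding what to do."""
    m = re.match(r'^"([^"]+)"|^(\S+)', normalize(value))
    return (m.group(1) or m.group(2)) if m else None


def read_live_values():
    """Windows only: read the current handlers from HKCR."""
    import winreg  # stdlib on Windows; ImportError elsewhere
    out = {}
    for progid in DEFAULT_OPEN_COMMANDS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                rf"{progid}\shell\open\command") as k:
                out[progid] = winreg.QueryValueEx(k, "")[0]
        except FileNotFoundError:
            out[progid] = None
    return out


def restore_default(progid):
    """Explicit, opt-in repair. Only call this after the operator confirms;
    audit() never calls it, so 'cancel' really cancels."""
    import winreg
    with winreg.CreateKey(winreg.HKEY_CLASSES_ROOT,
                          rf"{progid}\shell\open\command") as k:
        winreg.SetValueEx(k, "", 0, winreg.REG_SZ, DEFAULT_OPEN_COMMANDS[progid])


# Constructed sample input: Script Defender wrapping .exe (from the thread)
# plus a hypothetical .scr hijack; notreal.exe is a made-up name.
SAMPLE = {
    "exefile": r'C:\Program Files\AnalogX\Script Defender\sdefend.exe %1 %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "scrfile": r'"C:\Users\Public\notreal.exe" "%1"',
}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE
    for progid, verdict, current, expected in audit(values):
        print(f"{progid:8} {verdict:10} {current!r}")
        if verdict == "suspect":
            print(f"    launches: {hijack_target(current)}; stock value is {expected}")
```

    Run it as-is on a non-Windows box and it audits the constructed sample; on Windows it reads the live keys. A handler that is neither the stock value nor an allow-listed wrapper is reported with the program it launches, and restoring the stock value stays a separate, deliberate call.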
  22. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Last edited: May 11, 2011
  23. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
    Uploading v3.4.5 now.

    * D7 won't overwrite the registry values automatically now, so the cancel button will cancel all operations now.

    * Did you one better, (I hope) in that if D7 specifically detects ScriptDefender in those keys, it should no longer alert you at all....
     
  24. FoolishTech

    FoolishTech Registered Member

    Joined:
    May 9, 2011
    Posts:
    19
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ FoolishTech

    Hi

    Before you came back I went tinkering. Used RegSeeker to search for AnalogX & it found ALL these entries!

    [attachment: ScriptD.txt]

    As I had reinstalled ScriptDefender I hadn't got round to adding in other extensions yet, so those must be linked to the default ones in some way?

    Googling I discovered that "sometimes" uninstalling doesn't always delete the protection, due to not disabling them first. The App gets uninstalled, but not the REG entries! So I did that, uninstalled & rebooted. Then I deleted the above RegSeeker entries with RS. Double checked they'd ALL gone with RegEdit & they had. "Funny" thing is, even after doing that, when I D'click a safe test .VBS file I get this.

    [screenshot: fin.gif]

    Now my OS doesn't recognise that extension :( & probably the other deleted ones too. If I reinstall ScriptDefender it jumps in and stops/alerts to it, but if I allow it the OS asks me to choose an association for it, so it doesn't activate. Obviously this isn't how things should be, so I'm still trying to put things back to "normal" without ScriptDefender for now. When they are I can think about reinstalling it and adding in extensions.

    Any ideas on how to do that?

    By the way, I take FULL responsibility for this situation, as I usually enable ShadowDefender to test things, especially after your warnings, but when I started testing D7 I didn't for some reason!

    Still v.3.4.4 Beta here - http://www.majorgeeks.com/D7_d6954.html - Guess it'll update soon!

    Great :thumb:

    You mean totally close, or just cancel operations pertaining to the ScriptDefender Reg things, & then carry on?

    Thanks, & for a speedy update etc. too :) I'll look forward to testing the new V soon, but with ShadowDefender enabled this time :D Before that though, I need to fix ALL the Associations in the OS!

    Regards
     