Registry Monitor comparison

Discussion in 'other anti-malware software' started by hojtsy, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    MJ RW undoes the change before alerting you that something tried to change the key. You can then opt to redo the change (accept it).

    I opted to do it that way, so that if a trojan is installed that changes the registry, and then reboots the PC to stop the monitor's popup from appearing, the registry will already have been restored by the monitor, if it manages to do a scan before the reboot occurs. It refreshes at 5-second intervals, so the trojan would have to be fairly snappy (a system reboot notification message takes at least a couple of seconds to complete).

    Graphic
     
  2. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Ahh, tabulation is bad again in post #1. :( I wish the forum engine would support tables.

    May I suggest submitting the suspect files to http://www.virustotal.com/xhtml/index_en.html. The site scans with the newest versions of the 10 most popular antivirus engines (Symantec, NOD, Kaspersky, etc.) and then displays the result. It also submits the viral file to all 10 antivirus companies - it seems a fast and easy way to fight back against the bad guys.
    Sorry, no docs. I do not really have time for that.
    The List is in post #1.

    -hojtsy-
     
  3. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    OK, I got your response ref combak and usrbak. The question is, do they stay as start up items or can I remove them from the start up list? They contain duplicates of other start up items; PG, SG, RW, Task manager. Can I just remove those items from the folder? o_O
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    While MJ Registry Watcher is *NOT* running, you can do what you like with these directories. If it is running, then leave them alone.

    Graphic
     
  5. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    Should you exit from WinPatrol, RW and Tea Timer when you install or uninstall another program? Any other programs to exit from? I have PG, Spywareguard, Spywareblaster and of course an AV and a firewall.
     
  6. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    I was putting RW in a startup folder. Do I need to do that or does it work in the background like Spywareblaster and alerts you whenever there is a change to the registry?
     
  7. mountainman

    mountainman Guest

    I always shut down all running programs via Ctrl/Alt/Delete before I install any new program. The only things that are recommended to keep running are Explorer and Systray. If you aren't certain the program is safe to install then you shouldn't be installing it in the first place.
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    What other program? If it's not making changes to those parts of the Reg that are being monitored, it is irrelevant.

    If it is, you can just click to accept the change. If it's a big thing like a new Service pack etc, then switch off the monitor first, if you wish.
     
  9. jon_fl

    jon_fl Registered Member

    Joined:
    Sep 4, 2004
    Posts:
    242
    I was referring to installing or uninstalling software that makes registry changes, and whether I should exit the registry monitors and PG.
     
  10. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Jon, you don't need to switch off registry monitors. I don't switch off RW when I install something new, and it's nice to see the alerts to tell me what's going on. If you're not so technically-minded, then exit the monitors before you start an installation.

    RegWatcher.exe should be placed in a folder you create for it (make one somewhere and call it what you like). Then add a shortcut to this executable into your Program Files Startup directory so that it starts at bootup. It will sit in the system tray checking the 52 keys every 5 seconds. To exit the monitor, right-click the tray icon (a padlock) and choose Exit.

    Graphic
     
  11. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I mentioned this in another thread, but I think it is well worth mentioning here also. Last week, it appears that there were conflicts between different registry monitors that were active on my system. This included BOClean, Giant (which monitors the registry), Prevx (which also monitors the registry), ZoneAlarm, KAV 4.5.104, and Process Guard. MJ Registry Watcher was also on for a short time during the week preceding last week. It is not clear when the problems began to develop, since they became more apparent over a week's time.

    Some time during this period, my registry was corrupted and my guess is that one or more of these programs stepped on each other as their different algorithms for managing programs and registry entries became entangled.

    I tried several measures that in the past helped me recover to a stable state, but nothing worked this time, so I had to completely re-install XP and all the programs that I need, including the data. Luckily, all data was accessible for a backup before I had to re-install.

    Since I have seen similar situations on this forum over the past several months, I would highly recommend that anyone seeking to install a set of security programs - especially if they are newly released versions - have a good image copy of their system available so that recovery is straightforward. At this time I have KAV 4.5, BOClean, and ZoneAlarm running - all are very stable - until I get an image copy procedure in place. It has also been difficult verifying which image copying program is reliable. I think I will purchase one that runs under DOS. This is probably the safest way to go.

    Regards,
    Rich
     
  12. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Graphic,

    I thought you were going to be stopping at MJRW version 1.1.2.1. :D

    Glad to see you've had extra time for additional development. Just installed 1.1.4.1, and it's way cool. Keep up the good work! :cool:

    I'm dying to see what's coming in v1.1.5.1. :D
     
  13. steverio

    steverio Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    161
    I'll second that!
     
  14. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I updated post #1 with a draft feature summary for the applications.
    But it is hard to keep pace with MJ: he added 2 new keys again, which is currently not on The List. :D

    HKLM\system\CCS\services\vxd
    See these trojans reports about using this key:
    backdoor.smorph
    donaldd.trojan.c

    HKU\.default\SW\MS\internet explorer\extensions\cmdmapping
    See this report about trojans using this key:
    ebates moneymaker

    Good work. I will soon put hotlinks on every regkey in post #1 linking to a trojan report using that key.

    -hojtsy-
     
  15. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    It will be a while coming, but, thanks to Hojtsy's links about my new keys, I realise that the services\VxD one ought to be duplicated, but with an asterisk in front of it, so it catches additions and deletions of subkeys under it. That, along with new keys as they arise, will probably be the changes coming up in 1.1.5.1.

    However, I did think about an idea to just restore a single branch of the registry from the registry backup RW makes. That may mean another button, "Restore", which prompts for a key name. The .reg file RW produces is in Unicode format, something I've had to work with for a Hebrew HTML survey we got a contract for at work. The wildcard idea is fading, because giving people the wherewithal to monitor their entire registry would throw up so many alerts per second, it could wreck the darned thing. No, I'll stick with this restore idea, and keep my eyes peeled for any more keys to monitor.

    Hojtsy, thanks for the helpful links on where keys are employed by certain trojans. A definitive list would be an absolute Godsend, but it will take a lot of work. Good luck, and I will keep you informed of any new keys I discover which you haven't covered.

    Best regards everyone,
    Graphic ;)
     
  16. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    New keys are coming. Have fun: :)

    1 2 3 4 5 6 7 8 9
    S R P R T S G W M
    M P G R T S R P J
    - - - - - - - - - ¦ HKLM\SW\MS\Windows\CV\Explorer\Advanced link
    - - - - - - - - - ¦ HKLM\SW\MS\Windows\CV\app management\arpcache\ link
    - - - - - - - - - ¦ HKCU\SW\MS\Internet Explorer\Toolbar
    - - - - - - - - - ¦ HKLM\SW\MS\Internet Explorer\Toolbar link
    - - - - - - - - - ¦ HKLM\SW\MS\Internet Explorer\Toolbar\WebBrowser
    - - - - - - - - - ¦ HKLM\SW\MS\Internet Explorer\Explorer Bars\ link
    - - - - - - - - - ¦ HKLM\SW\MS\Internet Explorer\MenuExt\
    - - - - - - - - - ¦ HKLM\SW\MS\Internet Explorer\Main\ link
    - - - - - - - - - ¦ HKLM\SW\MS\Internet Explorer\Search\ link
    - - - - - - - - - ¦ HKLM\SW\MS\Internet Explorer\SearchUrl\
    - - - - - - - - - ¦ HKLM\SW\MS\Internet Explorer\Styles
    - - - - - - - - - ¦ HKCU\SW\MS\Internet Explorer\extensions\cmdmapping link
    - - - - - - - - - ¦ HKLM\System\CCS\Control\Session Manager\KnownDLLs link
    - - - + - - - - - ¦ HKCU\Control Panel\Desktop\scrnsave.exe link
    - - - - - - - - - ¦ HKEY_CLASSES_ROOT\Protocols\Filter link
    - - - - - - - - - ¦ HKLM\SW\Classes\Protocols\Filter link
    - - - - - - - - - ¦ HKCU\SW\MS\Command Processor\AutoRun link
    - - - - - - - - - ¦ HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices link

    -hojtsy-
     
  17. Jack Black

    Jack Black Guest

    I have a question(s) I didn't see discussed here (unless I missed it- this is one long thread :) ).

    Let's say I use MJRW (or one of the other reg monitors) to watch the keys Hojtsy is compiling. Are there any applications that will make a legitimate change to any of the listed keys in this thread? Or can I expect malware to be the only thing(s) that would be making any changes to Hojtsy's listed keys?

    In other words will I ever get a pop up notification while using MJRW that's ok to allow because it is a change that is safe to allow? Any ideas what programs might make a change to Hojtsy's listed keys that are safe to allow? I just don't want to deny a reg change that could be necessary for a program to function properly. Thanks.
     
  18. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    :(
    Judging by the way these trojans create new subkeys, I think 1.1.5.1 of RW should abandon the asterisk prefix, and check both values and subkeys for the specified keys in the list. This is tricky, but I think it will be worth it. For example, hkey_local_machine\system\currentcontrolset\services\vxd can load device drivers from either itself or any subkeys it has. Hence I need to monitor both the values and subkeys for this. Version 1.1.4.1 would require 2 entries in the key list (one with an asterisk and one without) to accomplish this monitoring. I think v1.1.5.1 should do both for each key in the list, thereby making the use of asterisk obsolete. Any objections?

    Graphic
     
  19. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Good idea!

    Thanks,

    Chris
     
  20. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Jack Black,

    Registry monitors can alert you to legitimate changes that are going on. For example, if you were installing some new hardware or software, and MJRW was running, it would pop up several times to prompt you as to whether to accept the proposed change or not. If I know the software I'm installing is OK, I will stop MJRW from monitoring until installation has completed (using the Stop button).

    Having said that, I did have MJRW pop up on me when I was using IE to download a file. I navigated to a different directory than usual and downloaded it there. MJRW popped up to ask me whether I wanted the registry key that stores the default download directory for IE to change to the new directory, and I declined. In this instance, it was beneficial for me to have MJRW pop up, but that probably won't always be the case.

    Another example is when you launch a program that requires a service to be running, like WCPUID which comes up with this in MJRW :-

    Registry Key *hkey_local_machine\system\currentcontrolset\services
    Subkey NRKCTL32 has been added

    when it is started (and similarly deleted when ended).

    Graphic :)
     
  21. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Re: MJ Registry Watcher

    Hello..
    I too have problems with Registry Watcher and an application, namely BOClean. They don't get on well at all on my system (98SE). I know Registry Watcher was made for XP, so it's possibly that. However, the conflict between Registry Watcher and BOClean is severe on my system and stops BOClean actually loading, with a "critical data file missing" popup. See attach. The conflict happens on reboot. Any comments appreciated.
    ellison
     

  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    @Graphic - Many thanx for 1.1.4.1.

    @ALL RegWatcher fans -- I think we should start posting news of RegWatcher changes to Wilder's update forum. I just did so HERE.

    I hope that other RW fans will also ensure that update news gets posted there -- I am often absent for a day or so, or else have one of my *senior moments* ^_^
     
  23. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    See post #1 for trojan report links on almost every included reg key. Maybe it will convince some software authors? ;)

    Ahh, so that's why you have both "*hkey_local_machine\system\currentcontrolset\services" and "hkey_local_machine\system\currentcontrolset\services"! But the already included "*hkey_local_machine\system\currentcontrolset\services" covers subkeys of vxd, doesn't it? Then why do you need the vxd entry at all?!
    Sorry, but I have to object. I expect to include reg keys such as "HKEY_USERS" which have very deep subtrees, but I only want the main key watched - for example, to detect creations of new users, in this case. So, if you are making subtree monitoring the default behaviour, then please provide the option to disable this for specific entries.

    How about changing the meaning of the asterisk so that "*hkey_local_machine\system\currentcontrolset\services\vxd" monitors both itself and its subkeys, and then putting an asterisk on selected entries.

    I have one more improvement idea:
    - Define a special character to indicate that the key should be watched in all subtrees of HKEY_USERS. That would be better than HKCU.

    -hojtsy-
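    A minimal snapshot-and-diff core for the asterisk convention debated in posts 18, 20 and 23, written here as an added example (not MJRW's own code): a plain entry reports value changes only, a "*" entry additionally reports added or deleted immediate subkeys and never recurses deeper. The key paths, value names and the NRKCTL32 / SID subkeys in the snapshots are constructed sample data, not real registry reads.

```python
# Polling registry watcher core (added example, not MJRW's code). A snapshot maps a
# key path to {"values": {name: data}, "subkeys": {immediate subkey names}}; one
# polling pass diffs the previous snapshot against the current one and yields the
# alert text a user would see. Only immediate subkeys are compared (no recursion).

def parse_entry(entry):
    """Split a watch-list entry into (key_path, watch_subkeys) per the '*' convention."""
    return (entry[1:], True) if entry.startswith("*") else (entry, False)

def diff_key(key, watch_subkeys, before, after):
    """Return MJRW-style alert strings for one key; [] if nothing changed."""
    alerts = []
    old, new = before.get(key, {}), after.get(key, {})
    ov, nv = old.get("values", {}), new.get("values", {})
    for name in sorted(set(ov) | set(nv)):          # values are always watched
        if name not in nv:
            alerts.append(f"Registry Key {key}\nValue {name} has been deleted")
        elif name not in ov:
            alerts.append(f"Registry Key {key}\nValue {name} has been added")
        elif ov[name] != nv[name]:
            alerts.append(f"Registry Key {key}\nValue {name} has been changed")
    if watch_subkeys:                                # subkeys only for '*' entries
        os_, ns = old.get("subkeys", set()), new.get("subkeys", set())
        alerts += [f"Registry Key *{key}\nSubkey {s} has been added" for s in sorted(ns - os_)]
        alerts += [f"Registry Key *{key}\nSubkey {s} has been deleted" for s in sorted(os_ - ns)]
    return alerts

def scan(watch_list, before, after):
    """One polling pass: diff every watch-list entry and collect the alerts."""
    alerts = []
    for entry in watch_list:
        alerts += diff_key(*parse_entry(entry), before, after)
    return alerts

WATCH_LIST = [r"HKLM\SW\MS\Windows\CV\Run", r"*HKLM\System\CCS\services", r"*HKU"]

# Constructed snapshots: a new Run value, the WCPUID service subkey quoted in the
# thread, and a new user hive appearing under HKU (no deeper change is present).
BEFORE = {
    r"HKLM\SW\MS\Windows\CV\Run": {"values": {"ctfmon": "ctfmon.exe"}, "subkeys": set()},
    r"HKLM\System\CCS\services": {"values": {}, "subkeys": {"Dhcp", "Tcpip"}},
    r"HKU": {"values": {}, "subkeys": {".DEFAULT", "S-1-5-21-111"}},
}
AFTER = {
    r"HKLM\SW\MS\Windows\CV\Run": {"values": {"ctfmon": "ctfmon.exe", "updater": r"C:\TEMP\upd.exe"}, "subkeys": set()},
    r"HKLM\System\CCS\services": {"values": {}, "subkeys": {"Dhcp", "Tcpip", "NRKCTL32"}},
    r"HKU": {"values": {}, "subkeys": {".DEFAULT", "S-1-5-21-111", "S-1-5-21-222"}},
}

if __name__ == "__main__":
    print("\n\n".join(scan(WATCH_LIST, BEFORE, AFTER)))
```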
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I just posted version 1.2.1.5 of a much improved RegWatcher on my website at http://www.jacobsm.com/index.htm#sft

    It checks the subkeys for additions and deletions, as well as changes to any values for each key. It has some nice new touches, including silent running modes! Hope you like it.

    P.S. It now has a default set of 70 keys including Hojtsy's new ones.

    Graphic ;)
     
  25. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Hojtsy,
    MJRW does not recurse keys. See above message for how it works now. It is much better than before.

    Graphic
     