MJ Registry Watcher

Discussion in 'other anti-malware software' started by Graphic Equaliser, Nov 13, 2004.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I want to try it again:thumb: as a reg watcher MJ did way better than the new winpatrol when I tested them:thumb:
    I will see if I can terminate this baby:)
     
  2. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    RegWatcher.exe seems to start up all right, but arwwdwin.exe doesn't start. I get this dialog which keeps popping up, even after I click OK.
    Windows XP SP3
     

    Last edited: Jun 5, 2010
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    same error here in xp home service pack 2
     
  4. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Sorry about that :oops: A corrected version has been uploaded. Please download again. :gack:
     
  5. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    Once again, great job! :D

    I tried to kill either process using Task Manager and it comes back in just a second or so. Simple but very effective way to protect the app. RegWatcher is still a tool that comes in very handy...
     
  6. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Works just fine with the new version of arwwdwin.exe. It's a little bit bigger than the old one. Wonder what the difference could be? :)
     
  7. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    Alan, I had compiled arwwdwin.exe with a Borland C++ Builder switch on to "Build with Runtime Packages", which makes a smaller .exe file at the expense of requiring a run-time library vcl50.bpl to be on the path. On the PC I develop MJRW with, this library is available, but obviously not on most PCs, since it is part of the Borland C++ Builder developer environment. I just switched "Build with Runtime Packages" off and recompiled it, yielding a larger .exe file with the library routines included in the resultant .exe, rather than externally. Hope that explains what happened for you. Regards,
     
  8. Alan Baxter

    Alan Baxter Registered Member

    Joined:
    Mar 14, 2007
    Posts:
    35
    Thank you for the informative explanation, Mark. I figured something like that was the case -- hence the smiley in the last post. I mentioned it to a friend of mine yesterday who's a Delphi developer. He said: "I can send you a copy of the missing file." I thanked him but said you were pretty good about fixing stuff like this promptly. :D
     
  9. mcochran

    mcochran Registered Member

    Joined:
    Jun 28, 2010
    Posts:
    1
    Mark, I thought you would like to know that RegWatcher.exe alerted me to the "AV Security Suite" malware as it triggered RegWatcher pop-ups as it tried to modify LAN proxy and home page settings on my son's computer. Because it was not able to dig in too deeply it was easy to remove.
    Thanks again
    marty
     
    Last edited: Jun 29, 2010
  10. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    423
    Location:
    London England UK
    That's nice to know Mr. Cochran. There is a lot of AV freeware/shareware that actually harms your PC more than it protects it. MJRW stopped a nasty coming aboard my home PC as I was releasing 1.2.7.1, while my daughter was surfing facebook. Faceache (as I call it!) is riddled with cleverly-disguised nasties just waiting for your approval to infect your PC. MJRW spotted the autorun entries being made and rejected them. It also gave me the full path to where they were located so I could easily quarantine them and send them to virustotal.com for analysis.

    However, MJRW is also dangerous enough to warrant using its "Backup Registry" option at least once a month. For example, I was allowing Adobe Flash Player update to proceed, but MJRW reported these :-

    =======================================================
    ** Thursday 24/6/2010 13:58:32 **
    Launched firefox.exe[2172]
    getPlusPlus_Adobe.exe[2484]
    dllhost.exe[3008] « svchost.exe[992] « services.exe[784] « winlogon.exe[740] « smss.exe[660] « System[4] « [System Process][0]
    svchost.exe[3984] « services.exe[784] « winlogon.exe[740] « smss.exe[660] « System[4] « [System Process][0]
    wmiprvse.exe[3788] « svchost.exe[992] « services.exe[784] « winlogon.exe[740] « smss.exe[660] « System[4] « [System Process][0]
    =======================================================
    ** Thursday 24/6/2010 13:58:36 **
    Security Settings
    Registry Key hkey_local_machine\software\microsoft\windows nt\currentversion\svchost
    Value getPlusHelper (M) will be a new value with data
    getPlusHelper 
    =======================================================
    ** Thursday 24/6/2010 13:58:52 **
    Change Rejected
    =======================================================
    ** Thursday 24/6/2010 13:58:52 **
    Security Settings
    Registry Key hkey_local_machine\software\microsoft\windows nt\currentversion\svchost
    Subkey getPlusHelper has been added
    =======================================================
    ** Thursday 24/6/2010 13:58:54 **
    MJRW Quarantined Subkey getPlusHelper
    =======================================================
    ** Thursday 24/6/2010 13:58:55 **
    Low-level Drivers and Services
    Registry Key hkey_local_machine\system\ControlSet001\services
    Subkey getPlusHelper has been added
    =======================================================
    ** Thursday 24/6/2010 13:58:58 **
    MJRW Quarantined Subkey getPlusHelper
    =======================================================
    ** Thursday 24/6/2010 13:58:58 **
    Launched wmiprvse.exe[3636] « svchost.exe[992] « services.exe[784] « winlogon.exe[740] « smss.exe[660] « System[4] « [System Process][0]
    =======================================================
    ** Thursday 24/6/2010 13:59:03 **
    Security Settings
    Registry Key hkey_local_machine\software\microsoft\windows nt\currentversion\svchost
    Value HTTPFilter (M) wants to change from
    HTTPFilter  
    to
    No Data.
    Value LocalService (M) wants to change from
    Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV  
    to
    No Data.
    Value NetworkService (M) wants to change from
    DnsCache  
    to
    No Data.
    Value netsvcs (M) wants to change from
    6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility
    HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation
    Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes
    TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc
    WmdmPmSN napagent hkmsvc  
    to
    No Data.
    Value DcomLaunch (M) wants to change from
    DcomLaunch TermService  
    to
    No Data.
    Value rpcss (M) wants to change from
    RpcSs  
    to
    No Data.
    Value imgsvc (M) wants to change from
    StiSvc  
    to
    No Data.
    Value termsvcs (M) wants to change from
    TermService  
    to
    No Data.
    Value eapsvcs (M) wants to change from
    eaphost  
    to
    No Data.
    Value dot3svc (M) wants to change from
    dot3svc  
    to
    No Data.
    =======================================================
    ** Thursday 24/6/2010 13:59:03 **
    Change Auto-Rejected
    =======================================================

    I had put MJRW into reject mode since I really could not see any reason for an Adobe product to be changing svchost keys in the registry, especially blanking them all out with "No data". These alerts kept happening every couple of seconds until I rebooted the PC, at which point I had lost those svchost keys for good. There was no LAN network service and the office domain was no longer available. Rather than typing in all those values by hand, and the subkeys still wouldn't be right, I restored an MJRW registry backup from a couple of weeks back, and the system was right as rain again. And that's Adobe! Jeez!
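The svchost values in the alert above (netsvcs, LocalService and so on) are the lists Windows uses to decide which services run inside each svchost.exe host, so blanking them is exactly the kind of change worth triaging from the MJRW log before accepting it. The script below is an added example, not part of this thread or of MJRW: it parses the log layout seen in the excerpt above ("** timestamp **" headers, "Registry Key", "Value X (M) wants to change from ... to ...", with old data possibly wrapped over several lines) and lists every svchost group value a pending change would set to "No Data."; the log text is a constructed sample modelled on that excerpt, and the layout assumptions come only from it.

```python
import re

# Constructed sample modelled on the MJRW alert excerpt quoted in this thread (not a real capture).
SAMPLE_LOG = r"""=======================================================
** Thursday 24/6/2010 13:59:03 **
Security Settings
Registry Key hkey_local_machine\software\microsoft\windows nt\currentversion\svchost
Value LocalService (M) wants to change from
Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
to
No Data.
Value netsvcs (M) wants to change from
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc
HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation
to
No Data.
======================================================="""
SVCHOST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\svchost"
TS_RE = re.compile(r"^\*\* (.+?) \*\*$")
VALUE_RE = re.compile(r"^Value (\S+) \(\w\) (wants to change from|will be a new value with data)$")

def parse_mjrw_log(text):
    """Split an MJRW log into timestamped events: {"when", "key", "changes": [(name, old, new)]}."""
    events, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := TS_RE.match(line):
            events.append(cur := {"when": m.group(1), "key": "", "changes": []})
        elif cur and line.startswith("Registry Key "):
            cur["key"] = line[len("Registry Key "):].lower()
        elif cur and (m := VALUE_RE.match(line)):
            name, old = m.group(1), None
            if m.group(2).startswith("wants"):  # old data may wrap over several lines, up to a bare "to"
                i += 1; parts = []
                while lines[i] != "to":
                    parts.append(lines[i]); i += 1
                old = " ".join(parts)
            i += 1  # the line after "to" (or after the "new value" header) holds the new data
            cur["changes"].append((name, old, lines[i]))
        i += 1
    return events

def svchost_group_wipes(events):
    """Flag svchost service-group values that a pending change would blank out ('No Data.')."""
    return [(ev["when"], name) for ev in events if ev["key"] == SVCHOST_KEY
            for name, old, new in ev["changes"] if old and new == "No Data."]
```

Run against a saved MJRW log instead of SAMPLE_LOG to get the list of group values you would need to restore from a registry backup if such a change slipped through.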
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks;)
     