Google Maps fix for RegistratorViewer (Windows)

Hi all, sorry for my long absence. I will be back for a short while.

I have updated the Leaflet API (OSM). I have removed all the invalid layers as they now require an API key (thus giving the errors).

Please try out the latest version below and provide me feedback. Leaflet and Google Maps should be functional with no errors.

https://www.dropbox.com/s/hcfyx7nkv3svbvx/RegistratorViewer_v.6.0.0.22b.zip?dl=0

Keep note that IF you change the filename of the RV executable, it will also need to reflect on the regedit entry.


Hello flip9,
Excellent work, Google Maps and Leaflet maps are working without script errors at all!!! I would like to buy you a beer, please give me your PayPal email address.
 
WTF!!!
I've just had something very suspicious happen a few minutes ago whilst running the unmodded version of Registrator Viewer v.6.0.0.22 (with reg fix).
I started the program as usual, but it displayed various script errors different from the usual ones we've been experiencing (I can't remember what they were) and then suddenly my PC blasted out a long audio advert about how to become a millionaire!
I closed Registrator Viewer v.6.0.0.22 and the audio stopped... on opening it back up again there were no comments about scripts displayed and it ran as normal.
Has anyone else experienced this... is there something sinister buried in the code of Registrator Viewer that we don't know about?
 
Just ran my version (same as yours with reg fix) and nothing like that happened. Seems to be running properly.
 
I ran it again and again and nothing strange happened... and then suddenly out of the blue another web page error popped up and then a script error pointing at a domain eu.aldaniti.net which is a marketing company!
Without doubt there's something hidden inside Registrator Viewer v.6.0.0.22.
Does anyone know the executable packer that Registrator Viewer uses, as I've failed to get into it... I did read somewhere it was of Vadim Kozlov's own design.
 
It's pulling down this JavaScript... perhaps someone who's competent in Java programming can tell us more?
My basic knowledge of scripting makes me think this script is attempting to fire up various media players in the background to stream stuff :oops:
 

Attachment: dotaAll.zip (10.4 KB)
Oh crap... I've now had Registrator Viewer pop up half a dozen windows attempting to connect to lots of different scripts hosted by eu.aldaniti.net :unsure:
 
Okay, I'm giving Registrator Viewer v.6.0.0.22b a bash, but the code is essentially the same apart from a few tweaks to accommodate the changes with the Google Maps API.
When I have a mo I'll fire up Microsoft Network Monitor to see what's going where on the net.
 
I've run a few tests on a manky old XP machine that I have in the workshop for testing stuff on.
Most of the time the original Registrator Viewer v.6.0.0.22 is sending out requests to IP number: 37.48.65.143
This IP number resolves to: update.registratorviewer.com
However the original Registrator Viewer v.6.0.0.22 also appears to randomly (on executing) send out shed loads of requests to IP number: 109.201.133.56
This IP number resolves to: survey-winner.com
So I think I've found the answer to my question... it does have some nasties hidden in its code :(
Registrator Viewer v.6.0.0.22b appears to only send requests to registratorviewer.com although it doesn't appear to run properly under XP so I'll try running a similar test on a Windows 10 PC asap.
 
Well... well... well... Registrator Viewer v6.0.0.22 and v6.0.0.22b suddenly spat out a whole pile of calls to various dodgy IP numbers.
It appears that rebooting your system triggers Registrator Viewer's dodgy behaviour!
Here's a sample of some of the IP numbers it communicated with...
5.135.228.231 = www.aldanitinetwork.com
51.254.146.18 = www.aldanitinetwork.com
69.172.200.185 = Error holding page
95.211.196.120 = www.online-casino-bingo.co.uk or survey-prize.com
95.211.219.67 = Dead
34.237.217.112 = "Could not find target for this domain" error.
109.201.133.54 = survey-winner.com
151.101.17.147 = GitHub page error
I've just tested Registrator Viewer v6.0.0.8 and it's worse than v6.0.0.22, initially pumping out 12 IP numbers connected to dodgy websites!!!
If someone else has a moment could they run some tests on Registrator Viewer as it appears it may be a big malware engine or harvesting personal information :eek:
 
Here's a sample of what RV v6.0.0.8 spat out... some are links to map services, but the rest are very suspicious.
That's enough for the moment... bed time :)
 
I've just remembered that back in 2014 RV was triggering virus and malware warnings for many users... perhaps there was a good reason why this was happening?
 
@flip9 is the only one I know that has done any poking around with RV that might have some ideas
 
Something is happening for sure. Earlier today RV was working just fine but in the last few minutes Norton Security has been blocking intrusion activity.
 
The RV website was offline for a while but someone put it back up with a bunch of different links. There's always a chance that whoever took control of that isn't doing the right thing with it when the program calls home to check for updates.
 
It looks like the expired RV domain is now pointed to a string of ad pages :mad:

So every time the program executes a line of code which links to RV.com, it will resolve as ads instead.

I did not notice it because my router has the MVPS hosts file loaded which stops these ad sites from resolving in my network.

Not sure what to do at this point, I can only change certain bits of the program.

@DeLorean can you try setting the Maps window to None, and see if it still tries to resolve those ads?
 
It appears that RV may be pulling a script from on-line (possibly registrationviewer.com) which could be triggering all this activity.
I've had a quick HEX poke through RV.exe but didn't see anything obvious as most of the RV.exe is packed.
flip9 I’ll try a few more things asap and get back to you.
 
Humm... after a quick check... RV.exe is also linking to a second domain ww1.registratorviewer.com which resolves to a domain holding page.
It's also now communicating with 9145.searchmagnified.com.
The sites it's linking to appear to be changing regularly so I can only assume it must be pulling a script up from somewhere but I haven't found where yet :confused:
 
The program used to call home to check for updates. I'm guessing whoever is controlling the domain has redirected those requests to serve some other purpose.
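
An added example, not part of any post in this thread and not code from Registrator Viewer: the hosts-file mitigation mentioned above (the MVPS list stopping these sites from resolving), applied to the hostnames reported in the thread. The function names and the `0.0.0.0` sink address are choices made for this sketch, and the sample hosts content is constructed.

```python
import re

# Hostnames named in the posts above. The hosts file has no wildcard syntax,
# so every subdomain the program contacts has to be listed individually.
OBSERVED_HOSTS = [
    "registratorviewer.com", "update.registratorviewer.com",
    "ww1.registratorviewer.com", "eu.aldaniti.net", "www.aldanitinetwork.com",
    "survey-winner.com", "survey-prize.com", "9145.searchmagnified.com",
]

HOSTNAME_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def mapped_names(hosts_text):
    """Return the lower-cased hostnames that already have an active entry."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()       # drop comments, split on whitespace
        names.update(f.lower() for f in fields[1:])  # fields[0] is the address
    return names

def add_blocks(hosts_text, hostnames, sink="0.0.0.0"):
    """Return (new_text, added): hosts_text plus sink entries for unmapped names."""
    known = mapped_names(hosts_text)
    added = []
    for raw in hostnames:
        name = raw.strip().lower().rstrip(".")
        # Reject anything that is not a plain hostname, so a crafted list
        # cannot smuggle whitespace or a newline (an extra entry) into the file.
        if len(name) > 253 or not HOSTNAME_RE.fullmatch(name):
            raise ValueError(f"not a hostname: {raw!r}")
        if name not in known:                        # idempotent: skip existing entries
            known.add(name)
            added.append(name)
    if not added:
        return hosts_text, added
    body = hosts_text if hosts_text.endswith("\n") or not hosts_text else hosts_text + "\n"
    return body + "".join(f"{sink} {name}\n" for name in added), added

if __name__ == "__main__":
    # Constructed sample standing in for an existing hosts file.
    sample = "127.0.0.1 localhost\n0.0.0.0 Survey-Winner.com  # already blocked\n"
    text, added = add_blocks(sample, OBSERVED_HOSTS)
    print(text, end="")
```

Sinking `update.registratorviewer.com` also stops the program's own update check, and hosts entries only affect name lookups, so a connection made straight to an IP address is not covered.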
 