Google Maps fix for RegistratorViewer (Windows)

If you visit rv.com in a private browser window it will automatically forward to random ad pages.

It doesn't always load an ad though; the next visit went to an index page of dashcam-related spam links.
 
Okay... found the problem... it's quite obvious and simple once you analyse the data coming from RV.exe.
It's the domain www.registratorviewer.com that's causing all the issues.
RV uses IE extensively, and www.registratorviewer.com is now pumping out adverts etc., and IE within RV is attempting to display these adverts.
As the domain is getting hammered, RV.exe/IE will most often just see a "Too many requests" response, so nothing happens.
However, if RV.exe/IE is able to hook up with www.registratorviewer.com, up come the adverts.
So going back to my first comment... that's why I could hear adverts suddenly blasting from my PC... IE running in RV was doing it!
www.registratorviewer.com has been turned against us... everyone who earlier was commending whoever picked up the domain as a saviour may wish to change their opinion now :p
As security and protection in IE is almost non-existent, your PC could be at risk if you keep using RV.exe :cry:
 
If you visit rv.com in a private browser window it will automatically forward to random ad pages.

It doesn't always load an ad though; the next visit went to an index page of dashcam-related spam links.

You beat me to it by a couple of seconds :giggle:
 
RV uses IE to load the maps window, which is HTML/JS. That's why I asked you to turn off the maps and see if it still tries to resolve the ads.

I definitely know certain pages like error/help pages are hosted on RV.com. I am editing what I can now and replacing RV.com with google.com
 
Blocking access to www.registratorviewer.com should protect you... hopefully with a bit of modding the links to www.registratorviewer.com can be removed from RV.
While I'm working on a more proper fix, to block RV.com in Windows:

1) Go to C:\Windows\System32\drivers\etc
2) Edit the HOSTS file in Notepad and
3) Add the entries:
Code:
127.0.0.1 update.registratorviewer.com
127.0.0.1 www.update.registratorviewer.com
127.0.0.1 registratorviewer.com
127.0.0.1 www.registratorviewer.com
127.0.0.1 googleadapis.l.google.com

4) Save
5) Restart the machine, or open a command prompt and type ipconfig /flushdns
6) Now try visiting RV.com; if an error page comes up then it has been successfully blocked.
 
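The six hosts-file steps above as a script, added here as an example; it is not part of the original post. Run it from an elevated PowerShell prompt. It keeps a backup, skips names already present, flushes the resolver cache, and then checks each name with Resolve-DnsName, which does read the hosts file. Two things differ from the post and are my own choices: it uses 0.0.0.0 rather than 127.0.0.1 as the sink address (so a blocked name never lands on a listener running on your own machine), and it adds an optional Windows Firewall rule for the two raw IP addresses mentioned later in the thread, because a hosts entry only affects name lookups and cannot stop RV.exe connecting straight to an IP. The RV.exe path in that last step is an assumption; adjust it to wherever your copy lives.

```powershell
# Added example (not from the forum post): scripted hosts-file block plus a
# verification step. Run from an elevated PowerShell prompt (Windows
# PowerShell 5.1 or PowerShell 7 on Windows).
#Requires -RunAsAdministrator

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$sinkhole  = '0.0.0.0'   # my choice; the post uses 127.0.0.1

# Names exactly as listed in the post (googleadapis.l.google.com reproduced as written).
$domains = @(
    'update.registratorviewer.com',
    'www.update.registratorviewer.com',
    'registratorviewer.com',
    'www.registratorviewer.com',
    'googleadapis.l.google.com'
)

# 1. Keep a timestamped backup so the change can be reverted.
$backup = '{0}.{1}.bak' -f $hostsPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $hostsPath -Destination $backup -Force

# 2. Append only the names that are not already mapped by an active (uncommented) line.
$existing = @(Get-Content -LiteralPath $hostsPath -ErrorAction Stop)
$newLines = foreach ($d in $domains) {
    $pattern = '^\s*[0-9A-Fa-f:.]+\s+' + [regex]::Escape($d) + '(\s|$)'
    $alreadyThere = @($existing | Where-Object { $_ -match $pattern }).Count -gt 0
    if (-not $alreadyThere) {
        "{0}`t{1}`t# RV block {2}" -f $sinkhole, $d, (Get-Date -Format 'yyyy-MM-dd')
    }
}
if ($newLines) {
    Add-Content -LiteralPath $hostsPath -Value $newLines -Encoding ASCII
}

# 3. Flush the resolver cache (same effect as "ipconfig /flushdns").
Clear-DnsClientCache

# 4. Verify: Resolve-DnsName consults the hosts file, so each name should now
#    answer with the sinkhole address and nothing else.
foreach ($d in $domains) {
    try {
        $answers = @(Resolve-DnsName -Name $d -Type A -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' } |
                     ForEach-Object { $_.IPAddress })
    } catch {
        $answers = @()
    }
    $blocked = ($answers.Count -gt 0) -and
               (@($answers | Where-Object { $_ -ne $sinkhole }).Count -eq 0)
    $status  = if ($blocked) { "BLOCKED -> $sinkhole" } else { "NOT BLOCKED ($($answers -join ', '))" }
    '{0,-36} {1}' -f $d, $status
}

# 5. (Optional) A hosts entry cannot stop a connection made directly to an IP
#    address, such as the two raw IPs reported later in the thread. Block those
#    for RV.exe with a firewall rule. The exe path is an ASSUMPTION; adjust it.
$rvPath   = 'C:\Program Files\RegistratorViewer\RV.exe'   # assumed location
$ruleName = 'Block RV.exe ad servers'
if ((Test-Path -LiteralPath $rvPath) -and
    -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $rvPath `
        -RemoteAddress '37.48.65.153', '208.91.196.145' -Action Block | Out-Null
    "Firewall rule '$ruleName' created for $rvPath"
}
```

Re-run the script after any RV update: step 2 is idempotent, so it will only append names that are missing, and step 4 tells you immediately if something (an AV product, a later edit) has undone the block.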
I've spent many hours trying to get to the bottom of this RV problem :unsure:
I've removed every link/URL/IP I can find in RV that attempts to connect to any sites apart from map providers, and still it acts hostile.
I have a very strong suspicion that RV has some encrypted IP addresses or URLs coded into it.
Almost immediately after RV is run it always attempts to connect to the following IP numbers:
37.48.65.153
208.91.196.145
These IP numbers host all the advertising rubbish we're seeing and lead to other scripts running and pulling other crap off the net or firing up additional pages.
As IE is about as secure as a wet paper bag, it's allowing many of these scripts to execute.
It could be these IP numbers were originally benign, or they were left as a safeguard to end RV's life should something happen... which unfortunately it did :(
Any ideas would be very welcome, as without the source code I'm a little lost as to what to do next :rolleyes:
 
It turns out that Registration Viewer was usually packed using ASPack; however, version 6.0.0.22 was never compressed using it.
However, it appears version 6.0.0.22 has been processed to obfuscate its contents, which may make the job of sourcing the rogue code virtually impossible :(
 
It turns out that Registration Viewer was usually packed using ASPack; however, version 6.0.0.22 was never compressed using it.
However, it appears version 6.0.0.22 has been processed to obfuscate its contents, which may make the job of sourcing the rogue code virtually impossible :(

A regular release version of RV was around 1 MB in size; the large versions like 6.0.0.22 were in-process dev versions. It was coming up for another scheduled lightweight release before things took an unfortunate turn.
 
A regular release version of RV was around 1 MB in size; the large versions like 6.0.0.22 were in-process dev versions. It was coming up for another scheduled lightweight release before things took an unfortunate turn.
Previous versions of RV.exe had been compressed using ASPack, which results in a file 27% the size of the original RV.exe.
In this case RV version 6.0.0.22 is 10.2 MB and will compress down to 2.84 MB using ASPack v4.42.
However, analysing RV version 6.0.0.22 shows that the exe has already been processed to disguise some of its contents prior to being compressed.
This could have been done to protect his work, or it could have been done to avoid detection.
Unfortunately this is commonly done to avoid detection by anti-malware and anti-virus software.
As it's now attempting to stream malware and hostile scripts onto people's systems, I suspect the latter.
Since I first discovered something was going on (advertising audio playing in RV) I've been inundated with hundreds of spam e-mails.
It could be just a coincidence but it feels too coincidental for my liking :(
https://www.virustotal.com/#/file/5...1c5e03bae3f79fb64f3c8be1ec946af119370/details
 
Yeah, hard to say what's going on, but a real shame to see it come to this. I know that not long after Vadim died the domain went offline, and when it did come back a lot of the links were to spam sites etc. The text was as per previous, but things were all pointing to other places. It was like that for a fair while before it went to the host page it's at now.

where did you download the copy of RV 6.0.0.22 that you have now?
 
Previous versions of RV.exe had been compressed using ASPack, which results in a file 27% the size of the original RV.exe.
In this case RV version 6.0.0.22 is 10.2 MB and will compress down to 2.84 MB using ASPack v4.42.

The release versions were only ever around 1 MB. From memory, from previous conversations I'd had with Vadim, there was a lot of stuff in the development builds that was stripped out before they were done as release versions, so maybe there's stuff there that has no relevance to what would have been the next release version that was due. I don't recall what version it is, but this is one of the previous release versions that I had before: http://www.mediafire.com/file/a9shgnrmuq4l7le/RegistratorViewer.exe. It's from sometime in 2015, I think.
 
Like I said before, when RV runs it first attempts to communicate with a whole host of servers on the net supplying advertising, phishing and other services.
After analysing RV's behaviour it's apparent this is by design and not an accident.
Even a utility as simple as Process Explorer will show you all the IP numbers that RV is attempting to connect to on the internet.
I think we've all been duped and this little Easter egg has hatched :(
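The same observation without Process Explorer, added here as an example and not part of the post above: list the remote endpoints the running RV.exe process currently has open, with a reverse lookup of each address so the ad and marketing hosts stand out. The process name "RV" is taken from the thread; change it if your executable is named differently. Run it a few seconds after starting RV, since the thread reports the connections appear almost immediately.

```powershell
# Added example (not from the forum post): the PowerShell equivalent of watching
# RV.exe in Process Explorer's TCP/IP tab. Process name 'RV' is assumed from the thread.
$procs = Get-Process -Name 'RV' -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning 'RV.exe is not running'; return }

Get-NetTCPConnection -OwningProcess $procs.Id -ErrorAction SilentlyContinue |
    # Drop listeners and loopback; we only care about where RV goes on the internet.
    Where-Object { $_.RemoteAddress -notin '0.0.0.0', '127.0.0.1', '::', '::1' } |
    Sort-Object RemoteAddress, RemotePort -Unique |
    ForEach-Object {
        # Reverse lookup; many ad networks have telling PTR names, others have none.
        $ptr = try {
            (Resolve-DnsName -Name $_.RemoteAddress -Type PTR -ErrorAction Stop).NameHost
        } catch { '-' }
        [pscustomobject]@{
            PID     = $_.OwningProcess
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            State   = $_.State
            Reverse = ($ptr | Select-Object -First 1)
        }
    } | Format-Table -AutoSize
```

Anything in this list that is not a map tile provider is a candidate for a hosts-file entry (if it was reached by name) or an outbound firewall rule for RV.exe (if it was reached by raw IP, which a hosts entry cannot stop).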
 
it always had a phone home feature, I think if you check that older version I posted it should be doing the same thing
 
Oh yeah sorry I forgot to mention that older versions of RV (I've gone back as far as v5.2.0.10) exhibit the same behaviour, so this is not a new thing for version 6.0.0.22.
 
Oh yeah sorry I forgot to mention that older versions of RV (I've gone back as far as v5.2.0.10) exhibit the same behaviour, so this is not a new thing for version 6.0.0.22.

It used to have a feature where it would check if a new version was available and would prompt the download. It was phoning home to Russia to do that; whatever else it was doing was pretty well unknown.
 
it always had a phone home feature, I think if you check that older version I posted it should be doing the same thing
This is not a phone home feature... RV is deliberately communicating with lots of servers, and one that shows its face more than others is www.aldanitinetwork.com, which is a marketing company.
Perhaps it's date triggered... I'm sure the mechanism causing this in RV has been hidden from detection, as I've carried out lots of editing of RV and I can't find or stop the process :(
Hopefully someone else more skilled than me can find the solution.
 
It used to have a feature where it would check if a new version was available and would prompt the download. It was phoning home to Russia to do that; whatever else it was doing was pretty well unknown.

Yes, that process can be easily found in RV "http://update.registratorviewer.com/file/registratorviewer.ini"...this is something else and it's been hidden from view.
It's very sad that Vadim Kozlov's legacy should come to such an end :(
 
This is not a phone home feature...

Yeah, I'm aware of what you're saying. Aside from what it does now, there was always polling back to Russia going on; perhaps there were intentional backend processes all along. Only when things start breaking do people go looking. With the massive user base this program has, that could have been quite lucrative. Keep in mind the old saying, "if the service is free, you're the product"; it was, after all, quite a lot of product for zero upfront cost to the end users.
 