magicJack and MagicJack Plus Support, Reviews, FAQs and Hacks magicJack and magicJack Plus Unofficial Technical Support. Your Magic Jack and Magic Jack Plus phone service information resource
techhound MagicJack Newbie
Joined: 07 Mar 2010 Posts: 4
Posted: Sun Mar 07, 2010 9:44 am Post subject: MJ Curious Behavior
I've noticed strange behavior lately with my MagicJack.
1. Starting about two months ago, I was baffled when a program I bought and registered over five years ago (CaptureOne) suddenly started displaying a notice that the trial period was over. It asked me to input my validation number (which I did), but would not save the data. It became useless.
2. This week I was transferring files to a new USB external Buffalo Tech HD and, when finished, I clicked the "safely remove hardware" icon to shut it down. I could not get system permission to shut it down and Windows reported a program was using the drive. Problem is, I had no open programs at the time, just my blank desktop screen, BUT MagicJack was running.
I installed process monitor to sort out these issues and focused on MagicJack, using the following filters:
Image Path CONTAINS magic
Process Name CONTAINS magicjack
I found that MagicJackLoader.exe was calling CaptureOne (the program that quit working; see above):
IRP_MJ_CREATE c:\program files\PHASE ONE
IRP_MJ_CREATE c:\program files\PHASE ONE\CAPTURE ONE....
With regard to my external USB HD that I couldn't disconnect (Drive Letter I: ), I found that MagicJack was accessing the drive to read it.
Numerous other program directories were receiving read calls, including directories that had nothing to do with VoIP.
I found some of these program directories hard-coded in the MagicJack prefetch files (windows\prefetch), which probably explains why MagicJack continues to try to access CaptureOne, even though I deleted the program in frustration.
Now the hammer:
Further examining the process monitor logs, I found that MagicJackLoader.exe was and still is making the following calls:
FASTIO_NETWORK_QUERY_OPEN f:\Movies\aDersertion.smk
FASTIO_NETWORK_QUERY_OPEN f:\Panzer Elite\Panzer_Elite.exe
FASTIO_NETWORK_QUERY_OPEN f:\UrbanOperations.exe
FASTIO_NETWORK_QUERY_OPEN f:\RogueSpear.exe
and many others...
Note: I don't have ANY games on my computer, and never have. It is strictly for business. F:\ is the MagicJack dongle.
I have a WinXPsp2 system with solid security, firewall with quite a few custom rules; ESET NOD32, also with custom rules, etc.
I've also blocked several extraneous MagicJack adserver/datamining server connections, so I was pretty shocked to see this "under the hood" activity. I am NOT saying or suggesting that the MagicJack company is exploiting computers. The fact is, I just don't know. I will also add that I've formatted the dongle twice in the three years or so that I've had MagicJack.
I would appreciate any comments or user reports, especially reports of your process monitor logs.
Peace,
Techhound
techhound MagicJack Newbie
Joined: 07 Mar 2010 Posts: 4
Posted: Sun Mar 07, 2010 3:01 pm Post subject:
UPDATE:
I renamed three MJ prefetch files in Windows\Prefetch to render them inaccessible to the program, one MAGICJACKLOADER.EXE file and two MAGICJACKSPLASH.EXE files. On reboot MJ created a MAGICJACK.EXE file in the Prefetch, but did not replace the others. I renamed the new file to block it.
Then I made backup copies of Addressbook.xml, CallLogs.clm, CfgCache.dat and Profiles.db in the H:\magicjack directory and formatted H:\. I reloaded the back-up files onto the drive and rebooted.
On boot, I had MJ working again, but no prefetch files (fine!). I ran a series of process monitor logs, soft-booting and hard-booting in between to see if MJ is behaving better. It is. I've had no more calls to read files and directories not related to VoIP; no more calls to game icons, images and EXE files, and no more capturing my external USB HD.
Interesting. I'm going to monitor this over the next few days to be sure.
I've also dropped MJ's software privileges down from unrestricted to basic user. See Didier Stevens' blog:
http://blog.didierstevens.com/2009/09/28/quickpot-safer-and-malicious-documents/
I tried setting MJ's privileges to restricted, but that was a no go.
Techhound
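
For readers who want to repeat the check described in the two posts above on their own Process Monitor captures, here is an added example (not part of techhound's posts and not magicJack code): it reads a Procmon CSV export, applies the "Process Name contains" filter from the first post, and counts file accesses outside the directories the analyst considers expected. The function names, the F:\magicJack allowlist entry and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the column layout of a Process Monitor CSV export.
# Operations and paths follow the ones quoted in the post; times, PIDs,
# results and the F:\magicJack and I:\Backup rows are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:40:01.1 AM","magicJackLoader.exe","1234","IRP_MJ_CREATE","C:\Program Files\PHASE ONE","SUCCESS",""
"9:40:01.2 AM","magicJackLoader.exe","1234","IRP_MJ_CREATE","C:\Program Files\PHASE ONE\CAPTURE ONE","SUCCESS",""
"9:40:02.0 AM","magicJackLoader.exe","1234","FASTIO_NETWORK_QUERY_OPEN","f:\Movies\aDersertion.smk","NAME NOT FOUND",""
"9:40:02.1 AM","magicJackLoader.exe","1234","FASTIO_NETWORK_QUERY_OPEN","f:\UrbanOperations.exe","NAME NOT FOUND",""
"9:40:03.0 AM","magicJackLoader.exe","1234","IRP_MJ_READ","I:\Backup\report.doc","SUCCESS",""
"9:40:04.0 AM","magicJackLoader.exe","1234","IRP_MJ_READ","F:\magicJack\CfgCache.dat","SUCCESS",""
"9:40:05.0 AM","explorer.exe","888","IRP_MJ_CREATE","C:\Program Files\PHASE ONE","SUCCESS",""
'''


def _parts(path):
    """Lower-cased path components, so comparisons ignore case like Windows does."""
    return tuple(s.lower() for s in PureWindowsPath(path).parts)


def unexpected_access(csv_text, name_contains, expected_roots, depth=2):
    """Count events from matching processes on paths outside expected_roots."""
    roots = [_parts(r) for r in expected_roots]
    hits = Counter()
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))  # tolerate a leading BOM
    for row in reader:
        if name_contains.lower() not in row["Process Name"].lower():
            continue  # same idea as the "Process Name CONTAINS" filter
        if not PureWindowsPath(row["Path"]).drive:
            continue  # registry keys and other non-file paths have no drive
        parts = _parts(row["Path"])
        if any(parts[:len(r)] == r for r in roots):
            continue  # inside a directory the analyst expects the process to use
        bucket = str(PureWindowsPath(*parts[:depth + 1]))  # drive + first `depth` components
        hits[(bucket, row["Operation"])] += 1
    return hits


if __name__ == "__main__":
    # Assumption: only F:\magicJack is treated as expected for this process.
    for (bucket, op), n in sorted(unexpected_access(SAMPLE_CSV, "magicjack", [r"F:\magicJack"]).items()):
        print(f"{n:4d}  {op:28s} {bucket}")
```

Running it on a capture taken before and after a change such as the prefetch rename gives two summaries that can be compared directly.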