
Thread: How BugHunter Works; for those interested.

  1. #61
    pcbutts1 Guest

    Re: How BugHunter Works; for those interested.

    The files are generated by the registry entries you idiot. Random generated
    file names don't just appear out of nowhere. Those registry entries can call
    various DLLs. If a call is made incorrectly, meaning it calls a legit DLL
    and the function it asks for, because it was deleted, a General Protection
    Fault (BSOD) may occur.

    --

    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



    "Dustin Cook" <spamfilterineffect.see.sig@nowhere.com> wrote in message
    news:Xns9984E4F4CE40BHHI2948AJD832@69.28.186.121...
    > "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in
    > news:f98h91$iav$1@blackhelicopter.databasix.com:
    >
    >> You have a lot to learn about malware. If I were you I'd hate myself
    >> for being so stupid. These are just a few.
    >> [HKEY_CLASSES_ROOT\
    >> [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    >> [HKEY_CLASSES_ROOT\AppID\
    >> [HKEY_CLASSES_ROOT\CLSID\
    >> [HKEY_CLASSES_ROOT\Interface\
    >> [HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects
    >> [HKEY_CLASSES_ROOT\Typelib\
    >> [HKEY_CURRENT_USER\
    >> [HKEY_CURRENT_USER\clsid

    >
    > These keys are neutered the moment you relocate/delete/rename the file
    > referenced. A registry cleaning application would likely remove them once
    > the associated files are no longer available. Otherwise, they waste a
    > small amount of registry space, but pose NO threat.
    >
    >> These are good ones do you know what these do? probably not.
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    >
    > Explorer has its own run keys, which again, references a file. If the
    > file is gone, guess what doesn't happen?
    >
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

    >
    > A completely legitimate registry key. Not malware.
    >
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell]
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]

    >
    > All 3 of these, will do nothing without the files referenced. IE: worst
    > case, you're wasting a little space in the registry. You are not causing
    > your system to run anything, if the files referenced are removed,
    > renamed, or relocated.
    >
    > You want to try again? We can do this all day long. I know many common
    > registry locations for things to hide. If you kill the file, the key is
    > worthless. If the key points instead to a url, that's different entirely;
    > the file isn't on YOUR computer. Also, cleaning up your browser settings
    > should be a step you perform in safe mode, without the computer having an
    > internet connection. You aren't leaving the internet connection alive
    > while cleaning a machine are you?
    >
    >> You CANNOT completely remove Malware without removing the registry
    >> entries. You know nothing about Spyware.

    >
    > Wrong. I can completely remove the Malware, without touching the
    > registry. The keys you've specified (the top section) become neutered
    > without the exe/dll files they reference. They pose absolutely NO threat
    > of any kind without the executable! The other keys are legitimate keys!
    > Depending on the machine in question, a parent/employer may have invoked
    > some/all of those key settings. It's not BugHunter's place to alter
    > security/policy settings on a machine; Other applications exist designed
    > specifically for this.
    >
    > --
    > Dustin Cook
    > Author of BugHunter - MalWare Removal Tool - v2.2c
    > email: bughunter.dustin@gmail.com.removethis
    > web..: http://bughunter.it-mate.co.uk
    > Pad..: http://bughunter.it-mate.co.uk/pad.xml
    >
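As an added illustration of the point argued in the quoted reply above (a Run value is inert once the file it references is gone, while a value that points at a URL is a different matter), here is an example triage script. It is not BugHunter, Remove-it, or any poster's code: it parses a constructed .reg export of the Run and Policies\Explorer\Run keys and classifies each value by whether the file it would have to launch still exists. SAMPLE_REG, PRESENT_ON_DISK and SEARCH_DIRS are constructed stand-ins for a real export, a real filesystem and the PATH lookup; the rundll32 handling (checking the DLL argument rather than rundll32.exe itself) is an assumption about the most common shape of such values.

```python
"""Triage of Windows autorun values from a .reg export.

Added example for this thread; it is not BugHunter, Remove-it, or any poster's
code. SAMPLE_REG, PRESENT_ON_DISK and SEARCH_DIRS are constructed stand-ins
for a real export, a real filesystem and the PATH lookup.
"""
import re

# Constructed .reg export of the two Run keys discussed in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"hgfsdc"="C:\\WINDOWS\\system32\\hgfsdc.exe /s"
"Loader"="\"C:\\Documents and Settings\\User\\Local Settings\\Temp\\ab12.exe\" -q"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="rundll32.exe C:\\WINDOWS\\system32\\xk9q.dll,Start"
"2"="http://example.invalid/payload"
'''

# Constructed snapshot of the files still on disk (lower-cased full paths).
PRESENT_ON_DISK = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\windows\system32\rundll32.exe",
}

# Assumed search order for commands given without a directory (stands in for PATH).
SEARCH_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def reg_unescape(s: str) -> str:
    """Undo .reg escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> list:
    """Return (key, value_name, string_value) triples for the REG_SZ values."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, reg_unescape(m.group(1)), reg_unescape(m.group(2))))
    return entries


def split_command(command: str):
    """Split a command line into (program, remaining arguments), honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    head, _, rest = command.partition(" ")
    return head, rest.strip()


def required_file(command: str) -> str:
    """The file that must exist for this value to run anything.

    For rundll32 that is the DLL argument ("dll,EntryPoint"), not rundll32 itself.
    """
    exe, rest = split_command(command)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        dll, _ = split_command(rest)
        return dll.split(",", 1)[0]
    return exe


def resolve(path: str, present: set):
    """Lower-cased path found in the snapshot, or None; bare names use SEARCH_DIRS."""
    candidates = [path] if "\\" in path else [d + "\\" + path for d in SEARCH_DIRS]
    for c in candidates:
        if c.lower() in present:
            return c.lower()
    return None


def classify(command: str, present: set) -> str:
    """'url' (no local file involved), 'live' (target exists) or 'orphaned'."""
    if re.match(r"^(https?|ftp)://", command.strip(), re.IGNORECASE):
        return "url"
    return "live" if resolve(required_file(command), present) else "orphaned"


def triage(reg_text: str, present: set) -> list:
    """Classify every value in the export against the filesystem snapshot."""
    present = {p.lower() for p in present}
    return [
        {"key": key, "name": name, "command": cmd, "status": classify(cmd, present)}
        for key, name, cmd in parse_reg(reg_text)
    ]


if __name__ == "__main__":
    for e in triage(SAMPLE_REG, PRESENT_ON_DISK):
        leaf = e["key"].rsplit("\\", 1)[-1]
        print(f'{e["status"]:9} {leaf}\\{e["name"]} -> {e["command"]}')
```

On the constructed data only ctfmon.exe comes back as live; the hgfsdc, Loader and rundll32 values are orphaned (the file or DLL they name is gone, so they launch nothing), and value "2" is reported as url, the case the reply singles out because no local file deletion can neutralise it.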




  2. #62
    pcbutts1 Guest

    Re: How BugHunter Works; for those interested.

    If a file called xxx.exe is sitting in the root of C how is that file going
    to execute without the user selecting it? I call them feeder files, it could
    be a perfectly safe file but when executed will create its own bad stuff.
    My Vista version of Remove-it creates, modifies and then removes some
    registry keys as needed in order to function properly and execute some
    commands. My XP/2000 version does this with a batch file. Remove-it only
    deletes the registry keys associated with the detected Malware.

    --

    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



    "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    news:MRQti.39399$fJ5.16217@pd7urf1no...
    > "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
    > news:f98h91$iav$1@blackhelicopter.databasix.com...
    >> You have a lot to learn about malware. If I were you I'd hate myself for
    >> being so stupid. These are just a few.
    >> [HKEY_CLASSES_ROOT\
    >> [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    >> [HKEY_CLASSES_ROOT\AppID\
    >> [HKEY_CLASSES_ROOT\CLSID\
    >> [HKEY_CLASSES_ROOT\Interface\
    >> [HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects
    >> [HKEY_CLASSES_ROOT\Typelib\
    >> [HKEY_CURRENT_USER\
    >> [HKEY_CURRENT_USER\clsid
    >>
    >> These are good ones do you know what these do? probably not.
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell]
    >> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
    >>
    >> You CANNOT completely remove Malware without removing the registry
    >> entries. You know nothing about Spyware.
    >>
    >>

    >
    >
    > Can you tell me how a registry key in any of those places without a
    > corresponding file somewhere on the computer would cause a re-infection of
    > the system? Something has to run to re-infect the system. If the files
    > don't exist what will run? I can actually accept that it may be
    > theoretically possible to hide some code in a registry key and then
    > somehow get that code to execute. I've never heard of it being done and
    > even though I can conceive of the possibility I certainly don't know how
    > to do it. If it was easy or even only moderately hard I think we'd have
    > seen it already. Currently if there is no malware code somewhere on the pc
    > it doesn't matter what is in the registry. As I said in my first post it
    > is nice if anti-malware software cleans up the registry but it is not
    > required to ensure the pc is clean.
    >
    > And yes I know about all of those places in the registry hives. You've
    > actually missed a couple of places where very common malware like the
    > vundo trojan hides. All you are doing is proving how little knowledge you
    > really have.
    >
    > --
    > Kerry Brown
    >
    >




  3. #63
    4Q Guest

    Re: !Bug**** can't answer these questions! Re: How BugHunter Works; for those interested.

    Kak Manpoop wrote:
    > 4Q wrote:
    > > Dustbin Cook wrote:
    > >
    > > <snip>
    > >
    > > "...it gets two 32bit numbers in a specific order."
    > >
    > > Q:
    > >
    > > Excuse me dickhead, what does the above
    > > mean. Can you explain what you wrote
    > > in a more precise technical form and
    > > not like some toothpaste marketing
    > > bull****?
    > >
    > > Thank you in advance.
    > >
    > > ;]]
    > > 4Q
    > >

    >
    > Can you explain what you wrote
    > in a more precise technical form and
    > not like some toothpaste marketing
    > bull****?


    Sorry I didn't reply much earlier, I have
    only just recovered from laughing myself
    to near death! That repeat what the
    other guy says gag is such top
    entertainment. But alas I have now fully
    recovered from the bellyache laughs and
    Dustbin's pseudo technobabble doesn't
    appear to be any clearer.

    "...it gets two 32bit numbers in a
    specific order." It sort of sounds
    a bit technical, I'm sure most computer
    illiterate saps would be happy to hand
    over money for such an enlightening
    description. Well you know what they
    say about a fool and his money.

    Just because you come from 'alt.freeware'
    newsgroup doesn't mean you should
    automatically suspend critical thinking
    when it comes to so called technical
    descriptions.


    4Q
    http://fourq.host.sk


  4. #64
    Mail Man Bob Guest

    Re: !Bug**** can't answer these questions! Re: How BugHunter Works; for those interested.

    I'm wondering... what the f*** are you doing wasting time posting this crap?

    "4Q" <paul_zest@hushmail.com> wrote in message
    news:1186460255.621423.153420@g4g2000hsf.googlegroups.com...
    > Kak Manpoop wrote:
    > > 4Q wrote:
    > > > Dustbin Cook wrote:
    > > >
    > > > <snip>
    > > >
    > > > "...it gets two 32bit numbers in a specific order."
    > > >
    > > > Q:
    > > >
    > > > Excuse me dickhead, what does the above
    > > > mean. Can you explain what you wrote
    > > > in a more precise technical form and
    > > > not like some toothpaste marketing
    > > > bull****?
    > > >
    > > > Thank you in advance.
    > > >
    > > > ;]]
    > > > 4Q
    > > >

    > >
    > > Can you explain what you wrote
    > > in a more precise technical form and
    > > not like some toothpaste marketing
    > > bull****?

    >
    > Sorry I didn't reply much earlier, I have
    > only just recovered from laughing myself
    > to near death! That repeat what the
    > other guy says gag is such top
    > entertainment. But alas I have now fully
    > recovered from the bellyache laughs and
    > Dustbin's pseudo technobabble doesn't
    > appear to be any clearer.
    >
    > "...it gets two 32bit numbers in a
    > specific order." It sort of sounds
    > a bit technical, I'm sure most computer
    > illiterate saps would be happy to hand
    > over money for such an enlightening
    > description. Well you know what they
    > say about a fool and his money.
    >
    > Just because you come from 'alt.freeware'
    > newsgroup doesn't mean you should
    > automatically suspend critical thinking
    > when it comes to so called technical
    > descriptions.
    >
    >
    > 4Q
    > http://fourq.host.sk
    >




  5. #65
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in
    news:f98oq4$77k$1@blackhelicopter.databasix.com:

    > The files are generated by the registry entries you idiot. Random
    > generated file names don't just appear out of nowhere. Those registry
    > entries can call various DLLs. If a call is made incorrectly, meaning
    > it calls a legit DLL and the function it asks for, because it was
    > deleted, a General Protection Fault (BSOD) may occur.


    generated by the registry entries? WTF have you been smoking? I'm sure it's
    not pot.

    Why would I intentionally delete a legit dll? BugHunter does have false
    alarms I'm sure, but I usually correct those when I'm notified or when I
    discover them on my own.

    And aside from some very specific software, a BSOD will NOT usually occur.




    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  6. #66
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in
    news:f98qdm$fac$1@blackhelicopter.databasix.com:

    > If a file called xxx.exe is sitting in the root of C how is that file
    > going to execute without the user selecting it? I call them feeder
    > files, it could be a perfectly safe file but when executed will create
    > its own bad stuff. My Vista version of Remove-it creates, modifies
    > and then removes some registry keys as needed in order to function
    > properly and execute some commands. My XP/2000 version does this with
    > a batch file. Remove-it only deletes the registry keys associated with
    > the detected Malware.
    >


    If the file is renamed to explorer.exe and left in the root directory,
    windows will autoexecute it. You knew that right?

    I refer to those files as droppers. I usually get them and the files they
    drop.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  7. #67
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    kurt wismer <kurtw@sympatico.ca> wrote in news:f99lch$d94$3@aioe.org:

    > Dustin Cook wrote:
    >> kurt wismer <kurtw@sympatico.ca> wrote in news:f97g09$8m5$5@aioe.org:
    >>> pcbutts1 wrote:

    > [snip]
    >>>> The registry keys are
    >>>> what causes re-infection on reboot.
    >>> no, failing to remove all the bad programs is what causes
    >>> re-infection on reboot...

    >>
    >> It's a bit scary to see how many people think the registry keys play
    >> more of a role than they actually do.
    >>
    >> False advertising claims made by other products? Who knows...

    >
    > well, i'm confident that it is technically possible for malware to
    > reside/persist fully within the registry (as i discussed once in the
    > past), but i've never heard of it being done in practice so for all
    > intents and purposes the registry is a no-go for the time being...


    I agree, via scripting and url references, it is. It's just not a very
    feasible method of attack. The malicious trojans are short lived as it
    is.

    > (and no, i have no intention of developing a poc to explore the
    > possibility)


    I won't develop anything to exploit machines any further than I already
    did years ago.



    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  8. #68
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in
    news:eIti.35736$rX4.32872@pd7urf2no:

    > "Dustin Cook" <spamfilterineffect.see.sig@nowhere.com> wrote in
    > message news:Xns998452D06FD0FHHI2948AJD832@69.28.186.121...
    >> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in

    >
    >>
    >> It's incapable of many of the things he claims it'll fix. It relies
    >> on filenames and locations, not file content. If you have a good file
    >> in what it considers to be the wrong place with a name it knows,
    >> it'll delete it, no backups, no options for not doing it.
    >>

    >
    > I'm well aware of how his program works, where it comes from, and the
    > history of pcbutts1. I was being sarcastic. I don't post to this
    > newsgroup very often but I couldn't resist poking him with a sharp
    > stick for a bit of fun.


    Careful where you poke. Lest you be accused of troll feeding. LoL.

    > Good point about the home page in the registry. I'd forgotten about
    > that possible means of attack. I'm used to manually cleaning malware.
    > Fixing the home page then updating Windows and programs that might be
    > exploited is always part of the process to make sure that a drive by
    > attack is not likely to re-occur. It's so second nature that I had
    > forgotten about it :-)


    HEHEHE. No problem. It's one of those things you don't even think about,
    since you do it so often you have a routine, it's just part of it. hehe.




    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml
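The quoted criticism in the post above (detection by filename and location rather than file content, with deletion and no backups) and the earlier remark that an explorer.exe left in the drive root gets run by Windows both come down to what a scanner uses as evidence. The following is an added example, not BugHunter's code or any poster's, that runs a name/location rule and a content-hash rule over a constructed in-memory file set so the two failure modes can be seen side by side, and plans a reversible quarantine instead of a delete. The signature data, the file bytes and the ".quarantined" suffix are all constructed for the example.

```python
"""Name/location-based versus content-based detection.

Added example for this thread; not BugHunter's code or any poster's. The
signature data and the files below are constructed in memory so the script
runs without touching a real system.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known bad" data. A name-based signature is a (directory, filename)
# pair; a content-based signature is a hash of the file bytes.
DROPPER = b"MZ\x90\x00 constructed dropper body: drops xk9q.dll and sets a Run value"
SHELL = b"MZ constructed stand-in for the real Windows shell binary"
BAD_LOCATIONS = {
    (r"c:\windows\system32", "hgfsdc.exe"),
    ("c:", "explorer.exe"),   # drive root appears as "c:"; explorer.exe belongs under %SystemRoot%
}
BAD_HASHES = {sha256(DROPPER)}

# Constructed filesystem snapshot: path -> bytes.
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\hgfsdc.exe": b"MZ legitimate vendor helper with an unlucky name",
    r"C:\Temp\ab12.exe": DROPPER,            # the real dropper under a new name
    r"C:\WINDOWS\explorer.exe": SHELL,       # the shell where it belongs
    r"C:\explorer.exe": SHELL,               # a copy of the shell in the drive root
}


def split_path(path: str):
    """(lower-cased directory, lower-cased filename) for a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def scan_by_name(files: dict, bad_locations: set) -> list:
    """Flag files purely by where they sit and what they are called."""
    return sorted(p for p in files if split_path(p) in bad_locations)


def scan_by_hash(files: dict, bad_hashes: set) -> list:
    """Flag files purely by what they contain."""
    return sorted(p for p, data in files.items() if sha256(data) in bad_hashes)


def scan_combined(files: dict, bad_locations: set, bad_hashes: set) -> dict:
    """Both rules, each hit annotated with its evidence so a reviewer can judge it."""
    hits = {}
    for p in scan_by_name(files, bad_locations):
        hits.setdefault(p, []).append("known-bad name/location")
    for p in scan_by_hash(files, bad_hashes):
        hits.setdefault(p, []).append("known-bad content hash")
    return hits


def plan_quarantine(files: dict, hits) -> list:
    """Reversible action: rename beside the original and record the hash, never delete."""
    return [(p, p + ".quarantined", sha256(files[p])) for p in sorted(hits)]


if __name__ == "__main__":
    print("name/location rule :", scan_by_name(SAMPLE_FILES, BAD_LOCATIONS))
    print("content-hash rule  :", scan_by_hash(SAMPLE_FILES, BAD_HASHES))
    for path, reasons in scan_combined(SAMPLE_FILES, BAD_LOCATIONS, BAD_HASHES).items():
        print(f"{path}: {', '.join(reasons)}")
    for old, new, digest in plan_quarantine(SAMPLE_FILES, [r"C:\Temp\ab12.exe"]):
        print(f"quarantine {old} -> {new} (sha256 {digest[:16]}...)")
```

On the constructed set the name/location rule flags the benign helper in system32 (a false positive that a delete-without-backup would turn into data loss) and misses the renamed dropper in C:\Temp, while the hash rule catches the dropper but says nothing about the shell copy in the drive root, whose content is legitimate and whose only problem is where it sits. Keeping the evidence on each hit and quarantining by rename rather than deleting is what keeps either mistake recoverable.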


  9. #69
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    kurt wismer <kurtw@sympatico.ca> wrote in news:f99lcd$d94$2@aioe.org:

    > Dustin Cook wrote:
    >> kurt wismer <kurtw@sympatico.ca> wrote in news:f97g06$8m5$3@aioe.org:
    >>> Andy Walker wrote:

    > [snip]
    >>>> I was just asking the question because you seemed to want to
    >>>> discuss your programs capabilities, which are not all that
    >>>> impressive.
    >>> compared to those that have tens or hundreds of thousands of
    >>> man-hours worth of development in them, i suppose not...

    >>
    >> Which capabilities is it either of you seem to think BugHunter is
    >> missing? aside from resident protection... It scans, it can rename,
    >> it can delete, it can be told to do nothing but scan. What feature(s)
    >> am I not including that everyone else is then?

    >
    > there are all sorts of more generic detection techniques out there
    > that you don't try to implement but more commercial products do - but
    > as i said, those products have a lot more time/effort/money behind
    > them...


    Heuristics etc? No, I don't implement them. Many of the generic detection
    methods that worked great for viruses don't work so well for trojans.
    Behavior blocking etc works for everything, but that would require
    BugHunter to remain resident, and it's really not designed for that.
    I certainly do understand your point. Thanks for speaking up.

    I didn't intend to confuse anyone by trying to say BugHunter is a
    replacement for what you already use. It's not a replacement, it's an
    addition to what you already use in the fight against malware. No single
    program, commercial or not is going to get them all. It's somewhat unique
    in the aspect that it can be executed even when windows is down for the
    count.

    >> Commercial interest has never been what drives me. And as far as
    >> someone's opinion of commercial quality; I personally wouldn't have
    >> thought hijackthis or cwssearch were commercial quality but guess
    >> what? They're both commercial now.

    >
    > and one of them is now being called spyware...


    Yes, saddened to see this. I quit using cwssearch years ago, but I'm
    still an avid fan of the older HiJackthis utility.





    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  10. #70
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    "C J." <no.reply@example.invalid> wrote in
    news:AcLti.12839$eY.8927@newssvr13.news.prodigy.net:

    > I know exactly how BUGHUNTER works... just fine. Was able to save a
    > neighbor lady's badly infected harddrive with it over the weekend.
    > The confidence that his utility works, is all I - or anyone else need to
    > have 4Q. Thanks again Dustin.


    You're very welcome, C.J. Glad it was helpful to you.

    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml

