Thread: How BugHunter Works; for those interested.

  1. #51
    4Q Guest

    !Bug**** can't answer these questions! Re: How BugHunter Works; for those interested.

    Dustbin Cook wrote:

    <snip>

    "...it gets two 32bit numbers in a specific order."

    Q:

    Excuse me dickhead, what does the above
    mean. Can you explain what you wrote
    in a more precise technical form and
    not like some toothpaste marketing
    bull****?

    Thank you in advance.

    ;]]
    4Q


  2. #52
    C J. Guest

    Re: !Bug**** contradiction! Re: How BugHunter Works; for those interested.

    I know exactly how BUGHUNTER works... just fine. Was able to save a
    neighbor lady's badly infected harddrive with it over the weekend. The
    confidence that his utility works is all I - or anyone else need to have 4Q.
    Thanks again Dustin.


    4Q wrote:
    > Dustbin Cook wrote:
    >> 4Q <paul_zest@hushmail.com> wrote in
    >> news:1186210186.934565.261110@q75g2000hsh.googlegroups.com:
    >>

    >
    > <snip inane inner working of Dust****s
    > diseased mind>
    >
    >>
    >> Out of curiosity, what concern is it really of yours how it works
    >> specifically?

    >
    > Because you started a thread stating
    > "How Bug**** works; for those interested"
    > then you made a big song and dance about
    > fielding questions from anyone, then
    > thanked everyone for attending your
    > little marketing campaign.
    >
    > So there ya go, I'm asking one of them
    > questions you invited us all to participate
    > in and I'm interested "How Bug**** works"
    > I know you are a thick ****snot but I
    > thought you might have figured it out,
    > without having to wave a magic wand over
    > the screen?!
    >
    > Also I'd like to see some Assembly code
    > that you keep telling us you are capable
    > of writing. I mean I've put my Assembly
    > code up for scrutiny and challenged you
    > to show us all you can analyse it. But I
    > have a feeling you are bull****ing us.
    >
    >
    > 4Q




  3. #53
    4Q Guest

    Re: !Bug**** contradiction! Re: How BugHunter Works; for those interested.

    C J. wrote:
    > I know exactly how BUGHUNTER works... just fine.


    Do you now. C J. has the blueprint of
    the cobbled together "algorithm".

    Okay idiot let's have it, blow by blow
    technical analysis "exactly how BUG****
    works..."

    I'm going to get one of my research buddies to help me with the
    mathematical proof, just so we can verify your findings. We'll give
    you the credit for the original analysis, though.

    I'm Ready, you can start sending the
    information over now!


    4Q




    =================

    > Was able to save a
    > neighbor lady's badly infected harddrive with it over the weekend. The
    > confidence that his utility works is all I - or anyone else need to have 4Q.
    > Thanks again Dustin.
    >
    >
    > 4Q wrote:
    > > Dustbin Cook wrote:
    > >> 4Q <paul_zest@hushmail.com> wrote in
    > >> news:1186210186.934565.261110@q75g2000hsh.googlegroups.com:
    > >>

    > >
    > > <snip inane inner working of Dust****s
    > > diseased mind>
    > >
    > >>
    > >> Out of curiosity, what concern is it really of yours how it works
    > >> specifically?

    > >
    > > Because you started a thread stating
    > > "How Bug**** works; for those interested"
    > > then you made a big song and dance about
    > > fielding questions from anyone, then
    > > thanked everyone for attending your
    > > little marketing campaign.
    > >
    > > So there ya go, I'm asking one of them
    > > questions you invited us all to participate
    > > in and I'm interested "How Bug**** works"
    > > I know you are a thick ****snot but I
    > > thought you might have figured it out,
    > > without having to wave a magic wand over
    > > the screen?!
    > >
    > > Also I'd like to see some Assembly code
    > > that you keep telling us you are capable
    > > of writing. I mean I've put my Assembly
    > > code up for scrutiny and challenged you
    > > to show us all you can analyse it. But I
    > > have a feeling you are bull****ing us.
    > >
    > >
    > > 4Q



  4. #54
    Andy Walker Guest

    Re: How BugHunter Works; for those interested.

    kurt wismer wrote:

    >Andy Walker wrote:
    >> Dustin Cook wrote:
    >>
    >>> BugHunter is not the only program which can be defeated using the tricks
    >>> Andy specified.

    >>
    >> And there are many programs that aren't as easy to defeat. I don't
    >> need a lesson from any of you on how to defeat anti-malware programs.

    >
    >you seem to have an agenda here...


    Nope, not at all.

    >the weakness you pointed out is
    >shared by most anti-malware programs... only behaviour-based detectors
    >would be resistant to it...


    My OP was in response to Dustin soliciting questions about his
    program. The question I asked was more rhetorical than anything, but
    Dustin's response cited "other programs" being just as susceptible. I
    don't disagree that "some" other programs may be, and in my response
    to him indicated that "some programs" enhance their ability to detect
    malware. His response was to accuse me of having poor reading
    comprehension because I didn't read a file he hosts on a web site...
    like I give a crap. My response was not about his program, it was in
    response to his blanket description of "other programs" having the
    same weakness.

    Your responses to my posts have been civil and useful to others (I
    really got nothing new from them myself), and as such did not feel a
    response was necessary. Dustin then came along and made some ad
    hominem comments on what it is that I "know", when in fact he hasn't
    one clue. Then he made more baseless attacks on me when he replied to
    the post you just replied to. I simply don't have the time to suffer
    fools gladly. IMHO, Dustin needs to understand that when people are
    talking about his program, they are not attacking him personally.
    Until that time I will simply keep him on a rolling 30 day killfile.

    >> I was just asking the question because you seemed to want to discuss
    >> your program's capabilities, which are not all that impressive.

    >
    >compared to those that have tens or hundreds of thousands of man-hours
    >worth of development in them, i suppose not...


    There it is.

    >> That
    >> said, I'm sure some people can use your program to help them clean
    >> their system. I just don't see a commercial use for it in its present
    >> state of development.

    >
    >then it's a good thing it's free...


    I have never attacked Dustin's program, quite the opposite. I have
    also never made disparaging remarks about Dustin, save for probably
    the last post I shall send his way. If people can use his program and
    get help cleaning their systems, that can only help all of us in the
    long run.

  5. #55
    Kat Mandu Guest

    Re: !Bug**** can't answer these questions! Re: How BugHunter Works; for those interested.

    4Q wrote:
    > Dustbin Cook wrote:
    >
    > <snip>
    >
    > "...it gets two 32bit numbers in a specific order."
    >
    > Q:
    >
    > Excuse me dickhead, what does the above
    > mean. Can you explain what you wrote
    > in a more precise technical form and
    > not like some toothpaste marketing
    > bull****?
    >
    > Thank you in advance.
    >
    > ;]]
    > 4Q
    >


    Can you explain what you wrote
    in a more precise technical form and
    not like some toothpaste marketing
    bull****?

  6. #56
    kurt wismer Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:
    > kurt wismer <kurtw@sympatico.ca> wrote in news:f97g09$8m5$5@aioe.org:
    >> pcbutts1 wrote:

    [snip]
    >>> The registry keys are
    >>> what causes re-infection on reboot.

    >> no, failing to remove all the bad programs is what causes re-infection
    >> on reboot...

    >
    > It's a bit scary to see how many people think the registry keys play
    > more of a role than they actually do.
    >
    > False advertising claims made by other products? Who knows...


    well, i'm confident that it is technically possible for malware to
    reside/persist fully within the registry (as i discussed once in the
    past), but i've never heard of it being done in practice so for all
    intents and purposes the registry is a no-go for the time being...

    (and no, i have no intention of developing a poc to explore the possibility)

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  7. #57
    kurt wismer Guest

    Re: How BugHunter Works; for those interested.

    Dustin Cook wrote:
    > kurt wismer <kurtw@sympatico.ca> wrote in news:f97g06$8m5$3@aioe.org:
    >> Andy Walker wrote:

    [snip]
    >>> I was just asking the question because you seemed to want to discuss
    >>> your program's capabilities, which are not all that impressive.

    >> compared to those that have tens or hundreds of thousands of man-hours
    >> worth of development in them, i suppose not...

    >
    > Which capabilities is it either of you seem to think BugHunter is
    > missing? aside from resident protection... It scans, it can rename, it
    > can delete, it can be told to do nothing but scan. What feature(s) am I
    > not including that everyone else is then?


    there are all sorts of more generic detection techniques out there that
    you don't try to implement but more commercial products do - but as i
    said, those products have a lot more time/effort/money behind them...

    [snip]
    > Commercial interest has never been what drives me. And as far as someone's
    > opinion of commercial quality; I personally wouldn't have thought
    > hijackthis or cwssearch were commercial quality but guess what? They're
    > both commercial now.


    and one of them is now being called spyware...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"

  8. #58
    pcbutts1 Guest

    Re: How BugHunter Works; for those interested.

    You have a lot to learn about malware. If I were you I'd hate myself for
    being so stupid. These are just a few.
    [HKEY_CLASSES_ROOT\
    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    [HKEY_CLASSES_ROOT\AppID\
    [HKEY_CLASSES_ROOT\CLSID\
    [HKEY_CLASSES_ROOT\Interface\
    [HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects
    [HKEY_CLASSES_ROOT\Typelib\
    [HKEY_CURRENT_USER\
    [HKEY_CURRENT_USER\clsid

    These are good ones do you know what these do? probably not.
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]

    You CANNOT completely remove Malware without removing the registry entries.
    You know nothing about Spyware.


    --

    Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
    The list grows. Leythos the stalker http://www.leythosthestalker.com, David
    H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
    Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell



    "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
    news:BRxti.34003$rX4.27744@pd7urf2no...
    > "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
    > news:f963ph$si$1@blackhelicopter.databasix.com...
    >> "Dustin Cook" <spamfilterineffect.see.sig@nowhere.com> wrote in message
    >> news:Xns9983B2AE42C73HHI2948AJD832@69.28.186.121...
    >>> BugHunter does not edit the registry of the system in any way, it
    >>> simply identifies and optionally removes found files. As BugHunter
    >>> relies on dat file technology similar to that of a virus scanner,
    >>> updates to the datafile and the program itself will be released from
    >>> time to time on the Website.
    >>>
    >>> For NTFS based operating systems, BugHunter can be run from a BartPE
    >>> cdrom. BugHunter will run under NTFSDOS, but odd results have been
    >>> reported using it. For example, the date/time stamp of the log file
    >>> will be wrong. Scanning does not seem to be affected.

    >>
    >> That makes it a crappy program. How can you completely remove malware
    >> without modifying the registry keys they generate? The registry keys are
    >> what causes re-infection on reboot. my program Remove-it does modify the
    >> registry it completely removes all targeted malware/Spyware and every
    >> known variant and it has no problems with NTFS.

    >
    >
    > How can a registry key cause a re-infection if the files it refers to
    > don't exist? It is impossible for a registry key by itself to cause an
    > infection. I guess technically it's possible for a registry key to cause a
    > legitimate program to execute with a parameter that caused a stack
    > overflow or something but have you ever seen this? If a re-infection
    > happens on a reboot there are still some malware files on the computer.
    >
    > Your program can run from a WinPE environment, load the registry from the
    > OS on the hard drive, including all the user portions, and remove every
    > trace of malware? How come we're not all using it? I'd actually pay money
    > for a program that could do that. I have to do it manually now.
    >
    > Removing malware registry keys is a nice feature but not required to get
    > rid of malware.
    >
    > --
    > Kerry Brown
    >
    >




  9. #59
    Dustin Cook Guest

    Re: How BugHunter Works; for those interested.

    "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in
    news:f98h91$iav$1@blackhelicopter.databasix.com:

    > You have a lot to learn about malware. If I were you I'd hate myself
    > for being so stupid. These are just a few.
    > [HKEY_CLASSES_ROOT\
    > [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    > [HKEY_CLASSES_ROOT\AppID\
    > [HKEY_CLASSES_ROOT\CLSID\
    > [HKEY_CLASSES_ROOT\Interface\
    > [HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects
    > [HKEY_CLASSES_ROOT\Typelib\
    > [HKEY_CURRENT_USER\
    > [HKEY_CURRENT_USER\clsid


    These keys are neutered the moment you relocate/delete/rename the file
    referenced. A registry cleaning application would likely remove them once
    the associated files are no longer available. Otherwise, they waste a
    small amount of registry space, but pose NO threat.

    > These are good ones do you know what these do? probably not.
    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]


    Explorer has its own run keys, which again, reference a file. If the
    file is gone, guess what doesn't happen?

    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]


    A completely legitimate registry key. Not malware.

    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell]
    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]


    All 3 of these will do nothing without the files referenced. IE: worst
    case, you're wasting a little space in the registry. You are not causing
    your system to run anything, if the files referenced are removed,
    renamed, or relocated.

    You want to try again? We can do this all day long. I know many common
    registry locations for things to hide. If you kill the file, the key is
    worthless. If the key points instead to a url, that's different entirely;
    the file isn't on YOUR computer. Also, cleaning up your browser settings
    should be a step you perform in safe mode, without the computer having an
    internet connection. You aren't leaving the internet connection alive
    while cleaning a machine are you?

    > You CANNOT completely remove Malware without removing the registry
    > entries. You know nothing about Spyware.


    Wrong. I can completely remove the Malware, without touching the
    registry. The keys you've specified (the top section) become neutered
    without the exe/dll files they reference. They pose absolutely NO threat
    of any kind without the executable! The other keys are legitimate keys!
    Depending on the machine in question, a parent/employer may have invoked
    some/all of those key settings. It's not BugHunter's place to alter
    security/policy settings on a machine; Other applications exist designed
    specifically for this.

    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - v2.2c
    email: bughunter.dustin@gmail.com.removethis
    web..: http://bughunter.it-mate.co.uk
    Pad..: http://bughunter.it-mate.co.uk/pad.xml


  10. #60
    Kerry Brown Guest

    Re: How BugHunter Works; for those interested.

    "pcbutts1" <pcbutts1@leythosthestalker.com> wrote in message
    news:f98h91$iav$1@blackhelicopter.databasix.com...
    > You have a lot to learn about malware. If I were you I'd hate myself for
    > being so stupid. These are just a few.
    > [HKEY_CLASSES_ROOT\
    > [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
    > [HKEY_CLASSES_ROOT\AppID\
    > [HKEY_CLASSES_ROOT\CLSID\
    > [HKEY_CLASSES_ROOT\Interface\
    > [HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects
    > [HKEY_CLASSES_ROOT\Typelib\
    > [HKEY_CURRENT_USER\
    > [HKEY_CURRENT_USER\clsid
    >
    > These are good ones do you know what these do? probably not.
    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell]
    > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions]
    >
    > You CANNOT completely remove Malware without removing the registry
    > entries. You know nothing about Spyware.
    >
    >



    Can you tell me how a registry key in any of those places without a
    corresponding file somewhere on the computer would cause a re-infection of
    the system? Something has to run to re-infect the system. If the files don't
    exist what will run? I can actually accept that it may be theoretically
    possible to hide some code in a registry key and then somehow get that code
    to execute. I've never heard of it being done and even though I can conceive
    of the possibility I certainly don't know how to do it. If it was easy or
    even only moderately hard I think we'd have seen it already. Currently if
    there is no malware code somewhere on the pc it doesn't matter what is in
    the registry. As I said in my first post it is nice if anti-malware software
    cleans up the registry but it is not required to ensure the pc is clean.

    And yes I know about all of those places in the registry hives. You've
    actually missed a couple of places where very common malware like the vundo
    trojan hides. All you are doing is proving how little knowledge you really
    have.

    --
    Kerry Brown
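
The check argued in posts #59 and #60 (an autorun value only matters while the file it names still exists, and a URL target is a separate case) can be run as a triage over a `.reg` export. This is an added example, not part of the thread and not BugHunter's code; the sample export, the `ON_DISK` set and every function name are constructed for illustration.

```python
import re

# Constructed sample in .reg export format; value names and paths are invented.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Acme\\updater.exe\" /background"
"Leftover"="C:\\Windows\\Temp\\gone.exe"
"Loader"="rundll32.exe C:\\Users\\demo\\AppData\\helper.dll,Start"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://start.example.invalid/"
'''
# Constructed stand-in for the disk after file cleanup (lower-cased paths).
ON_DISK = {r"c:\program files\acme\updater.exe", r"c:\users\demo\appdata\helper.dll"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
PATH_RE = re.compile(r'"([^"]+)"|(\S+\.(?:exe|dll|bat|cmd|vbs|js|scr))', re.I)
HOSTS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)   # .reg files escape \ and " with a backslash

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def referenced_files(data):
    """File paths named in a command line, minus well-known host programs."""
    paths = [quoted or bare for quoted, bare in PATH_RE.findall(data)]
    return [p for p in paths if p.lower().rsplit("\\", 1)[-1] not in HOSTS]

def triage(text, exists):
    """Map (key, value_name) to 'remote', 'inert' or 'review'."""
    report = {}
    for key, name, data in parse_reg(text):
        if re.match(r'(?i)(https?|ftp)://', data):
            verdict = "remote"   # target is not on this disk; file removal cannot touch it
        else:
            files = referenced_files(data)
            present = [f for f in files if exists(f)]
            # No recognisable path means we cannot prove the entry is dead: review it.
            verdict = "review" if present or not files else "inert"
        report[(key, name)] = verdict
    return report

def on_disk(path):
    return path.lower() in ON_DISK

if __name__ == "__main__":
    for (key, name), verdict in triage(SAMPLE_REG, on_disk).items():
        print(f"{verdict:7} {key}\\{name}")
```

Passing `os.path.exists` as `exists` runs the same triage against a real file system, for instance one mounted from a boot CD.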


