BugHunter v2.2e Build 12208 (Released January 23rd, 2008)

If you find errors of any kind in this documentation or have suggestions to make various things easier to understand, please contact me and email samples of your proposed changes. Thank you for your help.

Index

  License and Disclaimer
  What is BugHunter?
  What is MalWare?
  Files included
  This Boot cd-rom business?
  BugHunter and read-only media
  So how do I use it?
  Can I remove MalWare while windows is running?
  Antispyware Websites
  About the BUGHUNT.INI file...
  About the WININIT.INI file...
  About the AUTOEXEC.NT & CONFIG.NT files...
  A little note about BugHunter and desktops...
  Can I automate its operation?
  A logfile?
  Anything else?
  The Beta Testers! (Many Thanks!)
  The Author

License and Disclaimer

BugHunter is Copyrighted 2005-2008 by Dustin Cook. Copyright is retained by the author. Permission to use and/or distribute unmodified copies is freely granted. This program is licensed to you for personal and/or business use, under the following conditions:

1. You will not modify either the executable (BUGHUNT.EXE) or the associated datafiles (BUGSIG.XXX, BUGIDX.XXX, BUGINFO.DAT), or this file (BUGHUNT.TXT) or the changes file (CHANGES.TXT). The FAQ file (BUGFAQ.TXT) should not be modified either. Please send suggestions for it to the author. Suggestions can be included in a future update this way.

2. This program is offered without warranty of any kind. Although BugHunter has been extensively tested, programs of this nature are not by definition error proof and can therefore pose a potential risk to your operating system due to a possible false positive. Always scan first, and post the logfile to a spyware removal helpsite or specialist if you're unsure, before taking the scan and kill option.

Don't want to read the rest of the documentation, just want to start scanning for malware? See one of the HOWTO9X or HOWTONT text files available in the folder where you placed BugHunter.
9x is for Windows 9x/ME systems and NT is for Windows NT based systems, such as Windows 2000, Windows XP, Windows 2003 Server, etc. Reading the documentation is still highly recommended to become fully familiar with the software and the options available to you.

What is BugHunter?

BugHunter is a DOS based malware scanner which has a frequently updated database of signatures as well as engine updates. The program is designed to quickly scan for and optionally disable/remove any known malware found. BugHunter is able to detect browser hijackers, rogue programs, adware, keyloggers, spyware (including some commercial ones), rootkits which are file based, malicious java/html/vb scripts, and various worms.

As BugHunter is DOS based and does not require installation of any sort, it can easily be copied to various media and used to disinfect other systems without those systems having potentially harmful code present in memory. While you can copy BugHunter to and from read-only media, BugHunter cannot properly function if executed from read-only media and/or a directory (folder) that is read-only.

The scanning routine is very fast, and requires few resources from your machine. BugHunter will run well on DOS, Windows 3.x, Windows 9x, Windows NT, Windows 2k, Windows XP and Windows 2003. Some versions of Windows Vista 32bit have also been tested, and BugHunter will run under them.

BugHunter does not edit the registry of the system in any way; it simply identifies and optionally removes found files. As BugHunter relies on dat file technology similar to that of a virus scanner, updates to the datafile and the program itself will be released from time to time on the Website.

For NTFS based operating systems, BugHunter can be run from a BartPE cdrom. BugHunter will run under NTFSDOS, but odd results have been reported using it. For example, the date/time stamp of the log file will be wrong. Scanning does not seem to be affected.

What is MalWare?
From Wikipedia, the free encyclopedia: Malware (a portmanteau of "malicious software") is a type of software designed to take over and/or damage a computer user's operating system, without his or her knowledge or approval. Once installed, it is often very difficult to remove, and depending on the severity of the program installed, its handiwork can range in degree from the slightly annoying (such as unwanted pop up ads while a user is performing regular computing tasks on or offline), to irreparable damage requiring the reformatting of one's hard drive, since much of malware is poorly written. Examples of malware include viruses and trojan horses.

Files included

The following files are included in the current archive:

BUGHUNT.EXE = The BugHunter program file
BUGHUNT.INI = Default configuration file
BUGSIG.X, BUGIDX.X = Signature files. Contains identification information for thousands of malicious programs: adware, keyloggers, trojans, rootkits, worms, spyware, backdoors, bots, and malicious scripts.
BUGINFO.X = Plain text files which will be updated often that allow BugHunter to identify by name the malware it has found. Do not modify.
BUGHUNT.TXT = This file, that you are currently reading
CHANGES.TXT = Text file that lists the changes / modifications made to the program since v1.0 of BugHunter
NEWSIG.TXT = This file details changes for the signature updates.
PARTLIST.TXT = This file contains a partial listing of the malware known to BugHunter.
BUGFAQ.TXT = Frequently Asked Questions regarding the BugHunter program.
LOCATE.COM = This file is required for full recursion support. The program is distributed with BugHunter in accordance with licensing information present in LOCATE.TXT which accompanies the program.
LOCATE.TXT = Documentation for the accompanying LOCATE.COM program written by Charles Dye.
FIXSPY.REG = This registry file resets various keys back to default settings; it also removes many registry keys which are created by adware and spyware.
This file was kindly provided by the author of Multi-AV, David H. Lipman.
NTFILES.ZIP (AUTOEXEC.NT, CONFIG.NT) = Only required if your system doesn't already have suitable ones. These files are very basic in nature and only allow BugHunter to function; no guarantee is made that they will allow other DOS based applications to run. They should ONLY be used if you do not already have suitable ones.
SAFEBUG.ZIP = An encrypted zipfile which contains PROCESS.EXE written by Craig Peacock, and a batch file for using the program. The extraction password is "bughunter" without the quotes. It's password protected due to some virus scanners being overzealous in protecting you. Process.exe is NOT a harmful program. You should temporarily disable your virus scanner before extracting/use just in case yours is one of the overzealous ones. My apologies for any inconvenience this may cause you.
MALWARE.TXT = Instructions for submitting suspicious files for analysis and possible inclusion into a future update.

This Boot cd-rom business?

More information concerning DOS boot diskettes or the BartPE cdrom disk can be found on the internet. Those processes are beyond the intended scope of this document.

BugHunter and read-only media...

BugHunter will not function properly if executed from read-only media. Please copy the files listed above to a temporary directory on the machine you wish to scan, with several megabytes of space available for temporary use. It's suggested to use C:\BUGHUNT (change the drive to suit you) unless you have a specific reason to place it elsewhere.

So how do I use it?

BugHunter has a simple and straightforward menu system which normally requires only one keypress from you. The hot key is normally shown in brackets [] with a description to the right of the key. BugHunter supports 4 modes of operation. These are:

[A] - Scan Only
[B] - Scan and rename found files
[C] - Scan and remove (delete) found files
[D] - Scan and ask what to do with found files.
[Q] - Quit the program

Make your selection and BugHunter will display the directories that are configured for scanning. Press Y (or y) and BugHunter will do what you selected previously. As BugHunter is scanning, it will let you know when it has found files to take a closer look at and when it's looking for files deserving of a closer look. This information stays in one place, and depending on your system configuration can be very fast. :)

Can I automate BugHunter?

BugHunter can be told to do one of three things from the command line, without any further response from you. This is controlled by typing BUGHUNT A, B, or C. These are the same letters you would use for the Main Menu, and they will do the same job. They must be specified as capital letters, and when used this way BugHunter will only use the BUGHUNT.INI file found in the current directory.

Can I remove MalWare while windows is running?

BugHunter can in most cases remove known MalWare without the use of a boot disc. To take advantage of this feature, you must have administrator rights on the account you're logged in with, and have full control over the affected drive. These conditions may not apply in your case depending on the operating system you are using. BugHunter is unable to affect some malware in this fashion due to file access rights; in such cases, you have two options.

(1) You can try using the SAFEBUG.BAT file to put the Windows NT based system into a safer state for scanning by killing and suspending certain processes. If you do this, be sure you save and close as many applications as you can. Open a console window and do not close it. It will be your only access to your computer until the effects of the batch file are reversed. Again, as your desktop will disappear, running the batch file and BugHunter should both be done via a console window. If you do not, you will have no way to execute BugHunter or any other applications. You also will be unable to log off or restart the computer normally.
Depending on how many dlls are currently loaded, it could take a few minutes before the batch file finishes running. This is normal! :) When the batch file has completed, you can run BugHunter by following the instructions below.

Select Option B from the Main Menu. If the known malware amount is the same as the malware successfully renamed, restart your computer. Run BugHunter again, this time selecting Option C from the Main Menu. This will remove the *.BUG files left behind from using Option B previously.

** This only applies to Windows 2000/XP/2003 operating systems. Renaming executing applications is not supported on Windows 9x/ME.

Note: to allow your machine to restart, you must type

  process -r smss.exe

*** This should be done as the last thing you enter, as your computer will restart moments after typing it. This only applies for Windows NT systems; please do not attempt to use the batch file on Win9x/ME systems.

When BugHunter starts scanning you will see either "Checking: directory/filename" followed by the current pass of total passes, or "Searching ...". Each pass represents one segment or piece of the database file, which is stored in the BUGSIG and BUGIDX files respectively.

Antispyware Websites

Information and programs to assist you in the removal of the pesky malware often found lurking on the net:

http://www.tomcoyote.org
http://www.spywareinfo.com/
http://www.spywarewarrior.com/

These experts may also be able to help you with BugHunter log files, but always ask permission before posting.

BugHunter is able to display identifying names for malware, but I still have many entries to do. As such, for ones it identifies only as "Full Match!" you can submit them to the following two websites for more thorough identification. Please report any false alarms to my email address so that I may fix the signature files.

http://virusscan.jotti.org
http://www.virustotal.com

About the BUGHUNT.INI file...
The configuration file has command directives which can be placed in almost any location inside the file. They are: APPEND, CREATE, NOLOG, YES and FULL respectively. YES controls recursive scanning; the others control the access mode used for the logfile, as well as how much detail you want in the logfile. Commands are provided in UPPER CASE only; lower case instructions are ignored. You may, at your option, turn recursive scanning off and select up to 32 directories, specified in the MS-DOS 8.3 naming style, to scan instead.

The default configuration is to scan all local fixed disks only, append to a logfile if one is already present, and only log found malware, action taken and result. This can all be changed, by you, from the configuration file. You may use any editor which saves an MS-DOS text file, such as edit.com and notepad.exe. The configuration file is designed to be readable by normal humans. :)

For full recursion, the following options are preset: create the temporary file BUGHUNT.DAT using LOCATE.COM (in the current executing directory), scan fixed drives only, store paths only in a specified file. BugHunter can only read files created by locate.com in this fashion; while you may alter any other parameters passed, the temporary file can only contain directories as specified in the MS-DOS 8.3 naming convention. The name BUGHUNT.TMP is reserved for use by the program; you cannot use this for a temporary file name!

You can specify the name of an .ini file customized by you on the command line and BugHunter will use it instead of bughunt.ini. This allows you to maintain a separate .ini file for various scanning needs you might have.

The BUGHUNT.INI file is designed for the old MS-DOS 8.3 naming convention. Directories with long names, embedded spaces, etc., cannot be specified that way. You must use its 8.3 name instead.

About the WININIT.INI file...

For Windows 9x/ME systems, BugHunter cannot rename running files.
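The BUGHUNT.INI directives described above and the Windows NT Option B / Option C rename-then-delete procedure are modelled together below. This is an added example, not BugHunter's own code: it assumes a line-oriented INI layout (one directive or one 8.3-style directory per line; the real file's layout may differ), treats the FLAGS/log_mode mapping as an assumption about what APPEND, CREATE, NOLOG and FULL control, and uses a constructed signature table in place of BUGSIG/BUGIDX. The .BUG renaming, the found-equals-renamed check before restarting, and Option C's cleanup of leftover *.BUG files follow the README; the PermissionError branch models a file that cannot be renamed because it is still executing.

```python
"""Hypothetical model of the BugHunter workflow this README describes (added example,
not BugHunter's own code).  Assumes a line-oriented BUGHUNT.INI (one directive or one
8.3-style directory per line; real layout may differ) and constructed signatures."""
import re, shutil, tempfile
from dataclasses import dataclass, field
from pathlib import Path

DIRECTIVES = {"APPEND", "CREATE", "NOLOG", "YES", "FULL"}          # upper case only
FLAGS = {"YES": ("recursive", True), "FULL": ("full_log", True)}   # rest set log_mode
MAX_DIRS = 32
# One MS-DOS 8.3 name: up to 8 chars, optional dot plus up to 3, no spaces.
DOS_NAME = re.compile(r"^[A-Z0-9_~!#$%&@^-]{1,8}(\.[A-Z0-9_~!#$%&@^-]{1,3})?$", re.I)
# Constructed demo signatures (assumption); they match nothing real.
DEMO_SIGNATURES = {"DEMO/Marker.A": b"DEMO-MALWARE-MARKER-A", "DEMO/Marker.B": b"DEMO-MALWARE-MARKER-B"}

@dataclass
class Config:
    recursive: bool = False      # YES
    log_mode: str = "APPEND"     # APPEND (default), CREATE or NOLOG
    full_log: bool = False       # FULL: more logfile detail than hits only
    directories: list = field(default_factory=list)

def is_dos_path(path: str) -> bool:
    """True when every component of a DOS path is an 8.3-style name."""
    body = path[2:] if len(path) >= 2 and path[1] == ":" else path
    parts = [p for p in body.replace("/", "\\").split("\\") if p]
    return all(DOS_NAME.match(p) for p in parts)

def parse_ini(text: str) -> Config:
    """Collect directives and up to 32 scan directories from INI text."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line in DIRECTIVES:
            attr, value = FLAGS.get(line, ("log_mode", line))
            setattr(cfg, attr, value)
        elif line.upper() in DIRECTIVES:
            continue                          # lower-case directives are ignored
        elif not is_dos_path(line) or len(cfg.directories) >= MAX_DIRS:
            raise ValueError(f"not an 8.3-style path, or over 32 paths: {line!r}")
        else:
            cfg.directories.append(line)
    return cfg

@dataclass
class Result:
    found: dict = field(default_factory=dict)    # path -> identification
    renamed: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    failed: list = field(default_factory=list)   # rename/delete refused

def run_scan(mode, directories, recursive=False, signatures=DEMO_SIGNATURES):
    """A = scan only, B = rename hits to .BUG, C = delete hits and leftover .BUG."""
    res = Result()
    for root in map(Path, directories):
        files = [p for p in (root.rglob("*") if recursive else root.iterdir())
                 if p.is_file()]                 # listed up front: C deletes as it goes
        for path in files:
            if path.suffix.upper() == ".BUG":    # quarantined by an earlier B run
                if mode == "C":
                    path.unlink()
                    res.removed.append(str(path))
                continue
            data = path.read_bytes()
            name = next((n for n, sig in signatures.items() if sig in data), None)
            if name is None:
                continue
            res.found[str(path)] = name
            try:
                if mode == "B":
                    path.replace(path.with_suffix(".BUG"))
                    res.renamed.append(str(path))
                elif mode == "C":
                    path.unlink()
                    res.removed.append(str(path))
            except PermissionError:              # e.g. a file still executing
                res.failed.append(str(path))
    return res

def needs_clean_boot(res: Result) -> bool:
    """README rule after Option B: found must equal renamed, else boot clean."""
    return len(res.found) != len(res.renamed)

def demo() -> dict:
    """Constructed sample tree; runs A, then the B -> restart -> C sequence."""
    root = Path(tempfile.mkdtemp(prefix="bughunt_demo_"))
    try:
        (root / "sub").mkdir()
        (root / "clean.txt").write_bytes(b"nothing to see here")
        (root / "evil.exe").write_bytes(b"MZ" + DEMO_SIGNATURES["DEMO/Marker.A"])
        (root / "sub" / "worm.scr").write_bytes(DEMO_SIGNATURES["DEMO/Marker.B"])
        flat = run_scan("A", [root])                 # no YES: sub/ is not entered
        b = run_scan("B", [root], recursive=True)
        c = run_scan("C", [root], recursive=True)    # the run after the restart
        return {"found_flat": len(flat.found), "found": len(b.found),
                "renamed": len(b.renamed), "clean_boot": needs_clean_boot(b),
                "removed": len(c.removed),
                "left": sorted(p.name for p in root.rglob("*") if p.is_file())}
    finally:
        shutil.rmtree(root)
```

Running demo() builds a throwaway directory, finds one hit without recursion and two with it, renames both to .BUG (so no clean boot is needed), and the Option C pass then removes only the two .BUG leftovers, leaving clean.txt untouched. Feeding parse_ini a file with a lower-case "append" shows that line being ignored while "YES" and "CREATE" take effect, and is_dos_path rejects a long-name directory such as C:\Program Files, exactly the case the README says must be written in 8.3 form.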
If you select option C instead, BugHunter will create a WININIT.INI file for you to copy to the Windows installation folder. When you restart your computer and allow windows to boot normally, files that BugHunter could not remove will be deleted by windows.

! Important: If the amount of found malware is not equal to the amount renamed, then you will need to boot your system clean as explained above to successfully remove the MalWare. Usually this will only occur with malware that uses the app_init_dlls startup key.

! Update: As BugHunter only targets the executables of known malware, and does nothing with your registry, after removing some malware programs your computer may complain about files missing when you restart it. It's recommended to use HijackThis to delete those invalid registry keys.

About the AUTOEXEC.NT & CONFIG.NT files...

These are only necessary if you are getting an error similar to the following:

  The system file (either CONFIG.NT or AUTOEXEC.NT) is not suitable for running MS-DOS and Windows Applications.

The error message will include the exact location and name of the file. Copy one of the included ones to this location. It may be necessary to copy both files; this shouldn't concern you, as many systems, depending on how windows was loaded, do not support running old MS-DOS programs by default.

** These files are present in the NTFILES.ZIP file included with the original archive.

A little note about BugHunter and desktops...

If you wish to execute BugHunter via an icon, you should create a .pif file which ensures the working directory is where BUGHUNT.EXE resides. This allows BugHunter to retrieve its configuration data. If executed from a console window, you should ensure you are in the directory that BUGHUNT.EXE resides in before executing it. Again, this allows BugHunter to retrieve its configuration data.

A logfile?
BugHunter can be told to create a logfile called BUGHUNT.LOG which will list various information such as date/time, database build date/time, files found, malware identification if known, signature ID, results of file activity (if anything was chosen to be done), total time taken to scan, and the amount of files that were scanned. This file is a normal ASCII readable text file, suitable for loading into NOTEPAD or WORDPAD.

Anything else?

BugHunter was written on Windows XP Professional, and is designed to work with virtually any version of windows. Windows is a registered trademark owned by Microsoft Corporation. It is my sincere hope that you find BugHunter useful and easy to use. Updates to the program and its associated signature files will occur from time to time.

The Beta Testers! (Many Thanks!)

I would like to thank the following individuals for their time, and suggestions in the testing phases of BugHunter. Should you find any problems or have suggestions for future features, feel free to contact me at the email address provided.

  Charles Scaglione
  Creeper
  Gerald Miller
  Jay Emrie
  Roadkil
  Wheels
  Wilk
  Auiler

I would also like to thank the following bands for providing much of the music I've been listening to as I work to update this program.

  Clutch
  Dope
  Alice In Chains
  Metallica
  AC/DC
  GodSmack
  The Charlie Daniels Band
  Led Zeppelin
  Megadeth
  Korn
  Seether
  Shinedown
  Alice Cooper
  The Doors
  Eric Clapton

The Author

Regards,
Dustin Cook
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk