bipingharat

How to remove Hackerware

5 posts in this topic

I was chatting on EFnet via webchat on the #pakistan channel.

The hacker first used 2pac.txt to send a Trojan,

then he melted the server on my machine.

The symptoms after the machine restart were as follows:

There was a blank image on the PC and then it restarted automatically.

Afterwards the registry had the following entries, which even after deleting come back automatically.

The hackerware first uses svchost.exe to malfunction explorer.exe,

then adds the following entries in the registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\, HRZR_PGYFRFFVBA

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYFRFFVBA

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYPHNPbhag:pgbe

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Wnin\wer1.5.0_07\ova\whfpurq.rkr

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\IvehfFpna\FUFGNG.RKR

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\Pbzzba Senzrjbex\HcqngreHV.rkr

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Pbzzba Svyrf\Argjbex Nffbpvngrf\GnyxOnpx\GOZba.rkr

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\JVAAG\Zvkre.rkr

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Lnubb!\Zrffratre\LnubbZrffratre.rkr

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Nqbor\Npebong 7.0\Ernqre\ernqre_fy.rkr

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\CEBTEN~1\ZVPEBF~2\BSSVPR11\JBEQIVRJ.RKR

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_HVFPHG

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\wi16 CbjreGbbyf 2006\wi16CG.rkr

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\, HRZR_PGYFRFFVBA

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYFRFFVBA

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYPHNPbhag:pgbe

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Wnin\wer1.5.0_07\ova\whfpurq.rkr

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\IvehfFpna\FUFGNG.RKR

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\Pbzzba Senzrjbex\HcqngreHV.rkr

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Pbzzba Svyrf\Argjbex Nffbpvngrf\GnyxOnpx\GOZba.rkr

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\JVAAG\Zvkre.rkr

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Lnubb!\Zrffratre\LnubbZrffratre.rkr

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Nqbor\Npebong 7.0\Ernqre\ernqre_fy.rkr

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\CEBTEN~1\ZVPEBF~2\BSSVPR11\JBEQIVRJ.RKR

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_HVFPHG

 

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\wi16 CbjreGbbyf 2006\wi16CG.rkr

 

These entries keep recurring.

I have flashed my BIOS but it still recurs. The BIOS does not flash certain areas of the BIOS.

The actual culprits due to which hackers succeed in their purpose are the motherboard manufacturers.

If they can use ROM (Read Only Memory) in their motherboards and EAROM for writing other information, no hacker in the world can melt his server into the firmware.

As ROM cannot be modified, and PROM requires EPROM programmers where 25 V is required to write to the ROM, once the chip is programmed it cannot be reprogrammed in the machine.

Even if a BIOS upgrade is required, which happens rarely in a computer's life cycle, the user should be forced to buy a new BIOS.

Hope Ad-Aware can provide solutions to the problem discussed above.


I tried to remove the hackerware.

First I zero-level formatted the hard drive.

Also I got the flash BIOS utility with the BIOS file.

Every other device was removed which may have had the possibility of firmware getting infected.

All these things did not work.

That was because the hacker had melted the Trojan into the firmware of the RAM.

Yes, this is shocking, but in your RAM chip some part is reserved as EAROM by the RAM manufacturers. Hackers melt their Trojan into this part and infect the RAM. When you remove the RAM and put it in another machine, the new machine will get infected.

There is a misconception among many people that once a PC is shut down the RAM is cleared, but the EAROM contents still have the data which has been programmed in the RAM-EAROM section.

There are no tools to reset RAM so that this malware can be cleared. Hackers take advantage of this very fact and plant their Trojan in RAM. Once this is done, no matter whether you re-partition the hard disk, change to a new hard disk or go for a new BIOS, your machine will again get infected, because the Trojan still lies there in RAM.

If RAM manufacturers can introduce the ROM concept, malfunctioning RAM will be a hard job for hackers.

You can check if your PC is hacked by using the utility UnHackMe developed by Greatis Software.

If your machine contains rootkits you can download RootKit Unhooker. These utilities will detect but won't remove hackerware, as none has the ability to remove the Trojan from RAM firmware. Buying them is a waste of money.

Once your PC is hacked the Trojan will use NetBIOS datagrams and intimate the hacker. The hacker then further hacks your PC, collects information and malfunctions it.

Even zero fill is useless, as information still lies in the hard drive. This can be read by a special hardware machine called a Beamer which reads the hard disk cluster-wise and forms images; these images can then be converted to files and the data can be re-collected.

The only solution to this problem is that device manufacturers must avoid using EAROM, and if they use them then they should provide utilities to reset the firmware to default settings.


Hi Bipin,

don't worry too much. :) The registry-key entries you are mentioning are encrypted using Rot13.

For instance:

HRZR_PGYFRFFVBA = UEME_CTLSESSION

P:\Cebtenz Svyrf\Wnin\wer1.5.0_07\ova\whfpurq.rkr = C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\IvehfFpna\FUFGNG.RKR = UEME_RUNPATH:C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\Pbzzba Senzrjbex\HcqngreHV.rkr = C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

and so on.

I quote tele-pro.co.uk: "Rot13 is a simple Caesar-cypher encryption, that replaces each English letter with the one 13 places forward or back along the alphabet. The Rot13 cypher is used to obfuscate text in the Windows registry, to make captured data on your browsing habits and recent files less noticeable."

If you want to see for yourself, and try out a bit, here's an example of how it works on their site: http://www.tele-pro.co.uk/scripts/misc/rot13.htm

kind regards,

Gizzm0

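To see the decoding Gizzm0 describes applied to the whole list at once, here is an added Python example; it is not code from this thread, from Lavasoft or from tele-pro.co.uk. It takes four of the entries the original poster pasted (embedded below as a constructed sample), splits each into hive, UserAssist GUID and value name, applies ROT13 to the name and separates the UEME_ tag from the path that follows it. The regular expression, the function names and the record fields are my own choices. The UserAssist\...\Count keys are where Explorer records program launches, so the decoded RUNPATH entries resolve to the paths of ordinary installed programs (the Java update scheduler, McAfee VirusScan), and they reappear after deletion as soon as those programs are run again.

```python
import codecs
import re
from typing import Optional

# Constructed sample: four of the UserAssist entries quoted earlier in this
# thread, exactly as pasted. The value names (after ", ") are ROT13-encoded.
SAMPLE_ENTRIES = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\, HRZR_PGYFRFFVBA
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Wnin\wer1.5.0_07\ova\whfpurq.rkr
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\IvehfFpna\FUFGNG.RKR
HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_HVFPHG
"""

# Hypothetical line shape, matching how the poster pasted the entries:
# <hive>\...\UserAssist\{GUID}\Count\, <rot13 value name>
LINE_RE = re.compile(
    r"^(?P<hive>HKCU|HKLM|HKUS\\S-[\d-]+)\\.*?\\UserAssist\\\{(?P<guid>[0-9A-Fa-f-]+)\}\\Count\\, (?P<name>.+)$"
)


def rot13(text: str) -> str:
    """Rotate each ASCII letter 13 places. Digits, punctuation and the
    backslashes in registry paths pass through unchanged, which is why
    the drive letter, separators and version numbers stay readable."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def parse_userassist_line(line: str) -> Optional[dict]:
    """Split one pasted line into hive, GUID and decoded value name.
    The decoded name is 'UEME_<tag>' optionally followed by ':<path>'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    decoded = rot13(m["name"])
    tag, _, target = decoded.partition(":")  # split at the first colon only
    return {
        "hive": m["hive"],
        "guid": m["guid"].upper(),
        "encoded": m["name"],
        "decoded": decoded,
        "tag": tag,
        "target": target,
    }


def decode_entries(text: str) -> list:
    """Decode every non-empty line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_userassist_line(line)
        if rec is not None:
            entries.append(rec)
    return entries


def executed_programs(entries: list) -> list:
    """Paths behind UEME_RUNPATH entries: the programs Explorer saw launched."""
    return [e["target"] for e in entries if e["tag"] == "UEME_RUNPATH" and e["target"]]


def cross_check(text: str) -> bool:
    """Confirm the hand-written rot13 agrees with the standard library codec."""
    return all(rot13(ln) == codecs.decode(ln, "rot_13") for ln in text.splitlines())


if __name__ == "__main__":
    entries = decode_entries(SAMPLE_ENTRIES)
    for e in entries:
        print(f"{e['hive'][:14]:<14} {e['guid'][:8]}...  {e['encoded']}")
        print(f"{'':14} {'':11}  -> {e['decoded']}")
    print("programs launched:", executed_programs(entries))
    print("codec cross-check:", cross_check(SAMPLE_ENTRIES))
```

Running it prints each entry next to its decoded form and then the list of launched program paths; the cross-check compares the hand-written rotation with Python's built-in `rot_13` codec, so either can be used when decoding a longer export.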

Hello, gizzm0, and welcome.

Please show us an updated Ad-Aware SE logfile and a HijackThis logfile. If you are not sure how to go about this, have a look at the links in the quote box at the bottom of my page.

Gogo :)

> Also I got the flash BIOS utility with the BIOS file.
>
> Every other device was removed which may have had the possibility of firmware getting infected.
>
> All these things did not work.
>
> That was because the hacker had melted the Trojan into the firmware of the RAM.

This is a myth. (btw, you mean ROM, not RAM)

> Yes, this is shocking, but in your RAM chip some part is reserved as EAROM by the RAM manufacturers. Hackers melt their Trojan into this part and infect the RAM. When you remove the RAM and put it in another machine, the new machine will get infected.

You don't mean RAM here. And this is not actually possible.

> There is a misconception among many people that once a PC is shut down the RAM is cleared, but the EAROM contents still have the data which has been programmed in the RAM-EAROM section.

You don't mean RAM; RAM is random access memory. Even if a computer's RAM wasn't cleared, no programs execute code from uninitialized parts of RAM; if they did, all uninfected computers would always crash and never boot.

> There are no tools to reset RAM so that this malware can be cleared. Hackers take advantage of this very fact and plant their Trojan in RAM. Once this is done, no matter whether you re-partition the hard disk, change to a new hard disk or go for a new BIOS, your machine will again get infected, because the Trojan still lies there in RAM.

That statement is illogical.

> If RAM manufacturers can introduce the ROM concept, malfunctioning RAM will be a hard job for hackers.

Not sure what you mean here...

> You can check if your PC is hacked by using the utility UnHackMe developed by Greatis Software.

That is for kernel and user mode rootkits, nothing to do with malicious code flashed to the BIOS (which isn't possible).

> If your machine contains rootkits you can download RootKit Unhooker. These utilities will detect but won't remove hackerware, as none has the ability to remove the Trojan from RAM firmware. Buying them is a waste of money.

The term "RAM firmware" is nonsense. There is no such thing.

> Once your PC is hacked the Trojan will use NetBIOS datagrams and intimate the hacker. The hacker then further hacks your PC, collects information and malfunctions it.

What does NetBIOS (aka Windows file sharing, which has nothing to do with computer BIOS chips) have to do with this?

> Even zero fill is useless, as information still lies in the hard drive. This can be read by a special hardware machine called a Beamer which reads the hard disk cluster-wise and forms images; these images can then be converted to files and the data can be re-collected.

Data can be collected from an erased hard drive with special hardware. So what? What does that have to do with what you have been talking about?

> The only solution to this problem is that device manufacturers must avoid using EAROM, and if they use them then they should provide utilities to reset the firmware to default settings.

How about what they are already doing? You have to move a jumper on the motherboard to make the BIOS flashable.
