
How to remove Hackerware


4 replies to this topic

#1 Bipin

Bipin

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 13 September 2006 - 10:35 AM

I was chatting on Efnet via webchat on the #pakistan channel.

The hacker first used 2pac.txt to send a trojan,

then he melted the server on my machine.

The symptoms after the machine restarted were as follows:

There was a blank image on the PC and then it restarted automatically.


Afterwards the registry had the following entries, which even after deleting come back automatically.

The hackerware first uses svchost.exe to malfunction explorer.exe,

then adds the following entries in the registry:



HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\, HRZR_PGYFRFFVBA

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYFRFFVBA

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYPHNPbhag:pgbe

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Wnin\wer1.5.0_07\ova\whfpurq.rkr

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\IvehfFpna\FUFGNG.RKR

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\Pbzzba Senzrjbex\HcqngreHV.rkr

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Pbzzba Svyrf\Argjbex Nffbpvngrf\GnyxOnpx\GOZba.rkr

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\JVAAG\Zvkre.rkr

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Lnubb!\Zrffratre\LnubbZrffratre.rkr

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Nqbor\Npebong 7.0\Ernqre\ernqre_fy.rkr

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\CEBTEN~1\ZVPEBF~2\BSSVPR11\JBEQIVRJ.RKR

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_HVFPHG

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\wi16 CbjreGbbyf 2006\wi16CG.rkr

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\, HRZR_PGYFRFFVBA

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYFRFFVBA

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYPHNPbhag:pgbe

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Wnin\wer1.5.0_07\ova\whfpurq.rkr

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\IvehfFpna\FUFGNG.RKR

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\Pbzzba Senzrjbex\HcqngreHV.rkr

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Pbzzba Svyrf\Argjbex Nffbpvngrf\GnyxOnpx\GOZba.rkr

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\JVAAG\Zvkre.rkr

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Lnubb!\Zrffratre\LnubbZrffratre.rkr

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Nqbor\Npebong 7.0\Ernqre\ernqre_fy.rkr

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\CEBTEN~1\ZVPEBF~2\BSSVPR11\JBEQIVRJ.RKR

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_HVFPHG

HKUS\S-1-5-21-448539723-1563985344-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\wi16 CbjreGbbyf 2006\wi16CG.rkr


These entries keep reoccurring.

I have flashed my BIOS but it still reoccurs. The BIOS flash does not flash certain areas of the BIOS.

The actual culprits due to which hackers succeed in their purpose
are the motherboard manufacturers.

If they can use ROM (Read Only Memory) in their motherboards
and EAROM for writing other information, no hacker in the world can melt his server in firmware,

as ROM cannot be modified. Also, PROM requires EPROM programmers, where
25 V is required to write on the ROM. Once the chip is programmed
it cannot be reprogrammed in the machine.

Even if a BIOS upgrade is required, which happens rarely in a computer's life cycle, the user
should be forced to buy a new BIOS.


Hope Ad-Aware can provide solutions to the problem discussed above.

#2 Bipin

Bipin

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 03 November 2006 - 12:58 PM

I tried to remove the hackerware.

First I zero-level formatted the hard drive.

Also I got the flash BIOS utility with the BIOS file.

Every other device was removed which may have had the possibility
of its firmware getting infected.

All these things did not work.

That was because the hacker had melted the trojan in the firmware of the RAM.

Yes, this is shocking, but in your RAM chip some part is reserved as EAROM
by the RAM manufacturers. Hackers melt their trojan in this part and infect the RAM.
When you remove the RAM and put it in another machine,
the new machine will get infected.

There is a misconception among many people that once the PC is shut down the RAM is cleared,
but the EAROM contents still have the data which has been programmed in the RAM-EAROM section.

There are no tools to reset RAM so that this malware can be cleared.
Hackers take advantage of this very fact and plant their trojan in RAM.
Once this is done, no matter whether you re-partition the hard disk, change to a new hard disk
or go for a new BIOS, your machine will again get infected,
because the trojan still lies there in RAM.

If RAM manufacturers can introduce the ROM concept, malfunctioning RAM
will be a hard job for hackers.

You can check if your PC is hacked by using the utility UnHackMe developed by Greatis Software.

If your machine contains rootkits you can download RootKit UnHooker. These utilities
will detect but won't remove hackerware, as none has the ability to remove the trojan
from RAM firmware. Buying them is a waste of money.

Once your PC is hacked the trojan will use NetBIOS Datagram and intimate the hacker.
The hacker then further hacks your PC, collects information and malfunctions it.

Even zero fill is useless, as information still lies in the hard drive.
This can be read by a special hardware machine called Beamer, which reads the hard disk
cluster-wise and forms images; these images can then be converted to files and the data
can be re-collected.

The only solution to this problem is that device manufacturers must avoid using EAROM,
and if they use them then they should provide utilities to reset firmware to default settings.

#3 gizzm0

gizzm0

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 04 February 2007 - 11:40 PM

Hi Bipin,

don't worry too much. :) The registry-key entries you are mentioning are encrypted using Rot13.

For instance:

HRZR_PGYFRFFVBA = UEME_CTLSESSION
P:\Cebtenz Svyrf\Wnin\wer1.5.0_07\ova\whfpurq.rkr = C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

HRZR_EHACNGU:P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\IvehfFpna\FUFGNG.RKR =
UEME_RUNPATH:C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

P:\Cebtenz Svyrf\Argjbex Nffbpvngrf\Pbzzba Senzrjbex\HcqngreHV.rkr =
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

and so on.

I quote tele-pro.co.uk: "Rot13 is a simple Caesar-cypher encryption that replaces each English letter with the one 13 places forward or back along the alphabet. The Rot13 cypher is used to obfuscate text in the Windows registry, to make captured data on your browsing habits and recent files less noticeable."

If you want to see for yourself and try it out a bit, here's an example of how it works on their site: http://www.tele-pro..../misc/rot13.htm

kind regards,

Gizzm0
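A small decoder for the UserAssist lines pasted in the first post, added here as an example and not part of gizzm0's reply or of any tool named in the thread: it splits each line into key path and value name, applies ROT13 to the value name, and labels the UEME_* prefix so the RUNPATH entries read as what they are, Explorer's own record of programs the user launched (which is why they come back after deletion). The sample lines are copied from the thread; the prefix descriptions are this example's own.

```python
import codecs

# Constructed sample: three UserAssist entries exactly as pasted in post #1
# (registry key path, then the ROT13-obfuscated value name after "Count\, ").
SAMPLE_ENTRIES = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_PGYFRFFVBA
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_EHACNGU:P:\Cebtenz Svyrf\Wnin\wer1.5.0_07\ova\whfpurq.rkr
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\, HRZR_HVFPHG
""".strip().splitlines()

# What the decoded UEME_* prefixes mean (descriptions written for this example).
PREFIX_MEANING = {
    "UEME_RUNPATH": "program launched through Explorer; the path follows the colon",
    "UEME_CTLSESSION": "Explorer session counter, not a program",
    "UEME_UISCUT": "shortcut (.lnk) launched through Explorer",
    "UEME_CTLCUACount": "internal Explorer counter, not a program",
}


def rot13(text: str) -> str:
    """ROT13 shifts each ASCII letter 13 places; digits, backslashes and dots are unchanged."""
    return codecs.decode(text, "rot_13")


def parse_entry(line: str) -> tuple[str, str]:
    """Split 'key-path\\, VALUE' into (key path, ROT13-decoded value name)."""
    key, sep, value = line.rpartition("\\, ")
    if not sep:
        raise ValueError(f"not a UserAssist line: {line!r}")
    return key, rot13(value)


def explain(decoded: str) -> str:
    """Describe a decoded value name using its UEME_* prefix."""
    prefix, _, rest = decoded.partition(":")
    meaning = PREFIX_MEANING.get(prefix, "unknown UserAssist value")
    return f"{meaning}: {rest}" if rest else meaning


def decode_entries(lines) -> list[tuple[str, str]]:
    """Return (decoded value name, explanation) for every pasted line."""
    result = []
    for line in lines:
        _, decoded = parse_entry(line)
        result.append((decoded, explain(decoded)))
    return result


if __name__ == "__main__":
    for decoded, note in decode_entries(SAMPLE_ENTRIES):
        print(f"{decoded}\n    -> {note}")
```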

#4 HJThis

HJThis

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 4076 posts

Posted 05 February 2007 - 01:06 PM

Hello, gizzm0, and welcome.

Please show us an updated Ad-Aware SE logfile and a HijackThis logfile.
If you are not sure how to go about this, have a look at the links in the quote box
at the bottom of my page.

Gogo :)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#5 Ai_Tak

Ai_Tak

    Advanced Member

  • Members
  • PipPipPip
  • 1372 posts

Posted 08 February 2007 - 05:23 AM

> Also I got the flash BIOS utility with the BIOS file.
>
> Every other device was removed which may have had the possibility
> of its firmware getting infected.
>
> All these things did not work.
>
> That was because the hacker had melted the trojan in the firmware of the RAM.

This is a myth. (BTW, you mean ROM, not RAM.)

> Yes, this is shocking, but in your RAM chip some part is reserved as EAROM
> by the RAM manufacturers. Hackers melt their trojan in this part and infect the RAM.
> When you remove the RAM and put it in another machine,
> the new machine will get infected.

You don't mean RAM here. And this is not actually possible.

> There is a misconception among many people that once the PC is shut down the RAM is cleared,
> but the EAROM contents still have the data which has been programmed in the RAM-EAROM section.

You don't mean RAM; RAM is random access memory. Even if a computer's RAM wasn't cleared, no programs execute code from uninitialized parts of RAM. If they did, all uninfected computers would always crash and never boot.

> There are no tools to reset RAM so that this malware can be cleared.
> Hackers take advantage of this very fact and plant their trojan in RAM.
> Once this is done, no matter whether you re-partition the hard disk, change to a new hard disk
> or go for a new BIOS, your machine will again get infected,
> because the trojan still lies there in RAM.

That statement is illogical.

> If RAM manufacturers can introduce the ROM concept, malfunctioning RAM
> will be a hard job for hackers.

Not sure what you mean here...

> You can check if your PC is hacked by using the utility UnHackMe developed by Greatis Software.

That is for kernel- and user-mode rootkits, nothing to do with malicious code flashed to the BIOS (which isn't possible).

> If your machine contains rootkits you can download RootKit UnHooker. These utilities
> will detect but won't remove hackerware, as none has the ability to remove the trojan
> from RAM firmware. Buying them is a waste of money.

The term "RAM firmware" is nonsense. There is no such thing.

> Once your PC is hacked the trojan will use NetBIOS Datagram and intimate the hacker.
> The hacker then further hacks your PC, collects information and malfunctions it.

What does NetBIOS (aka Windows file sharing, which has nothing to do with computer BIOS chips) have to do with this?

> Even zero fill is useless, as information still lies in the hard drive.
> This can be read by a special hardware machine called Beamer, which reads the hard disk
> cluster-wise and forms images; these images can then be converted to files and the data
> can be re-collected.

Data can be collected from an erased hard drive with special hardware. So what? What does that have to do with what you have been talking about?

> The only solution to this problem is that device manufacturers must avoid using EAROM,
> and if they use them then they should provide utilities to reset firmware to default settings.

How about what they are already doing? You have to move a jumper on the motherboard to make the BIOS flashable.



