Manual Removal Guide for Hacker.ag



Friday
2008-12-01, 11:22
The following instructions have been created to help you get rid of "Hacker.ag" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to removing malware, since it can look deeper than a manual check.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
dialer

Supposed Functionality:
Dialer for Germany, Belgium, Switzerland, Netherlands, Austria, Japan, USA, Italy, Spain, UK, Norway, Sweden, Denmark, Australia, Greece, Hong Kong. 99.90 per call!
Links (be careful!):

Website: http://www.hacker.ag/
Removal Instructions:

Desktop:

Please remove the following shortcuts from your desktop.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears. In the paths below, "<$WINDIR>" stands for your Windows directory (usually C:\WINDOWS).

Shortcuts named "Kontaktstudio69.de.lnk" and pointing to "_1-K69-0-0-.exe".
Shortcuts named "Heimwerker.AG.lnk" and pointing to "_38-HWK-0-0-.exe".
Shortcuts named "Tattoo-Base.lnk" and pointing to "_6-TOE-0-0-.exe".
Shortcuts named "Memberarea.lnk" and pointing to "_1-1-1-3-.exe".
Shortcuts named "Memberarea.lnk" and pointing to "_000001-1-2-3-.exe".
Shortcuts named "Erotik.lnk" and pointing to "_1000-1.exe".
Shortcuts named "P2P.TM.lnk" and pointing to "_3-P2P-1-0-.exe".
Shortcuts named "Kontaktanzeigenmarkt24.de.lnk" and pointing to "_11283-K24-0-0-.exe".
Shortcuts named "Hackercd-Online hcd-10240.lnk" and pointing to "security[hcd-10240,de].exe".
Shortcuts named "Memberarea.lnk" and pointing to "_0-0-0-0-.exe".
Shortcuts named "Exclusiver Bereich.lnk" and pointing to "_1-HGR-0-0-.exe".
Shortcuts named "Exclusiver Bereich.lnk" and pointing to "_244-SMS-0-0-.exe".
Shortcuts named "P2P.TM.lnk" and pointing to "P2P(3-p2p-1-0-#0).exe".
Shortcuts named "P2P.TM.lnk" and pointing to "_10-P2P-0-0-.exe".
Shortcuts named "Exclusiver Bereich.lnk" and pointing to "_3-SMOGO-0-0-.exe".
Shortcuts named "Exclusiver Bereich.lnk" and pointing to "_2-TTO-0-0-.exe".
Shortcuts named "Exclusiver Bereich.lnk" and pointing to "_29-FSH-0-0-.exe".
Shortcuts named "Kazaalite.lnk" and pointing to "_1-KLI-1-0-.exe".
Shortcuts named "Mitgliederbereich.lnk" and pointing to "_7507-79-0-8-.exe".
Shortcuts named "P2P - Filesharing Programme.lnk" and pointing to "_1-mdp2p-0-0-.exe".
Shortcuts that include "Coder\_1-air-0-0-.exe" in the target they point to.
Shortcuts that include "Coder\_2-HAGS-1-0-.exe" in the target they point to.
Shortcuts that include "Coder\_1-????-0-0-.exe" in the target they point to.
Shortcuts that include "Coder\_1-hags-0-0-.exe" in the target they point to.
Shortcuts that include "Coder\_1-pirs-0-0-.exe" in the target they point to.
Shortcuts named "Exclusiver Bereich.lnk" and pointing to "<$WINDIR>\Coder\_*-*-0-0-.exe".

Start Menu:

Please remove the following items from your Start Menu.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

Items named "Kontaktstudio69.de.lnk" and pointing to "_1-K69-0-0-.exe".
Items named "Heimwerker.AG.lnk" and pointing to "_38-HWK-0-0-.exe".
Items named "Tattoo-Base.lnk" and pointing to "_6-TOE-0-0-.exe".
Items named "Memberarea.lnk" and pointing to "_1-1-1-3-.exe".
Items named "Memberarea.lnk" and pointing to "_000001-1-2-3-.exe".
Items named "Erotik.lnk" and pointing to "_1000-1.exe".
Items named "Exclusiver Bereich.lnk" and pointing to "<$WINDIR>\coder\_*-*-0-0-.exe".
Items named "P2P.TM.lnk" and pointing to "_3-P2P-1-0-.exe".
Items named "Kontaktanzeigenmarkt24.de.lnk" and pointing to "_11283-K24-0-0-.exe" (file size 34304 bytes, MD5 506A35B8CAEC16241CB9EA249DEEDD3B).
Items named "Memberarea.lnk" and pointing to "_0-0-0-0-.exe".
Items named "Exclusiver Bereich.lnk" and pointing to "_152-JOKE-0-0-.exe".
Items named "Exclusiver Bereich.lnk" and pointing to "_1-HGR-0-0-.exe".
Items named "Exclusiver Bereich.lnk" and pointing to "_244-SMS-0-0-.exe".
Items named "P2P.TM.lnk" and pointing to a file of size 62976 bytes with MD5 331EB8678BC29852CBE60D23575D9158 (the target name is not recorded).
Items named "P2P.TM.lnk" and pointing to "_10-P2P-0-0-.exe".
Items named "Exclusiver Bereich.lnk" and pointing to "_3-SMOGO-0-0-.exe".
Items named "Exclusiver Bereich.lnk" and pointing to "_2-TTO-0-0-.exe".
Items named "Exclusiver Bereich.lnk" and pointing to "_29-FSH-0-0-.exe".
Items named "Kazaalite.lnk" and pointing to "_1-KLI-1-0-.exe".
Items named "Mitgliederbereich.lnk" and pointing to "_7507-79-0-8-.exe".
Items named "P2P - Filesharing Programme.lnk" and pointing to "_1-mdp2p-0-0-.exe".
Items that include "Coder\_1-air-0-0-.exe" in the target they point to.
Items that include "Coder\_2-HAGS-1-0-.exe" in the target they point to.
Items that include "Coder\_1-????-0-0-.exe" in the target they point to.
Items that include "Coder\_1-hags-0-0-.exe" in the target they point to.
Items that include "Coder\_1-pirs-0-0-.exe" in the target they point to.
Items named "Exclusiver Bereich.lnk" and pointing to "coder\_*-*-0-0-.exe".

Installed Software List:

You can try to uninstall products with the names listed below. For items identified by other properties, or to avoid the malware becoming active again during uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "Kontaktstudio69.de".
Products that have a key or property named "Heimwerker.AG".
Products that have a key or property named "Tattoo-Base".
Products that have a key or property named "Erotik".
Products that have a key or property named "Kontaktanzeigenmarkt24.de".
Products that have a key or property named "P2P.TM".
Products that have a key or property named "Jokeserver".
Products that have a key or property named "Exclusiver Bereich".
Products that have a key or property named "Mitgliederbereich".
Products that have a key or property named "P2P - Filesharing Programme".
Products that have a key or property named "Manga-Sex.de".
Products that have a key or property named "HackerAG".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

A file with an unknown location named "web(62-pgg-0-0-,DE).exe".
A file with an unknown location named "web(1-k69-0-0-,DE).exe".
The file at "<$WINDIR>\APPLOG\HILFE.LGC".
A file with an unknown location named "_38-HWK-0-0-.exe".
A file with an unknown location named "web(38-hwk-0-0-,DE).exe".
A file with an unknown location named "web(6-toe-0-0-,DE).exe".
A file with an unknown location named "decoder-crack.exe".
A file with an unknown location named "dialer(1-1-1-3-).exe".
A file with an unknown location named "dialer(000001-1-2-3-).exe".
The file at "<$WINDIR>\Recent\erdial_001.HTM.lnk".
A file with an unknown location named "hilfe.exe".
A file with an unknown location named "_1000-1.exe".
A file with an unknown location named "P2P(3-p2p-1-0-#0).exe".
A file with an unknown location named "web(237-tat-0-0-,DE).exe".
A file with an unknown location named "web(759-smogo-0-0-,DE).exe".
A file with an unknown location named "web(11283-k24-0-0-,DE).exe".
A file with an unknown location named "security[hcd-10240,de].exe".
A file with an unknown location named "96-0-0-.exe".
A file with an unknown location named "web(152-joke-0-0-,DE).exe".
A file with an unknown location named "web(1-hgr-0-0-,DE).exe".
A file with an unknown location named "web(244-sms-0-0-,DE).exe".
The file at "<$WINDIR>\Coder\_280-JOKE-0-0-.exe".
A file with an unknown location named "web(280-joke-0-0-,DE).exe".
The file at "<$WINDIR>\Coder\_10-P2P-0-0-.exe".
A file with an unknown location named "p2p[p2p-10102,de].exe".
A file with an unknown location named "web(10210-p-0-0-,DE).exe".
A file with an unknown location named "web(519-hobby-0-0-,DE).exe".
A file with an unknown location named "web(746-smogo-0-0-,DE).exe".
A file with an unknown location named "web(180-cast-0-0-,DE).exe".
A file with an unknown location named "web(155-a2p-0-0-,DE).exe".
A file with an unknown location named "web(15062-p-0-0-,DE)_001.exe".
A file with an unknown location named "web(3-smogo-0-0-,DE)_001.exe".
A file with an unknown location named "web(15062-p-0-0-,DE).exe".
A file with an unknown location named "web(2-tto-0-0-,DE).exe".
A file with an unknown location named "web(29-fsh-0-0-,DE).exe".
A file with an unknown location named "Kli(1-kli-1-0-#22).exe".
The file at "<$WINDIR>\TEMP\~YG52A2.exe".
A file with an unknown location named "Sex Great New Asian Porn.exe".
The file at "<$WINDIR>\Coder\_1-mdp2p-0-0-.exe".
The file at "<$WINDIR>\Coder\coder.log".
A file with an unknown location named "trojai.exe".
The file at "<$WINDIR>\Coder\_1-air-0-0-.exe".
A file with an unknown location named "manga.exe".
A file with an unknown location named "wupdate.exe".
A file with an unknown location named "crack-decoder.exe".
A file with an unknown location named "Dialer.Hacker.AG.exe".
A file with an unknown location named "erostars.exe".
The file at "<$WINDIR>\coder.ini".
The file at "<$WINDIR>\coder.log".
The file at "<$WINDIR>\Coder\_2-HAGS-1-0-.exe".
The file at "<$WINDIR>\Coder\_1-hags-0-0-.exe".
The file at "<$WINDIR>\Coder\_1-pirs-0-0-.exe".
Make sure your file manager is set to display hidden and system files. If Hacker.ag uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For files listed with an unknown location you will have to search the whole drive. Be extra careful: the name alone might not be enough to identify a file, so compare the size and, where one is given above, the MD5 hash before deleting anything.

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$WINDIR>\Coder".
Make sure your file manager is set to display hidden and system files. If Hacker.ag uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
For folders listed without a location you will have to search the whole drive. Be extra careful: the name alone might not be enough to identify a folder!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "decrypter_2" at "HKEY_CURRENT_USER\RemoteAccess\Profile\".
Delete the registry value "decrypter_2" at "HKEY_CURRENT_USER\RemoteAccess\Addresses\".
Delete the registry value named "C:\WINDOWS\Downloaded Program Files\ieloader.dll" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\" (this key holds reference counts keyed by file path; the file itself should no longer exist).
Delete the registry key "wupdate_2" at "HKEY_CURRENT_USER\RemoteAccess\Profile\".
Delete the registry value "wupdate_2" at "HKEY_CURRENT_USER\RemoteAccess\Addresses\".
Delete the registry key "lollygirls_2" at "HKEY_CURRENT_USER\RemoteAccess\Profile\".
Delete the registry value "lollygirls_2" at "HKEY_CURRENT_USER\RemoteAccess\Addresses\".
Delete the registry key "xgeniusjp" at "HKEY_CURRENT_USER\".
If Hacker.ag uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
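Bringing the sections above together, here is an added example (not part of the original guide, and not Safer Networking's code) of a PowerShell script that checks a machine for the indicators listed under Desktop, Start Menu, Installed Software List, Files, Folders and Registry and reports what it finds without deleting anything. It assumes Windows PowerShell 5.1 run as administrator, takes the guide's "<$WINDIR>" to be $env:WINDIR, reads the Desktop and Start Menu for both the current user and all users, counts any shortcut or file under <$WINDIR>\Coder as a hit because the guide removes that folder whole, and adds the WOW6432Node and per-user Uninstall paths (which the guide does not name) for 64-bit and per-user installs. Shortcuts are matched on the same Target value that the Properties dialog shows.

```powershell
# Added example, not part of the original Spybot guide: read-only triage for the
# Hacker.ag indicators listed above. It reports hits and deletes nothing.
# Assumptions: Windows PowerShell 5.1 run as administrator; the guide's <$WINDIR>
# is $env:WINDIR; Desktop and Start Menu are read for the current user and all
# users; anything under <$WINDIR>\Coder counts as a hit because the guide removes
# that folder whole; WOW6432Node/HKCU Uninstall paths are an addition of this script.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# --- Desktop / Start Menu: shortcut targets named in the guide ---
$exactTargets = @('_1-K69-0-0-.exe','_38-HWK-0-0-.exe','_6-TOE-0-0-.exe','_1-1-1-3-.exe',
    '_000001-1-2-3-.exe','_1000-1.exe','_3-P2P-1-0-.exe','_11283-K24-0-0-.exe','security[hcd-10240,de].exe',
    '_0-0-0-0-.exe','_1-HGR-0-0-.exe','_244-SMS-0-0-.exe','P2P(3-p2p-1-0-#0).exe','_10-P2P-0-0-.exe',
    '_3-SMOGO-0-0-.exe','_2-TTO-0-0-.exe','_29-FSH-0-0-.exe','_1-KLI-1-0-.exe','_7507-79-0-8-.exe',
    '_1-mdp2p-0-0-.exe','_152-JOKE-0-0-.exe','_1-air-0-0-.exe','_2-HAGS-1-0-.exe','_1-hags-0-0-.exe','_1-pirs-0-0-.exe')
$coderDir = Join-Path $env:WINDIR 'Coder'
$shell = New-Object -ComObject WScript.Shell
$shortcutRoots = 'Desktop','CommonDesktopDirectory','StartMenu','CommonStartMenu' |
    ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
foreach ($root in $shortcutRoots) {
    Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Same value the guide has you read from Properties -> Target
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ([string]::IsNullOrEmpty($target)) { return }
        $leaf = [System.IO.Path]::GetFileName($target)
        if (($exactTargets -contains $leaf) -or
            $target.StartsWith($coderDir + '\', [StringComparison]::OrdinalIgnoreCase)) {
            Add-Finding 'Shortcut' $_.FullName $target
        }
    }
}

# --- Files and Folders: fixed paths first, then the whole-drive search the guide
# asks for on "unknown location" names (slow on a large drive) ---
$fixedPaths = "$env:WINDIR\APPLOG\HILFE.LGC", "$env:WINDIR\Recent\erdial_001.HTM.lnk",
    "$env:WINDIR\TEMP\~YG52A2.exe", "$env:WINDIR\coder.ini", "$env:WINDIR\coder.log"
$looseNames = @('web(62-pgg-0-0-,DE).exe','web(1-k69-0-0-,DE).exe','_38-HWK-0-0-.exe','web(38-hwk-0-0-,DE).exe',
    'web(6-toe-0-0-,DE).exe','decoder-crack.exe','dialer(1-1-1-3-).exe','dialer(000001-1-2-3-).exe',
    'hilfe.exe','_1000-1.exe','P2P(3-p2p-1-0-#0).exe','web(237-tat-0-0-,DE).exe','web(759-smogo-0-0-,DE).exe',
    'web(11283-k24-0-0-,DE).exe','security[hcd-10240,de].exe','96-0-0-.exe','web(152-joke-0-0-,DE).exe',
    'web(1-hgr-0-0-,DE).exe','web(244-sms-0-0-,DE).exe','web(280-joke-0-0-,DE).exe','p2p[p2p-10102,de].exe',
    'web(10210-p-0-0-,DE).exe','web(519-hobby-0-0-,DE).exe','web(746-smogo-0-0-,DE).exe','web(180-cast-0-0-,DE).exe',
    'web(155-a2p-0-0-,DE).exe','web(15062-p-0-0-,DE)_001.exe','web(3-smogo-0-0-,DE)_001.exe','web(15062-p-0-0-,DE).exe',
    'web(2-tto-0-0-,DE).exe','web(29-fsh-0-0-,DE).exe','Kli(1-kli-1-0-#22).exe','Sex Great New Asian Porn.exe',
    'trojai.exe','manga.exe','wupdate.exe','crack-decoder.exe','Dialer.Hacker.AG.exe','erostars.exe')
$nameSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$looseNames, [StringComparer]::OrdinalIgnoreCase)
function Add-FileFinding([System.IO.FileInfo]$File) {
    # Size and MD5 are recorded because the guide warns that the name alone may not identify a file
    $md5 = (Get-FileHash -LiteralPath $File.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    Add-Finding 'File' $File.FullName "size=$($File.Length) md5=$md5"
}
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { Add-FileFinding (Get-Item -LiteralPath $p -Force) }
}
if (Test-Path -LiteralPath $coderDir -PathType Container) {
    Add-Finding 'Folder' $coderDir 'listed for removal as a whole'
    Get-ChildItem -LiteralPath $coderDir -File -Force -ErrorAction SilentlyContinue | ForEach-Object { Add-FileFinding $_ }
}
Get-ChildItem -LiteralPath "$env:SystemDrive\" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $nameSet.Contains($_.Name) } | ForEach-Object { Add-FileFinding $_ }

# --- Installed Software List: Uninstall entries whose key name or DisplayName matches ---
$productNames = 'Kontaktstudio69.de','Heimwerker.AG','Tattoo-Base','Erotik','Kontaktanzeigenmarkt24.de','P2P.TM',
    'Jokeserver','Exclusiver Bereich','Mitgliederbereich','P2P - Filesharing Programme','Manga-Sex.de','HackerAG'
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $display = $_.GetValue('DisplayName')
        if (($productNames -contains $_.PSChildName) -or ($productNames -contains $display)) {
            Add-Finding 'Uninstall' $_.Name "DisplayName=$display"
        }
    }
}

# --- Registry: keys and values the guide says to delete ---
$regKeys = 'HKCU:\RemoteAccess\Profile\decrypter_2','HKCU:\RemoteAccess\Profile\wupdate_2',
    'HKCU:\RemoteAccess\Profile\lollygirls_2','HKCU:\xgeniusjp'
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { Add-Finding 'RegKey' $k 'delete the whole key' } }
$regValues = @{
    'HKCU:\RemoteAccess\Addresses' = @('decrypter_2','wupdate_2','lollygirls_2')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls' = @('C:\WINDOWS\Downloaded Program Files\ieloader.dll')
}
foreach ($path in $regValues.Keys) {
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $regValues[$path]) {
        if ($key.GetValueNames() -contains $name) { Add-Finding 'RegValue' $path "value name: $name" }
    }
}

if ($findings.Count -eq 0) { 'No Hacker.ag indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Save it under a name of your choice (for instance Find-HackerAg.ps1) and run it from an elevated prompt; the whole-drive search for the unknown-location names is the slow part. Every hit is printed with enough context to check by hand: shortcuts with their resolved target, files with size and MD5 (compare these against the two hashes given in the Start Menu section), and registry entries with the exact key or value name. Removal stays a manual step, which is what the guide intends.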

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.