Hooker Trojan Keylogger. How to remove? (Uninstall guide)

removal by Ugnius Kiguolis - - | Type: Keyloggers
12

Variants: Hooker Trojan Keylogger 2.0, Hooker Trojan Keylogger 2.4, Hooker Trojan Keylogger 2.5, Hooker Trojan Keylogger 2.52

From the publisher:
‘Hooker, the intelligent trojan keylogger
(version 2.4)
Disclaimer
This program was created in educational purposes only. Authors do not will be liable for data loss, damages, loss of profits for any other kind of loss while using or misusing this program. No person or company may charge a fee for the distribution of Hooker. Authors do not will be liable for any kind of illegal using of this program. Hooker may be distributed freely without any charge for it. Authors do not mind about the disassembling of any part of code. If you do not agree with this terms, stop using this program.
What is Hooker?
Hooker is the simple mailing trojan. Here is the list of it’s features:
– keylog function (fairly simple, not so extended like in HookDump)
– You can define any option you can imagine – there are tons of them
– Hooker can look for RAS-connections
– Hooker can download files from any location in internet and start them absolutely invisible from user
– you can use hooker as intruding module for starting the bigger trojans like NetBus or BO
– Works under any Win32 platform (Win95/98/NT)
– Well-commented sources are available for free – you can build your very own version of hooker 😉
Trojan part is written on MS Visual C++ 5.0. MFC or any another nonstandard libraries wasn’t used. Therefore, Hooker can be executed on any Win32 platform with minimum set of DLLs. May be, Hooker can be compiled under Borland C or even Watcom, but we have not tested it. I think that Hooker can be viewed as a classical sample of trojan. And may be, someone can build smth really good based on Hooker. And may be, he (or she) will even credit us… 🙂
Installation in system
During the first run Hooker moves it’s body into directory which is predefined in the configuration. You should keep in mind following things, when you will choose the place in registry from which Hooker will run:
HKEY_LOCAL_MACHINE – Hooker will start with any user
HKEY_CURRENT_USER – Hooker will start only with current user
\Software\Microsoft\Windows\CurrentVersoin\, and variants:
Run if there is only name of file w/o path, Hooker must be in the directory, which is defined in the %PATH% environment variable. Remember, that system directory is not defined in %PATH% by default.
RunServices file must be placed in the system directory (if there is only name without path). Works only under Win95/98.
RunOnce used to run file only once. During the boot, OS will start file, then wait for it’s termination and then kill it from RunOnce.
RunServicesOnce like a RunOnce, but for system directory. Does not work under WinNT.
Hooker can be called from RunOnce and RunServicesOnce, and it will not pause the boot process, because it will restart imediatelly with the Restart_ID key, where ID is the ident number (DWORD, computed from the date and time of configuration). Hooker will not be started only once, because it will rewrite it’s sting in RunOnce (RunServicesOnce) in a short period of time.
Keylogging
Keylogging feature is very simple under Win32. It can be done using the system hook. All you need is to redefine CallBack function used for keypresses to yours, which must be situated in DLL. In Hooker CallBack function writes pressed keys in little buffer in the segment of dynamic data for this DLL. By calling of the appropriate DLL-functions you can free this buffer or read information from it. We recommend to give different names to keylogging dll for every configuration you create. There are some options for keylog which you can choose depending of the aims you follow and preferred size of log:
– Hooker can log keypresses in the every window or only in windows which have predefined substring in it’s titles (for example, ‘login’, ‘passw’, ‘term’ etc).
– Hooker can log all keys including SHIFT, ALT, TAB, CTRL, Caps Lock etc or log only text-keys (chars etc).
– sometimes you want to spy for pc – then set ‘Log windows where nothing was pressed’ feature on. Believe us, you can get so many information just in looking the titles and links your ‘victim’ surfs.
If you do not want keylog feature, then just delete all substring to search and set ‘Full keylog’ option off.
Detecting of modem-connections.
How program can say, are you connected to internet or not? There is no solution which can cover all the situations. If user connects to inet using the Dial-Up Networking, then he or she is using RAS-functions – it’s the mostly used case, and in this case RASAPI32.DLL is used. But sometimes people connects to inet via LAN, and RAS is not used. Therefore, you must wisely set option ‘RAS’ – set it to on if RAS is used, and to off if not. If connection is successfully established, Hooker logs time, phone number, IP of user and IP of server.
Web-files downloading and executing
Number of programs for remote administering if countless. BackOrifice, NetBus, DeepThroat, WinCrash… Tons… And their weight (in kbs) is usually tons. 🙂 Hooker’s size is only 20 kb, but it is not so complex like BO. And here goes one of the innovating options: hooker can download and execute files from web using http protocol. Hooker downloads file from web in the system directory of windows and then executes it. If connection will be crashed during the download, Hooker will redownload file as far as possible. Check for a update performs every 30 minutes. If you want to download file from a nonstandard http port write addres like this: www.myhost.com/file.exe:8000
Thanks
Thanks to all who tested Hooker, gave ideas and simply wrote all that they think about us. 🙂 Eprst happy99@mail.ru, Harmer harmer@mail.ru, Alex tanatos@mail.ru, Plan paln@mail.ru, Ϡ⥫ praver@mail.ru, Dima dmetry@usa.net, Androyd androyd@chat.ru, Dark Monk darkmonk@mail.ru and to all I forgot…
Hooker, the intelligent trojan keylogger
(history)
1.0
Just a experimental program with very weak possibilities (just a simple keylog). Was completely rewritten in the next versions.
2.0
Now it sends a keylog. Added ripping of cached passwords (*.pwl). Installs in registry to the user-defined path. It is possible to define max size of a log-file, after which Hooker recreates it. Added keylog of windows with pre-defined words in title. Added self-destructing feature.
2.1
Added sending of log after overflow.
2.2 beta 1
Fixed huge bug in keylogging – hook-function must be in DLL! Troyan became much stable. Added feature of http-files download.
2.2 beta 2
Fixed bug in function which adds system dates.
2.3 beta 1..4
Added detection of a RAS-connections. Fixed bug in using of critical sections – sometimes there was conflicts of threads. Now keylogging DLL is packed by LZW. Some minor bugs fixed.
2.3 beta 5
Fixed bug with sending of keylog. If in window press only ‘.’, troyan wasn’t able to send mail preperly (Hooker simply flood mailbox with big amount of messages).
2.3 beta 6
Little changes in sendmail-procedure. Fixed unpleasant feature: Hooker didn’t start on machine without rasapi32.dll – for example, on WinNT, which is not using Dial-Up Networking. Now, if this dll is not present Hooker simply do not detect RAS-connections.
2.4
No more betas! It’s a release. Fixed little bug in username and hostname detection. Added a couple of features: full keylog: if not checked, Hooker will log only windows, where was keystrokes. advanced log: if not checked, Hooker will not log extended keys (such as ‘Shift’, ‘Alt’ etc). Also fixed bug in connection by IP.
ACrazzi & Shade, 24.7.1999′

do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Hooker Trojan Keylogger you agree to our privacy policy and agreement of use.
Reimage is recommended to uninstall Hooker Trojan Keylogger. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Note: Manual assistance required means that one or all of removers were unable to remove parasite without some manual intervention, please read manual removal instructions below.

More information about this program can be found in Reimage review.

More information about this program can be found in Reimage review.
Alternate Software
Plumbytes Anti-Malware
We have tested Plumbytes Anti-Malware's efficiency in removing Hooker Trojan Keylogger (2012-01-14)
Malwarebytes Anti Malware
We have tested Malwarebytes Anti Malware's efficiency in removing Hooker Trojan Keylogger (2012-01-14)
Hitman Pro
We have tested Hitman Pro's efficiency in removing Hooker Trojan Keylogger (2012-01-14)
Webroot SecureAnywhere AntiVirus
We have tested Webroot SecureAnywhere AntiVirus's efficiency in removing Hooker Trojan Keylogger (2012-01-14)

Hooker Trojan Keylogger manual removal:

Kill processes:
hkconf.exe, hooconf.exe, hooker.exe, quikerc.exe, os3211.exe, trojan.psw.hooker.b.exe

Delete registry values:
HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionrunservicesms registry

Unregister DLLs:
pvdsdll.dll, kedwin.dll, mailer.dll

Delete files:
common.cpp, common.h, config.bat, dropper.dat, hkconf.cpp, hkconf.dsp, hkconf.dsw, hkconf.exe, hkconf.ini, hooconf.exe, hooker.dat, hooker.dsp, hooker.dsw, hooker.exe, hooker.h, hooker.rc, index.html, kdll, keylogdll.def, keylogdll.dsp, keylogdll.dsw, logfunc.cpp, logfunc.h, lzw.cpp, lzw.h, lzwpack.cpp, lzwunpack.cpp, main.cpp, pvdsdll.dll, quikerc.exe, ras.h, resource.h, os3211.exe, kedwin.dll, mailer.dll, trojan.psw.hooker.b.exe

About the author

Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

More information about the author


  • Guest

    same body steal my face book its like hookers so i don't know what to do please i need help