Windows Startup Programs database
Startup Programs - Dangerous - H
Home
Features
On-line Guide
Help On-line
Screenshots
Order
Download
Localization
Awards
Support
NI Forum
Mickey Forum
Greatis Forum
Startup Programs
Application Database
Hot!
Download:
RegRun 4.0 beta 2
What's new?
Greatis Home
Subscribe:
The Application Database
suggests you which Windows startup programs are usefual and which are bad.
The recommended tool for quickly removing the useless programs is
RegRun Startup Optimizer
.
www.startupapps.com
Purchase RegRun Suite
Download RegRun Suite
Search Database for:
RegRun
>
Greatis Startup Application Database
> Dangerous >
H
h_client.exe
h_server.exe
hackstate trojan.exe
hack´a´tack.exe
hallo.exe
hamster.exe
handlesys.exe
happy99.exe
hbinst.exe
hcheck.exe
hconf.exe
hello.exe
hellz little spy 1.2.exe
hemany.exe
hex2script.exe
hgzserver.exe
hint.exe
hit it.exe
hkconf.exe
hkey.exe
hkeylog.exe
hls15.exe
hoconf.exe
hog.exe
hooconf.exe
hooker.exe
hool.exe
host control 20.exe
host control 25.exe
host control client 2.7.exe
host control client 26b.exe
host control professional.exe
host control.exe
hot_kiss.exe
http.exe
humor.exe
hvlrat client.exe
hxdef.exe
h_client.exe
Remote Access / Downloading trojan
Alters System.ini.
h_server.exe
Remote Access / Downloading trojan
Alters System.ini.
hackstate trojan.exe
Remote Access
hack´a´tack.exe
Remote Access / Hidden IP-Scanner
The trojan is able to decrypt cached passwords.
hallo.exe
Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.
hamster.exe
Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)
handlesys.exe
Trojan.StartPage.C is a variant of Trojan.StartPage.
It changes the Internet Explorer home page to www.okww.net.
Copies itself to one of the following locations:
%System%\uewxdir.exe
%System%\handlesys.exe
Adds the value: "HandleSystem"="%System%\handlesys.exe"
to the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Changes the value to: "(Default)"="%System%\uewxdir.exe "%1""
to the registry keys HKEY_CLASSES_ROOT\txtfile\shell\open\command
so that the Trojan runs when you open a text file.
Adds the value: "Start Page"="http:/ /www.okww.net/"
to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
For manual removal, please delete all values in the registry keys described above.
happy99.exe
Worm / Mail trojan
Alters WSock32.dll. Disguised as picture with fireworks and the message ""Happy New Year 1999!". ; "Replaces your current winsock in order to attach the trojan to outgoing email."
hbinst.exe
This is HotBar software:
http://www.hotbar.com
Spyware. It can cause hangs and crash of the computers.
To uninstall:
http://www.hotbar.com/help/uninstall.htm
If it doesn't work, remove it from startup by RegRun Start Control.
hcheck.exe
Worm / IRC Trojan / Mail trojan / Destructive trojan / Steals passwords
The worms spread through mail or IRC. It will also try to destroy all files with the extensions .vbs, .vbe, .js, jse,.css, .wsh, .sct, .hta and jpg, jpeg, mp3 and mp2 files. May be updated from the Internet.
hconf.exe
Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.
hello.exe
Remote Access
Puts up a box allagedly from the NSA, that the program will scan the hard disk for pirated software.
hellz little spy 1.2.exe
Keylogger
Pressing Shift+F12 brings up a dialog box with the possibility to shut the trojan down. A bug in version 1.2 stopps it from autoloading.
hemany.exe
Remote Access
It kills more than 20 antivirus programs in memory and also four dedicated antitrojan softwares. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program´s place in the Registry. The server will automatically be updated using HTTP.
hex2script.exe
Remote Access / ActiveX trojan / Downloading trojan / Worm / Mail trojan / IRC trojan / Virus / Network trojan
By just viewing a HTML file or reading a mail a trojan can be downloaded to the users computer. As of now it installs The Thing 1.6 server. Spreads through MS Outlook, shared drives and IRC.
hgzserver.exe
GRAYBIRD.C VIRUS.
Backdoor.Graybird.C is a Backdoor Trojan and a variant of Backdoor.Graybird.
It gives a hacker unauthorized access to your computer. It opens port 52013 to listen for commands. The existence of the file, HGZSERVER.EXE, is an indication of a possible infection. The Trojan uses special icon to attempt to disguise itself as an ordinary .txt file.
Starts an FTP server on port 21, which allows the hacker to use the compromised computer as a temporary storage device.
To disable activity of this worm navigate to each of these the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value - huigezi %System%\HgzServer.exe
Also, make the changes in the Win.ini file
Use RegRun Startup Optimizer to remove it from startup.
hint.exe
W32/Atak-A is a worm that arrives in an email with the following characteristics:
Subject lines: Important Data! Read the Result!
Message text: Authorized Researcher Only.
Attached file:
.zip
W32/Atak-A harvests email addresses from files on the hard disk.
When first run, W32/Atak-A copies itself to the Windows system folder as hint.exe
Sets the following registry entry to ensure it is run at system startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ load =
\hint.exe
W32/Atak-A will also add the following line to the win.ini file to ensure it is run at system startup:
load=C:\WINDOWS\SYSTEM\hint.exe
W32/Atak-A contains the following text inside its code:
-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-
It's better to automatically remove this worm by using RegRun Startup Optimizer.
hit it.exe
Worm / Mail trojan
hkconf.exe
Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.
hkey.exe
W32.Gaobot.AFW is a worm that spreads through open network shares and several Windows vulnerabilities.
The worm also spreads through backdoors that the Beagle and Mydoom worms and the Optix family of backdoors install.
W32.Gaobot.AFW can act as a backdoor server program and attack other systems.
It attempts to kill the processes of many antivirus and security programs.
Attempts to steal the product ID for Windows, and the CD keys of some computer games.
Copies itself to %System%\hkey.exe.
Opens a randomly selected TCP port and sends a copy of itself to any process connecting to that port.
Connects to a remote IRC server and awaits commands from the remote attacker.
Attempts to copy itself to other computers through the following remote administrative SMB shares, using weak user names and passwords.
Copies itself and executes on any remote shares to which it successfully authenticates.
Schedules a Network job to run the worm on the remote system.
Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: "windows"="hkey.exe"
hkeylog.exe
Steals passwords / Keylogger
Smileys.exe is a version where trojan is disguised as a game that runs during the first time the trojan is installed.
hls15.exe
Keylogger
Pressing Shift+F12 brings up a dialog box with the possibility to shut the trojan down. A bug in version 1.2 stopps it from autoloading.
hoconf.exe
Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.
hog.exe
Worm / Mail trojan
Uses several different names to name the attachement, which can be mailed by either Netscape Mail, MS Outlook or MSOutlook Express.
hooconf.exe
Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.
hooker.exe
Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.
hool.exe
Remote Access / Keylogger
Alters Win.ini. Is been disguised as a Y2K system updater.
host control 20.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.
host control 25.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.
host control client 2.7.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.
host control client 26b.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.
host control professional.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.
host control.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.
hot_kiss.exe
Dial/HotKiss-A is a premium rate porn dialler.
Dial/HotKiss-A copies itself to the Windows folder with the filename Hot_Kiss.exe and creates shortcuts on the Desktop and in the Start Menu.
The following registry entry is created so that dialler is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hot_Kiss=
Hot_Kiss.exe -n.
Please, remove it from startup by RegRun Startup Optimizer.
http.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
humor.exe
Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)
hvlrat client.exe
Remote Access
hxdef.exe
W32.Lovgate.R@mm is a variant of W32.Lovgate@mm.
It is a mass-mailing worm that attempts to email itself to all the email addresses that it finds on the computer.
The "sender" of the email is spoofed, and the subject line and message body of the email vary.
Also known as W32/Lovgate.x@MM, I-Worm.LovGate.w
Copies itself as these files:
%System%\Hxdef.exe
Adds the values:
"Hardware Profile"="%System%\hxdef.exe
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value: "SystemTra"="%Windir%\Systra.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Adds the values:
"run"="RAVMOND.exe"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
May create the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1
Stops the following services: Rising Realtime Monitor Service, Symantec Antivirus Server, Symantec Client.
Scans all the computers on the local network, and uses the following passwords to attempt to log in as "Administrator."
Starts an FTP server on a random port, no authentication required, which means that the infected computer is accessible to anyone.
Creates the file, Autorun.inf, in the root folder of all the drives, except the CD-ROM drives, and copies itself as Command.com into that folder.
Scans all the drives, if the drive type is removable or mapped or the drive type is fixed with a drive letter greater than E.
The worm will do the following on all the found drives:
Attempts to rename the extension on all .exe files to .zmx.
Sets the attributes to Hidden and System on these files.
Copies itself as the original file name.
For example, if the worm finds OriginalFile.exe, it will be renamed to OriginalFile.zmx. The worm will then copy itself as OriginalFile.exe.
Attempts to spread to other computers by exploiting the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
Scans the system WAB file, temporary Internet files, and all the fixed and ram disks, and it sends itself to all the email addresses it found.
Uses its own SMTP engine to send itself to the email addresses that it finds in step 25 and 26.
Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.
Copyright © 1998-2004 Greatis Software |
Privacy Policy
|
Recommend to a friend