The Application Database suggests you which Windows startup programs are usefual and which are bad. The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer. www.startupapps.com

---

Purchase RegRun Suite Download RegRun Suite

Search Database for:

RegRun > Greatis Startup Application Database > Dangerous > H

 

h_client.exe
h_server.exe
hackstate trojan.exe
hack´a´tack.exe
hallo.exe
hamster.exe
handlesys.exe
happy99.exe
hbinst.exe
hcheck.exe
hconf.exe
hello.exe
hellz little spy 1.2.exe
hemany.exe
hex2script.exe
hgzserver.exe
hint.exe
hit it.exe
hkconf.exe
hkey.exe
hkeylog.exe
hls15.exe
hoconf.exe
hog.exe
hooconf.exe
hooker.exe
hool.exe
host control 20.exe
host control 25.exe
host control client 2.7.exe
host control client 26b.exe
host control professional.exe
host control.exe
hot_kiss.exe
http.exe
humor.exe
hvlrat client.exe
hxdef.exe

h_client.exe

Remote Access / Downloading trojan
Alters System.ini.

h_server.exe

Remote Access / Downloading trojan
Alters System.ini.

hackstate trojan.exe

Remote Access

hack´a´tack.exe

Remote Access / Hidden IP-Scanner
The trojan is able to decrypt cached passwords.

hallo.exe

Remote Access / Virus dropper
Among other features the trojan can drop the Ping-Pong virus.

hamster.exe

Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)

handlesys.exe

Trojan.StartPage.C is a variant of Trojan.StartPage.
It changes the Internet Explorer home page to www.okww.net.

Copies itself to one of the following locations:
%System%\uewxdir.exe
%System%\handlesys.exe

Adds the value: "HandleSystem"="%System%\handlesys.exe"
to the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Changes the value to: "(Default)"="%System%\uewxdir.exe "%1""
to the registry keys HKEY_CLASSES_ROOT\txtfile\shell\open\command
so that the Trojan runs when you open a text file.

Adds the value: "Start Page"="http:/ /www.okww.net/"
to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

For manual removal, please delete all values in the registry keys described above.

happy99.exe

Worm / Mail trojan
Alters WSock32.dll. Disguised as picture with fireworks and the message ""Happy New Year 1999!". ; "Replaces your current winsock in order to attach the trojan to outgoing email."

hbinst.exe

This is HotBar software:
http://www.hotbar.com
Spyware. It can cause hangs and crash of the computers.
To uninstall:
http://www.hotbar.com/help/uninstall.htm
If it doesn't work, remove it from startup by RegRun Start Control.

hcheck.exe

Worm / IRC Trojan / Mail trojan / Destructive trojan / Steals passwords
The worms spread through mail or IRC. It will also try to destroy all files with the extensions .vbs, .vbe, .js, jse,.css, .wsh, .sct, .hta and jpg, jpeg, mp3 and mp2 files. May be updated from the Internet.

hconf.exe

Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.

hello.exe

Remote Access
Puts up a box allagedly from the NSA, that the program will scan the hard disk for pirated software.

hellz little spy 1.2.exe

Keylogger
Pressing Shift+F12 brings up a dialog box with the possibility to shut the trojan down. A bug in version 1.2 stopps it from autoloading.

hemany.exe

Remote Access
It kills more than 20 antivirus programs in memory and also four dedicated antitrojan softwares. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program´s place in the Registry. The server will automatically be updated using HTTP.

hex2script.exe

Remote Access / ActiveX trojan / Downloading trojan / Worm / Mail trojan / IRC trojan / Virus / Network trojan
By just viewing a HTML file or reading a mail a trojan can be downloaded to the users computer. As of now it installs The Thing 1.6 server. Spreads through MS Outlook, shared drives and IRC.

hgzserver.exe

GRAYBIRD.C VIRUS.

Backdoor.Graybird.C is a Backdoor Trojan and a variant of Backdoor.Graybird.
It gives a hacker unauthorized access to your computer. It opens port 52013 to listen for commands. The existence of the file, HGZSERVER.EXE, is an indication of a possible infection. The Trojan uses special icon to attempt to disguise itself as an ordinary .txt file.
Starts an FTP server on port 21, which allows the hacker to use the compromised computer as a temporary storage device.

To disable activity of this worm navigate to each of these the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value - huigezi %System%\HgzServer.exe

Also, make the changes in the Win.ini file
Use RegRun Startup Optimizer to remove it from startup.

hint.exe

W32/Atak-A is a worm that arrives in an email with the following characteristics:
Subject lines: Important Data! Read the Result!
Message text: Authorized Researcher Only.
Attached file: .zip

W32/Atak-A harvests email addresses from files on the hard disk.
When first run, W32/Atak-A copies itself to the Windows system folder as hint.exe

Sets the following registry entry to ensure it is run at system startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ load = \hint.exe

W32/Atak-A will also add the following line to the win.ini file to ensure it is run at system startup:
load=C:\WINDOWS\SYSTEM\hint.exe

W32/Atak-A contains the following text inside its code:
-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-

It's better to automatically remove this worm by using RegRun Startup Optimizer.

hit it.exe

Worm / Mail trojan

hkconf.exe

Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.

hkey.exe

W32.Gaobot.AFW is a worm that spreads through open network shares and several Windows vulnerabilities.
The worm also spreads through backdoors that the Beagle and Mydoom worms and the Optix family of backdoors install.
W32.Gaobot.AFW can act as a backdoor server program and attack other systems.
It attempts to kill the processes of many antivirus and security programs.
Attempts to steal the product ID for Windows, and the CD keys of some computer games.

Copies itself to %System%\hkey.exe.
Opens a randomly selected TCP port and sends a copy of itself to any process connecting to that port.
Connects to a remote IRC server and awaits commands from the remote attacker.
Attempts to copy itself to other computers through the following remote administrative SMB shares, using weak user names and passwords.
Copies itself and executes on any remote shares to which it successfully authenticates.
Schedules a Network job to run the worm on the remote system.

Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: "windows"="hkey.exe"

hkeylog.exe

Steals passwords / Keylogger
Smileys.exe is a version where trojan is disguised as a game that runs during the first time the trojan is installed.

hls15.exe

Keylogger
Pressing Shift+F12 brings up a dialog box with the possibility to shut the trojan down. A bug in version 1.2 stopps it from autoloading.

hoconf.exe

Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.

hog.exe

Worm / Mail trojan
Uses several different names to name the attachement, which can be mailed by either Netscape Mail, MS Outlook or MSOutlook Express.

hooconf.exe

Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.

hooker.exe

Keylogger / Downloading trojan / Steals passwords
Can download and execute programs using port 80. The keylogging DLL is packed by LZW. It can send information via mails on a regular schedule. Hooker can delete itself on a preconfiguered date.

hool.exe

Remote Access / Keylogger
Alters Win.ini. Is been disguised as a Y2K system updater.

host control 20.exe

Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

host control 25.exe

Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

host control client 2.7.exe

Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

host control client 26b.exe

Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

host control professional.exe

Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

host control.exe

Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

hot_kiss.exe

Dial/HotKiss-A is a premium rate porn dialler.
Dial/HotKiss-A copies itself to the Windows folder with the filename Hot_Kiss.exe and creates shortcuts on the Desktop and in the Start Menu.
The following registry entry is created so that dialler is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Hot_Kiss= Hot_Kiss.exe -n.
Please, remove it from startup by RegRun Startup Optimizer.

http.exe

Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.

humor.exe

Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)

hvlrat client.exe

Remote Access

hxdef.exe

W32.Lovgate.R@mm is a variant of W32.Lovgate@mm.
It is a mass-mailing worm that attempts to email itself to all the email addresses that it finds on the computer.
The "sender" of the email is spoofed, and the subject line and message body of the email vary.
Also known as W32/Lovgate.x@MM, I-Worm.LovGate.w

Copies itself as these files:
%System%\Hxdef.exe

Adds the values:
"Hardware Profile"="%System%\hxdef.exe
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the value: "SystemTra"="%Windir%\Systra.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Adds the values:
"run"="RAVMOND.exe"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

May create the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1

Stops the following services: Rising Realtime Monitor Service, Symantec Antivirus Server, Symantec Client.
Scans all the computers on the local network, and uses the following passwords to attempt to log in as "Administrator."
Starts an FTP server on a random port, no authentication required, which means that the infected computer is accessible to anyone.
Creates the file, Autorun.inf, in the root folder of all the drives, except the CD-ROM drives, and copies itself as Command.com into that folder.

Scans all the drives, if the drive type is removable or mapped or the drive type is fixed with a drive letter greater than E.
The worm will do the following on all the found drives:
Attempts to rename the extension on all .exe files to .zmx.
Sets the attributes to Hidden and System on these files.
Copies itself as the original file name.
For example, if the worm finds OriginalFile.exe, it will be renamed to OriginalFile.zmx. The worm will then copy itself as OriginalFile.exe.

Attempts to spread to other computers by exploiting the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
Scans the system WAB file, temporary Internet files, and all the fixed and ram disks, and it sends itself to all the email addresses it found.
Uses its own SMTP engine to send itself to the email addresses that it finds in step 25 and 26.

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.