Prevx Research Division
HH.EXE
System Back DoorFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove HH.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- System Back Door
- Malicious Software
- Worm
File Behavior
HH.EXE has been seen to perform the following behavior:
- Hooks the WININET.DLL function allowing it to read or copy Http and Https web page content and session information
- Executes a Process
- Registers a Dynamic Link Library File
- This process creates other processes on disk
- This Process Deletes Other Processes From Disk
- Disables safe mode on your PC
- Changes the Windows Security Center to stop Antivirus status alerts from being displayed
- Changes the Windows Security Center to stop Firewall status alerts from being displayed
- Changes the Windows Security Center to stop Firewall override alerts from being displayed
- Changes the Windows Security Center to stop warnings from being displayed if automatic Windows Updates are not enabled
- Injects code into other processes
- Performs DNS look ups to resolve URL IP addresses
- Found on infected systems and resists interrogation by security products
- Reads email address and phone book details
- The Process is packed and/or encrypted using a software packing process
- Looks at the contents of the autoexec.bat file
- Accesses web sites that have been associated with malicious software
- Visits web sites on your PC without you knowing
HH.EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Deleted as a process from disk
- Copied to multiple locations on the system
- This Process may have been infected by a file infecting virus
- Added as a Registry auto start to load Program on Boot up
Country Of Origin
The filename HH.EXE was first seen on May 29 2007 in the following geographical regions of the Webroot community:
- The United Kingdom on May 29 2007
- Italy on Feb 27 2008
- The United States on Apr 14 2009
- South Africa on Dec 8 2009
- Egypt on Dec 8 2009
- Nigeria on May 24 2012
File Name Aliases
HH.EXE can also use the following file names:
- WMISQTR.EXE
- DSC-MYPICTURE006.JPEG_WWW.MYSPACE.COM
- WMISRPC.EXE
- HHH.EXE
- CD[n].HTM
- HH.IVR
- YG.EXE
- LG.EXE
- LO.EXE
- RP.EXE
- KA.EXE
- QI.EXE
- KO.EXE
- MV.EXE
- CW.EXE
- QO.EXE
- FJ.EXE
- DY.EXE
- !I!HH.EXE
- 1916605306.EXE
- 3921604034.EXE
- 3741307324.EXE
- 1087811686.EXE
- QXZV85.EXE@
- QXZV47.EXE@
Filesizes
The following file size has been seen:
- 15,360 bytes
- 113,152 bytes
- 153,600 bytes
- 7,680 bytes
- 145,920 bytes
- 22,017 bytes
- 14,336 bytes
- 17,408 bytes
File Type
The filename HH.EXE is used by multiple object types including Dynamic Link LIbraries,executable programs.
File Activity
One or more files with the name HH.EXE creates, deletes, copies or moves the following files and folders:
- Opens/modifes c:\autoexec.bat
Website Activity
One or more files with the name HH.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- microfive .info / ff / sh .php?ver=ha5
- Remote server connection to microfive .inf
- Port 80 IP:94.75.227.111
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.