Windows Startup Programs database Startup Programs - Dangerous - ?,0-9
The Application Database tells you which Windows startup programs are useful and which are bad.
The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer.
www.startupapps.com



Dangerous 

%windir%\lsass.exe
.exe
x-mas.exe
"renamed server".exe
%program files%\common files\updmgr\updmgr.exe
%program files%\svchost.exe
%sysdir%\desktop.exe
%sysdir%\explorer.exe
%sysdir%\msnmsgr.exe
%sysdir%\rundll.exe
%sysdir%\shimgapi.dll
%system%\a.exe
%system%\bridge.dll
%system%\cmd32.exe
%system%\load32.exe
%system%\ntsvc.exe
%system%\regedit.exe
%system%\rundll16.exe
%system%\taskmon.exe
%system%\windll.exe
%system%\windll32.exe
%system%\winupd.exe
%system%\wmiprvse.exe
%system32%\servics.bat
%systemroot%\system32\rundll32.exe setupapi,installhinfsection marketplacelinkinstall 896 %systemroot%\inf\ie.inf
%windir%\inetndata\services.exe
%windir%\msn.exe
%windir%\navapw32.exe
%windir%\services.exe
%windir%\system\svchost.exe
%windir%\userlogon.exe
%windir%\winsys.exe
%windir1%\system\svchost.exe
%winsystem%\internat.exe
%winsystem%\rundll.exe
\scandisk.exe
_.exe
_inst321.exe
_webcache_.exe
00b.exe
1.exe
1dailups.exe
1on1.exe
2kbug-mircfix.exe
386.exe
412124.tmp
53msong.exe
98s.exe

%windir%\lsass.exe
Nickser trojan program.
When run, the trojan copies itself under the name lsass.exe to the Windows directory and registers itself in the registry Run key.
It gives the attacker full control of the victim's computer.
Note that the genuine lsass.exe (the Local Security Authority process) lives in the Windows System folder, never in the Windows directory itself; a copy in %windir% is the trojan.
Stop it with RegRun Startup Optimizer.

.exe
VL RAT. 5.3.0 trojan

x-mas.exe
Worm / Macro trojan / Virus dropper
Can load plug-ins from the Internet. From the start it used "Source of Chaos" in Japan.

"renamed server".exe
Remote Access / Steals passwords
The client also drops a server! The hacker can choose to log passwords only or all typed text. One of its functions is to kill antivirus software.

%program files%\common files\updmgr\updmgr.exe
Adware supplied by eUniverse.com. KeenValue/v1 is the original version: it runs at startup and generates popup ads. KeenValue/Incredifind adds capability via a second process, which:
- monitors web sites visited, so that ads may be targeted;
- hijacks the hosts file and redirects Netscape searches to incredifind.com;
- hijacks error pages and address bar searches to incredifind.com, which is then redirected to sirsearch.com;
- adds an Internet Explorer toolbar providing a search field directed to sirsearch.com.
Read more:
http://pestpatrol.com/pestinfo/e/euniver...
Remove it from startup.

%program files%\svchost.exe
Spyware.Spytech
Monitors the following items:
- Keystrokes typed
- Website visits
- Applications run
- Internet connections made
- Files and documents viewed
- Chat conversations
- Windows opened
- Outgoing email and webmail

This Spyware gives the person who installed it a Web-based interface with summaries of logged information on the host computer.

Copies itself as C:\Program Files\svchost.exe.
Adds the value: "Srv32Win" = "C:\Program Files\svchost.exe"
to the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It can also download updates from www.spytech-web.com.

Remove it with RegRun.

%sysdir%\desktop.exe
The backdoor's file is a PE executable about 32 kilobytes long, packed with a modified UPX file
compressor.
When the backdoor's file is started, it copies itself as DESKTOP.EXE to Windows System folder
and then creates the startup key in the Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"desktop"="%WinSysDir%\desktop.exe"

where %WinSysDir% represents the Windows System folder name. The backdoor also creates the
following Registry keys:

[HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo]
"DSQUERY"
"DBMSSOCN"

[HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer" = DWORD:0
"AutoShareWks" = DWORD:0

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous" = DWORD:1

[HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV" = DWORD:1
"MaxClientRequestBuffer" = DWORD:4000

Then the backdoor installs the security patch KB835732 on Windows 2000 and XP computers by
downloading a language-specific version from a Microsoft site and running it. More
information about the security patch can be found here:

http://www.microsoft.com/technet/securit...

More details:
http://www.f-secure.com/v-descs/sdbot_md...

Remove it from startup using RegRun.

%sysdir%\explorer.exe
I-Worm.Mydoom.b
It is a modification of Mydoom.a that spreads via the Internet in the form of files attached to infected messages and via the Kazaa file-sharing network.
The worm contains a backdoor function, and is also programmed to carry out DoS attacks on the sites www.sco.com and www.microsoft.com.

During installation, the worm copies itself under the name explorer.exe to the Windows system directory, and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = "%System%\explorer.exe"

The worm creates the file ctfmon.dll in the Windows system directory which is a backdoor component (a proxy server) and also registers this in the system registry:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
"Apartment" = "%SysDir%\ctfmon.dll"

Mydoom.b replaces the standard 'hosts' file in the Windows directory with its own version (under the same name).
This file then prevents user access to some important domains.

Use RegRun Startup Optimizer to remove this worm from startup.

%sysdir%\msnmsgr.exe
W32/Rbot-FQ is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

Copies itself to the file MSNMSGR.EXE in the Windows system folder and creates entries at the following locations in the registry so as to run itself on system startup, resetting them every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It sets the following registry entries every 2 minutes:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

Attempts to delete network shares on the host computer every 2 minutes.
Attempts to terminate processes relating to some files.

Automatic Removal: Use RegRun Startup Optimizer to remove it from startup.

%sysdir%\rundll.exe
PWSteal.Banpaes Trojan.
Creates the following files:
%System%\rundll.exe
%System%\rundll.dll
%System%\rundll32.dll
Registers itself in the Registry Run key as:
"MSTray"="%System%\rundll.exe"
Remove it from startup by RegRun Start Control.

%sysdir%\shimgapi.dll
W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
In addition, the backdoor can download and execute arbitrary files.

The worm will perform a Denial of Service (DoS) starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004. These two events will only occur if the worm is run between or after those dates. While the worm will stop spreading on February 12, 2004, the backdoor component will continue to function after this date.

Searches for email addresses in files with certain extensions.
Attempts to send email messages using its own SMTP engine.
The worm looks up the mail server that the recipient uses before sending the email. If it is unsuccessful, it will use the local mail server instead.
Removal:
Open RegRun Start Control, go to the Shell DLL's tab.
Remove the "shimgapi.dll" item.
Use RegRun Terminate feature to kill taskmon.exe.
Warning!
Please do not touch the "taskmon.exe" located in the Windows folder.
Taskmon is a legitimate application on Windows 98/Me.
The worm's copy is located in the Windows\System or Windows\System32 folder.

%system%\a.exe
Adware WinFavorites.Bridge.
Software that brings ads to your computer. Such ads may or may not be targeted, but are
"injected" and/or popup, and are not merely displayed within the form of an ad-sponsored
application.
Read more:
http://www.pestpatrol.com/pestinfo/w/win...
Also, remove BHO item using Advanced Optimize:
c:\windows\system32\bridge.dll.

%system%\bridge.dll
Adware WinFavorites.Bridge.
Software that brings ads to your computer. Such ads may or may not be targeted, but are
"injected" and/or popup, and are not merely displayed within the form of an ad-sponsored
application.
Read more:
http://www.pestpatrol.com/pestinfo/w/win...
Also, remove BHO item using Advanced Optimize:
c:\windows\system32\bridge.dll.

%system%\cmd32.exe
Worm Win32.P2P.Tanked.
It connects to an IRC channel and waits for commands to be issued by an attacker. Thus, the
attacker may:
* send private and system information from the infected system
* download files into the infected computer
* execute files on the infected computer
* perform a DoS attack (Denial of Service) on an IP
* send the worm to other users
Read more:
http://www.bitdefender.com/bd/site/virus...
Remove it from startup by RegRun Startup Optimizer.

%system%\load32.exe
Backdoor.Nibu.F is a Trojan horse that attempts to steal passwords and bank account information.
Logs keystrokes and steals information to send to the hacker.
Looks for windows that have certain strings in the title bar.
These strings vary, but may include the following:
Bank; bank; bull; Bull; cash; ebay; e-metal; Fethard; fethard; gold; Keeper; localhost; mull; PayPal; Storm; WebMoney; Winamp; WM Keeper

Captures keystrokes that are typed into windows that contain the previously listed strings and stores them in a log file.
This file may be named %Windir%\vxdload.log.
Launches a thread that monitors the Clipboard, saving to a log file any data that it finds.
The file may be named %Windir%\rundllx.sys.

Periodically checks the size of the files it uses for logging stolen information.
When the files are a certain size, the log files will be emailed to a hard-coded email address, along with System information such as the IP address and operating system.

Use RegRun Startup Optimizer to remove it from startup.

%system%\ntsvc.exe
Trojan.Gletta.A is a Trojan horse that steals Internet banking passwords.
It logs keystrokes when you visit certain Web pages and emails the log to the attacker.
Web pages that link to .CHM files to exploit the Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability are known to distribute Trojan.Gletta.A.
Captures all the keystrokes entered into any windows that match predefined list, and writes them into a log file.
Uses its own SMTP engine to send the log file to an external mail account.
It uses an SMTP server in Russia to send the mail.

The mail has the following characteristics:
Both the FROM and TO addresses have the domain "mail.ru"
The subject starts with "Business News from "

Use RegRun Startup Optimizer to remove it from your system.

%system%\regedit.exe
Worm.Win32.Doomjuice.b
This worm spreads via the Internet, using computers infected by I-Worm.Mydoom.a and I-Worm.Mydoom.b to propagate.

Copies itself to:
%system%\regedit.exe

Adds the value: NeroCheck = %system%\regedit.exe
to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm creates the unique identifier _sncZZmtx_133 to show its presence in memory.
The worm connects to TCP port 3127, which has been opened by shimgapi.dll, the backdoor component of Mydoom, to receive commands.
If the infected computer answers the command, then Doomjuice establishes a connection and sends a copy of itself.
The backdoor component of Mydoom accepts the file and executes it.
To choose IP addresses to attack, the worm generates addresses of the form A.B.C.D where A, B, C and D are random numbers.
If the current date is not between the 8th and the 12th of the month, and it is not January, the worm launches a DoS attack on the www.microsoft.com site.

RegRun Startup Optimizer can automatically remove it from startup.

%system%\rundll16.exe
W32.Mydoom.K@mm
It is an encrypted, mass-mailing worm that arrives as an attachment with either a .pif, .scr, .exe, .cmd, .bat, or .zip extension.
Allows unauthorized remote access. Kills the process of several antivirus and security applications.

Searches for email addresses in files with different extensions.
Attempts to send itself to the email addresses it found.
The email will have the following characteristics.

From: may be spoofed.
Subject: may be one from predefined list.
Message: different.
Attachment: file with .pif, .scr, .exe, .cmd, .bat, or .zip extension.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Taskmon" = "%System%\Rundll16.exe"

%system%\taskmon.exe
W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm will set up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.
In addition, the backdoor can download and execute arbitrary files.

The worm will perform a Denial of Service (DoS) starting on February 1, 2004. It also has a trigger date to stop spreading on February 12, 2004. These two events will only occur if the worm is run between or after those dates. While the worm will stop spreading on February 12, 2004, the backdoor component will continue to function after this date.

Searches for email addresses in files with certain extensions.
Attempts to send email messages using its own SMTP engine.
The worm looks up the mail server that the recipient uses before sending the email. If it is unsuccessful, it will use the local mail server instead.
Removal:
Open RegRun Start Control, go to the Shell DLL's tab.
Remove the "shimgapi.dll" item.
Use RegRun Terminate feature to kill taskmon.exe.
Warning!
Please do not touch the "taskmon.exe" located in the Windows folder.
Taskmon is a legitimate application on Windows 98/Me.
The worm's copy is located in the Windows\System or Windows\System32 folder.

%system%\windll.exe
I-Worm.Bagle.al
Bagle.al is a worm that spreads as an email attachment and via file sharing networks.
Copies itself into the Windows system directory with the name windll.exe and registers the following system registry auto run key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "erthgdr"="%system%\windll.exe"
Bagle.al creates two additional files in the Windows system folder: windll.exeopen; windll.exeopenopen
The worm uses a built-in SMTP server to mail copies of itself to all email addresses found on the infected computer.
Bagle.al opens port 80 on the local HTTP server, allowing the controller to download and execute files on the infected machine.
The worm component of Bagle.al is scheduled to stop functioning and self-destruct after August 10, 2004.
However, the downloader module will remain available for possible use for an unspecified period of time.

Remove it from startup by RegRun Startup Optimizer.

%system%\windll32.exe
Trojan.Mitglieder.L is a trojan horse program that allows a compromised system to be used as an email relay.
Also known as TrojanProxy.Win32.Mitglieder.bi

Copies itself to %System%\windll32.exe
Attempts to end some processes associated with various antivirus and security applications.
Attempts to contact a specific page on predefined Web sites and notify the attacker.

Manual removal:
Navigate to the key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "windll32.exe"="%System%\windll32.exe"

Also, delete the values:
HKEY_CURRENT_USER\SOFTWARE\Frame\pid=
HKEY_CURRENT_USER\SOFTWARE\Frame\uid=
HKEY_CURRENT_USER\SOFTWARE\Frame\port=

%system%\winupd.exe
Adware.SearchNew is a program that changes your Internet Explorer home page and search page.
Adds "thenewsearch.com" to the Internet Explorer Favorites.
Adds the following DNS entry to the hosts file: 69.50.173.250 auto.seach.msn.com
This Adware program must be manually installed or installed as a component of another program.

When Adware.SearchNew is executed, it performs the following actions:

Adds the value: "winupd" = "%System%\winupd.exe"
to the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\yun

Must be removed by RegRun.

%system%\wmiprvse.exe
Trojan.Gletta.A is a Trojan horse that steals Internet banking passwords.
It logs keystrokes when you visit certain Web pages and emails the log to the attacker.
Web pages that link to .CHM files to exploit the Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability are known to distribute Trojan.Gletta.A.
Captures all the keystrokes entered into any windows that match predefined list, and writes them into a log file.
Uses its own SMTP engine to send the log file to an external mail account.
It uses an SMTP server in Russia to send the mail.

The mail has the following characteristics:
Both the FROM and TO addresses have the domain "mail.ru"
The subject starts with "Business News from "

Use RegRun Startup Optimizer to remove it from your system.

%system32%\servics.bat
Dangerous virus.
Remove it from startup.

%systemroot%\system32\rundll32.exe setupapi,installhinfsection marketplacelinkinstall 896 %systemroot%\inf\ie.inf
Adds link to windowsmarketplace.com site to the IE Links.
Installed with XP SP2.
Not required.

%windir%\inetndata\services.exe
Troj/Krepper-G
Also known as TrojanDownloader.Win32.Krepper.g
It is a Trojan which changes browser settings, downloads and installs/runs new software and modifies the HOSTS file to redirect internet searches.
The Trojan copies itself to the Windows\inetdata folder as services.exe and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xp_system = c:\windows\inetndata\services.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xp_system = c:\windows\inetndata\services.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = "C:\\WINDOWS\\inetdata\\services.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(5321E378-FFAD-4999-8C62-03CA8155F0B3)
HKCU\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"

RegRun Startup Optimizer can automatically remove it from startup.

%windir%\msn.exe
Backdoor.Ducy is a backdoor Trojan horse that uses MSN Messenger to give an attacker access to your computer.

When Backdoor.Ducy is run, it creates the file, %Windir%\Msn.exe.

Then adds the value: "control"="%Windir%\msn.exe "
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Also, it opens a backdoor on the infected system, allowing an attacker to connect to the system using MSN Messenger.


Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the following value: "Control"="%Windir%\msn.exe"

Or use RegRun Startup Optimizer to automatically remove this trojan.

%windir%\navapw32.exe
W32.Joot.A@mm is a mass-mailing worm that attempts to send itself to the email addresses that it finds on the computer.
It also attempts to spread using open shares and the peer-to-peer file-sharing networks Kazaa, iMesh, and Grokster.
The worm tries to disable the processes of several antivirus and personal firewall applications.
Due to bugs in the code, it may not function as intended.

Copies itself as %Windir%\Regedit.exe.tmp.
%Windir%\Regedit.exe is then executed on a new virtual desktop, and %Windir%\Regedit.exe.tmp is injected into its process space.

Looks for the locations of the Kazaa, iMesh, and Grokster shared folders in these registry keys:
HKEY_LOCAL_MACHINE\Software\Grokster\LocalContent
HKEY_LOCAL_MACHINE\Software\iMesh\Client\LocalContent
HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent

Copies itself to:
%Windir%\Navapw32.exe
%Windir%\SBBServ.exe

Adds the value: "ScriptBBlocking"="SBBServ.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
(In Windows 95/98/Me.)

Adds the value: NAV Agent="navapw32.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Attempts to add itself to the [boot] section of the System.ini file and the "run=" line of Win.ini file.

Searches for the email addresses in the files that have these extensions: .html; .htm; .tmp; .bak
Tries to send itself to any addresses that it finds, using the email account details gathered from the following registry location:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

The email will be one of the following:
Subject: Hi!
Message: This is a nice game I found. Beat my score: 5386 Points! Try it! :) See you later!

Subject: Something funny!
Message: This is my little test

May modify the following registry values to help it spread:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Flags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm1enc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Parm2enc
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Remark
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Type

Automatically remove this worm from your system by using RegRun Startup Optimizer.

%windir%\services.exe
I-Worm.Moodown.b
This worm spreads via the Internet as a file attached to infected emails.
Once launched, the worm displays a false error message on the screen: 'The file could not be opened'.

The worm copies itself to the Windows folder under the name 'services.exe' and adds the key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"service" = "%windir%\services.exe -serv"

The worm also creates the unique identifier 'AdmSkynetJklS003' to flag its presence in memory.
The worm creates a number of copies of itself in all sub-directories on disks which contain the word 'share' or 'sharing' in the directory name.
The copies will be under names chosen from the predefined list.

The worm finds files with some extensions, searches them for email addresses and sends a copy of itself to the addresses found.
Infected messages have random headers and subject text.

Use RegRun Startup Optimizer to remove this worm.

%windir%\system\svchost.exe
Worm Cycle
It exploits the LSASS vulnerability described in:
http://www.microsoft.com/technet/securit...
Please do not confuse it with the genuine svchost.exe, which is located in the Windows\system32 folder; the worm's copy sits in Windows\system.
Download and install the patch. After that, terminate the worm with RegRun Start Control (Terminate option).
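Several entries above (lsass.exe in the Windows directory, svchost.exe in Program Files or Windows\system, explorer.exe and regedit.exe in the System folder, rundll16.exe and cmd32.exe anywhere) share one trick: a familiar binary name in a folder where Windows never puts it. The script below is an added example, not RegRun code and not part of this database; it audits a .reg export of the Run keys against a small table of where the genuine binaries live. The table, the Windows directory (C:\WINDOWS), the lookalike list and the sample export are assumptions constructed for the example.

```python
"""Audit a .reg export of the Run keys for familiar binary names in folders
where Windows never puts them. Added example; not RegRun or database code."""
import re

# Assumed Windows directory of the machine whose export is being audited.
WINDIR = "c:\\windows"

# Folder (relative to WINDIR, lowercase) where the genuine binary of each
# name lives. "" means the Windows directory itself. Simplified table,
# an assumption for this example; extend it for the OS versions you support.
EXPECTED_DIR = {
    "lsass.exe": {"system32"},
    "svchost.exe": {"system32"},
    "services.exe": {"system32"},
    "rundll32.exe": {"system32"},
    "ctfmon.exe": {"system32"},
    "wmiprvse.exe": {"system32\\wbem"},
    "explorer.exe": {""},
    "regedit.exe": {""},
    "taskmon.exe": {""},          # Windows 98/Me only
}

# Names from this list that only resemble real binaries and never ship with Windows.
LOOKALIKES = {"rundll.exe", "rundll16.exe", "cmd32.exe", "windll.exe",
              "windll32.exe", "servics.bat", "load32.exe", "winupd.exe"}

VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')          # "name"="data" lines
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|bat|com|scr|pif))(?:\s|$)", re.I)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes and quotes with a backslash
                yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))


def executable_from_command(cmd):
    """Return the program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def expand(path):
    """Lowercase and expand the placeholder tokens this database uses."""
    p = path.lower().replace("/", "\\")
    for token in ("%system%", "%sysdir%", "%system32%", "%winsystem%", "%winsysdir%"):
        p = p.replace(token, WINDIR + "\\system32")
    for token in ("%windir%", "%windir1%", "%systemroot%"):
        p = p.replace(token, WINDIR)
    return p.replace("%program files%", "c:\\program files")


def classify(command):
    """'lookalike', 'misplaced', 'expected' or 'unknown' for one Run-key command."""
    folder, _, name = expand(executable_from_command(command)).rpartition("\\")
    if name in LOOKALIKES:
        return "lookalike"
    if name not in EXPECTED_DIR:
        return "unknown"
    # A bare name resolves through the search path, so it counts as misplaced too.
    if folder != WINDIR and not folder.startswith(WINDIR + "\\"):
        return "misplaced"
    rel = folder[len(WINDIR):].lstrip("\\")
    return "expected" if rel in EXPECTED_DIR[name] else "misplaced"


def audit(reg_text):
    """Map every value name in the export to its verdict."""
    return {name: classify(data) for _, name, data in parse_reg_export(reg_text)}


# Constructed sample export built from entries on this page; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMon"="C:\\WINDOWS\\system32\\explorer.exe"
"Srv32Win"="C:\\Program Files\\svchost.exe"
"service"="C:\\WINDOWS\\services.exe -serv"
"NeroCheck"="C:\\WINDOWS\\system32\\regedit.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"erthgdr"="C:\\WINDOWS\\system32\\windll.exe"
"Win32 USB2.0 Driver"="386.exe"
'''

if __name__ == "__main__":
    for value, verdict in audit(SAMPLE_REG).items():
        print(f"{verdict:10} {value}")
```

Export the Run keys with reg export on the machine under investigation and feed the file to audit(). The verdict "misplaced" is the interesting one: it fires for a real Windows name in the wrong folder, which is exactly the pattern this list is full of; "unknown" only means the table has no entry and a human has to look.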

%windir%\userlogon.exe
Trojan.Gletta.A is a Trojan horse that steals Internet banking passwords.
It logs keystrokes when you visit certain Web pages and emails the log to the attacker.
Web pages that link to .CHM files to exploit the Microsoft Internet Explorer ITS Protocol Zone Bypass Vulnerability are known to distribute Trojan.Gletta.A.
Captures all the keystrokes entered into any windows that match predefined list, and writes them into a log file.
Uses its own SMTP engine to send the log file to an external mail account.
It uses an SMTP server in Russia to send the mail.

The mail has the following characteristics:
Both the FROM and TO addresses have the domain "mail.ru"
The subject starts with "Business News from "

Use RegRun Startup Optimizer to remove it from your system.

%windir%\winsys.exe
I-Worm.Naver
This is an email worm that spreads through MS Outlook.
When the worm is run it displays a dialog box with "OK" and "Cancel" buttons, offering an upgrade for Microsoft Windows 9x/Me/NT/2000 that supposedly solves some TCP/IP protocol problems and enables SSL
(Secure Sockets Layer) secure system exploration.
Whether "Cancel" or "OK" is clicked, the worm installs itself to the system.
The worm also creates an additional registry value that indicates that the system is already infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion WLKey = 1
The worm also creates a NAVER.TXT file in the Windows system directory and writes there the text that is later used as the body of infected messages.
The worm then connects to the MS Outlook address book, takes email addresses from it and sends itself attached to these emails.

Manual removal:
Please, go to the key in the system registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: WLWin = %windir%\WINSYS.EXE

%windir1%\system\svchost.exe
I-Worm.Plexus.a
Plexus is an Internet worm which spreads in three different ways: as an email attachment, via file-sharing networks, and using the LSASS
and RPC DCOM vulnerabilities in MS Windows, like Sasser and Lovesan respectively.
In addition, Plexus carries a potentially dangerous payload.

Upon execution, the worm displays a fake error message, chosen at random from predefined list:
- CRC checksum failed.
- Pack method not implemented.
- Could not initialize installation. File size expected=26523, size returned=26344.
- File is corrupted.

Plexus copies itself into the Windows\System32 directory as upu.exe.
It then installs two files:
- a file named setpupex.exe to the Windows\System32 directory
- a file named svchost.exe to the Windows root directory - the main module of Plexus.a.

Plexus copies itself to shared folders and accessible network resources under different names.
Plexus exploits the LSASS vulnerability described in MS Security Bulletin MS04-011.
Plexus also exploits the DCOM RPC vulnerability described in MS Security Bulletin MS03-026, just like Lovesan the previous year.

Plexus searches local disks for files with the following extensions: htm; html; php; tbb; txt
and sends copies of itself to all email addresses found in these files.

Plexus attempts to prevent Kaspersky Anti-Virus databases from being updated by replacing the contents of the 'hosts' file in
Windows\System32\drivers\etc\hosts with the following data:
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com

Plexus opens and tracks port 1250, making it possible for files to be remotely loaded onto the victim machine and launched

Automatic removal:
Remove it from startup by RegRun Startup Optimizer.

%winsystem%\internat.exe
W32/Protoride-H is a Windows worm that spreads via network shares.
The worm also has a backdoor component that allows a malicious user remote access to an infected computer via the IRC network.
This worm can also copy itself into the shared folders of several peer-to-peer (P2P) file sharing utilities.

Copies itself into the Windows system folder as INTERNAT.EXE and sets the following registry entries so that it is executed automatically on restart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "" = \"%1\" %*

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Windows Taskbar Manager = C:\\internat.exe

In order to run automatically when Windows starts up the worm may change the following registry entry so that it is executed before any EXE files:
HKCR\exefile\shell\open\command\ "" = C:\ "%1 %*"

W32/Protoride-H may also set the registry entry: HKLM\Software\BeyonD inDustries\ProtoType[v3]

Use RegRun Startup Optimizer to remove it from your system.

%winsystem%\rundll.exe
W32/Agobot-KN
Aliases: Gaobot, Nortonbot, Phatbot, Polybot.
This is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised computer.
This worm will move itself into the Windows system folder as RUNDLL.EXE or WIN.EXE.

Creates the values:
RegistryConfig = rundll.exe
Windows32 = win.exe
in the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

May also attempt to collect email addresses from the Windows Address Book and send itself to these email addresses using its own SMTP engine
with itself included as an executable attachment.

May attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans.
May also be used to terminate some services on remote computers.
It may search for shared folders on the internet with weak passwords and copy itself into them.

A text file named HOSTS in C:\\drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address of 127.0.0.1 which would effectively prevent access to these sites.
For example: 127.0.0.1 www.symantec.com
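Mydoom.b, Adware.SearchNew, Plexus and Agobot-KN all rewrite the hosts file, either to sinkhole vendor update sites to 127.0.0.1 or to pin a search domain to an address the attacker controls. The script below is an added example, not part of RegRun or of this database; it parses a hosts file and reports both patterns. The protected-domain list and the sample file are constructed for the example from the entries above (the extra vendor names in the list are an assumption); extend the list with the vendors you depend on.

```python
"""Flag hosts-file lines that sinkhole or redirect name resolution.
Added example; not RegRun or database code."""
import ipaddress

# Domains whose hijack matters here: AV update sites the worms above
# sinkhole, plus the search portal Adware.SearchNew pins. Constructed list,
# an assumption for the example; extend it with the vendors you depend on.
PROTECTED_SUFFIXES = ("kaspersky-labs.com", "symantec.com", "microsoft.com",
                      "f-secure.com", "sophos.com", "msn.com")


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            yield fields[0], host.lower().rstrip(".")


def is_local_name(host):
    """Names that legitimately map to loopback."""
    return host in ("localhost", "localhost.localdomain") or host.endswith(".localhost")


def is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def check_hosts(text):
    """Return [(address, hostname, reason)] for every suspicious mapping."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            # 127.0.0.1 / 0.0.0.0 next to a public name = update site sinkholed
            if not is_local_name(host):
                findings.append((ip, host, f"sinkholed to {addr}"))
        elif is_protected(host):
            # a protected domain pinned to some other address = redirect hijack
            findings.append((ip, host, f"redirected to {addr}"))
    return findings


# Constructed sample hosts file built from the entries on this page.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 www.symantec.com         # Agobot-style sinkhole
69.50.173.250 auto.seach.msn.com   # Adware.SearchNew pin
10.0.0.5 build.corp.example        # internal name, legitimate
"""

if __name__ == "__main__":
    for ip, host, reason in check_hosts(SAMPLE_HOSTS):
        print(f"{ip:16} {host:36} {reason}")
```

Point it at Windows\System32\drivers\etc\hosts (or the Windows directory copy Mydoom.b writes). Every loopback or 0.0.0.0 line that is not a localhost name is reported, so entries you added yourself will show up too; the "redirected to" findings are the ones that need no second look.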

W32/Agobot-KN can sniff HTTP, ICMP, FTP and IRC network traffic and steal data from them.
Can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) synflood / httpflood / fraggle / smurf etc attacks against remote systems.
This worm can steal the Windows Product ID and keys from several computer applications or games.
W32/Agobot-KN will delete all files named 'sound*.*'.

\scandisk.exe
Dangerous worm Worm.Ganda or
It spreads via the Internet as an email attachment.
Terminates well-known antivirus programs.
Sends emails using the user's email database.
Removal:
Stop it by RegRun Startup Optimizer.

_.exe
Worm / Mail trojan
Alters Win.ini. The worm is encrypted. It propagates to users who have earlier mailed the user of the infected computer.

_inst321.exe
Remote Access / Steals passwords
Alters Win.ini (v 2.0).

_webcache_.exe
Steals passwords

00b.exe
Remote Access

1.exe
DoS tool / ICQ trojan / Steals passwords (?)
Can be used to flood a channel with thousands of messages.

1dailups.exe
Steals passwords
It steals dialup passwords and hides them in Rasxnfo.dll, which is encrypted. It sends the file through an SMTP server to the following mail addresses: addr2@server.com, addr3@server.com, majlisb@yahoo.com.

1on1.exe
Dialer. OneOnOne porn dialer.
This program gets access to various Web sites by dialing a high-cost phone number using the modem.
Removal:
Remove it from startup by RegRun Terminate feature.

2kbug-mircfix.exe
Worm / Macro trojan / Virus dropper
Can load plug-ins from the Internet. From the start it used "Source of Chaos" in Japan.

386.exe
W32.IRCBot.D is a backdoor trojan horse that connects to a remote IRC server and awaits commands from the attacker.
Attempts to steal license keys for various games.
Allows unauthorized remote access to an infected computer.
Attempts to remove the following shares on the local drive: c$; d$; IPC$; admin$
Attempts to connect to the IRC server metal.electrogiant.com on TCP port 5599.
Joins a predefined channel, using a random username, and waits for commands from the IRC server.
These commands can allow the attacker to:
- manage installation of the back door;
- transmit the back door to designated IRC channels;
- download and execute arbitrary files;
- perform DoS attacks against attacker-specified targets;
- send out private information;
- terminate arbitrary processes;
- visit websites;
- start a SOCKS proxy service;
- copy itself to shared folders on other machines;
- steal license keys for different games.

Manual removal:
Navigate to each of these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
From each key that is found, delete the value: "Win32 USB2.0 Driver" = "386.exe"
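The Novarg/Mydoom backdoor (TCP 3127 through 3198), Plexus (TCP 1250) and W32.IRCBot.D (outbound to TCP 5599) described above all leave a footprint that netstat shows. The script below is an added example, not RegRun code and not part of this database: it parses the output of netstat -an and matches it against those ports. The sample output is constructed; port 6667 for the IRC bots is an assumption (the entries above name IRC but no port).

```python
"""Match netstat -an output against the backdoor ports described on this page.
Added example; not RegRun or database code."""
import re

# Listening ports the backdoors above open: Novarg/Mydoom 3127-3198, Plexus 1250.
LISTEN_WATCH = [
    (range(3127, 3199), "Mydoom/Novarg proxy backdoor"),
    (range(1250, 1251), "Plexus remote loader"),
]
# Remote ports the IRC bots dial out to. 5599 comes from the W32.IRCBot.D entry;
# 6667 is the conventional IRC port and is an assumption, not from the page.
REMOTE_WATCH = {5599: "W32.IRCBot.D control server", 6667: "IRC control channel"}

# "  TCP    0.0.0.0:3127    0.0.0.0:0    LISTENING" (state absent for UDP)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)", re.I)


def parse_netstat(text):
    """Yield (proto, laddr, lport, raddr, rport, state) per connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header and blank lines
        proto, laddr, lport, raddr, rport, state = m.groups()
        yield (proto.upper(), laddr, int(lport), raddr,
               int(rport) if rport.isdigit() else None, state.upper())


def check_netstat(text):
    """Return [(endpoint, direction, label)] for every match on the watch lists."""
    findings = []
    for proto, laddr, lport, raddr, rport, state in parse_netstat(text):
        if proto != "TCP":
            continue
        if state == "LISTENING":
            for ports, label in LISTEN_WATCH:
                if lport in ports:
                    findings.append((f"{laddr}:{lport}", "listening", label))
        elif state == "ESTABLISHED" and rport in REMOTE_WATCH:
            findings.append((f"{raddr}:{rport}", "outbound", REMOTE_WATCH[rport]))
    return findings


# Constructed sample of netstat -an output; not a capture from a real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       203.0.113.9:5599       ESTABLISHED
  TCP    192.168.1.5:1044       203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for endpoint, direction, label in check_netstat(SAMPLE_NETSTAT):
        print(f"{direction:10} {endpoint:22} {label}")
```

Run netstat -an (netstat -ano on XP and later also prints the owning PID, which tells you which startup entry to terminate) and pipe the output into check_netstat(). A listener in 3127-3198 is the Mydoom backdoor whether or not the mailing component has already expired, which is the point the Novarg entries above make.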

412124.tmp
Back Orifice trojan

53msong.exe
Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)

98s.exe
DoS tool / ICQ trojan / Steals passwords (?)
Can be used to flood a channel with thousands of messages.

Copyright © 1998-2004 Greatis Software | Privacy Policy | Recommend to a friend