The Application Database suggests you which Windows startup programs are usefual and which are bad. The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer. www.startupapps.com

---

Purchase RegRun Suite Download RegRun Suite

Search Database for:

RegRun > Greatis Startup Application Database > Dangerous > E

 

eastav.exe
easyav.exe
ebxtar.exe
edit-keylogger.exe
editora2.exe
editserver.exe
editsrv1.exe
editsvr.exe
edtsrv.exe
eiexplorer32.exe
emmanuel.exe
encrypt.exe
energy.exe
enterprise.exe
epp32.exe
eps.exe
eps16.exe
eps161.exe
error!.exe
error32_client.exe
error32_server.exe
eschlp.exe
exec.exe
execfg4.exe
exesmasher.exe
expiorer.exe
expl32.exe
exploier.exe
explor.exe
explore.exe
explorer.scr
explupd.exe

eastav.exe

I-Worm.Netsky.t
This worm spreads via the Internet as an attachment to infected emails.

Characteristics of infected messages
Message header (chosen at random from the list below)
Message body (chosen at random from the texts below)
Attachment
A file with a .pif extension and a randomly generated name.

The worm is activated when the user opens the attached file.
Once launched, the worm installs inself to the system and starts propagating.

Copies itself to the Windows directory under the name EastAV.exe and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"EastAV"="%windir%\EastAV.exe"

The worm searches for files with the extensions listed below: adb; asp; cfg; cgi; dbx; dhtm; doc; eml; htm; html; jsp; mbx; mdx; mht etc.
harvests email addresses and sends copies of itself to all addresses found.
The worm uses its own SMTP library to send messages.

The worm will attempt to conduct DoS attacks on the following sites in accordance with the system clock local settings:
- www.cracks.am
- www.emule.de
- www.freemule.net
- www.kazaa.com
- www.keygen.us

Use RegRun Startup Optimizer to remove it from startup.

easyav.exe

W32.Netsky.S@mm is a mass-mailing worm and a variant of W32.Netsky.R@mm.
It also contains backdoor functionality and may perform Denial of Service (DoS) attack against specified Web sites.
If the system date is between April 14, 2004 to April 23, 2004, the worm will try to perform a DoS attack against the following Web sites:
www.cracks.am; www.emule.de; www.kazaa.com; www.freemule.net; www.keygen.us

The email has a variable subject line and attachment name. The attachment will have a .pif file extension.

Copies itself as %Windir%\EasyAV.exe.
Creates the file, %Windir%\Uinmzertinmds.opm, which contains a MIME-encoded copy of the worm's executable.

Adds the value:
"EasyAV"="%Windir%\EasyAV.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Listens on port 6789. If the attacker sends an executable file to an infected computer, the worm will save it as .exe, and then execute that file.

Scans and retrieves email addresses from the files with some extensions.
If the system date is not April 2004, or if it is and the day is less than 14 or greater than 16, the worm will attempt to use its own SMTP engine
to send itself to all the email addresses that it finds.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "EasyAV"="%windir%\EasyAV.exe"

ebxtar.exe

W32/Rbot-IC.
It is a worm which attempts to spread to remote network shares and allows unauthorised remote access to the computer via IRC channels.
It spreads to network shares with weak passwords and via network security exploits.

Copies itself to the file ebxtar.exe in the Windows system folder and creates entries at the following locations in the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
with the value: BIOS XP Loader = ebxtar.exe

Use RegRun Startup Optimizer to automatically remove it from startup.

edit-keylogger.exe

Keylogger / ICQ trojan
Notifies via ICQ.

editora2.exe

Remote Access
Alters Win.ini.

editserver.exe

Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.

editsrv1.exe

Remote Access / ICQ trojan
Version 1.6 autoloads through changes in System.ini and Win.ini. 1.5 uses Registry and System.ini to autoload.

editsvr.exe

Remote Access
Puts up a box allagedly from the NSA, that the program will scan the hard disk for pirated software.

edtsrv.exe

Remote Access

eiexplorer32.exe

W32/Sdbot-NX is a worm which attempts to spread to remote network shares. The worm also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
Read more:
http://www.sophos.com/virusinfo/analyses...
Remove it from Windows startup.

emmanuel.exe

Worm / Mail trojan / Destructive trojan
When executed, Navidad displays an Error box with the text "UI". After the user has pushed OK, a blue eyes icon is placed in the Taskbar. Due to a misstake from the authorīs side, when it writes to Hkey_Classes_Root, the system may crasch and become unusable. Suppresses the running of any .exe files. Reads incomming mails and sends itself back in return.

encrypt.exe

Remote Access

energy.exe

Worm / Mail trojan
The wormīs .exe file is distributed in a compressed format and is using one of twenty names randomly. Hermes contacts "http://www.seznam.cz", but there is nothing there. It also tris to register, but fails to do so beacause of a bug. It propagates twice to all addresses in Outlook. In several versions th code is packed using UPX.

enterprise.exe

Remote Access

epp32.exe

Remote Access / Keylogger / ICQ trojan

eps.exe

Steals passwords / ICQ trojan
Displays a Firework and simultanlously starts in the backround. Sends the passwords encrypted via e-mail

eps16.exe

Steals passwords / ICQ trojan
Displays a Firework and simultanlously starts in the backround. Sends the passwords encrypted via e-mail

eps161.exe

Steals passwords / ICQ trojan
Displays a Firework and simultanlously starts in the backround. Sends the passwords encrypted via e-mail

error!.exe

Worm / Destructive trojan / Mail trojan / Network trojan
Alters Win.ini. Partial trojan, partial worm. Destroys files ending with .h, .c, .cpp, .asm, .doc, .ppt, or .xls. ExplorezipB is a compressed version of this worm. Can propagate through networks with shared disks.

error32_client.exe

Remote Access

error32_server.exe

Remote Access

eschlp.exe

W32.Blaster.T.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The worm targets only Windows 2000 and Windows XP computers. W32.Blaster.T.Worm does not have a mass-mailing functionality.
For additional information, read the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."
We recommend that you block access to TCP port 4444 at the firewall level. Also block the following ports if you do not use either DCOM RPC or TFTP:

The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com).
This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
Changes the Internet Explorer start page to http:/ /www.getgood.biz.
Also Known As: W32/Blaster-G, WORM_MSBLAST.I, W32/Blaster.worm.k

Copies itself as the following files:
%System%\eschlp.exe
%System%\svchosthlp.exe

Adds the values:
"Helper" = "%System%\eschlp.exe /fstart"
"MSUpdate" = "%System%\svchosthlp.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creates the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Sysuser

Automatic removal:
Use RegRun Startuip Optimizer to remove this worm from your computer.

exec.exe

Remote Access

execfg4.exe

W32/Forlorn-D is a peer-to-peer (P2P) worm that spreads through the KaZaA and Morpheus network sharing utilities.
When first executed the worm copies itself as EXECFG4.EXE in the Windows folder and sets the following registry entry to the path of this copy so the worm will be executed when the Windows is restarted:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\execfg4

The worm queries the following registry entries searching for a folder that is shared across the KaZaA and Morpheus networks:
HKLM\Software\Kazaa\LocalContent
HKLM\Software\Morpheus\LocalContent
HKCU\Software\Kazaa\LocalContent
HKCU\Software\Morpheus\LocalContent
If a value is not found then the folder C:\\SysConfig is used.

Seventy three copies of the worm are created in this folder with the different filenames, such as:
[DiVX] Harry Potter And The Sorcerors Stone Full Downloader.exe
Age of empires 2 crack.exe
Borland Delphi 6 Key Generator.exe
Britney spears nude.exe
DivX codec v6.0.exe
GTA3 crack.exe
Microsoft Windows XP crack pack.exe
Windows XP serial generator.exe
Winrar + crack.exe
ZoneAlarm Firewall Full Downloader.exe

Use RegRun Startup Opimizer for removal.

exesmasher.exe

Remote Access / FTP server / CQ trojan
InCommand can bind (join or wrap) its server to any other .exe file, and can also add extra legth to it to avoid searches on specific file length. It uses selfinstalling plug-ins to add features to the trojan and can thousands of icons stored inside the EditServer file.

expiorer.exe

Remote Access / FTP server

expl32.exe

Remote Access / Hidden IP-Scanner
The trojan is able to decrypt cached passwords.

exploier.exe

I-Worm.Lovgate.ah spreads via the Internet as an attachment to infected messages.
May also create several copies of itself in the root directory of all accessible disks in ZIP format. The copies will be saved under random names.
If the worm finds the P2P client Kazaa on the victim machine, it will copy itself to the file-sharing folder under the different names.
The worm attempts to copy itself to all accessible computers which it finds on the local network.
The worm will answer all messages it detects in the 'Incoming' folder by sending an infected email to these addresses.
It also harvests email addresses from files with the different extensions.
The worm terminates all processes which contain the predefined text in their names.
The worm harvests information about the victim machine and saves it in a file named c:\Netlog.txt which is then sent by email to the worm's author.
It installs a backdoor on TCP port 6000 to receive commands.

Use RegRun to automatically remove this registry item.

explor.exe

Worm / Virus / Trojan dropper / IRC trojan
Alters System.ini. Drops The Thing (= Fix.exe). On December 31st Illen changes three Registry settings.

explore.exe

Remote Access / Trojan dropper
Disguised as a fake game and installs a NetBus Pro server.

explorer.scr

Trojan Worm.Kazaa.Benjamin.
Remove it!

explupd.exe

Steals passwords
At first Ring0 came as an attached file to Winsock Version Checker. When itīs active and the computer is connected to the Internet, the trojan searches for proxyservers and tries to send the collected information to an FTP server in Russia.