Windows Startup Programs database Startup Programs - Dangerous - I
The Application Database tells you which Windows startup programs are useful and which are bad.
The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer.
www.startupapps.com



Dangerous 

i1ru54n4.exe
I-Worm.Bagle.f
This worm spreads via the Internet as a file attached to infected messages. It also spreads via file-sharing networks.
Attempts to connect to several remote sites, and saves information about the infected computer on these sites.
Searches for files with predefined extensions and sends itself to all email addresses which it finds in these files.
Opens port 2475 and tracks port activity. The backdoor function makes it possible for commands to be executed and files to be downloaded on the victim machine.
Attempts to counteract the updating of antivirus programs. It also terminates some system processes.
The worm is programmed to cease propagation after 25th March 2004.

Use RegRun Startup Optimizer to automatically remove this worm.

i1ru74n4.exe
I-Worm.Bagle.e
It spreads via the Internet as a file attached to infected emails.
Attempts to connect to several sites and save information about the infected victim computer on these sites.
Searches for files with some extensions, harvests email addresses, and then sends itself to all addresses found. To send messages, the worm uses its own SMTP server.
Opens port 2745 and tracks port activity. The backdoor function makes it possible to remotely execute commands and download files to the victim machine.
The worm attempts to counteract antivirus programs by terminating their processes.
The worm is programmed to cease propagation after 25th March 2004.

Use RegRun Startup Optimizer to automatically remove this worm.

ickill.exe
DoS tool / ICQ trojan / Steals passwords (?)
Can be used to flood a channel with thousands of messages.

ickiller.exe
DoS tool / ICQ trojan / Steals passwords (?)
Can be used to flood a channel with thousands of messages.

ickrack.exe
Worm / Mail trojan
If the victim's copy of WinZip is not registered, the worm tries to do it. Apulia 4 uses all addresses in Outlook and sends a mail with the subject "Crack for ICQ".

icon_1.exe
Mail trojan / Autodialer / ICQ trojan / Steals passwords
It deletes the two system files Regedit.exe and Msconfig.exe.

icon_2.exe
Mail trojan / Autodialer / ICQ trojan / Steals passwords
It deletes the two system files Regedit.exe and Msconfig.exe.

icqfuckerextensions.exe
Remote Access / Steals passwords
Alters Win.ini (v 2.0)

icqhijaak.exe
DoS tool / ICQ trojan / Steals passwords (?)
Can be used to flood a channel with thousands of messages.

icqnuke.exe
Remote Access / ICQ trojan

icqupdate.exe
Remote Access / Keylogger
Alters Win.ini. It is disguised as a Y2K system updater.

icsniffq.exe
Remote Access

id8525.exe
Trojan Program and IE homepage hijacker.
Remove it from startup.

ie_ex.exe
Remote Access / HTTP server
Basically, the trojan converts the infected computer into a Web server, which in turn is controlled by the intruder's browser.

ie_pack.exe
Remote Access / Worm / Virus / Trojan dropper / Mail trojan / Downloading trojan
It tries to destroy up to eight different antivirus programs and makes it impossible to mail the AV company or visit its Web-site. Wsock32.dll is patched by the trojan. Whenever the user sends a mail, the trojan will mail another one to the same recipient with an attachment only. May be updated from the Internet.

ie0199.exe
Autodialing trojan
It randomly connects to three Bulgarian Web sites:
http://www.btc.bg/, http://www.infotel.bg/, and http://ns.infotel.bg/.

ie080898.exe
Mailsending trojan
Uses Windows Sockets API to randomly send mails to 12 different email addresses in Bulgaria. Variations of file names have been reported.

iecookie.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.

iedriver.exe
Advertising spyware (Cydoor).
Installed with sharing software called URLBlaze.
We suggest uninstalling URLBlaze and stopping iedriver.exe.

iestub32.exe
Remote Access / Downloading trojan

iexpand.exe
Mail trojan / Autodialer / ICQ trojan / Steals passwords
It deletes the two system files Regedit.exe and Msconfig.exe.
This is a trojan virus, so we strongly recommend deleting this file from startup.
See more details on:
http://www.cai.com/virusinfo/encyclopedi...

iexpiore.exe
Troj/Oblivion-B - trojan that adds remote access to your computer.
It uses ICQ and IRC channels to notify the sender of activation.
Stop the IEXPIORE process and remove it from startup. We suggest using RegRun Startup Optimizer and Advanced Optimizer.

iexplore32.exe
W32/Specx. Worm.
This is an Internet worm that propagates via the KaZaA and iMesh peer-to-peer networks.
Read more:
http://vil.mcafee.com/dispVirus.asp?viru...
Remove it from startup.

iexplorer.exe
RapidBlaster is a task run on Windows startup.
When an internet connection is present it periodically connects to its servers to fetch advertising.
Typically pop-ups for porn sites.
Can download and execute arbitrary unsigned code pointed to by its controlling servers.

RapidBlaster/Rnd is an update which uses pseudo-random filenames.
If it fails to contact its server it will just use 'RapidBlaster\rb32.exe' as with older variants.
If you remove it, it will reinstall itself using a new name.

Installed with ActiveX drive-by download on affiliate pages, including misleading download links (eg. 'megamovieblaster') and pop-ups.
It can also be installed by the ISTBar parasite.

Manual removal
Open the Task Manager and end the RapidBlaster process (rb32.exe, or, in the Rnd variant)

Find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the 'Something lptt01' entry.
'Something' will be the same as the filename of the RapidBlaster program - you can now delete the folder containing this.

Or remove it from startup by RegRun Startup Optimizer.

iexplorer0.exe
Backdoor.Threadsys is a backdoor Trojan horse that connects to a predefined server and sends confidential information, including system information and captured keystrokes. The Trojan can receive information, allowing unauthorized remote access.

Attempts to copy itself to %Windir%\System\Iexplorer0.exe.
Creates the following plain text configuration files:
%Windir%\System\IO32.dll
%Windir%\System\para.dll
%Windir%\System\Routing.cfg

It adds the value:
"Name"="%Windir%\System\Iexplorer0.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Remove it from startup by RegRun Startup Optimizer.

ik.exe
Keylogger

ik97v12s.exe
Keylogger

illusion client.exe
Anonymous mailer, mail proxy
Sets up a mail relay, or mail proxy, so that anyone can send mails and make them look like they came from the victim.

inet20.exe
Steals passwords / Keylogger

inet20n.exe
Steals passwords / Keylogger

inetb00st.exe
Remote Access / Downloading trojan

inetd.exe
Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)

inetman.exe
W32.HLLW.Donk.O is a worm that spreads through open network shares and attempts to exploit the Microsoft DCOM RPC vulnerability.

Creates copies of itself as:
%System%\inetman.exe
%System%\cool.exe

Adds the values:
"Microsoft System Checkup"="inetman.exe"
"NT Logging Service"="syslog32.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the value: "Microsoft System Checkup"="inetman.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Generates a random IP address.
Attempts to exploit the DCOM RPC vulnerability (as described in Microsoft Security Bulletin MS03-026) by sending data on TCP port 135 to the generated IP address.
Creates a hidden, remote shell process that listens on TCP port 4444, allowing an attacker to issue remote commands on an infected system.
Ends the processes of many firewall and antivirus programs.

Attempts to copy itself to the administrative shares using different user names and passwords.
If successful, the worm will copy itself to the remote systems.

Attempts to download and execute the following files from a series of predetermined Web servers:
- %Temp%\upd32a.exe
- %Temp%\lpd32b.exe
- %System%\navinst.exe
- %Temp%\file.my3

Connects to the predetermined IRC servers and awaits commands from an attacker.
The backdoor provides the attacker with the following functions:
- Flood a specified host
- Download files from the attacker
- Execute files

Use RegRun Startup Optimizer to automatically remove it from startup.

infect1.exe
Remote Access / Keylogger

infect2.exe
Remote Access / Keylogger

info32.exe
This is a trojan program.
Read more:
http://www.dark-e.com/archive/trojans/in...

Remove it from Windows startup by RegRun Startup Optimizer.

inikill.exe
Remote Access
The main goal of this trojan is to sabotage the work of the person infected by the trojan server; MooSoft sees Ini-Killer as a destructive trojan.

inikiller.exe
Remote Access
The main goal of this trojan is to sabotage the work of the person infected by the trojan server; MooSoft sees Ini-Killer as a destructive trojan.

insane network.exe
Remote Access

insane network4.exe
Remote Access

inst321.exe
FTP server (?) / Remote Access

instalar.exe
Worm / Macro trojan / Virus dropper
Can load plug-ins from the Internet. From the start it used "Source of Chaos" in Japan.

install2.exe
Remote Access

instliex.exe
Remote Access / HTTP server
Basically, the trojan converts the infected computer into a Web server, which in turn is controlled by the intruder's browser.

intcp32.exe
W32.Randex.UG is a worm that may be remotely controlled via IRC.
The worm includes Distributed Denial of Service (DDoS) capabilities and also tries to steal the CD keys of a number of games.
Also Known As: Backdoor.IRC.Bot.gen, Backdoor.IRC/SdBot, W32/Sdbot.worm.gen

Copies itself as %System%\intcp32.exe.
Calculates a random IP address.
Attempts to authenticate as an administrator to the calculated IP address. If this worm is successfully authenticated, it will copy itself as:
\\Admin$\intcp32.exe
\\Admin$\system32\intcp32.exe
\\C$\winnt\system32\intcp32.exe
\\C$\windows\system32\intcp32.exe

Remotely schedules a task to run the worm on a newly infected computer.
Connects to an IRC channel on a predetermined IRC server to receive remote instructions, such as:
Ntscan: Scans for computers with weak administrator passwords, and then copies itself to these machines.
Syn: Performs a SYN flood attack with a data size of 55808 bytes.
Sysinfo: Retrieves the infected machine's information, such as CPU speed and the amount of memory.

Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: "Threaded"="intcp32.exe"

interactive.exe
Remote Access / Keylogger / IRC trojan
Doly is hidden in several different programs: in Memory Manager, in an Interactive Game, and in a Downloading program. The trojan also starts using Windows Startup Directory.

internetfeatures.exe
Added as a result of the POPMON.A virus, also known as PopMonster adware:
http://www.trendmicro.com/vinfo/virusenc...
Remove it from startup by RegRun Startup Optimizer.

intrenat.exe
W32.HLLW.Doomjuice uses computers infected by W32.Mydoom.A@mm to spread.
This worm also launches a Denial of Service (DoS) attack on the Microsoft Web site if the current system date is after February 11th, but before the end of this month.
Copies the W32.Mydoom.A@mm source code archive file sync-src-1.00.tbz to the root folder of all the fixed and remote drives.
Sends itself to the machines infected with W32.Mydoom.A@mm.

Copies itself as %System%\intrenat.exe.
Adds the value:
"Gremlin" = "%System%\intrenat.exe"
to one of the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Randomly generates IP addresses and attempts to connect to those IP addresses on TCP port 3127.
If the connection is established, the worm first sends five bytes to the remote computer.
Then, it sends a copy of itself to the remote computer.
The backdoor component of W32.Mydoom.A@mm will accept the file and execute it.

Remove it from startup with RegRun Startup Optimizer or manually delete its registry keys.

intruder.exe
Remote Access
Pretends to be an ICQ hack.

intruseclient.exe
Remote Access

intruseserver.exe
Remote Access

invasor.exe
Remote Access

ipager.exe
Remote Access / ICQ trojan
Sends a message to an ICQ user every 30 minutes. It extends the capability of other trojans without ICQ notification.

ipconfigs.exe
Backdoor.Hacarmy.C is a Backdoor Trojan horse that gives an attacker control over a compromised computer.
Attempts to connect to an IRC server at port 6667.
If successful, it allows the remote attacker to perform some of the following actions:
- Download and execute files
- Terminate processes
- Steal system information, such as operating system information, system uptime, current user name, IP address, and host name

Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: "IPConfig"="ipconfigs.exe"

irbme.exe
W32.Randex.RH
This is a network-aware worm that spreads through IRC channels.
Then, it schedules itself to execute remotely created files.
Allows unauthorized remote use of an infected computer.

Deletes the following files if they are found:
%System%\winnt32.dat
%System%\netstat.exe

Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value: "Randex virus built for IRBMe"="irbme.exe"

irngiant.exe
Worm / Mail trojan
Uses several different names for the attachment, which can be mailed by either Netscape Mail, MS Outlook or MS Outlook Express.

irun4.exe
Bagle.i worm.
Bagle.i sometimes sends copies of itself in password protected ZIP format.
In this case, the password is included in the body of the message. The zipped file is about 12KB in size.

Infected messages have the following characteristics:
Message header: different, such as: E-mail account disabling warning; E-mail account security warning.

Message body: (chosen from predefined list) for example:
Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.

Attachment extensions (chosen from the list below): exe, pif, zip.

The worm copies itself to the Windows system directory under the name irun4.exe and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ssate.exe" = "%system%\irun4.exe"
It also creates a key in the registry:
[HKCU\SOFTWARE\DateTime]
""="1"

The worm attempts to connect to a number of remote sites and to save information about the infected computer on these sites.
The worm searches for files with some extensions, harvests email addresses, and then sends itself to all addresses found.
The worm attempts to counteract the updating of antivirus programs by terminating their processes.

Use RegRun Startup Optimizer to remove it from startup.

irwftp.exe
PWSteal.Bancos.H is a Trojan horse that mimics the online interfaces of certain Brazilian banks to try to steal account information.
It is a minor variant of PWSteal.Bancos.F.

Extracts itself to %System%\Irwftp.exe.
Adds the value: "ir_ftp"="%System%\irwftp.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Monitors the active Internet Explorer windows, waiting for you to open a Web page that matches the characteristics of certain banking sites.
When such a site is opened, the Trojan displays one of several login screens, which are selected according to the URL or HTML page title.
The entered information is emailed to the attacker.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "ir_ftp"="%System%\irwftp.exe"

isass.exe
It is a result of a variant of the OPTIX PRO series of viruses.

Optix.Pro (Bck/Optix.Pro.13) is a trojan that opens TCP port 3410, allowing a hacker to control an infected computer.
Also, it installs and executes the trojan Bck/Sub7.22, which disables antivirus programs and system processes with network displays.

Optix.Pro copies itself through floppy disks, CDs, e-mail with infected attachments, files from FTP, etc.

Use RegRun Startup Optimizer to remove it automatically.

isdel.exe
FTP server (?) / Remote Access

iservc.exe
Worm Fizzer.
Fizzer is an Internet worm that spreads via e-mail messages and KaZaa shared directories. It also contains "backdoor" remote access features.

The worm captures all keystrokes and writes them to the file named "iservc.klg" in the Windows directory. It also tries to download and install its updated version from a geocities user page.
Remove it from startup.

istsvc.exe
ISTbar is an IE toolbar with some variants:

1. ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. Updates are loaded by an 'AUpdate' process.

2. ISTbar/MSCache also uses TinyBar, along with a Browser Helper Object called mscache.dll used to load updates. The controlling server is www2.skoobidoo.com.
ISTbar/MSCache was widely distributed to victims clicking on links to the 'OutWar' online game.

3. ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar based on the Pugi toolbar. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com. Opens pop-ups as directed by its controlling server.

All versions also install other third-party software which includes advertising.
ISTbar also installs other parasites: AUpdate and XXXToolbar install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus; the MSCache variant installs nCase and the Wink/EasyDates dialler.

Automatic removal:
Use RegRun Startup Optimizer to remove it.

Manual removal:

AUpdate variant
Find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'AutoUpdater' entry pointing to aupdate.exe.
Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'.
Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars,
and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.
Restart the computer and delete the files 'aupdate.exe', 'aupdate.conf', 'aupdate.trk' and (if it is there) 'aupdate_uninstall.exe' from the System folder.

MSCache variant
In the DOS command prompt window enter the following commands:
cd "%WinDir%\System"
regsvr32 /u ../mscache.dll
Then find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'MS Updates' entry pointing to mscache.exe.
Find the key HKEY_CLASSES_ROOT\CLSID, and delete the subkey '{69550BE2-9A78-11D2-BA91-00600827878D}'.
Delete the subkey of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars,
and the entry of the same name from HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar.
Restart the computer and delete the files 'mscache.exe', and 'mscache.dll' from the Windows folder.

XXXToolbar variant
Find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the 'IST Service' entry, if it is there.
Open a DOS command prompt window and enter the following commands:
cd "%WinDir%\System"
regsvr32 /u "\Program Files\ISTbar\istbar.dll"
Restart the computer and delete the 'ISTbar' folder inside Program Files, and the 'istsvc.exe' file inside the Windows folder.
You can also delete the registry keys HKEY_CURRENT_USER\Software\ISTbar and HKEY_CLASSES_ROOT\Pugi.PugiObj .

its.exe
Steals passwords
At first Ring0 came as an attached file to Winsock Version Checker. When it's active and the computer is connected to the Internet, the trojan searches for proxy servers and tries to send the collected information to an FTP server in Russia.

Copyright © 1998-2004 Greatis Software