Windows Startup Programs database
Startup Programs - Dangerous - L
Home
Features
On-line Guide
Help On-line
Screenshots
Order
Download
Localization
Awards
Support
NI Forum
Mickey Forum
Greatis Forum
Startup Programs
Application Database
Hot!
Download:
RegRun 4.0 beta 2
What's new?
Greatis Home
Subscribe:
The Application Database
suggests you which Windows startup programs are usefual and which are bad.
The recommended tool for quickly removing the useless programs is
RegRun Startup Optimizer
.
www.startupapps.com
Purchase RegRun Suite
Download RegRun Suite
Search Database for:
RegRun
>
Greatis Startup Application Database
> Dangerous >
L
l32x.exe
lannsvc.exe
latinus.exe
lcoder.exe
lcv_sys.exe
libupdate.exe
loa.exe
load32.exe
locater.exe
logcfg.exe
logged client.exe
logged.exe
logger.exe
lorraine.exe
lovers.exe
lrbz32.exe
lsas.exe
lsasse.exe
lsasss.exe
lunetic!.exe
l32x.exe
I-Worm.Dumaru.j
This worm is a part of the Dumaru family, which spreads via the Internet as files attached to infected messages.
The worm includes a backdoor function and a Trojan program which enables it to steal information.
When installing, the worm copies itself to the Windows system directory under the names l32.exe and vxd32.exe, and to the startup directory under the name dllxw.exe.
It registers itself in the system register:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"load32" = "%windir%\%system%\l32x.exe"
The worm searches all directories on accessible local disks for files with the extensions htm, wab, html, dbx, tbb, abd, highlights lines which are email addresses and then sends infected messages to these address.
Infected messages have the following characteristics:
Sender's address:
Elene F*****SUICIDE@HOTMAIL.COM
Message header:
Important information for you. Read it immediately !
Message body:
Hi !
Here is my photo, that you asked for yesterday.
Attachment:
myphoto.zip
In order to send messages, the worm uses its own SMTP engine, giving the return address as address@dyandex.ru. All notifications sent by mail scanners about the fact that the worm has been detected in messages will therefore be sent to this address.
The worm opens port 10000 to receive hacker's commands.
The worm also has a keyboard logging function, and is able to save all information entered via the keyboard to a separate file.
Remove this worm by RegRun Startup Optimizer.
lannsvc.exe
W32.Randex.AAS is a network-aware worm, which copies itself to, as the following,
to the computers that have weak administrator passwords: \Admin$\system32\GT.exe; \c$\winnt\system32\GT.exe
The worm receives instructions from an IRC channel on a predetermined IRC server.
Copies itself as %System%\LanNSvc.exe.
Calculates a random IP address for a computer that it will try to infect.
Attempts to authenticate itself to the randomly generated IP addresses.
The worm will try connecting as everyone in the list of users who exist on the remote computer, until it successfully connects or runs out of accounts.
This action results in accounts being locked out due to unsuccessful log-on attempts.
Remotely schedules a task to run the worm on a newly infected computer.
Adds the following value:
"TCP Monitoring"="LanNSvc.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Connects to a specific IRC channel on a specific IRC server to receive remote instructions.
Steals the CD key of some games.
Automatic removal:
Use RegRun Startup Optimizer.
latinus.exe
Remote Access
lcoder.exe
Remote Access / ActiveX trojan / Downloading trojan / Worm / Mail trojan / IRC trojan / Virus / Network trojan
By just viewing a HTML file or reading a mail a trojan can be downloaded to the users computer. As of now it installs The Thing 1.6 server. Spreads through MS Outlook, shared drives and IRC.
lcv_sys.exe
Remote Access / ICQ trojan
Sockets des Troie is French for Trojan Sockets and was one of the very first Remote Access trojans being published.
libupdate.exe
Remote Access / Keylogger / Steals passwords / ICQ trojan / AOL trojan / DoS tool
It alters Wininit.ini and replaces explorer.exe with explorer.e. It may also infect Awadrp32.exe, Mkcompat.exe and Rnaap.exe. You usually notice your infected because you no longer can reboot or shutdown the computer as the trojan will not shutdown. BioNet also makes it impossible to reboot to DOS mode to delete the trojan. It evaids antivirus and firewall programs. Every server sent out is possible to be unique with combinations of more than 50 different features using the server builder. Using CGI scripts the trojan can do almost anything. Because of this may manual removal instruction not be totally reliable. The server is distributed in an uncompressed version, to allow anyone to use a compressor is his choice. Using a scheduler, the hacker can activate the server to make contact on a certain a specific day. BioNet is able to attack other servers using a large numbers IGMP packets using all available bandwidth. From v3.09 it supports plug-ins from other coders.
loa.exe
IRC-Worm.Loa
This is an IRC worm spreading via mIRC channels. The worm code itself is a randomly named DOS EXE file.
load32.exe
Worm W32/Dumaru.j@MM.
You are infected by e-mail when you clicked on the attached file.
This worm constructs messages using its own SMTP engine.
Target e-mail addresses are extracted from files on your computer.
A password-stealing trojan is also dropped by the worm:
%WinDir%\GUID32.DLL (4096 bytes)
WinDir is the "c:\windows" on default.
Removal:
Delete the next files:
%WinDir%\DLLREG.EXE
%SysDir%\LOAD32.EXE
%SysDir%\VXDMGR32.EXE
%WinDir%\Start Menu\Programs\Startup\RUNDLLW.EXE
Sysdir is the Windows\System or Windows\System32 folder.
Remove these files from startup.
Read more:
http://vil.nai.com/vil/content/Print1006...
locater.exe
Remote Access / FTP server
It installes a hidden FTP server on the victim´s computer.
logcfg.exe
Keylogger
logged client.exe
Keylogger
"Logs keys and and system information." (MooSoft)
logged.exe
Keylogger
"Logs keys and and system information." (MooSoft)
logger.exe
Keylogger
lorraine.exe
I-Worm.Mapson virus.
To send infected messages the worm uses a built-in SMTP engine. The virus takes e-mails addresses from Messemger contact list.
Remove it from startup by RegRun Start Control.
lovers.exe
Remote Access / Downloading trojan / Worm / Mail trojan
Self-updating worm. Downloads two trojan files from a hacker site. The "Nn.zip" file being created gets its numbers from the numbers in the file ""Lastversion.txt"".
lrbz32.exe
W32.Gaobot.AOL
It is a worm that spreads through open network shares and several Windows vulnerabilities.
The worm can act as a backdoor and attack other computers.
It also attempts to kill the processes of many antivirus and security programs.
Attempts to delete files associated with other worms, delete the registry key entries referring to these worms, and terminate processes with the following names:
winhlpp32.exe; tftpd.exe; dllhost.exe; winppr32.exe; mspatch.exe; penis32.exe; msblast.exe
Steals CD-keys from a large number of games.
Gives the creator backdoor access to the system via IRC.
Will attempt to copy itself to systems with weak passwords.
Manual removal:
Navigate to the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Delete the value: "MS Config v13"="lrbz32.exe"
lsas.exe
Gaobot Trojan.
Spreads in local network via open shares.
Also it uses DCOM RPC vulnerability (135,445 ports) and WebDav vulnerability (port 80).
Allows to control the victim computer by IRC.
Terminates well known antiviral software.
Removal:
install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set the strong passwords for network shares.
Use RegRun "Terminate" feature to erase the virus body files.
They are located in Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe
Free removal tool:
http://securityresponse.symantec.com/avc...
lsasse.exe
W32/Rbot-DI
Aliases: Backdoor.Rbot.gen, W32/Sdbot.worm.gen.o virus
It is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
It spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
Copies itself to the Windows system folder as LSASSE.EXE and creates registry entries called MICROSOFT UPDATE Machine under the following keys so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Use RegRun Startup Optimizer to remove it from your system.
lsasss.exe
I-Worm/Sasser.E.
You should install Microsoft patches to fix your Windows.
After that remove it from startup by RegRun Start Control.
lunetic!.exe
Worm / Mail trojan
The worm´s .exe file is distributed in a compressed format and is using one of twenty names randomly. Hermes contacts "
http://www.seznam.cz",
but there is nothing there. It also tris to register, but fails to do so beacause of a bug. It propagates twice to all addresses in Outlook. In several versions th code is packed using UPX.
Copyright © 1998-2004 Greatis Software |
Privacy Policy
|
Recommend to a friend
