Windows Startup Programs database Startup Programs - Dangerous - R
The Application Database tells you which Windows startup programs are useful and which are bad.
The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer.
www.startupapps.com

Dangerous 

rasmin.exe
Destructive trojan
Rasmin uses up all the memory and the infected computer crashes regularly.

rat10.exe
Remote Access / AOL trojan
Can register under 40 different HKEYs.

rat11.exe
Remote Access / AOL trojan
Can register under 40 different HKEYs.

rat20.exe
Remote Access / AOL trojan
Can register under 40 different HKEYs.

rat21.exe
Remote Access / AOL trojan
Can register under 40 different HKEYs.

rb.exe
Backdoor.Akak
This is a backdoor server that also creates a SOCKS proxy on the compromised system.
Opens an unauthorized backdoor to the compromised system.
May be installed when you visit a malicious Web site using Internet Explorer. These pages may contain code that exploits the Microsoft Internet Explorer Drag And Drop File Installation Vulnerability.
Creates a SOCKS proxy on TCP port 5555.
This allows the compromised computer to be used to proxy protocols such as HTTP.
Listens on TCP port 4321 for commands from the remote attacker.
The attacker can do any of the following:
- Obtain system information
- Download and execute files on the compromised computer
- Uninstall the back door
- Update the address of the master server

Use RegRun Startup Optimizer to automatically remove it from startup.

rb32.exe
Rapidblaster IE homepage hijacker (adult content).
Remove it from startup.
You should choose Optimize Startup and also Advanced Optimizer.

rch.exe
HTTP server / Remote Access

rchubo.exe
HTTP server / Remote Access

readme.exe
BackDoor Trojan.

recycle-bin.exe
Name: Shit Heep
Remote Access

redire32.exe
Remote Access
Alters Win.ini.

reg32.exe
Troj/Regldr-A
It is a simple Trojan that copies itself to the Windows folder as the file Reg32.exe and sets the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Reg32 = C:\Windows\Reg32.exe

This trojan will also set the registry entries listed below to point to the page secure.html located in the default Windows folder.
This HTML page claims that the system has been compromised by spyware and prompts the user to visit the URL
http://www.privacyoutpost.com/enter.html...
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Local Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main\Local Page
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page

Manual removal:
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and delete this value: Reg32= C:\Windows\Reg32.exe

reg33.exe
Trojan program.
Remove it from startup using Start Control.
Reset Internet Explorer settings to default.
Open Start menu, Settings, Control Panel, Internet Settings.
Go to the "Programs" tab.
Click on the "Reset Web parameters" button.

reg66.exe
Remote Access / Keylogger
Alters Win.ini. It is disguised as a Y2K system updater.

reg666.exe
Millenium trojan

regcheck.exe
Remote Access / Steals passwords / EXE Binder
May alter Win.ini and/or System.ini. Based on SubSeven. Some of the files are packed with UPX 1.01. It comes with several different skins and supports plug-ins, so features may change. With Undetected, the hacker is able to write and execute different types of scripts, such as .bat and .vbs files, on the infected machine.

regcle32.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

regclean.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

registry.exe
Troj/Zasil-A creates and executes the file registry.exe in the Windows folder and then displays a pornographic JPG image.
Creates the following key in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Registry Services
with the value: registry.exe
Each time registry.exe is executed the Trojan will attempt to download a text file from the internet that contains links to scripts that access pages from lists of website addresses contained in the scripts.
The Trojan may also access a spyware script that reports the IP address being used by the active Trojan.

Use RegRun to automatically remove this registry item.

registry32.exe
Remote Access / Steals passwords
Alters Win.ini and System.ini. Comes with a NetScanner to help find infected PCs.

registryreminder.exe
Steals passwords / AOL trojan
Alters Win.ini and System.ini. Steals passwords from AOL accounts and sends them to one of several Hotmail addresses.

regloadr.exe
Gaobot Trojan.
Spreads in local network via open shares.
It also uses the DCOM RPC vulnerability (ports 135, 445) and the WebDav vulnerability (port 80).
Allows the victim computer to be controlled via IRC.
Terminates well-known antivirus software.
Removal:
Install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set strong passwords for network shares.
Use the RegRun "Terminate" feature to erase the virus body files.
They are located in the Windows\System32 folder:
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

regserver.exe
Remote Access / Destructive trojan (?)

regsvs.exe
W32.Gaobot.YN is a variant of W32.HLLW.Gaobot.gen that attempts to spread to network shares and allows access to an infected computer through an IRC channel.

The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80

Allows unauthorized remote access.
Steals CD keys of several popular computer games.
Ends processes belonging to antivirus and firewall software.
Targets: accounts with weak passwords; systems not patched against the DCOM RPC vulnerability or the RPC locator vulnerability.

Copies itself as %System%\regsvs.exe.

Adds the value: "Compatibility Service Process" = "regsvs.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Opens a randomly selected TCP port to connect to an attacker.
Connects to a predefined IRC channel, using its own IRC client, and listens for the commands from an attacker.
Allows an attacker to remotely control a compromised computer, allowing him/her to perform any of the following actions:
- Manage the installation of the worm
- Dynamically update the installed worm
- Download and execute files
- Steal system information
- Send the worm to other IRC users
- Add new accounts

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

release.exe
Name: SkyDance
Remote Access
Among the information this trojan steals is a copy of all registry settings.

remote.exe
Prank trojan
Reboots a computer remotely

remotecontrol.exe
Remote Access / FTP server / Steals passwords

reporter.exe
Remote Access

rfkampig.exe
Trojan.Gipma is a Trojan horse program that displays obscene messages and makes the desktop and task bar invisible.
Displays the %Windows%\pig.htm file in Internet Explorer. This page contains an obscene, anti-American message.

Moves itself to %System%\fkampig.exe.
Copies itself as %windows%\retime.exe.
Creates a file named %windows%\pig.htm.

Sets the value: "retime" = "%windows%\retime.exe"
in the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Sets the value: "Windows-TCP-IP" = "%system%\rfkampig.exe"
in the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Sets the value: "StartPage" = "%windows%\pig.htm"
in the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_USERS\.Default\SOFTWARE\Microsoft\Internet Explorer\Main
so that the obscene message is the default start page for Internet Explorer.

May leave behind a file in the root of the C: drive, named killme.bat.

Use RegRun Startup Optimizer to remove it from startup.

rlid.exe
Added as a result of the LIXY virus.

Backdoor.Lixy is a Backdoor Trojan Horse that opens a proxy server on TCP port 1080.
Backdoor.Lixy consists of one .dll file and two .exe files.

The file names are usually the following:
- Rlid.exe: For setting up and running other Trojan files.
- Lid.exe: Contains the main routine of the backdoor.
- Lid.dll: A malicious Browser Helper Object that runs Lid.exe.

Backdoor.Lixy performs the following actions:
Adds the value:
"Key1"=""
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan starts when you start Windows.

Adds the following keys in the registry:
HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
HKEY_CLASSES_ROOT\HTMLEdit.SSocks5
HKEY_CLASSES_ROOT\HTMLEdit.SSocks5.1
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks5
HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks5.1
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
which adds Lid.dll as a Browser Helper Object.

Manual removal:
Delete the unneeded registry keys (see above).

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

rmaapp.exe
Remote Access

rnaapp32.exe
Backdoor.Leon allows a hacker to have full remote access to the infected computer.

When it runs, it installs the following files on the computer:
%system%\Msvbvm60.dll
%system%\Mswinsck.ocx
%system%\Rnaapp32.exe

Backdoor.Leon creates the value: Gxbviwvtl %system%\Rnaapp32.exe
under the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and the value: Aqc %system%\RNAAPP32.EXE
under the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Please remove these values with RegRun Startup Optimizer.

rpcmon.exe
W32.Randex.ATX is a network-aware worm that may be remotely controlled using IRC.

Deletes the C$, D$, IPC$, and ADMIN$ shares.
Releases system information and CD keys from the compromised computer via IRC.
Installs an IRC backdoor on the computer.

Drops and executes the file, %Temp%\secure.bat, which deletes the C$, D$, IPC$ and ADMIN$ shares.
Starts a keylogger and logs keystrokes to the file, %System%\Ntfsvi.txt.
The worm will then connect to an IRC server, batwing.gotdns.com, and then listen for commands.

Some of the actions the worm can perform include:

Scanning for computers that have weak administrator passwords and copying itself to those computers.
Collecting the CD keys of many computer games and sending them back to the attacker, using the IRC channel.
Displaying information about the computer, such as the CPU speed and amount of memory.
Performing ping, SYN, and UDP flooding.
Downloading files, which may include updated versions of the worm, and then executing them.
Connecting to Trojan horses on other computers, based on a predetermined list of names. The names to which the Trojan attempts to connect are Kuang, NetDevil, MyDoom, Sub7, and Optix.
Acting as a proxy for SOCKS, HTTP, and TCP connections.

You may use RegRun Startup Optimizer to automatically remove it from startup.

rpcsrv.exe
Lovgate worm (also known as Supnot)
Worm copies have the following names:
rpcsrv.exe, syshelp.exe, winrpc.exe, WinGate.exe, WinRpcsrv.exe
Installs backdoor program to your computer for remote control.
Remove it from startup.

rqkukiwc.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing, "Could not find setuplog.bat", which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, "pkg" being a fixed string. It also copies itself to $windows/unin0686.exe.

rsrcload.exe
Remote Access / ICQ trojan
Sockets des Troie is French for Trojan Sockets and was one of the very first Remote Access trojans to be published.

rsrcnrs.exe
Remote Access

ruler1-3.exe
Remote Access / IP scanner
The trojan displays a fake message stating "This file was corrupted".

rund11.exe
Troj/Domwis-L
Also known as Win32/Wisdoor.L trojan, Backdoor.Wisdoor.h, Backdoor.Domwis
It is an IRC backdoor Trojan that allows a malicious user remote access to an infected computer.

When first run, the Trojan copies itself to the Windows folder as a hidden file named RUND11.EXE.
Sets the following registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Kaspersky Antivirus = \RUND11.EXE

This trojan can delete, download and execute remote files on the infected computer.
Also, it can be used to send files to other IRC users.
The Trojan can be used to flood other computers with internet traffic.
To evade detection, the Trojan can spoof the IP address of the infected computer.
Can steal system information, log keystrokes, create screen and webcam captures and send them to a malicious user.
The Trojan can be used to scan other computers for open ports and for vulnerabilities in web and database servers.

Remove it with RegRun.

rundli32.exe
It appears when you are infected with the Lade virus.

W32.Lade is a worm that spreads through IRC.
It attempts to remove antivirus software installed on the PC and may attempt to format the hard drive partitions C, D, E, F, and G at system restart.
Also known as Backdoor.IRC.Lade

W32.Lade performs the following actions:
1. Drops a copy of itself to %Windir%\System\rundli32.exe.
NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Checks whether mIRC is installed, and if found, drops its own version of Script.ini, which contains code to spread itself by mIRC, to the mIRC folder.

3. Drops the batch file, %Windir%\Winstart.bat, which contains code to remove antivirus software when you restart the computer.

4. Adds values for "w32.BeanLadean.B.worm" to the following registry keys:
HKEY_LOCAL_MACHINE\
HKEY_LOCAL_MACHINE\Software\
HKEY_LOCAL_MACHINE\Software\Microsoft\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

5. Adds the value:
"rundli32"="%Windir%\System\rundli32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

6. May edit C:\Autoexec.bat to attempt to format hard drive partitions C, D, E, F, and G at system restart, depending on circumstances.

Removal instruction:
1. Run a full system scan with your antivirus program.
If any files are detected as infected with W32.Lade, click Delete.

2. Delete the values from the registry.
Find the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Delete the value:
"rundli32"="%Windir%\System\rundli32.exe"

Then go to the keys:
HKEY_LOCAL_MACHINE\
HKEY_LOCAL_MACHINE\Software\
HKEY_LOCAL_MACHINE\Software\Microsoft\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
and delete any values that refer to:
"w32.BeanLadean.B.worm"

rundll16.exe
This is a SubSeven 1.9 trojan:
http://www.norman.com/virus_info/subseve...
or another trojan
http://www.avp.ch/avpve/newexe/win95/zmo...

Recommendation: Suspend it and check your computer with antivirus software.

rundll32.exe c:\program files\commonname\toolbar\cnbabe.dll
Advertising spyware. Remove it.

rundll32.exe reg.dll ondll_reg
Lovgate worm.
Worm.Lovgate (aka Supnot) is a worm spreading via the Internet as an attachment to infected emails. The worm also spreads through local area networks and has a "backdoor" routine. There are several known worm variants which are very similar to each other.
Remove it from startup.

rundll32.vbs
I-Worm.FireBurn
This is an Internet worm that spreads as a VBS file attached to e-mail messages.
To send infected messages, the worm uses MS Outlook. The worm also is able to send its copies to IRC channels by infecting an mIRC client.

To spread to IRC channels, the worm creates a SCRIPT.INI mIRC system file in the mIRC directory (if it is installed).
This file contains a set of instructions that sends the worm file to everybody who enters an infected channel.

The payload routine is activated on June 20th. It disables the keyboard and mouse by modifying the following two system-registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Shut_Up = "rundll32 mouse,disable"
Shut_Up2 = "rundll32 keyboard,disable"

Use RegRun Startup Optimizer for removal.

rundll64.exe
Worm / Mail trojan / Destructive trojan
When executed, the worm pretends to be having problems unpacking itself. On the 31st of every month the trojan tries to delete the C:\ drive.

rundll95.exe
Remote Access / FTP server
It installs a hidden FTP server on the victim's computer.

rundllw.exe
Worm W32/Dumaru.j@MM.
You are infected by e-mail when you click on the attached file.
This worm constructs messages using its own SMTP engine.
Target e-mail addresses are extracted from files on your computer.
A password-stealing trojan is also dropped by the worm:
%WinDir%\GUID32.DLL (4096 bytes)
%WinDir% is c:\windows by default.
Removal:
Delete the following files:
%WinDir%\DLLREG.EXE
%SysDir%\LOAD32.EXE
%SysDir%\VXDMGR32.EXE
%WinDir%\Start Menu\Programs\Startup\RUNDLLW.EXE

%SysDir% is the Windows\System or Windows\System32 folder.

Remove these files from startup.

Read more:
http://vil.nai.com/vil/content/Print1006...

runme.exe
FTP server / Downloading trojan
Downloads a second trojan and then deletes itself.

runsvc32.exe
W32/Agobot-MP is a network worm and an IRC backdoor Trojan.
It establishes an IRC channel to a remote server to give unauthorised access to the compromised computer.
It moves itself into the Windows system folder as RUNSVC32.EXE and creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RunServices = runsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\RunServices = runsvc32.exe

It may attempt to terminate anti-virus and other security-related processes, in addition to other viruses, worms or Trojans.
It may also search for shared folders on a network with weak passwords and copy itself into them.
A text file named HOSTS in C:\ Most of them are antivirus sites.

Please remove it from startup with RegRun Startup Optimizer.

runvxd32.exe
Remote Access / Downloading trojan
Alters System.ini.

Copyright © 1998-2004 Greatis Software