Windows Startup Programs Database - Dangerous - A
The Application Database tells you which Windows startup programs are useful and which are harmful.
The recommended tool for quickly removing useless programs is RegRun Startup Optimizer.
www.startupapps.com



Dangerous 

a.exe
a_s.exe
acid setup.exe
acid.exe
acidkor.exe
acidshivers.exe
a-client2.exe
acpi89.sys
activeds.exe
activex.exe
ad12_cli.exe
ad12_srv.exe
addcls.exe
adidas.worm.exe
admintool.exe
adobes.exe
advapi32.exe
agseyapp.exe
aim reminder.exe
anacon.exe
angel.exe
anoafpan.exe
ante browse trust.exe
anti_cih.exe
antidote[1.2].exe
antidote[1.3].exe
antigen.exe
antinuke.exe
antivirus.exe
apuliaiv.exe
archiver.exe
ariel.exe
arupdate.exe
asian trojan.exe
asmphoto1.exe
asmphoto2.exe
aspam.exe
atira.exe
atomic2.exe
au.exe
au1g.exe
autopoll.exe
av.exe
avguard.exe
avp_updates.exe
avpmonitor.exe
avprotect.exe
avprotect9x.exe
avserve.exe
avserve2.exe
avupdate.exe
awindll.exe
axdist.exe

a.exe
Remote Access
Alters Win.ini.

a_s.exe
Remote Access
Alters Win.ini.

acid setup.exe
Remote Access

acid.exe
Remote Access / FTP server

acidkor.exe
Remote Access
A very basic RAT.

acidshivers.exe
Remote Access

a-client2.exe
Remote Access
Alters Win.ini.

acpi89.sys
Trojan.Win32.KillDisk.f

This Trojan is extremely dangerous.
It installs itself on the system as a driver, and starting from 27th April 2004 it will delete data from the hard disk.

In systems running Windows 9x, the Trojan installs itself as the driver
MSGBS1.VXD

In systems running Windows NT/2000/XP and all subsequent versions, it installs itself as the driver
ACPI89.SYS

The Trojan also creates the following two files:

C:\Program Files\Internet Explorer\fileproc.txt
C:\Program Files\Internet Explorer\filepath.txt

activeds.exe
WORM_OPASERV.T
This memory-resident worm, a member of the OPASERV family of worms, spreads via shared network drives.
Its destructive payloads are executed when the system date is between December 24 and 31 or when the year is greater than 2002.
This worm deletes files, overwrites the boot sector and destroys the CMOS settings.
It also modifies the registry and the configuration file WIN.INI so that it automatically executes at every Windows startup.
It uses a known exploit that enables malicious users to access shared drives, as discussed in a security bulletin from Microsoft.

Removing the following autostart entries from the registry prevents the malware from executing during startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
IASHLPR="%Windows%\IASHLPR.EXE"
FONTVIEW="%Windows%\FONTVIEW.EXE"
MPREXE="%Windows%\MPREXE.EXE"
Scr="%System%\scr.scr"
BIOS1="%Windows%\BIOS1.EXE"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Winsrv="%Windows%\winsrv.exe"
CLICONFG="%Windows%\CLICONFG.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadManager="%Windows%\msload.exe"
ACTIVEDS="%Windows%\ACTIVEDS.EXE"

Use RegRun to automatically remove these registry items.

activex.exe
I-Worm.Calposa.
Stop this process and remove from startup.

ad12_cli.exe
Eavesdropper

ad12_srv.exe
Eavesdropper

addcls.exe
This is an adware component and Internet Explorer homepage hijacker.
What does it do? (This program works with Windows NT/2000/XP only.)
1. It registers dp.dll or dpr.dll.
This file is located in your Windows folder.
2. Changes the Internet Explorer homepage.
3. Adds the "AddClass" or "Class Start" value to the Registry Run
key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
4. Connects to the Internet to get its own updates.
Removal:
Kill "ADDCLASS.EXE" with RegRun Process Manager or with Task Manager.
Unregister "dp.dll" or "dpr.dll" if they exist.
Use this command:
regsvr32 /u dp.dll
Delete all related files.

adidas.worm.exe
W32.Shoes@mm
It is a mass-mailing worm that sends itself to contacts in the Microsoft Outlook address book.
Changes the Internet Explorer Start page to a predetermined Web page, which may be located at one of the following domains:
www.porn-cam.com
www.sleazepit.com

Adds the value: "Adidas.Worm.exe"="%System%\Adidas.Worm.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Sends an email to each entry in the Microsoft Outlook address book.
The email has the following characteristics:

Subject: Re: Here is your FREE porn web site username and password, I got it especially for you. Enjoy..!! ;-)

Body:
User Name : Anonymous Addict
PassWord : PoRnStAr2004
Go to this web site http:/ /18eighteen.com/pt=scrg6606/ then click on
MEMBERS CLICK HERE! and use this free username and password to log on,
Well i think This is the best FREE porn web site i`ve seen in a very long time..!!

Attachment: Adidas.Worm.exe

Use RegRun Startup Optimizer to remove this worm.

admintool.exe
Steals passwords / ICQ trojan

adobes.exe
IRC Trojan.
Stop process and remove it from startup.

advapi32.exe
Y3k trojan

agseyapp.exe
Spyware.GoldenEye is spyware that can:
- Log all keystrokes
- List the names of all running programs
- Take periodic screenshots

Manual removal:

Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: " AGSeyApp" = "\AGSeyApp.exe"

Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs
and delete the values:
C:\\OLEAUT32.DLL = 0x1
C:\\MSCOMCTL..OCX = 0x1
C:\\TabCtl32.ocx = 0x1
C:\\PICCLP32.OCX = 0x1
C:\\GEHP.dll = 0x1

aim reminder.exe
"Trojan.Aol.Buddy"
http://www.viruslist.com/eng/viruslist.h...

anacon.exe
I-Worm.Nocana.a
Nocana is a worm spreading via the Internet as an e-mail file attachment and via P2P file-sharing networks.
The worm contains a backdoor routine that:
- opens full access to disk files and system registry keys
- sends information about the infected computer
- sends cached passwords
- sends the keyboard log
- downloads and executes files from the Web
- changes the display resolution
- runs DoS attacks on several servers

Note that the real .EXE name of the attachment is hidden behind a false .JPG extension (an "extra functionality" of MS Outlook is used to accomplish this deception).
As a result the infected .EXE file is displayed as a .JPG image, but upon opening the attachment it is executed as a true EXE file.

The worm then installs itself to the system, runs its spreading routine and payload.
While installing the worm copies itself to the Windows directory using the name "ANACON.EXE" and registers this file in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run AHU= %SystemDir%\ANACON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Hvewsveqmg = %SystemDir%\ANACON.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cvfjx = %SystemDir%\ANACON.EXE

The Nocana worm also terminates several anti-virus and active firewall processes.
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book.

It also formats the D: drive.
Deletes all files in the current directory (in most cases - Windows system directory).
On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm deletes all *.DLL, *.NLS, *.OCX files in the current directory (in most cases - Windows directory).

Automatic Removal: Use RegRun Startup Optimizer to remove it from startup.

angel.exe
Remote Access

anoafpan.exe
Worm / Virus / Mail trojan
The worm patches Wsock32.dll. Hybris spreads to every address in Outlook. It always checks the language version on the computer and is able to use messages in English, French, Spanish and Portuguese. When spreading, the worm changes the name of its .exe file to another 8 characters. There are at least 32 different plug-ins giving the worm various functions. The plug-ins are encrypted using an asymmetric 128-bit key algorithm and are downloaded from the newsgroup alt.comp.virus together with new encrypted instructions. One of the plug-ins makes Hybris search for SubSeven-infected computers on the Internet and infect them. The worm also probes .zip and .rar archives, renames .exe files to .ex$ and copies itself into the archive using the altered file's name.

ante browse trust.exe
IE toolbar that redirects you to www.Lop.com ("Search The Web").
This is a general search site with many pop-up and advertising windows.

Manual removal:
If this .exe is running, end it and remove the "Stupidmore" directory from C:\Program Files.

anti_cih.exe
Remote Access / Worm / Virus / Trojan dropper / Mail trojan / Downloading trojan
It tries to destroy up to eight different antivirus programs and makes it impossible to mail the AV company or visit its Web-site. Wsock32.dll is patched by the trojan. Whenever the user sends a mail, the trojan will mail another one to the same recipient with an attachment only. May be updated from the Internet.

antidote[1.2].exe
Remote Access / FTP Server

antidote[1.3].exe
Remote Access / FTP Server

antigen.exe
Steals passwords
It sends the stolen information to these three mail addresses: jcrowl@usa.net, uragan@msn.com, and anarch666@iname.com.

antinuke.exe
Remote Access / ICQ trojan
Alters Win.ini.

antivirus.exe
W32/Rbot-IF is a worm which attempts to spread to remote network shares.
The worm also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background.
It may modify the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
It may also attempt to delete the network shares on the host computer.

Manual removal:
Navigate to the keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
and delete the value: AntiVirus Update = antivirus.exe

apuliaiv.exe
Worm / Mail trojan
If the victim's copy of WinZip is not registered, the worm tries to register it. Apulia 4 uses all addresses in Outlook and sends a mail with the subject "Crack for ICQ".

archiver.exe
Keylogger

ariel.exe
Remote Access

arupdate.exe
Adware.AdRoar is a Browser Helper Object that is used to display pop-up advertisements.
In some circumstances, you may see the message:
This module was compiled with a trial version of Delphi. The trial period has expired.

If the file Cpr.dll is found in the System folder, you are infected.
This adware must be manually installed or installed as a component of another program.

Creates the following registry keys:
HKEY_CLASSES_ROOT\cpr.IEHelperOP
HKEY_CLASSES_ROOT\CLSID\{FAC6E0E1-5D45-4907-BC00-302D702DCC73}
HKEY_CURRENT_USER\Software\Cpr
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPR

Periodically contacts iads.adroar.com to download advertisements.
May download and install updated versions of itself.

This threat can be detected only by Symantec products that support expanded threats.
Use RegRun Start Control to remove arupdate.exe and cpr.dll.

asian trojan.exe
Remote Access / Steals passwords
The client also drops a server! The hacker could choose to log passwords only or all text written. One of the functions is to kill antivirus software.

asmphoto1.exe
Mail trojan / Autodialer / ICQ trojan / Steals passwords
It deletes the two system files Regedit.exe and Msconfig.exe.

asmphoto2.exe
Mail trojan / Autodialer / ICQ trojan / Steals passwords
It deletes the two system files Regedit.exe and Msconfig.exe.

aspam.exe
Remote Access
Disguised as a Microsoft anti-spam tool that comes attached to a spoofed mail from the company.

atira.exe
W32.Kotira is a virus that overwrites executable files.
May display the following message:
Your Computer already infected by Atira Worm+virus.

Copies itself as the following:
%System%\Arita.exe
%Windir%\Arita.exe
C:\Program Files\Atira.exe

Adds the value: "System"="C:\Progra~1\Atira.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Attempts to create the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\arita by Lasiaf

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

atomic2.exe
Steals passwords
It steals dial-up passwords and hides them in Rasxnfo.dll, which is encrypted. It sends the file through an SMTP server to the following mail addresses: addr2@server.com, addr3@server.com, majlisb@yahoo.com.

au.exe
I-Worm.Bagle.b
This worm spreads via the Internet as attachments to infected emails.

The infected messages have the following characteristics:

Header:
ID x... thanks
with x being a string of random characters.

Body:
Yours ID x
--
Thank
with x being a string of random characters.

Attachment:
The attachment has a random name, with a file size of 11KB.

The worm copies itself to the Windows system directory under the name 'au.exe'.
Adds the value: "au.exe" = "%system%\au.exe"
to registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Also creates the following registry key:
[HKCU\SOFTWARE\Windows2000] and saves its variables there.
The worm attempts to connect to remote sites, all of which are in some way connected with the Trojan proxy server TrojanProxy.Win32.Mitglieder.
It sends itself to all email addresses found in files on disk.

au1g.exe
Troj/Bancos-N is a Trojan for the Windows platform.
It may come in a self-extracting archive which drops au1g.exe into the current directory.

When activated, the Trojan displays an Internet Explorer dialog box with the title 'Internet Banking - Microsoft Internet Explorer'.
The content of the dialog box is in Spanish and resembles an online banking form of the targeted bank.
Any details entered into this form are emailed out.

Manual removal:
Locate the key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and delete the value whose data is \au1g.exe

autopoll.exe
Remote Access

av.exe
Added as a result of the Trojan.Sinkin.

Trojan.Sinkin is a Trojan Horse that changes the Internet Explorer start and search pages, and sends AOL Instant Messenger information to a remote host.
This Trojan may also display advertisements when you are browsing the Web.

Trojan.Sinkin performs the following actions:
Creates the C:\Av.exe file.

Adds the value:
"Antivirus"="av.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Changes the Internet Explorer search and start pages to realphx.com.

Reads AOL Instant Messenger user data, including the login name and password, from
HKEY_LOCAL_MACHINE\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\
and forwards it to realphx.com.

Executes JavaScripts located on the realphx.com servers to display advertisements while browsing in Internet Explorer.

Automatic removal: Use RegRun Startup Optimizer to remove it from startup.

avguard.exe
W32.Netsky.G@mm
It copies itself to %Windir%\Avguard.exe.

Deletes the values: Taskmon, Explorer, Windows Services Host, KasperskyAV, from the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Some of these registry key values are typically associated with the worms W32.Mydoom.A@mm and W32.Mydoom.B@mm.
The W32.Mimail.T@mm worm may add the registry key value "KasperskyAV."

Deletes some values from the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
such as: System, msgsvr32, DELETE ME, service, Sentry, d3dupdate.exe, au.exe, OLE, gouday.exe etc.

Deletes the registry keys:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

Scans the predefined file types on drives C through Z for email addresses.
Uses its own SMTP engine to send itself to the email addresses it found, sending to each address once.
The email has the following characteristics:
Subject: One of a predefined list.
For example: Re: Your website

Body: (One of the following)
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attachment: One of a predefined list.
For example: Re: mp3music.pif

Manual removal:
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Special Firewall Service" = %WinDir%\avguard.exe -av service

avp_updates.exe
Remote Access / Worm / Virus / Trojan dropper / Mail trojan / Downloading trojan
It tries to destroy up to eight different antivirus programs and makes it impossible to mail the AV company or visit its Web-site. Wsock32.dll is patched by the trojan. Whenever the user sends a mail, the trojan will mail another one to the same recipient with an attachment only. May be updated from the Internet.

avpmonitor.exe
Name: Shorm
Worm / Steals passwords / Network trojan
Propagates to all shared disks. Autostarts from the Windows Startup directory. Passwords and user names are mailed to two addresses in Russia. The .exe file is compressed with ASPack. It connects to a Web page in Russia, both to receive IP addresses to scan and to update itself.

avprotect.exe
W32.Netsky.L@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

Copies itself as %Windir%\AVprotect.exe.

Adds the value:
"HtProtect"="%Windir%\AVprotect.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.

Retrieves email addresses from the files that have these extensions:
.adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .jsp .msg .oft .php .pl .rtf
.sht .shtm .tbb .txt .uin .vbs .wab .wsh .xml

The email has the following characteristics:
From:

Subject: The subject is one of the following:
Re: Important
Re: Your document
Re: Your details
Re: Approved

Message: The message is one of the following:

Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.

Attachment: The attachment is one of the following:
your_file_%s.pif, details_%s.pif, document_%s.pif, %s.pif
where %s is the portion of the "To" address before the "@".

Manual removal:
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value:
"HtProtect"="%Windir%\AVprotect.exe"

Automatic Removal:
Use RegRun Startup Optimizer to remove it from startup.

avprotect9x.exe
I-Worm.Netsky.m worm spreads via the Internet as an attachment to infected messages.
The worm scans all disks for files with predefined extensions and sends copies of itself to email addresses harvested from these files.
Copies itself to the Windows directory as Avprotect9x.exe.
The worm opens a group of several ports. The port numbers are increased incrementally across the whole group every few seconds.

Manual removal:
Find and delete the value in the system registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
9xHtProtect = \AVprotect9x.exe

avserve.exe
Worm.Win32.Sasser.a
Sasser is an Internet worm that exploits the MS Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
Microsoft released a patch for this vulnerability on April 13, 2004, while Sasser.a was first detected on April 30, 2004.
Sasser operates in a very similar manner to Lovesan, except that Lovesan exploited a vulnerability in the RPC DCOM service, not the LSASS service.
Sasser infects computers running Windows 2000, Windows XP and Windows Server 2003.
Sasser runs on all other versions of Windows but is unable to infect them by attacking via the vulnerability.
An attacked system shows an error message about the LSASS service failing, which usually also causes the system to reboot.
Sasser creates the file 'win.log' in the root directory of drive C, where the worm records the IP addresses of all attacked machines.

Copies itself into the Windows root directory under the name avserve.exe
and registers this file in the system registry autorun key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve.exe" = "%WINDIR%\avserve.exe"

Use RegRun Startup Optimizer to remove this worm.
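Nearly every removal procedure on this page (activeds.exe, addcls.exe, adidas.worm.exe, agseyapp.exe, anacon.exe, antivirus.exe, atira.exe, au.exe, au1g.exe, av.exe, avguard.exe, avprotect.exe, avprotect9x.exe and avserve.exe) comes down to the same three registry locations, the Run and RunServices keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, plus the run= and load= lines of win.ini that the "Alters Win.ini" trojans use. The script below is an added example, not part of this database or of RegRun: it takes the text of a registry export (as produced by `reg export`) and the [windows] section of win.ini from a suspect machine and lists the autorun values whose program name appears in this page's list. Working from an export rather than the live registry lets it run on any platform, including against a disk image. The .reg and win.ini contents are constructed for the example, only REG_SZ values are parsed (hex(2): REG_EXPAND_SZ lines are skipped), and the name list is a subset of this page's entries.

```python
"""Find startup entries from this page's list in an exported registry
listing and in win.ini.  Added example; not part of the RegRun database.
Input is the text of `reg export <key> out.reg` (REG_SZ values only) and
the [windows] section of win.ini; both samples below are constructed."""
import ntpath
import re

# Autorun locations the entries on this page use to survive a reboot.
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)}

# Image names taken from this page's "Dangerous - A" list (a subset).
DANGEROUS_IMAGES = {
    "a.exe", "activeds.exe", "addcls.exe", "adidas.worm.exe", "anacon.exe",
    "antivirus.exe", "atira.exe", "au.exe", "av.exe", "avguard.exe",
    "avprotect.exe", "avprotect9x.exe", "avserve.exe", "avserve2.exe",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_SZ_RE = re.compile(r'^"([^"]*)"="(.*)"$')   # REG_SZ only; hex(2): is skipped

def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _SZ_RE.match(line)
        if m and key is not None:
            # .reg files double backslashes and escape quotes; undo that.
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group(1), data

def image_name(data):
    """Lower-case file name of the program a Run value starts, ignoring a
    quoted path, trailing arguments and prefixes such as %WinDir%."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def find_dangerous(reg_text, dangerous=DANGEROUS_IMAGES):
    """Autorun values whose image name is in the dangerous set."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        img = image_name(data)
        if img in dangerous:
            hits.append({"key": key, "value": name, "image": img, "data": data})
    return hits

def winini_autoruns(ini_text):
    """Programs started by the run= and load= lines of win.ini [windows],
    the mechanism behind the "Alters Win.ini" entries on this page."""
    progs, in_windows = [], False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            continue
        if in_windows and "=" in s:
            k, v = s.split("=", 1)
            if k.strip().lower() in ("run", "load"):
                progs += [p for p in re.split(r"[\s,]+", v.strip()) if p]
    return progs

# Constructed sample input, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve.exe"="C:\\WINDOWS\\avserve.exe"
"HtProtect"="C:\\WINDOWS\\AVprotect.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Antivirus"="av.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ACTIVEDS"="C:\\WINDOWS\\ACTIVEDS.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CPR]
"DisplayName"="CPR"
'''

SAMPLE_WININI = """[windows]
load=
run=c:\\windows\\a.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for h in find_dangerous(SAMPLE_REG):
        print(f'{h["key"]}  "{h["value"]}" -> {h["image"]}')
    print("win.ini:", winini_autoruns(SAMPLE_WININI))
```

Matching on the program name alone is deliberately simple: it catches the common case where the worm keeps the name listed above (avserve.exe, AVprotect.exe, av.exe), but a renamed sample slips through and a legitimate program that happens to share a name is flagged, which is why each entry on this page also records the value name it uses. Values exported as hex(2): (REG_EXPAND_SZ) are not parsed and should be checked by hand.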

avserve2.exe
Worm.Win32.Sasser.b
This worm spreads via the Internet using a vulnerability in the Microsoft Windows LSASS service.
The vulnerability is described in Microsoft Security Bulletin MS04-011, which can be found at:
http://www.microsoft.com/technet/securit...

When launching, the worm registers itself in the system registry autorun key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avserve2.exe = %WINDIR%\avserve2.exe

The worm scans IP addresses, searching for computers which have the vulnerability described in MS04-011.
On a vulnerable computer the exploit launches a command shell ("cmd.exe") listening on TCP port 9996, which then accepts commands to download and launch a copy of the worm.

Downloading is carried out via the FTP protocol.
For this purpose the worm runs an FTP server on TCP port 5554 and, on request from the victim computer, serves a copy of itself.
The copy of the worm is saved under the name "_up.exe", where "_" is a random number.

To remove this worm you can download free utility from www.kaspersky.com
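The avserve.exe and avserve2.exe entries describe a three-step hand-off: the worm scans for hosts vulnerable to MS04-011, the exploit starts a shell on TCP port 9996 of the victim, and the victim is then told to fetch the worm from the attacker's FTP server on TCP port 5554. That sequence shows up in perimeter or host firewall logs even without a signature for the exploit itself. The script below is an added example, not part of this page or of RegRun. It reads constructed firewall log lines in a hypothetical "timestamp src:port -> dst:port ACTION" format, reports a source as a scanner when it touches TCP 445 on many distinct hosts (445 is the SMB port the LSASS exploit travels over; that port is not stated on this page), and reports a (source, victim) pair as a confirmed propagation when a connection to victim:9996 is followed by the victim connecting back to source:5554.

```python
"""Spot Sasser-style propagation in firewall logs.  Added example, not part
of this page or of RegRun.  Log lines use a hypothetical format
"<timestamp> <src>:<sport> -> <dst>:<dport> <ACTION>"; the sample is
constructed."""
import re
from collections import defaultdict

SASSER_SHELL_PORT = 9996   # shell the exploit opens on the victim (from the page)
SASSER_FTP_PORT = 5554     # worm's FTP server on the attacker (from the page)
LSASS_PORT = 445           # SMB, carries the MS04-011 exploit (not on the page)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) (?P<action>[A-Z]+)$")

def parse_log(lines):
    """Parse lines in the format above; anything else is ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            events.append(e)
    return events

def find_sasser(events, scan_threshold=20):
    """events must be in time order.
    scanners: sources that hit TCP 445 on >= scan_threshold distinct hosts,
    counted whether or not the firewall allowed the connection.
    propagation: (attacker, victim) pairs where attacker -> victim:9996 was
    followed by victim -> attacker:5554, i.e. the victim fetching <n>_up.exe."""
    targets445 = defaultdict(set)
    shells = set()
    propagation = []
    for e in events:
        if e["dport"] == LSASS_PORT:
            targets445[e["src"]].add(e["dst"])
        elif e["dport"] == SASSER_SHELL_PORT:
            shells.add((e["src"], e["dst"]))
        elif e["dport"] == SASSER_FTP_PORT and (e["dst"], e["src"]) in shells:
            pair = (e["dst"], e["src"])
            if pair not in propagation:
                propagation.append(pair)
    scanners = sorted(s for s, t in targets445.items() if len(t) >= scan_threshold)
    return {"scanners": scanners, "propagation": propagation}

def analyze(lines, scan_threshold=20):
    return find_sasser(parse_log(lines), scan_threshold)

# Constructed log: 10.0.0.5 sweeps port 445, exploits 10.0.0.9, which then
# fetches the worm from 10.0.0.5:5554.  10.0.0.7 touches 9996 with no
# callback and 10.0.0.20 is an ordinary SMB client; neither is reported.
SAMPLE_LOG = [
    f"2004-04-30T10:00:{i:02d} 10.0.0.5:{1000 + i} -> 10.0.1.{i}:445 DROP"
    for i in range(25)
] + [
    "2004-04-30T10:01:00 10.0.0.5:1100 -> 10.0.0.9:445 ALLOW",
    "2004-04-30T10:01:01 10.0.0.5:1101 -> 10.0.0.9:9996 ALLOW",
    "2004-04-30T10:01:02 10.0.0.9:1034 -> 10.0.0.5:5554 ALLOW",
    "2004-04-30T10:02:00 10.0.0.7:2000 -> 10.0.0.9:9996 ALLOW",
    "2004-04-30T10:03:00 10.0.0.20:3000 -> 10.0.0.2:445 ALLOW",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The scanner count includes dropped connections on purpose: a host sweeping a /24 on port 445 is worth a look whether or not the firewall let it through, and on the page's own timeline (patch on April 13, worm on April 30) the sweep is often the first sign. The 9996-then-5554 pairing is the stronger signal, since a normal host has no reason to run an FTP client against a peer on 5554 right after that peer connected to it on 9996.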

avupdate.exe
Worm / Destructive trojan
Overwrites all files on the computer except the running programs. Tricks the user into entering a mail address and then propagates using any MAPI-capable mail client.

awindll.exe
Steals passwords

axdist.exe
Remote Access / Destructive trojan / Virus dropper
It copies itself to c:\recycled to avoid detection by some antivirus programs.

Copyright © 1998-2004 Greatis Software