Windows Startup Programs database Startup Programs - Dangerous - C
The Application Database tells you which Windows startup programs are useful and which are harmful.
The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer.
www.startupapps.com



Dangerous 

cabchk32.exe
cafe08pl.exe
cafeclnt.exe
cafeini.exe
cafeiniclient.exe
cafeiniconfig.exe
cafeiniserver.exe
calc.exe
californ.exe
card.exe
cari.scr
casper.exe
cavapsvc.exe
caznovas.exe
cc invader.exe
cc invader2.exe
ccapp32.exe
ccc.exe
cdeztks.exe
cenik.exe
cfg95.exe
cfgwiz32.exe
cgtask.exe
chainsaw.exe
chart.vbs
cheatle.exe
chestburst.exe
chupacabra.exe
cih.exe
cihost.exe
clhost.exe
click_me!.exe
clie.exe
client _1_3.exe
client(beta).exe
client_12_pw.exe
cliente.exe
clienttrinno.exe
cmctl32.exe
comaclient.exe
command.exe
command32.exe.vbs
commdlg.vbs
compiled.exe
compiler.exe
comserv.exe
confgldr.exe
configuration.exe
configurator.exe
conftroj.exe
connection.exe
cooler1.exe
cooler3.exe
copier.exe
cowclient.exe
cowserver.exe
crazzynet375.exe
crazzynet50.exe
creadisk.exe
cryptuue.exe
csass.exe
cserver.exe
csmctrl32.exe
csrrs.exe
csrss.exe
cssrs.exe
csystime.exe
ctels.exe
cthonic.vbs
cupid2.exe
cure.exe
cvhost.exe

cabchk32.exe
This is Trojan program Trojan.Gema.
Read more:
http://securityresponse.symantec.com/avc...
Remove it from startup by RegRun Startup Optimizer.

cafe08pl.exe
Remote Access
It kills more than 20 antivirus programs in memory, as well as four dedicated anti-trojan products. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program's place in the Registry. The server is automatically updated over HTTP.

cafeclnt.exe
Remote Access
It kills more than 20 antivirus programs in memory, as well as four dedicated anti-trojan products. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program's place in the Registry. The server is automatically updated over HTTP.

cafeini.exe
Remote Access
It kills more than 20 antivirus programs in memory, as well as four dedicated anti-trojan products. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program's place in the Registry. The server is automatically updated over HTTP.

cafeiniclient.exe
Remote Access
It kills more than 20 antivirus programs in memory, as well as four dedicated anti-trojan products. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program's place in the Registry. The server is automatically updated over HTTP.

cafeiniconfig.exe
Remote Access
It kills more than 20 antivirus programs in memory, as well as four dedicated anti-trojan products. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program's place in the Registry. The server is automatically updated over HTTP.

cafeiniserver.exe
Remote Access
It kills more than 20 antivirus programs in memory, as well as four dedicated anti-trojan products. The trojan can redirect ports and connect to several servers at the same time. It can also be used as a port scanner. Cafeini can also take another program's place in the Registry. The server is automatically updated over HTTP.

calc.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide which autostart method to use. Produces an error message while installing, "Could not find setuplog.bat", which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, "pkg" being a fixed string. It also copies itself to $windows/unin0686.exe.

californ.exe
Remote Access / Exe-infector
The whole package comes with a server, an exe infector, a remover and two jokes. The first joke program, Californ.exe makes all the windows on the screen shake and move around. The second program, gravedad.exe displays a picture of the screen flipped.

card.exe
Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)

cari.scr
I-Worm.MyLife.b
It is a worm that spreads via the Internet as an e-mail attachment.
When the worm is launched for the first time it shows a window with a picture.
While installing, the worm copies itself to the Windows system directory under the name "cari.scr" and registers this file in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run win=%SYSTEM%\cari.scr
To send infected messages the worm uses Microsoft Outlook; it sends messages to all addresses found in the Microsoft Outlook Address Book.
The worm also gets victim e-mail addresses from the MSN Messenger e-mail database.
The worm also checks the current time; if the current hour value is 8, it executes its payload routine, deleting the following files: c:\*.*; d:\*.*; e:\*.*; f:\*.*
Also deleted are *.sys files in the Windows directory and *.vxd, *.sys, *.ocx, and *.nls files in the Windows system directory.

Remove it from startup by RegRun Startup Optimizer.

casper.exe
Worm / Mail trojan
Uses several different names for the attachment, which can be mailed by Netscape Mail, MS Outlook or MS Outlook Express.

cavapsvc.exe
Gaobot Trojan.
Spreads in local network via open shares.
It also uses the DCOM RPC vulnerability (ports 135 and 445) and the WebDAV vulnerability (port 80).
Allows the victim computer to be controlled via IRC.
Terminates well-known antivirus software.
Removal:
Install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set strong passwords for network shares.
Use the RegRun "Terminate" feature to erase the virus body files.
They are located in the Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

caznovas.exe
Backdoor.Cazno is a Trojan horse that allows an attacker to control a compromised system.

Copies itself as %System%\CAZNOVAS.exe.

Listens on a configurable port, waiting for the commands from an attacker.
Uses ICQ or IRC to send the attacker information on a compromised system.
The ICQ contact and IRC server are configurable.

Allows the attacker to control the computer and do any of the following:
- Obtain system information
- List/start/stop processes
- Control window functions (show/hide windows)
- Log keystrokes, steal passwords
- Shut down and restart the computer
- Control the Web camera
- Control file system (list, delete, rename, and create files)

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

For manual removal, please delete any value that looks like:
"CAZNOVAS" = "%system%\CAZNOVAS.exe"
in the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

cc invader.exe
Remote Access / FTP server

cc invader2.exe
Remote Access / FTP server

ccapp32.exe
W32.HLLW.Gaobot.gen is a family of worms that infects computers through various exploits.
It also opens backdoors to infected computers through IRC.

The worm does the following:
Copies itself to the %System% folder.
The file names vary, and are often chosen to resemble the names of legitimate Windows system files.
Some examples include Csrrs.exe, Scvhost.exe, and System.exe.

Adds a value in the form
"" = ""
for example:
"Configuration Loader" = "Service.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

May create a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
and add a value in the form:
= "%System%\" -service
For example:
"Configuration Loader" = "%System%\Service.exe" -service

Connects to an IRC server, using its own IRC client, and then listens for commands to do any of the following:
Download and execute files
Steal system information
Send the worm to other IRC users
Add new accounts
Perform Denial of Service (DoS) attacks

Terminates antivirus and firewall software, as well as the process names associated with other worms.

Remove it with RegRun Startup Optimizer.

ccc.exe
FakeVirii trojan

cdeztks.exe
Remote Access / Keylogger / Steals passwords / ICQ trojan / AOL trojan / DoS tool
It alters Wininit.ini and replaces explorer.exe with explorer.e. It may also infect Awadrp32.exe, Mkcompat.exe and Rnaap.exe. You usually notice you are infected because you can no longer reboot or shut down the computer, as the trojan will not shut down. BioNet also makes it impossible to reboot to DOS mode to delete the trojan. It evades antivirus and firewall programs. Every server sent out can be unique, with combinations of more than 50 different features chosen using the server builder. Using CGI scripts the trojan can do almost anything. Because of this, manual removal instructions may not be totally reliable. The server is distributed in an uncompressed version, to allow anyone to use a compressor of his choice. Using a scheduler, the hacker can activate the server to make contact on a specific day. BioNet is able to attack other servers with a large number of IGMP packets, using all available bandwidth. From v3.09 it supports plug-ins from other coders.

cenik.exe
Worm / Mail trojan
The worm's .exe file is distributed in a compressed format and uses one of twenty names at random. Hermes contacts "http://www.seznam.cz", but there is nothing there. It also tries to register, but fails to do so because of a bug. It propagates twice to all addresses in Outlook. In several versions the code is packed using UPX.

cfg95.exe
Remote Access / Steals passwords
Alters Win.ini (v 2.0).

cfgwiz32.exe
Remote Access / Hidden IP-Scanner
The trojan is able to decrypt cached passwords.

cgtask.exe
This is SOBIG worm.
Read full information at:
http://www.lurhq.com/sobig-e.html
Remove it from startup by RegRun Startup Optimizer.

chainsaw.exe
Worm / Network trojan / DoS tool / Destructive trojan
Alters Win.ini. The worm propagates using shared drives. After completing an installation it sends a message to the newsgroup "alt.horror". It also tries to connect to computers with SubSeven or NetBus installed. Kills the ZoneAlarm firewall.

chart.vbs
I-Worm.Gigger
JS.Gigger.A@mm is a worm written in JavaScript. It uses Microsoft Outlook and mIRC to spread.
It infects .html files.
Attempts to delete all files on the computer and to format drive C if the computer is successfully restarted.

JS.Gigger.A@mm arrives as an email message that has the following characteristics:

Subject: Outlook Express Update
Message: MSNSofware Co.
Attachment: Mmsn_offline.htm

If the worm is executed, it does the following:
It drops the following files:
C:\Bla.hta
C:\B.htm
C:\Windows\Samples\Wsh\Charts.js
C:\Windows\Help\Mmsn_offline.htm

Next, it drops a Script.ini file to spread itself by mIRC. Norton AntiVirus (NAV) detects the infected Script.ini as IRC.Worm.gen.

The worm then creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0
and adds the value:
NAV DefAlert %Windows%\SAMPLES\WSH\Chart.vbs.
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Next, the worm searches network drives and copies itself as \Windows\Start Menu\Programs\StartUp\Msoe.hta

Manual removal:
In a file c:\autoexec.bat look for the formatting line.
If it exists, delete the entire line.

Then navigate to the following key in the system registry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the following value:
NAV DefAlert
Navigate to and delete the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout
HKEY_CURRENT_USER\Software\TheGrave\badUsers\v2.0

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

cheatle.exe
W32.HLLP.Shodi.B is a virus that prepends itself to the files that have a .exe extension.
The backdoor is configured to listen on TCP ports 6351 and 6352.
Searches for the files that have the .exe extensions on all the hard drives, starting with drive C.
The worm searches all the folders on the hard drive, except those with the following names: Windows; System; System32
It does not infect the files that have the following names: IEXPLORE.EXE; ccApp.exe; ccRegVfy.exe
Prepends itself to some of the files that it finds.

See also GigaByte.exe in RegRun database.
Please remove this worm with RegRun Startup Optimizer.

chestburst.exe
Worm / Mail trojan
Uses several different names for the attachment, which can be mailed by Netscape Mail, MS Outlook or MS Outlook Express.

chupacabra.exe
Remote Access / Destructive trojan
Alters Win.ini.

cih.exe
Worm / Mail trojan
The worm's .exe file is distributed in a compressed format and uses one of twenty names at random. Hermes contacts "http://www.seznam.cz", but there is nothing there. It also tries to register, but fails to do so because of a bug. It propagates twice to all addresses in Outlook. In several versions the code is packed using UPX.

cihost.exe
Trojan.Linst attaches itself to Internet Explorer and sends information to a Web server.

When Trojan.Linst is executed, it does the following:
Creates the following files in the current folder, %Windir% and %System32%:
Zlib.dll: A legitimate library file
Groups.txt: A configuration file
Links.txt: A configuration file
HttpReq.dll: A legitimate library file
Dlinsth.dll: Detected as Trojan.Linst
Dlinst0.dll: Detected as Trojan.Linst
Bho.dll: An adware detected as Adware.IEHelperPage

Adds the value:
"cihost.exe"="%windir%\cihost.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.

Loads the adware - Bho.dll.
Loads Dlinsth.dll that passes information back to http:/ /x-fuck.net, including:
- Software installed
- Environment variables
- System settings
Depending on the results returned by the Web server, advertisements may be displayed.

Use RegRun Startup Optimizer to remove it from startup.

clhost.exe
Asylium.0.1.3 Trojan

click_me!.exe
Worm / Mail trojan
The worm's .exe file is distributed in a compressed format and uses one of twenty names at random. Hermes contacts "http://www.seznam.cz", but there is nothing there. It also tries to register, but fails to do so because of a bug. It propagates twice to all addresses in Outlook. In several versions the code is packed using UPX.

clie.exe
Distributed DoS tool
Is able to connect to three computers and send 65,000-byte ICMP floods.

client _1_3.exe
Remote Access / FTP server / CQ trojan
InCommand can bind (join or wrap) its server to any other .exe file, and can also add extra length to it to avoid searches for a specific file length. It uses self-installing plug-ins to add features to the trojan and has thousands of icons stored inside the EditServer file.

client(beta).exe
Remote Access / Steals passwords
Also has a function called "Burn Monitor". This option constantly resets the screen resolution.

client_12_pw.exe
Remote Access / FTP server / CQ trojan
InCommand can bind (join or wrap) its server to any other .exe file, and can also add extra length to it to avoid searches for a specific file length. It uses self-installing plug-ins to add features to the trojan and has thousands of icons stored inside the EditServer file.

cliente.exe
Remote Access

clienttrinno.exe
Distributed DoS tool
Is able to connect to three computers and send 65,000-byte ICMP floods.

cmctl32.exe
Remote Access / FTP server

comaclient.exe
Remote Access

command.exe
Steals passwords / AOL trojan
Alters Win.ini and System.ini. Steals passwords from AOL accounts and sends them to one of several Hotmail addresses.

command32.exe.vbs
VBS.Nevesc virus
It spreads via IRC channels.
Executes
C:\windows\shell32.vbs
or
C:\Program Files\Internet Explorer\Plugins\command32.exe.vbs
Kill it.

commdlg.vbs
Moridin
This is a multi-platform virus infecting Win32 systems.
The virus infects Win32 executable files and MS Word documents, spreads via e-mail and IRC channels, and also infects the local network.
The virus also has Backdoor ability:
- opens and closes CD door
- downloads and spawns a file
- terminates itself (backdoor routine)
- displays a message, the message box headline contains some text

The virus can be found in several forms:
- infected PE EXE file
- EXE helper
- infected Word documents
- VBS script
- IRC scripts
While spreading via e-mail through the network and IRC channels, the worm names its copies as: CRACK.EXE, PACKED.EXE, SETUP.EXE, NETX.EXE, and INIT.EXE.

The COMMDLG.VBS file contains VBScript that spreads the virus on the Internet via e-mail: it connects to MS Outlook, obtains all addresses from the Address Book and sends its copy (the PACKED.EXE file) attached to the message.
The virus then modifies the system registry keys.
The virus deletes the following anti-virus data files:
CHKLIST.MS CHKLIST.DAT CHKLIST.CPS CHKLIST.TAV AGUARD.DAT AVGQT.DAT ANTI-VIR.DAT SMARTCHK.MS SMARTCHK.CPS IVP.NTZ AVP.CRC
The virus also disables the macro-virus protection in the system registry, as well as looks for anti-virus memory resident programs and terminates them:
AVP Monitor
Amon Antivirus Monitor
Norton AntiVirus Auto-Protect Trial Version
Norton AntiVirus Auto-Protect

Use RegRun Startup Optimizer to remove it from startup.

compiled.exe
Remote Access

compiler.exe
Remote Access

comserv.exe
Remote Access

confgldr.exe
W32.Gaobot.gen!poly is a worm that attempts to spread through network shares with weak passwords and allows attackers to access an infected computer using a specific IRC channel.
Allows an attacker to remotely control a compromised computer and perform any of the following actions:
- Download and execute files
- Steal system information
- Harvest email addresses
- Steal CD keys for various games

Also Known As: W32.HLLW.Polybot, Phatbot, W32/Polybot.l!irc [McAfee], WORM_AGOBOT.HM [Trend], Backdoor.Agobot.hm [Kaspersky]

Copies itself as one of the following files:
%System%\soundman.exe
%System%\confgldr.exe
%System%\spoolsvc.exe

Adds one of the following values:
"^`d}qZxu" = "~`d}qzxu3zYF"
"Configuration Loader"="confgldr.exe"
"Video Process"="sysconf.exe"
"Service Host Process"="spoolsvc.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Creates a service for the worm with one of the following names and sets it to automatically run on startup:
Configuration Loader, SoundMan, Service Host Process

Hides all the files that contain the word "soun."

May change the %System%\drivers\etc\hosts file with some lines.
Attempts to spread to other systems by exploiting vulnerabilities.
Ends processes associated with antivirus and firewall software.
Attempts to delete the files and registry values associated with other worms.

Use RegRun Startup Optimizer to remove it from startup.
For more information on locating and removing this worm, see:
http://securityresponse.symantec.com/avc...

configuration.exe
Remote Access / Downloading trojan
The default file downloaded by the trojan is The Infector (they are written by the same person). This could easily be changed to any file anywhere on the Web. The perpetrator just enters the URL where the wanted trojan is, and his ICQ UIN to receive notification when the infected user is online. The sender is able to destroy WebDownloader after it has downloaded its trojan file.

configurator.exe
Mail trojan / Autodialer / ICQ trojan / Steals passwords
It deletes the two system files Regedit.exe and Msconfig.exe.

conftroj.exe
Remote Access

connection.exe
Remote Access / Virus dropper / Virus
Virusserver actually binds to other .exe files by infecting them.

cooler1.exe
Worm / Mail trojan
Uses several different names for the attachment, which can be mailed by Netscape Mail, MS Outlook or MS Outlook Express.

cooler3.exe
Worm / Mail trojan
Uses several different names for the attachment, which can be mailed by Netscape Mail, MS Outlook or MS Outlook Express.

copier.exe
Worm / Mail trojan
Uses several different names for the attachment, which can be mailed by Netscape Mail, MS Outlook or MS Outlook Express.

cowclient.exe
Remote Access

cowserver.exe
Remote Access

crazzynet375.exe
Remote Access / Steals passwords
Alters Win.ini and System.ini. Comes with a NetScanner to help find infected PCs.

crazzynet50.exe
Remote Access / Steals passwords
Alters Win.ini and System.ini. Comes with a NetScanner to help find infected PCs.

creadisk.exe
Remote Access

cryptuue.exe
Steals passwords / ICQ trojan
Displays a firework and simultaneously starts in the background. Sends the passwords encrypted via e-mail.

csass.exe
W32/Rbot-DS is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.
W32/Rbot-DS spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

Copies itself to the Windows System32 folder as CSASS.EXE and creates the following entries at these locations in the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
LanGuard Auto Updater = csass.exe

May also set the following registry keys:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N
HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1

It will allow a remote user to issue various remote commands, such as launching DoS attacks, deleting remote shares and keylogging.

Remove it with RegRun.

cserver.exe
Remote Access
Includes the LookItUp-tool to test a server host for infection.

csmctrl32.exe
Remote Access / ICQ trojan
Sockets des Troie is French for Trojan Sockets and was one of the very first Remote Access trojans being published.

csrrs.exe
Gaobot Trojan.
Spreads in local network via open shares.
It also uses the DCOM RPC vulnerability (ports 135 and 445) and the WebDAV vulnerability (port 80).
Allows the victim computer to be controlled via IRC.
Terminates well-known antivirus software.
Removal:
Install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set strong passwords for network shares.
Use the RegRun "Terminate" feature to erase the virus body files.
They are located in the Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

csrss.exe
I-Worm.Netsky.ac
This worm spreads via the Internet as an attachment to infected messages, and via shared network resources.

Characteristics of infected messages:
Message header, body and attachment name (with .pif extension) are chosen at random from a predefined list.
The worm uses a direct connection to the SMTP-server to send messages.

The worm copies itself to the Windows directory under the name csrss.exe
and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV
thus attempting to disguise itself as an antivirus working against Bagle.

Also, the worm attempts to delete registry keys created by I-Worm.Bagle.y

Automatic removal:
Use RegRun Startup Optimizer to delete this worm from your machine.

cssrs.exe
WORM_AGOBOT.FX
This is a memory-resident worm. It drops and executes a copy of itself as the file CSSRS.EXE.
It takes advantage of the following system vulnerabilities:
DCOM RPC vulnerability using TCP port 135
RPC Locator vulnerability using TCP port 445
WebDav vulnerability using TCP port 80

Attempts to gain access to specific shared folders on the network using a predefined list of user names and passwords.
Connects to an IRC channel and listens for commands from a remote user.
Allows the malicious user to perform several tasks on the compromised system.
Terminates antivirus processes, firewall programs, and system tools. It runs on Windows NT, 2000, and XP.

Manual removal:
Delete the following entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinFX = "cssrs.exe"
Display Drivers = "cssrs.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
In the right panel, locate and delete the entries:
WinFX = "cssrs.exe"
Display Drivers = "cssrs.exe"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Driver

Also download and install the critical patches from the Microsoft site:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007

Automatic removal: Use RegRun Startup Optimizer to remove it from startup.

csystime.exe
Added as a result of the following virus:
W32.Randex.S is a network-aware worm that attempts to connect to a predetermined IRC server to receive instructions from its author.

It does the following:
Copies itself as the file, %System%\CSysTime.exe.
Calculates a random IP address for a computer that it will try to infect.
Attempts to authenticate itself to the aforementioned, randomly generated IP addresses.
Copies itself to shares that have weak passwords.

Adds the value:
"System time updator"="CSysTime.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Connects to a specific IRC channel on a specific IRC server to receive remote instructions, such as:
ntscan: Performs the scan of a specific computer with weak administrator passwords and copies itself to these machines.
cdkey: Collects CD keys of many popular games and sends them to the IRC channel.
sysinfo: Retrieves the infected machine's information, such as CPU speed, memory, and so on.

Use RegRun Startup Optimizer to remove it from startup.

ctels.exe
Steals passwords
Retrieves the Dial-Up Networking passwords and sends them via e-mail.

cthonic.vbs
I-Worm.Thonic.b
This worm spreads via the Internet as an attachment to infected files.
The worm searches for files with the extensions .exe, .cpl, and .scr.
When infecting these files it writes itself to the end of the files in a section named .DCUbLmd
The worm's code contains errors. It is unable to propagate independently.
A VBS script controls propagation via email.
The executable file infects notepad.exe, and copies itself to the C: root directory as C:\snowboard_accident.avi.[75 spaces]exe

Infected messages:
Subject: Hey check out this funny video my friend sent me !
Message body: Mail Body
Attachment name: C:\snowboard_accident.avi.[75 spaces]exe
The worm uses the Windows MAPI functions to send messages.
When sending infected messages, the worm accesses MS Outlook and sends itself to all addresses harvested from the address book.
It also propagates via mIRC.

Use RegRun Startup Optimizer to automatically remove this worm.

cupid2.exe
Worm / Mail trojan
Uses several different names for the attachment, which can be mailed by Netscape Mail, MS Outlook or MS Outlook Express.

cure.exe
Remote Access

cvhost.exe
Gaobot Trojan.
Spreads in local network via open shares.
It also uses the DCOM RPC vulnerability (ports 135 and 445) and the WebDAV vulnerability (port 80).
Allows the victim computer to be controlled via IRC.
Terminates well-known antivirus software.
Removal:
Install the patches from Microsoft:
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
Set strong passwords for network shares.
Use the RegRun "Terminate" feature to erase the virus body files.
They are located in the Windows\System32 folder.
Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

Free removal tool:
http://securityresponse.symantec.com/avc...

Copyright © 1998-2004 Greatis Software