Windows Startup Programs database Startup Programs - Dangerous - E
The Application Database tells you which Windows startup programs are useful and which are bad.
The recommended tool for quickly removing the useless programs is RegRun Startup Optimizer.
www.startupapps.com



Dangerous 

eastav.exe
easyav.exe
ebxtar.exe
edit-keylogger.exe
editora2.exe
editserver.exe
editsrv1.exe
editsvr.exe
edtsrv.exe
eiexplorer32.exe
emmanuel.exe
encrypt.exe
energy.exe
enterprise.exe
epp32.exe
eps.exe
eps16.exe
eps161.exe
error!.exe
error32_client.exe
error32_server.exe
eschlp.exe
exec.exe
execfg4.exe
exesmasher.exe
expiorer.exe
expl32.exe
exploier.exe
explor.exe
explore.exe
explorer.scr
explupd.exe

eastav.exe
I-Worm.Netsky.t
This worm spreads via the Internet as an attachment to infected emails.

Characteristics of infected messages
Message header (chosen at random from the list below)
Message body (chosen at random from the texts below)
Attachment
A file with a .pif extension and a randomly generated name.

The worm is activated when the user opens the attached file.
Once launched, the worm installs itself to the system and starts propagating.

Copies itself to the Windows directory under the name EastAV.exe and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"EastAV"="%windir%\EastAV.exe"

The worm searches for files with the extensions listed below: adb; asp; cfg; cgi; dbx; dhtm; doc; eml; htm; html; jsp; mbx; mdx; mht etc.
It harvests email addresses from these files and sends copies of itself to all addresses found.
The worm uses its own SMTP library to send messages.

The worm will attempt to conduct DoS attacks on the following sites in accordance with the system clock local settings:
- www.cracks.am
- www.emule.de
- www.freemule.net
- www.kazaa.com
- www.keygen.us

Use RegRun Startup Optimizer to remove it from startup.

easyav.exe
W32.Netsky.S@mm is a mass-mailing worm and a variant of W32.Netsky.R@mm.
It also contains backdoor functionality and may perform Denial of Service (DoS) attacks against specified Web sites.
If the system date is between April 14, 2004 and April 23, 2004, the worm will try to perform a DoS attack against the following Web sites:
www.cracks.am; www.emule.de; www.kazaa.com; www.freemule.net; www.keygen.us

The email has a variable subject line and attachment name. The attachment will have a .pif file extension.

Copies itself as %Windir%\EasyAV.exe.
Creates the file, %Windir%\Uinmzertinmds.opm, which contains a MIME-encoded copy of the worm's executable.

Adds the value:
"EasyAV"="%Windir%\EasyAV.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Listens on port 6789. If the attacker sends an executable file to an infected computer, the worm will save it as .exe, and then execute that file.

Scans and retrieves email addresses from the files with some extensions.
If the system date is not April 2004, or if it is and the day is less than 14 or greater than 16, the worm will attempt to use its own SMTP engine to send itself to all the email addresses that it finds.

Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "EasyAV"="%windir%\EasyAV.exe"

ebxtar.exe
W32/Rbot-IC.
It is a worm which attempts to spread to remote network shares and allows unauthorised remote access to the computer via IRC channels.
It spreads to network shares with weak passwords and via network security exploits.

Copies itself to the file ebxtar.exe in the Windows system folder and creates entries at the following locations in the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
with the value: BIOS XP Loader = ebxtar.exe

Use RegRun Startup Optimizer to automatically remove it from startup.

edit-keylogger.exe
Keylogger / ICQ trojan
Notifies via ICQ.

editora2.exe
Remote Access
Alters Win.ini.

editserver.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide which autostart method to use. While installing, it produces the error message "Could not find setuplog.bat", a file which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, "pkg" being a fixed string. It also copies itself to $windows/unin0686.exe.

editsrv1.exe
Remote Access / ICQ trojan
Version 1.6 autoloads through changes in System.ini and Win.ini. 1.5 uses Registry and System.ini to autoload.

editsvr.exe
Remote Access
Puts up a box, allegedly from the NSA, stating that the program will scan the hard disk for pirated software.

edtsrv.exe
Remote Access

eiexplorer32.exe
W32/Sdbot-NX is a worm which attempts to spread to remote network shares. The worm also contains backdoor functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
Read more:
http://www.sophos.com/virusinfo/analyses...
Remove it from Windows startup.

emmanuel.exe
Worm / Mail trojan / Destructive trojan
When executed, Navidad displays an Error box with the text "UI". After the user has pushed OK, a blue eyes icon is placed in the Taskbar. Due to a mistake on the author's side, when it writes to Hkey_Classes_Root, the system may crash and become unusable. Suppresses the running of any .exe files. Reads incoming mails and sends itself back in return.

encrypt.exe
Remote Access

energy.exe
Worm / Mail trojan
The worm's .exe file is distributed in a compressed format and uses one of twenty names chosen at random. Hermes contacts "http://www.seznam.cz", but there is nothing there. It also tries to register, but fails to do so because of a bug. It propagates twice to all addresses in Outlook. In several versions the code is packed using UPX.

enterprise.exe
Remote Access

epp32.exe
Remote Access / Keylogger / ICQ trojan

eps.exe
Steals passwords / ICQ trojan
Displays a firework and simultaneously starts in the background. Sends the passwords encrypted via e-mail.

eps16.exe
Steals passwords / ICQ trojan
Displays a firework and simultaneously starts in the background. Sends the passwords encrypted via e-mail.

eps161.exe
Steals passwords / ICQ trojan
Displays a firework and simultaneously starts in the background. Sends the passwords encrypted via e-mail.

error!.exe
Worm / Destructive trojan / Mail trojan / Network trojan
Alters Win.ini. Partial trojan, partial worm. Destroys files ending with .h, .c, .cpp, .asm, .doc, .ppt, or .xls. ExplorezipB is a compressed version of this worm. Can propagate through networks with shared disks.

error32_client.exe
Remote Access

error32_server.exe
Remote Access

eschlp.exe
W32.Blaster.T.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The worm targets only Windows 2000 and Windows XP computers. W32.Blaster.T.Worm does not have a mass-mailing functionality.
For additional information, read the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."
We recommend that you block access to TCP port 4444 at the firewall level. Also block the following ports if you do not use either DCOM RPC or TFTP:

The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com).
This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
Changes the Internet Explorer start page to http:/ /www.getgood.biz.
Also Known As: W32/Blaster-G, WORM_MSBLAST.I, W32/Blaster.worm.k

Copies itself as the following files:
%System%\eschlp.exe
%System%\svchosthlp.exe

Adds the values:
"Helper" = "%System%\eschlp.exe /fstart"
"MSUpdate" = "%System%\svchosthlp.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creates the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Sysuser

Automatic removal:
Use RegRun Startup Optimizer to remove this worm from your computer.

exec.exe
Remote Access

execfg4.exe
W32/Forlorn-D is a peer-to-peer (P2P) worm that spreads through the KaZaA and Morpheus network sharing utilities.
When first executed, the worm copies itself as EXECFG4.EXE in the Windows folder and sets the following registry entry to the path of this copy, so that the worm is executed when Windows is restarted:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\execfg4

The worm queries the following registry entries searching for a folder that is shared across the KaZaA and Morpheus networks:
HKLM\Software\Kazaa\LocalContent
HKLM\Software\Morpheus\LocalContent
HKCU\Software\Kazaa\LocalContent
HKCU\Software\Morpheus\LocalContent
If a value is not found then the folder C:\\SysConfig is used.

Seventy-three copies of the worm are created in this folder with different filenames, such as:
[DiVX] Harry Potter And The Sorcerors Stone Full Downloader.exe
Age of empires 2 crack.exe
Borland Delphi 6 Key Generator.exe
Britney spears nude.exe
DivX codec v6.0.exe
GTA3 crack.exe
Microsoft Windows XP crack pack.exe
Windows XP serial generator.exe
Winrar + crack.exe
ZoneAlarm Firewall Full Downloader.exe

Use RegRun Startup Optimizer for removal.

exesmasher.exe
Remote Access / FTP server / ICQ trojan
InCommand can bind (join or wrap) its server to any other .exe file, and can also add extra length to it to avoid searches on specific file length. It uses self-installing plug-ins to add features to the trojan and can thousands of icons stored inside the EditServer file.

expiorer.exe
Remote Access / FTP server

expl32.exe
Remote Access / Hidden IP-Scanner
The trojan is able to decrypt cached passwords.

exploier.exe
I-Worm.Lovgate.ah spreads via the Internet as an attachment to infected messages.
May also create several copies of itself in the root directory of all accessible disks in ZIP format. The copies will be saved under random names.
If the worm finds the P2P client Kazaa on the victim machine, it will copy itself to the file-sharing folder under different names.
The worm attempts to copy itself to all accessible computers which it finds on the local network.
The worm will answer all messages it detects in the 'Incoming' folder by sending an infected email to these addresses.
It also harvests email addresses from files with various extensions.
The worm terminates all processes which contain predefined text in their names.
The worm harvests information about the victim machine and saves it in a file named c:\Netlog.txt which is then sent by email to the worm's author.
It installs a backdoor on TCP port 6000 to receive commands.

Use RegRun to automatically remove this registry item.

explor.exe
Worm / Virus / Trojan dropper / IRC trojan
Alters System.ini. Drops The Thing (= Fix.exe). On December 31st Illen changes three Registry settings.

explore.exe
Remote Access / Trojan dropper
Disguised as a fake game and installs a NetBus Pro server.

explorer.scr
Trojan Worm.Kazaa.Benjamin.
Remove it!

explupd.exe
Steals passwords
At first Ring0 came as an attached file to Winsock Version Checker. When it's active and the computer is connected to the Internet, the trojan searches for proxy servers and tries to send the collected information to an FTP server in Russia.

Copyright © 1998-2004 Greatis Software