Windows Startup Programs database
Startup Programs - Dangerous - F
Home
Features
On-line Guide
Help On-line
Screenshots
Order
Download
Localization
Awards
Support
NI Forum
Mickey Forum
Greatis Forum
Startup Programs
Application Database
Hot!
Download:
RegRun 4.0 beta 2
What's new?
Greatis Home
Subscribe:
The Application Database
suggests you which Windows startup programs are usefual and which are bad.
The recommended tool for quickly removing the useless programs is
RegRun Startup Optimizer
.
www.startupapps.com
Purchase RegRun Suite
Download RegRun Suite
Search Database for:
RegRun
>
Greatis Startup Application Database
> Dangerous >
F
fakeftp_gen.exe
faxmgr.exe
fborfw.exe
fidgfnik.exe
file64.exe
filed.exe
filegui.exe
filename.exe
firewallsvr.exe
fix.exe
fix2001.exe
fix210x.exe
fntldr.exe
fooding.exe
forcedentry11b.exe
freak trojan 2k.exe
freeze.exe
frenzy.exe
fs-backup.exe
fsg.exe
fsg-ag.exe
ftip.exe
ftp99cmp.exe
ftpserver.exe
fun.exe
fvegpyyl.exe
fvprotect.exe
fxp.exe
fakeftp_gen.exe
FTP server
The trojan registers in a way that make .tww- files working as .exe-files.
faxmgr.exe
Name: Shtirlitz
Steals passwords
fborfw.exe
Worm / Mail trojan
Uses several different names to name the attachement, which can be mailed by either Netscape Mail, MS Outlook or MSOutlook Express.
fidgfnik.exe
Worm / Virus / Mail trojan
The worm patches Wsock32.dll. Hybris spreads to every address in Outlook. It always check the language version on the computer and is able to use messages in English, French, Spanish and Portuguese. When spread, the worm changes the name of the .exe file to another 8 characters. It exists at least 32 different plug-ins giving the worm various functions. The plug-ins are encrypted using an asymmetric 128-bit key algarythm and are downloaded från the newsgroup alt.comp.virus together with new encrypted instructions. One of the plug-ins makes Hybris to search for SubSeven infected computers on the Internet and infect them. The worm also probes into .zip and .rar archives, names .exe files to .ex$ and copies itself into the archive using the altered file´s name.
file64.exe
Remote Access
A very basic RAT.
filed.exe
Steals passwords / ICQ trojan
Displays a Firework and simultanlously starts in the backround. Sends the passwords encrypted via e-mail
filegui.exe
Remote Access
A very basic RAT.
filename.exe
Remote Access / Steals passwords
Also has a function called ""Burn Monitor"". This option constantly resets the Screenresolution.
firewallsvr.exe
W32.Netsky.Y@mm is a variant of W32.Netsky.X@mm that scans for the email addresses on all non-CD-ROM drives on an infected computer.
Also Known As: W32/Netsky.y@MM [McAfee], WORM_NETSKY.Y [Trend], Win32.Netsky.Y [Computer Associates], W32/Netsky-X [Sophos]
Copies itself as %Windir%\FirewallSvr.exe.
Adds the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Listens on TCP port 82 for an attacker to send an executable file, and then run it.
If the system date is between April 28, 2004 and April 30, 2004,
the worm will attempt to perform Denial of Service (DoS) attack against the following Web sites: www.nibis.de; www.medinfo.ufl.edu; www.educa.ch
Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.
The email has the following characteristics:
From: (spoofed)
Subject: Delivery failure notice (ID-
)
Message:
--- Mail Part Delivered ---
220 Welcome to
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.
Exim Status OK.
message is available.
where
may be one of:
New
Partial
External
Delivered
Attachment: www.
.
.session-
.com
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
fix.exe
Worm / Virus / Trojan dropper / IRC trojan
Alters System.ini. Drops The Thing (= Fix.exe). On December 31st Illen changes three Registry settings.
fix2001.exe
Worm / Destructive trojan
If corrupted, the worm may drop a destructive trojan that erases the hard drive.
fix210x.exe
Steals passwords
It steals dailup passwords and hides them in Rasxnfo.dll, which is encrypted. It sends the file through a SMTP server to the following mail addresses: addr2@server.com , addr3@server.com, majlisb@yahoo.com.
fntldr.exe
Advare Parasit.
It changes Internet Explorer's search and home pages, redirects network traffic, and displays
browser popup windows.
http://securityresponse.symantec.com/avc...
Remove it by RegRun Startup Optimizer.
fooding.exe
W32.Netsky.I@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.
Copies itself as %Windir%\fooding.exe.
Deletes some values from the registry key (see avguard.exe - W32.Netsky.G@mm)
Scans the files on drives C through Z for email addresses.
Uses its own SMTP engine to send itself to the email addresses it found above, sending to each address once.
The email has the following characteristics:
From: service@yahoo.com
Subject: (One of the following)
Mail account expired
Mail account closed
Mail account deactivated
Body: (One of the following)
Your mail account expired. Please follow the link to reactivate.
Your mail account has been closed. Click on the link for further details.
Your mail account has been deactivated. To reactivate, follow the link.
Attachment:
http:/ /www.[recipient domain]/[user]/index.scr
For example, a message to joe@hotmail.com would have the attachment name http:/ /www.hotmail.com/joe/index.scr.
Manual removal:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Tiny AV"="%Windir%\fooding.exe -antivirus service"
Or use RegRun Startup Optimizer to automatical remove it from the system registry.
forcedentry11b.exe
Remote Access
freak trojan 2k.exe
Distributed DoS tool
Is able to connect to three computers and send 65000 bytes ICMP floods.
freeze.exe
Remote Access
frenzy.exe
Remote Access
fs-backup.exe
FTP server / IRC trojan
Described as a security checker for SATAN. Tries to connect to one of nine IRC servers and send information about the infected computer to them.
fsg.exe
Gator Advertising spyware.
End this process and remove from startup.
fsg-ag.exe
Gator Advertising spyware.
End this process and remove from startup.
ftip.exe
Worm / Mail trojan
The worm´s .exe file is distributed in a compressed format and is using one of twenty names randomly. Hermes contacts "
http://www.seznam.cz",
but there is nothing there. It also tris to register, but fails to do so beacause of a bug. It propagates twice to all addresses in Outlook. In several versions th code is packed using UPX.
ftp99cmp.exe
FTP server
ftpserver.exe
FTP trojan
fun.exe
Worm / File virus
Alters Win.ini. "Between midnight and 2.00am on Wednesdays the worm attempts to display an animated graphic of Adolf Hitler shooting himself in the head." (Sophos)
fvegpyyl.exe
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.
fvprotect.exe
I-Worm.Netsky.q
This worm spreads via the Internet as an attachment to infected messages.
The worm copies itself to the Windows directory under the name fvprotect.exe and registers this file in the system registry autorun key:
[ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = %windir\fvprotect.exe
The worm also creates a file named userconfig9x.dll in the Windows directory, and files with the following names:
zipped.tmp, base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp
These files are copies of the worm in UEE format and ZIP archives containing copies of the worm.
Files within the archive will have names chosen from the following list:
document.txt.exe, data.rtf.scr, details.txt.pif
The worm searches for files with some extensions and sends copies of itself to email addresses harvested from these files.
The worm also attempts to establish a direct connection to the message recipient's server.
Infected messages contain random combinations of the sender's address, message header and body.
There is a wide range of potential attachment names.
The attached file often has a dual extension, with the first extension being .doc or .txt, and the second being one from the following list:
exe, pif, scr, zip. The worm is also able to send itself as a ZIP archive.
The worm may send messages which contain the IFRAME Exploit, in the same way that Klez.h and Swen did.
When this happens, if the message is viewed using a vulnerable mail client, the archive file containing the worm will be launched automatically.
If the worm finds some keys in the system registry key
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
it will delete them.
It will also delete the keys 'system', 'Video'
from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and the key values, created by I-Worm.Bagle.
Use RegRun Startup Optimizer to remove it from startup.
fxp.exe
Remote Access
Copyright © 1998-2004 Greatis Software |
Privacy Policy
|
Recommend to a friend