Comments for Malware Analysis and Removal

Comment on Removed: REGSRV.EXE, STDRT.EXE by bill

bill — Sat, 04 Feb 2012 19:16:49 +0000

THIS SOLUTION DOES NOT WORK ON WINDOWS 7 x64

Comment on SIAPORT.EXE is Trojan Kazy by NightWatcher

NightWatcher — Mon, 23 Jan 2012 11:45:09 +0000

http://greatis.com/blog/how-to-remove-malware/mvscavap-exe.htm

Comment on SIAPORT.EXE is Trojan Kazy by NightWatcher

NightWatcher — Sun, 22 Jan 2012 13:07:35 +0000

The easiest way to remove these trojans:)
http://youtu.be/sDU4_Jgydbs

Comment on SIAPORT.EXE is Trojan Kazy by Blake

Blake — Fri, 20 Jan 2012 17:17:33 +0000

just to clear things up at the beginning of my last post you only type in “%temp%” then you simply navigate in the window. “Organize” being found in the top left corner

Comment on SIAPORT.EXE is Trojan Kazy by Blake

Blake — Fri, 20 Jan 2012 17:15:54 +0000

i just got this figured out thanks for the great help guys!:D
anyone still struggling type in
-> %temp% -> “Organize” -> “Folder and Search Options” -> “View” (Middle Tab)

from there you are going to change two thing…
1). under the folder “Hidden files and folders” simply change the bubble from “Don’t show hidden files, folders, or drives” to “Show hidden files, folders, and drives”

2).under the same folder there will be about 11 boxes, some being checked some unchecked. It should be the 3rd box from the top of that list of 11. its called “Hide protected operating system files(Recommended)” Un-check that box. it will give you a warning message, just hit yes.

After doing the following click “Apply” -> then “Ok”

you should be back in the temp folder. now look for the folder titled “System”
(if you cannot locate system simply go to the navigation bar at the top of the window and re-click on temp to refresh it)

go into system and you will see siaport. Delete that bastard!

Any questions feel free to ask! Email me at dadiggin@live.com i will answer on that faster than this!

Comment on SIAPORT.EXE is Trojan Kazy by Cannot find SiaPort.exe

Cannot find SiaPort.exe — Fri, 20 Jan 2012 15:58:59 +0000

I found the system folder but I CANT FIND THE SiaPort.exe. If i organise it and pressing “Hide all folders,files” It wont show. Plz Help me………….

Comment on SIAPORT.EXE is Trojan Kazy by Hazza

Hazza — Fri, 20 Jan 2012 08:49:58 +0000

never mind, found it…

PEOPLE WHO CANT FIND THE “SYSTEM” FOLDER

When you go to the organise thing, there should be a little circle filled with blue with text next to it saying “Hide all Folders, files etc.” Click the one below it that says”Show” as well as the boxes below. Might help…

Comment on SIAPORT.EXE is Trojan Kazy by Hazza

Hazza — Fri, 20 Jan 2012 08:42:43 +0000

I tried the “Unhide Folders” thing and i still cant find the System Folder, I think the Trojan might have let in a virus… HELP!!!

Comment on SIAPORT.EXE is Trojan Kazy by Milo

Milo — Thu, 19 Jan 2012 10:54:25 +0000

For those of us who dosn’t know how to fix this: press windows button (Windows 7 here) and type in “%TEMP%\SYSTEM\” then there should be no files, click on organize (top left corner) then press Folder and search options from the drop down menu. Choose View and then you must uncheck the box that says “Hide operating system files” even though it’s recommended not to. Then delete siaport.exe (click it once and press delete) then yes and it’s outta the world

Comment on SIAPORT.EXE is Trojan Kazy by Rostov

Rostov — Sun, 15 Jan 2012 13:26:17 +0000

Can’t find the System subfolder after the Temp subfolder. I get into the Temp folder and there are hundreds of my other folders but no System folder. Siaport.exe says it’s in the System but I can see it, even with all hidden files made to appear.

Comment on SIAPORT.EXE is Trojan Kazy by Johnny D

Johnny D — Sat, 14 Jan 2012 05:39:48 +0000

This is simple.

For Windows 7, Go to the directory of the file… AppData\Local\Temp\System
If you don’t see any files it means they’re hidden, so what you’ll need to do is
simply unhide them. Near the Top Left, click on (Organize). A drop down menu
should appear. Now go to (Folder and search options). A window will appear. At the top you’ll see 3 tabs/pages. Click on (View). Now, in the list, you want to look for (Hide protected operating system files Recommended). Now uncheck that. A warning may pop up but that’s ok. Click (Yes). Now click (Apply) then (OK).
If you did all that correctly you should see 2 files…. Delete them and you’re Done!
Now you might want to go back and make sure you Hide the system files. Just Check the box for (Hide protected operating system files Recommended) then click Apply and OK! Easy!

Comment on REGSRV64.EXE is trojan Offend by NightWatcher

NightWatcher — Thu, 12 Jan 2012 03:17:06 +0000

Please visit our support center:
http://greatis.com/support
Attach your regrunlog.txt and we will help you.

Comment on REGSRV64.EXE is trojan Offend by Ket

Ket — Wed, 11 Jan 2012 15:11:43 +0000

I cannot remove the file. It always said this file has been used by another program even though I open only a folder to delete it. How can I delete it? Please help.

Comment on Removed: C:\WINDOWS\system32\system\dll.exe (trojan VBInject) by Mark

Mark — Tue, 10 Jan 2012 01:17:54 +0000

Before deleting suspect malware it is best to create a system restore point first in case the system crashes. I am new to removing malware and it appears it may be easier to block the IP addresses and close the ports. As you can imagine a hacker may not be very happy to find out that the RATs have been cutoff. The hacker will try everything to regain access. Once the user knows who is doing what it is a lot easier to manage the risk. I have only found 1 software package that monitors the traffic. BeeHive is good stuff, and if you want to be a wise guy you can cause the hacker to have many sleepless nights as they watch the user watch the hacker.

Maybe you software guys could creatre some fun software to better monitor the hackers activities.

Comment on Removed: pb.dll, forinout.exe, LiveSS.exe, pb.sys (FakeAV – Live Security Suite) by Reena mathew

Reena mathew — Mon, 09 Jan 2012 08:17:58 +0000

I have searched so many weblogs for a solution, at last I got the complete fix from here, KUDOS to greatis.com technical team. You guys are really rocking!!!

Thanks, please keep on posting on new spyware issues.

Comment on SIAPORT.EXE is Trojan Kazy by NightWatcher

NightWatcher — Thu, 05 Jan 2012 10:26:26 +0000

Please visit our support center:
http://greatis.com/support
Attach your regrunlog.txt and we will help you.

Comment on SIAPORT.EXE is Trojan Kazy by will

will — Wed, 04 Jan 2012 22:09:13 +0000

same problem here… how to solve it???

Comment on SIAPORT.EXE is Trojan Kazy by sam

sam — Wed, 04 Jan 2012 17:56:31 +0000

@cas i have the same problem. siaport.exe cant be stopped. it starts again and again.

Comment on SIAPORT.EXE is Trojan Kazy by cas

cas — Wed, 04 Jan 2012 09:37:30 +0000

im fucked i cant seem to find the file but the pop up keeps coming please help me. thanks

Comment on NavaShield.exe – Fake AntiVirus Nava Shield by joy mathew

joy mathew — Wed, 04 Jan 2012 07:47:08 +0000

Nava shield is a rougue antispyware, which will create unwanted pop ups and mis lead you to buy that application.
Most of the antivirus like Avast, Norton, Mcafee arre able to remove its source file and at the same time they are failed to remove the unwanted registry entries created by the infection. Once its source file is removed by the antivirus, the registry entries started to disable all the executables (applications or softwares) installed on your computer.

In this scenario, we have to remove the registry entries manually.

Comment on 5016.SYS is rootkit Pakes by baba

baba — Sun, 01 Jan 2012 23:30:40 +0000

Thanks, I just found this on my Grandma’s computer. She is 97 and in the hospital with a broken hip. You are code/internet heroes.

Comment on CLIPVIEW.EXE is Adware Clipview by Baba

Baba — Sun, 01 Jan 2012 23:28:56 +0000

Thanks, Nightwatcher(and unhackme team) your rootkit submission(from 11/16, rloader.1 5016.sys) was just found on my grandma’s computer. She is 97 and in the hospital with a broken hip. Just letting you know that you are helping an old woman out(even though she hates being called that).

Comment on FACEBOOKUPDATE.EXE – not a virus by Felipe Drumond

Felipe Drumond — Wed, 21 Dec 2011 09:21:13 +0000

It´s the Skype plug-in. It’s safe.

Comment on MAHMUD.EXE is trojan LockScreen by loltheripper

loltheripper — Mon, 05 Dec 2011 05:56:11 +0000

U dont need a recovery cd or something u have to start your pc in the protected mod (i dont know if thats right im german) than just delet the mahmud.exe in the roaming folder. And after that put ur cammand prompt on your help button in the login area (this is very help full if you get another trojan or lockscreen). You can find a how to on youtube.

Comment on WINWIRPL.DLL is trojan Sefnit by eric

eric — Tue, 22 Nov 2011 08:56:54 +0000

Hello,

I didn’t find the the registry key you pointed, but found this one:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar something

deleated it then managed to erease the file in:
%AppData%\DesktopMain32\winWIRpl.dll

Sacnned the temp folder and found jar_cache temp files also infected (might be the actuall intrusion)

regards

Comment on MAHMUD.EXE is trojan LockScreen by NightWatcher

NightWatcher — Fri, 18 Nov 2011 05:07:47 +0000

Use RegRun Warrior CD.
How to make RegRun Warrior CD – http://www.youtube.com/watch?v=l-tuBVOsXns
How to remove mahmud.exe – http://www.youtube.com/watch?v=ueghm5uGHZM

Comment on MAHMUD.EXE is trojan LockScreen by Rym

Rym — Thu, 17 Nov 2011 18:47:13 +0000

mahmud.exe; one nast F***** indeed!
One of my friends who is computer illiterate, recently found himself bugged with mahmud, at first shocked and in despair for the wild acusation the exe was claiming. So after taken a first look, not that i’m a computer genius, but as I did manage to softmod and jailbreak my own gadgets, most my friends come to me for advice. Well now, I’m trying hard to figure any possible methods to bypass this mahmud.exe to be started as it freezes up the screen making it impossible to go to any directory paths to shut down the program.
The situation: windows XP computer (I tempted to tell my friend to “forget it mate, time for an upgrade anyway” but the Macgyver in me wants this solved), 3 user accounts. A) password protected. B) infected account. C) Guest account.
Tried: 1) log into B and tried to shut down the program before it started…FAIL. 2) tried from guest account, which fully works aside from no start-menu visible. but no admin powers… fail. 3) safe mode, got into ‘administrator’ account and WHAM there is mahmud. FAIL. 4) basically tried all other start up possibilities without success. At the moment I’m trying to reel in a free program to hack lost passwords, so I can log into account A and hopefully which has more admin powers so I can get into account B’s directory paths etc.
Now, IF there’s anything easier I can try, please let me know!
any other info/suggestions are most welcome.

Comment on I6G8XS.EXE is trojan Jorik by Crescencio Aragón

Crescencio Aragón — Tue, 15 Nov 2011 18:04:09 +0000

the process is hard to eliminate because in the process task manager it is “moving”, i mean closing and opening that for appears in deferents place on the list and we can´t select… aniway this file es generated by other file because i stop the process in the msdossetup, i kill it booting from a safe disk, i remove with UNHackMe, and its still.. is not “moving” but i apreciate that is another file in the process with aleatory name but extension “.tmp” i found this at the …windows\temp
really i found a lot of files that are opened in the task manager… right now the next step is to format and reinstall all system on the PC

Comment on WKOCFFMPAI.EXE is Fake System Tools by NightWatcher

NightWatcher — Fri, 28 Oct 2011 14:54:59 +0000

How to make files and folders visible again?
Open Command Prompt and type in: “attrib -h c:\*.* /s /d” and press Enter.

Comment on X30811.EXE is trojan BitMiner by NightWatcher

NightWatcher — Tue, 25 Oct 2011 03:47:50 +0000

Please visit our support center:
http://greatis.com/support
Attach your regrunlog.txt and we will help you.