Digerati,
Thanks for the quick reply & info.
I downloaded & ran MBAM to no avail. See reports from
1) MBAM &
2) FSecure below:
Thanks again,
HW
1) Received this MBAM report:
Malwarebytes' Anti-Malware 1.28
Database version: 1246
Windows 5.1.2600 Service Pack 2
10/9/2008 9:22:49 AM
mbam-log-2008-10-09 (09-22-49).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|M:\|N:\|)
Objects scanned: 167825
Time elapsed: 1 hour(s), 8 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
--------------------------------------------
2) Then
FSecure produced this report:
F-Secure Malware Information Pages: Trojan-Spy:W32/Small.BSL
Name : Trojan-Spy:W32/Small.BSL
Alias: Trojan-Spy.Win32.Small.bsl, Trojan-Spy:W32/DlRhifrem.A
Type: Trojan-Spy
Category: Malware
Platform: W32
Summary
Trojan-Spy applications are usually standalone programs that allow malicious individuals to monitor activity on infected computers.
Trojan-Spy:Win32.Small.BSL installs a component designed to steal installed certificates.
Detailed Description
Creates the following registry entries:
* HKEY_CLASSES_ROOT\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32
(Default) = "C:\WINDOWS\system32\acrobat.dll"
ThreadingModel = "Apartment"
(Using the name, Adobe Acrobat ActiveX Control)
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}
NoExplorer = 0x00000001 (1)
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Acrobat ActiveX Control = "Rundll32 acrobat.dll,AInit"
It attempts to create the following registry entry:
* HKEY_LOCAL_MACHINE\Software\Acrobat\
"1" = "124.217.x.x" [IP edited by Digerati]
"2" = 0x00000050 (80)
"3" = /NNN/parse.php
It then drops a file into the following folder:
* %windir%\system32\
The dropped file is called acrobat.dll and is 51712 bytes in size.
The malware sets acrobat.dll with a hidden file attribute and changes its date properties to the current system time.
Small.BSL then displays the following fake/decoy dialog message:
When the dialog box is closed the malware will search for and terminate all running Internet Explorer processes. After this, it will launch Internet Explorer as a hidden process which has the malicious component attached.
This malicious component acts like a Browser Helper Object (BHO).
After the user has started Internet Explorer the malware will attempt to communicate with a server located at the following URL:
* http://124.217.[REMOVED]/NNN/parse.php
The BHO has the following functionality:
* Steals installed certificates
* Deletes user cookie files
* Updates itself
* Deletes files from C:\Documents and Settings\%username%\Application Data\Macromedia\Flash Player\
* Updates registry information
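The F-Secure description quoted in the post above lists four registry artifacts (the fake "Adobe Acrobat ActiveX Control" CLSID, its Browser Helper Object registration, the Rundll32 Run entry, and the HKLM\Software\Acrobat key holding the server IP, port and path). The script below is an added example, not part of HW's post and not F-Secure's code: it parses a Windows registry export (`reg export HKLM\SOFTWARE hklm.reg`, plus the same for HKCR, decoded from UTF-16LE to text) and reports which of those artifacts are present. The export text embedded in it is constructed for the example; the server address in it is the documentation address 192.0.2.10, because the real one is redacted on the page.

```python
"""Look for Trojan-Spy:W32/Small.BSL artifacts in a .reg export.

Added example (not from the post or from F-Secure). Assumes the export
was made with `reg export` and already decoded from UTF-16LE to text.
"""
import re

# Indicators transcribed from the F-Secure description:
# (label, key path, value name ("@" = default value), substring expected in the data)
INDICATORS = [
    ("bho_clsid",
     r"HKEY_CLASSES_ROOT\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32",
     "@", "acrobat.dll"),
    ("bho_enabled",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
     r"\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}",
     "NoExplorer", "dword:00000001"),
    ("run_persistence",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Adobe Acrobat ActiveX Control", "acrobat.dll,AInit"),
    # Note the key is HKLM\Software\Acrobat, not Adobe's real HKLM\SOFTWARE\Adobe.
    ("c2_config", r"HKEY_LOCAL_MACHINE\Software\Acrobat", "3", "parse.php"),
]

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files double backslashes and escape quotes inside string data.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}.

    Handles the subset used by these indicators: one-line values, "@" for
    the default value, quoted string data and dword: data.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_small_bsl(text):
    """Return {indicator_label: data} for every indicator found in the export."""
    reg = {k.lower(): v for k, v in parse_reg_export(text).items()}
    hits = {}
    for label, key, name, needle in INDICATORS:
        data = reg.get(key.lower(), {}).get(name)
        if data is not None and needle.lower() in data.lower():
            hits[label] = data
    return hits


# Constructed export of an infected box; 192.0.2.10 stands in for the redacted IP.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32]
@="C:\\WINDOWS\\system32\\acrobat.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Acrobat ActiveX Control"="Rundll32 acrobat.dll,AInit"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Acrobat]
"1"="192.0.2.10"
"2"=dword:00000050
"3"="/NNN/parse.php"
"""

# Constructed export of a clean box: only the legitimate Run entry.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for label, data in find_small_bsl(SAMPLE_REG).items():
        print(f"{label}: {data}")
```

Two things worth noting when reading the hits: the Run entry is `Rundll32 acrobat.dll,AInit` with no path, so it relies on the loader finding the dropped DLL in %windir%\system32, and the description says the file is set hidden, so an `attrib` or `dir /a` listing of system32 is the matching file-system check.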