Removal of MAILPV.exe from XP

  1. #1
    klxdrt is offline Newbie

    Removal of MAILPV.exe from XP

    Does anyone know how I can remove spyware/riskware MAILPV.EXE from my PC? FSecure security suite won't, and even a call to FSecure was to no avail.

    Thanks,

    HW


  2. #2
    Digerati is offline Senior Quiquagenarian
    I recommend you purge your system of clutter using Windows [XP / Vista] Disk Cleanup, ATF Cleaner or CCleaner. If you use CCleaner, then during installation, uncheck the option to install the Yahoo toolbar and, before first use, go to Options > Settings > Advanced and ensure "Only delete files in Windows Temp folders older than 48 hours" is unchecked.

    Note: Ensure you know your site credentials (user names and passwords) for sites you frequent before cleaning; you may have to login again at next visit.

    Then download, install, update, and run Malwarebytes' Anti-Malware (MBAM) to ensure your system is free of malware. Then do the same for all other computers on your network (everything on your side of the Internet gateway, typically a cable/DSL modem).

    Then post back and let us know how you are doing.

  3. #3
    klxdrt is offline Newbie
    Digerati,

    Thanks for the quick reply & info.
    I downloaded & ran MBAM to no avail. See reports from 1) MBAM & 2) FSecure below:

    Thanks again,

    HW



    1) Received this MBAM report:

    Malwarebytes' Anti-Malware 1.28
    Database version: 1246
    Windows 5.1.2600 Service Pack 2

    10/9/2008 9:22:49 AM
    mbam-log-2008-10-09 (09-22-49).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|M:\|N:\|)
    Objects scanned: 167825
    Time elapsed: 1 hour(s), 8 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.


    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    --------------------------------------------

    2) Then FSecure produced this report:

    F-Secure Malware Information Pages: Trojan-Spy:W32/Small.BSL

    Name : Trojan-Spy:W32/Small.BSL
    Alias: Trojan-Spy.Win32.Small.bsl, Trojan-Spy:W32/DlRhifrem.A
    Type: Trojan-Spy
    Category: Malware
    Platform: W32


    Summary
    Trojan-Spy applications are usually standalone programs that allow malicious individuals to monitor activity on infected computers.

    Trojan-Spy:Win32.Small.BSL installs a component designed to steal installed certificates.


    Detailed Description
    Creates the following registry entries:

    * HKEY_CLASSES_ROOT\CLSID\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}\InprocServer32
    (Default) = "C:\WINDOWS\system32\acrobat.dll"
    ThreadingModel = "Apartment"
    (Using the name, Adobe Acrobat ActiveX Control)
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}
    NoExplorer = 0x00000001 (1)
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe Acrobat ActiveX Control = "Rundll32 acrobat.dll,AInit"


    It attempts to create the following registry entry:

    * HKEY_LOCAL_MACHINE\Software\Acrobat\
    "1" = "124.217.x.x" [IP edited by Digerati]
    "2" = 0x00000050 (80)
    "3" = /NNN/parse.php


    It then drops a file into the following folder:

    * %windir%\system32\


    The dropped file is called acrobat.dll and is 51712 bytes in size.

    The malware sets acrobat.dll with a hidden file attribute and changes its date properties to the current system time.

    Small.BSL then displays the following fake/decoy dialog message:



    When the dialog box is closed the malware will search for and terminate all running Internet Explorer processes. After this, it will launch Internet Explorer as a hidden process which has the malicious component attached.

    This malicious component acts like a Browser Helper Object (BHO).

    After the user has started Internet Explorer the malware will attempt to communicate with a server located at the following URL:

    * http://124.217.[REMOVED]/NNN/parse.php


    The BHO has the following functionality:

    * Steals installed certificates
    * Deletes user cookie files
    * Updates itself
    * Deletes files from C:\Documents and Settings\%username%\Application Data\Macromedia\Flash Player\
    * Updates registry information
    Last edited by Digerati; 09-10-2008 at 03:49 PM. Reason: Removed IPs
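A read-only check for the persistence indicators quoted in the F-Secure description above (CLSID registration, BHO key, Run value, dropped acrobat.dll). This is an added example, not code from the thread, F-Secure or HijackThis; it assumes PowerShell is available on the affected machine and uses only the registry paths, value names and file size exactly as the description lists them.

```powershell
# Added example: report (never remove) the Small.BSL indicators from the F-Secure write-up.
# Run in an elevated PowerShell prompt; HKLM keys may not be readable otherwise.
$clsid = '{BD942DA7-96C8-4342-84C6-E2BCFE69FE11}'

# Registry keys the description says the malware creates.
$keyChecks = @(
    @{ Name = 'COM server registration';
       Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" },
    @{ Name = 'Browser Helper Object registration';
       Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid" },
    @{ Name = 'Malware configuration key';
       Path = 'HKLM:\Software\Acrobat' }
)

$findings = @()
foreach ($check in $keyChecks) {
    if (Test-Path -LiteralPath $check.Path) {
        $findings += "$($check.Name): $($check.Path) exists"
    }
}

# Logon persistence: the Run value that loads the DLL through rundll32.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Adobe Acrobat ActiveX Control']) {
    $findings += "Run value 'Adobe Acrobat ActiveX Control' = $($run.'Adobe Acrobat ActiveX Control')"
}

# Dropped file: it is set hidden, so -Force is required for Get-Item to see it.
$dllPath = Join-Path $env:windir 'system32\acrobat.dll'
$dll = Get-Item -LiteralPath $dllPath -Force -ErrorAction SilentlyContinue
if ($dll) {
    $hidden = ($dll.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0
    $sizeNote = if ($dll.Length -eq 51712) { 'size matches the 51712 bytes in the description' }
                else { "size $($dll.Length) bytes, does not match 51712" }
    $findings += "File $dllPath present ($sizeNote), hidden attribute: $hidden"
}

if ($findings.Count -eq 0) { 'No Small.BSL indicators found.' } else { $findings }
```

Any hit is worth including with the HijackThis log rather than acting on alone, since a legitimate product could in principle own a key with a similar name.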

  4. #4
    Digerati is offline Senior Quiquagenarian
    Then I would suggest you submit a HijackThis log for analysis by one of our Malware Removal experts. Follow these instructions carefully to post your log for analysis.
    • Download the latest version of HiJackThis,
    • Install HijackThis to the folder C:\Program Files\HijackThis,
    • Click "Do a system scan and save a logfile" - When complete, Notepad will open the logfile,
    • Save the file to a convenient location,
    • Open HijackThis (if not still open); if still open, click on "Main Menu",
    • Click "Open the Misc Tools section",
    • Click the "Open Uninstall Manager",
    • Click the "Save list",
    • Save it to the same convenient location.

    • Start a new thread in Spyware, Adware, Viruses and HijackThis Logs Forum - NOTE: This is the ONLY forum where HJT logs are allowed.
    • Include a description of your problem, list your version of Windows and a brief description of your hardware, and the steps taken thus far to clean your system of malware, and steps taken to fix the problem. Add a link back to this thread for reference.
    • Copy and paste your HJT log and the Uninstall Manager List into your post.
    Log analysis takes time. A qualified expert will get with you as soon as possible. Please post a status update back here when log analysis is complete.
