Spyware, Viruses, & Security forum

General discussion

Is pspv.exe a false positive?

by John Robie / April 29, 2006 4:23 AM PDT

Yesterday morning when I fired up my WinXP SP2 a new icon 'pspv' appeared on the desktop. I didn't install pspv. My 2005 Norton AntiVirus usually gives me a pop-up 'Security Alert' every few days:
''Norton Internet Worm Protection has detected and blocked an intrusion attempt''. Then gives the name of a Trojan Horse, date, time, and path.

A popup didn't appear for pspv.exe, but later that afternoon after running a complete Norton check on my computer (494,000 files takes a little over 2 hrs), it came up with "pspv.exe - Hacktool. Pass Remi",as a security risk and suggested I delete/quarantine. Other than the auto blocking that normaly Norton does, this is the 1st time in several years that Norton came up with a security risk when I ran a complete check.

I did delete pspv.exe as suggested, but do not find it specifically with Nortons list of viruses/worms/trojans.

Doing a Google, I notice:
''McAfee Virus Scan Enterprise 7.1.0 reports that pspv.exe is infected with Generic PWS.f' Trojan''.

I'm thinking pspv.exe can be useful when forgetting passwords. Is pspv.exe OK, or a false positive?

Discussion is locked
You are posting a reply to: Is pspv.exe a false positive?
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Is pspv.exe a false positive?
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Re: pspv.exe
by Kees Bakker / April 29, 2006 4:32 AM PDT

If it's the program from http://www.nirsoft.net/utils/pspv.html (but, of course, every malware-writer may call his program pspv, so we're not 100% sure) it's not malware, per se, but it can be considered a security risk, because everybody with access to your computer can run it and use it to extract your passwords. So if you don't need it, it seems safer to remove it. And that is what Norton advised, if I read the message correctly.

The curious thing is where it came from. If you didn't install it, somebody else did, and it wouldn't be Windows Update. I don't have a clue. Do you?


Collapse -
It depends on where is came from John
by roddy32 / April 29, 2006 4:38 AM PDT

A few months ago, Wayne posted a news article about a pspv.exe tool that many of us downloaded and installed made by a company named Nirsoft. Norton flagged it on me but I knew what it was so I have it excluded in my scans now. If I remember correctly you were also involved in that thread BUT WHY it would show up NOW all of a sudden if that is what it is I don't know. I still have the tool and run it occasionally but, as I said, Norton excludes it in the scans because I told it to do that. If you did not purposely install it, it could be a problem.

Collapse -
Thanks Kees and Roddy for the replys.....No
by John Robie / April 29, 2006 5:15 AM PDT

I don't have any idea where it came from. I never open email attachments so it didn't come from that source.
I did keep the pspv.chm that is the only thing that came with it, and it is a long explaination text from the web site you indicated.

No Roddy, I don't recall me posting in Wayne's post concerning pspv.exe
After doing a CNet search, perhaps this is the post you are talking about:

This is a rather long, long extract of the pspv.chm

Protected Storage PassView v1.62
Copyright (c) 2002 - 2004 Nir Sofer

Protected Storage PassView is a small utility that reveals the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer. The passwords are revealed by reading the information from the Protected Storage.
Starting from version 1.60, this utility reveals all AutoComplete strings stored in Internet Explorer, not only the AutoComplete password, as in the previous versions.
This utility can show 4 types of passwords:

Outlook passwords: When you create a mail account in Outlook Express or a POP3 account in Microsoft Outlook, and you choose the "Remember password" option in the account properties, the password is saved in the Protected Storage, and this utility can instantly reveal it.
Be aware that if delete an existing Outlook Express account, the password won't be removed from the Protected Storage. In such a case, the utility won't be able to obtain the user-name of the deleted account, and only the password will be shown.
Starting from version 1.50, the passwords of Outlook Express identities are also displayed.
AutoComplete passwords in Internet Explorer: Many Web sites provides you a logon screen with user-name and password fields. When you log into the Web site, Internet Explorer may ask you if you want to remember the password for the next time that you log into this Web site. If choose to remember the password, the user-name and the password are saved in the Protected Storage, and thus they can be revealed by Protected Storage PassView.
In some circumstances, multiple pairs of user-name and passwords are stored for the same logon window. In such case, the additional passwords will be displayed as sub-items of the first user-password pair. In sub-items, the resource name is displayed as 3 dots ('...')
Password-protected sites in Internet Explorer: Some Web sites allows you to log on by using "basic authentication" or "challenge/response" authentication. When you enter the Web site, Internet Explorer displays a special logon dialog-box and asks you to enter your user-name and password. Internet Explorer also gives you the option to save the user-name/password pair for the next time you log-on. If you choose to save the logon data, the user-name and the password are saved in the Protected Storage, and thus they can be revealed by Protected Storage PassView.
In this category, you can also find the passwords of FTP servers.
MSN Explorer Passwords:
The MSN Explorer browser stores 2 types of passwords in the Protected Storage:
Sign-up passwords
AutoComplete passwords
By default, this utility shows all 4 types of passwords. You can select to show or hide a specific type of password, by choosing the right password type from the View menu.

This utility can only show the passwords of the current logged-on user. it cannot reveal the passwords of other users.

About The Protected Storage
The Protected Storage information is saved in a special location in the Registry. The base key of the Protected Storage is located under the following key:
"HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider"
You can browse the above key in the Registry Editor (RegEdit), but you won't be able to watch the passwords, because they are encrypted. Also, some passwords data are hidden by the operating system.

System Requirements
Windows operating system: Windows 95/98/ME, Windows NT, Windows 2000 or Windows XP.
Internet Explorer, Versions 4.0 - 6.0

Know Problems
In some computers, the Protected Storage system doesn't save any password, and when you run the pspv utility, you get an empty window without any password or other data. You might also receive 'Cannot connect to the protected storage' error message.
If your system has this kind of problem, you can try to resolve it by using the following articles in Microsoft Web site:
AutoComplete Does Not Save Username and Password
Delayed Response When Editing Internet Explorer Forms and Outlook Express May Take a Long Time to Start

Versions History
Date Version Description
22/08/04 1.62 Fixed bug: On computers with very large AutoComplete list, some items were not displayed.

01/06/04 1.61 Ability to translate to other languages.
Copy to clipboard in tab-delimited format.

15/10/03 1.60 Display all types of AutoComplete strings, not only the passwords. It also allows you to export AutoComplete strings, and then import them to another computer or to another OS.
Find Dialog-Box

20/07/03 1.52 View raw data in HTML format.

22/06/03 1.51 Added the ability to change the location of a column by dragging it to the desired location.
All your settings (window size, columns and more) are automatically saved, and loaded in the next time that you run the utility.

10/06/03 1.50 Save Protected Storage passwords in HTML file.
Added support for directory service accounts and news accounts of Outlook Express.
Added support for multiple identities in Outlook Express.
Added support for user names and passwords of Outlook Express identities.

23/05/03 1.40 Added support for MSN Explorer passwords.
Added support for the account passwords of Outlook 2002 (POP3, IMAP, HTTP and SMTP accounts).
Added support for SMTP passwords in Outlook 2000.
Save raw data from the Protected Storage.

30/04/03 1.32 Added support for MS Outlook passwords. (POP3 accounts only)
Save as tabular text-files.

18/04/03 1.31 Fixed bug: Problem with FTP passwords in Windows XP.
Significant decrease in size of the executable.

05/03/03 1.30 Added command-line support.
Added popup menus.
Added the option to open the Web site related to the password item.

15/02/03 1.21 Fixed bug with IMAP and HTTP items of Outlook Express.
16/12/02 1.20 Added the ability to save the passwords information in tab-delimited format.
Export / Import: allows you to easily move your passwords from one computer to another.
Refresh (F5)
Fixed bug: The previous version was unable to properly decrypt the passwords of FTP servers.
Fixed problem: in previous versions, only one pair of user name and password was shown for each Web site (AutoComplete passwords), even if there was more than one password.

09/09/02 1.10 Added support for password deletion.
16/07/02 1.00 First release.

This utility is released as freeware for personal use. Do not use this utility for illegal activity, and do not use it for getting passwords of a computer that is not yours. If you distribute this utility, you must include the executable file and the readme file in the distribution package, without any modification !

The software is provided "AS IS" without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason.

Using Protected Storage PassView
This utility is a standalone executable, and it doesn't require any installation process or additional DLL files. In order to use it, extract the executable file (pspv.exe) to any folder your want, and run it.
After you run this utility, you'll get a window with 4 columns containing the list of the Protected Storage passwords. You can easily select the desired passwords, and then save them into a readable or tab-limited text file , or copy them into the clipboard.
If you want to delete one or more passwords, select the desired items in the list, and choose the "Delete Selected Items" from the File menu. You can also delete the items by clicking the "Delete" key.
Notice: When a Web page has more than one pair of user and password, you cannot delete a single password and keep that others. You can only delete all passwords together by selecting the first major password of the Web page.

Moving your passwords and AutoComplete strings to another computer
Starting from version 1.20, you can easily move your passwords and AutoComplete strings to another computer, or to another operating system in the same computer, by using the Export/Import feature. Be aware that the passwords of Outlook and MSN Explorer cannot be moved to another computer due to a technical limitation.
In order to move your passwords, follow strictly the instructions below:

In the operating system that contains the items you want to copy:
Run the 'Protected Storage PassView' utility.
Select the passwords and AutoComplete strings that you want to move. If you want to move all your items, press Ctrl+A ('Select All').
From the "Import / Export" menu, select "Export Selected Items".
Select or type the filename for saving all selected items into a file.
In the destination operating system:
Run the 'Protected Storage PassView' utility.
From the "Import / Export" menu, select "Import Items".
Select the exported file that you saved in the previous stage.
If nothing goes wrong, you should now be able to use your passwords and AutoComplete strings in the destination computer.
You can also move all your passwords and AutoComplete fields from one computer to another by using the '/exp' and '/imp' command-line options (See below)

Saving the raw data of the Protected Storage
This utility automatically reads the data from the Protected Storage, analyzes it, and displays the passwords categorized by the software that created them. However, if you want the watch the data of the Protected Storage without any additional processing, you can save all Protected Storage data to a text file by using the "Save raw data" option. The text file created by this option contains all data stored in the Protected Storage, even if it's not recognized by this utility.

Command-line options
/shtml <Filename> Save all Protected Storage items into HTML file.
/stext <Filename> Save all Protected Storage items into a text file.
/stab <Filename> Save all Protected Storage items into a tab-delimited text file.
/stabular <Filename> Save all Protected Storage items into a tabular text file.
/exp <Filename> Export all Protected Storage items into a file.
/imp <Filename> Import all items from a file into the Protected Storage.
/raw <Filename> Save raw data: Save all Protected Storage data into a text file.
/rawhtml <Filename> Save raw data: Save all Protected Storage data into HTML file.

Remark: If the filename contains one or more space characters, you must enclose it with quotes ("").
pspv.exe /stext c:\MyFolder\pass.txt
pspv.exe /exp "c:\My Documents\exp1.txt"
pspv.exe /imp "c:\My Documents\exp1.txt"

Translating to other languages
In order to translate this utility to another language, follow the instructions below:
Run pspv with /savelangfile parameter:
pspv.exe /savelangfile
A file named pspv_lng.ini will be created in the folder of pspv utility.
Open the created language file in Notepad or in any other text editor.
Translate all menus and string entries to the desired language.
After you finish the translation, Run pspv, and all translated strings will be loaded from the language file.
If you want to run pspv without the translation, simply rename the language file, or move it to another folder.

If you have any problem, suggestion, comment, or you found a bug in my utility, you can send a message to nirsofer@yahoo.com

Collapse -
If you did not download it John then I
by roddy32 / April 29, 2006 5:26 AM PDT

don't know where it came from either. Norton does not list it, as you said in the virus/trojan list because it is a hacktool and not a virus or a trojan.

Yes, that was the thread I was referring to.

Collapse -
It does put a little scare in me
by John Robie / April 29, 2006 6:15 AM PDT

since McAfee indicates it is infected with a Trojan, and besides I didn't download it.
Guess I'll download it whenever I need to find a missing password, and then immediately delete.


Collapse -
It could have been a drive-by John but
by roddy32 / April 29, 2006 6:51 AM PDT

as long as it is deleted you should be OK. I can understand why it would put a scare into you for sure though.

Collapse -
Bad deal..
by mrfixit1 / May 15, 2006 10:27 AM PDT

My question is who has access to you computer when you are not there? Your wife?,, Your Roommate? The gardener? You get the point right? Someone installed that password hack on your unit intentionally and now very well could have any and all passwords that windows has saved for you on this unit.. I would bet Norton did catch it but, was told to allow the script to run by whomever hacked your unit..

Popular Forums
Computer Help 51,912 discussions
Computer Newbies 10,498 discussions
Laptops 20,411 discussions
Security 30,882 discussions
TVs & Home Theaters 21,253 discussions
Windows 10 1,672 discussions
Phones 16,494 discussions
Windows 7 7,855 discussions
Networking & Wireless 15,504 discussions


Meet the drop-resistant Moto Z2 Force

The Moto Z2 Force is really thin, with a fast processor and great battery life. It can survive drops without shattering.