milt

Archived from groups: microsoft.public.windowsxp.basics

Can you tell me what "mspmspv.exe" is/does? It is in
C:\Windows\System32. It's listed twice in msconfig\System
Configuration Utility\Startup. Once under
HKCU\Microsoft\Windows\Current Version\Run and once under
HKLM\Microsoft\Windows\Current Version\Run. There's also
an entry in C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\Microsoft Office.hta, which
generates this page at every bootup:
TG!¶'ò?²Ï#ª_þXgÒ­cöëÏ°ãª?Á<Z¶ëmЍöª_þX
|¾"µÈó\έ
åªDw=ÿÿ?ÿÿ"IÁ<Z¶ëmЍöª_þX 2'?Item1¸
ÿÿ ?#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?_

It seems to generate a request for internet access in my
Zone Alarm firewall. It doesn't show up in SpyBot, AdAware
or NAV.

I'd like to get rid of the page but don't know if I should
delete the Registry entries, disable one or both entries
in msconfig\Startup or just delete the entry in
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup. I'd like to know why it recently
appeared too.

Thanks,
Milt
 
Guest

Milt
The service allows WMDM (Windows Media Device Manager) to copy audio
content from a computer to a portable audio player.

http://www.neuber.com/taskmanager/process/mspmspsv.exe.html




 
Guest

Milt wrote:
> Can you tell me what "mspmspv.exe" is/does? It is in
> C:\Windows\System32. It's listed twice in msconfig\System
> Configuration Utility\Startup. Once under
> HKCU\Microsoft\Windows\Current Version\Run and once under
> HKLM\Microsoft\Windows\Current Version\Run. There's also
> an entry in C:\Documents and Settings\All Users\Start
> Menu\Programs\Startup\Microsoft Office.hta, which
> generates this page at every bootup:
> TG!¶'ò?²Ï?#ª_þXgÒ­cöëÏ°ãª?Á<Z¶ëmÐ?öª_þX
> |¾"µÈó\έ
> åªDw=ÿÿ?ÿÿ"IÁ<Z¶ëmÐ?öª_þX 2'?Item1?¸
> ÿÿ ?#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?_
>
> It seems to generate a request for internet access in my
> Zone Alarm firewall. It doesn't show up in SpyBot, AdAware
> or NAV.
>
> I'd like to get rid of the page but don't know if I should
> delete the Registry entries, disable one or both entries
> in msconfig\Startup or just delete the entry in
> C:\Documents and Settings\All Users\Start
> Menu\Programs\Startup. I'd like to know why it recently
> appeared too.
>
> Thanks,
> Milt

Are you sure about the spelling of that file?

There is a legitimate XP file spelled "MsPMSPSv.exe" (extra S) that is
associated with the Windows Media Player DRM service. This is a service that
runs in XP, but I don't believe that it needs to be in the Start Up of
msconfig? You should remove this item from both "Run" locations in the
Registry. It can also be disabled in the Services, where it is shown as WMDM
PMSP Service.

If your spelling is correct, I would immediately remove all instances of
this file from the system.

The Microsoft Office.hta file is a mystery. An .hta file can execute code. I
would remove this file from the Start Up folder and place it in another
folder for the time being until you can determine where it came from.

Make sure that your anti-virus programs have the latest definition files and
run a complete scan from Safe Mode.

--

Ronnie Vernon
Microsoft MVP
Windows Shell/User
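
The check discussed in the replies above (a file name one letter off a real system file, plus a script file sitting in the Startup folder), as an added example that is not part of any post in this thread. The allowlist, the function names and the sample autostart entries are constructed assumptions; the registry locations are written the way the thread quotes them.

```python
import ntpath

# Assumption: a tiny allowlist for illustration; a real one would come from a
# known-clean baseline of the same Windows build.
KNOWN_GOOD = {"mspmspsv.exe", "svchost.exe", "explorer.exe", "ctfmon.exe"}
SCRIPT_EXTS = {".hta", ".vbs", ".js", ".wsf"}  # run by a script host when opened

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(entries):
    """Return (location, image, reason) for autostart entries worth a closer look."""
    findings = []
    for location, command in entries:
        image = ntpath.basename(command.strip('"')).lower()
        ext = ntpath.splitext(image)[1]
        if "\\startup" in location.lower() and ext in SCRIPT_EXTS:
            findings.append((location, image, "script file in Startup folder"))
        if image in KNOWN_GOOD:
            continue  # exact match with a baseline name: nothing to report
        for good in sorted(KNOWN_GOOD):
            if edit_distance(image, good) <= 1:
                findings.append((location, image, "one edit away from " + good))
    return findings

# Constructed sample mirroring the three autostart locations named in the thread.
STARTUP = r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
SAMPLE = [
    (r"HKCU\Microsoft\Windows\Current Version\Run", r"C:\Windows\System32\mspmspv.exe"),
    (r"HKLM\Microsoft\Windows\Current Version\Run", r"C:\Windows\System32\mspmspv.exe"),
    (r"HKLM\Microsoft\Windows\Current Version\Run", r"C:\Windows\System32\ctfmon.exe"),
    (STARTUP, STARTUP + r"\Microsoft Office.hta"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

A name-distance hit only says the entry deserves inspection; it does not by itself establish that the file is malicious.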
 

milt


Thanks for the comments Ronnie. And yes, I spelled it
correctly. They're both in the System 32 file. I didn't
think that it needed to be in Start-up either. I searched
Google before posting this and couldn't find anything. But
I thought I'd see if anyone has had experience with it
before barging ahead. (I did recently install WMP 10. That
may be where it came from.) And my NAV, SpyBot and AdAware
are all kept up to date at all times.

Milt


 

Don


Take a look at this link:
http://sophos.com/virusinfo/analyses/trojchuma.html
According to Sophos it's a new backdoor Trojan virus. I
found it on my machine exactly the same way you did - and
it didn't show up on my AdAware, Spybot or NAV either. My
Zonealarm also alerted me to it. Seems to propagate
through the IRC route, but I don't know which service.
I've manually removed it from the registry, the start
programs list in MSConfig and also removed the executable
and all is well with my PC. Looks like maybe Norton
haven't got around to protecting us users from it yet -
their website doesn't even mention it.
Don


 

Don


No, it's not that - it merely is a close spelling of it -
it actually seems to be a Trojan whose name's formed to
look similar (dropping the final s).
Don

 

milt


Thanks for the comments Don. I did disable it in Startup
and removed and "hid" the files in Startup Programs and
disabled the entries in System Config. Startup. I haven't
seen any problems. If all is O.K. for a week or so, I'll
completely delete them. I think I should probably
leave "mspmspv.exe" in the Windows\System 32 though.

Milt