Results 1 to 10 of 10

Thread: Problem with PSPS.exe

  1. #1
    Junior Member
    Join Date
    Jul 2003
    Posts
    4

    Problem with PSPS.exe

    I'm a newbie so treat me gently! Hello to everyone here. I am just a basic learner about security at this stage.

    I don't know if this is is a common problem. I have searched here and a few other sites and can find no mention of this file. So here goes.

    I am running WIN98, a broadband connection, Sygate Personal Firewall, VET Antivirus and IE6. Sygate shows that when I startup, the program PSPS.exe creates a major incoming attack - so I've blocked it. This file is located at c:\windows\all users\start menu\programs\startup. It can't be deleted in Windows. I can no longer access the DOS command line by shutting down windows and restarting in DOS - the machine just locks up. The only way to get there is to use an emergency boot disk. When I do it seems impossible to delete this file - I finally worked out how and found that it reinstalls when you reboot into windows.

    I don't know what this file is or actually does, or if it is something bad - but is does seem supicious. But some other things have been happening recently on my machine which may or may not be related. The machine seems to stall regularly and just sit waiting for up to 10 or more seconds before it executes a command. I can't run defragmenter as the disk keeps getting accessed by something every 30 seconds or so - yet I've turned off the obvious things and it used to run without problems.

    I've tried tracing the attack via Sygate and get this info from "whois" -

    Performance Systems International Inc. (NET-PSINETA)
    510 Huntmar Park Drive
    Herndon, VA 22070
    US

    Netname: PSINETA
    Netblock: 38.0.0.0 - 38.255.255.255
    Maintainer: PSI

    Coordinator:
    PSINet, Inc. (PSI-NISC-ARIN) hostinfo@psi.com
    (518) 283-8860

    Domain System inverse mapping provided by:

    NS.PSI.NET 38.8.48.2
    NS2.PSI.NET 38.8.50.2
    NS5.PSI.NET 38.8.5.2

    Record last updated on 08-Aug-2002.
    Database last updated on 23-Aug-2002 16:56:03 EDT.

    but the web addresses seem to be a deadend.

    Can anyone help?

    Yours in secure anticipation!

    powerd

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I would suggest using msconfig, and checking your startup folder

    start-->run-->type in "msconfig" Click the tab on the far left that says startup. You can try looking to see if that program might be in there.

    I tried a google search, but google only gives me 4 websites for it. From these websites you can download it, but it seems like its some type of MS-DOS utility. Thats all I could find on it.

    Heres some info about it from a website. I'm not sure if this is it but heres what I found.

    PSPS v3.0 --- PostScript PrintScreen Utility
    ----- Copyright 1993 A.N.D. Technologies -----
    ----------------------------------------------

    --------
    OVERVIEW
    --------

    PSPS is a versatile screen dump tool for PostScript printers. PSPS allows
    you to use the PrintScreen key (or Shift-PrintScreen) and capture screens
    into PostScript format.

    Feature list:

    Output - to LPT port using BIOS or fast hardware port mode
    - Encapsulated PostScript file or regular PostScript file
    - Novell print queue

    Text mode screens (any size)

    Graphics adapters supported - MDA, CGA, Hercules, EGA, MCGA, VGA,
    VESA Super VGA, or any graphics adapter which
    supports Int 10 BIOS functions.

    Printing modes - monochrome, reverse monochrome, grayscale,
    reverse grayscale, color, reverse color

    PostScript Level 2 support.

    This version is much faster than previous versions of PSPS.

    PSPS will not work with the extended graphics modes of 8514/A or XGA.

    PostScript is a trademark of Adobe, Inc.
    Windows and DOS are trademarks of Microsoft, Corp.
    And of course Novell and IBM.
    Source http://www.pma.caltech.edu/~dons/ph3-7/psps.txt
    Hope I helped you some.
    =

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Powerd: Silly question...... How can a program on your machine create an _incoming_ attack? Can you show us the details of what Sygate is showing you?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    I'll take a guess and say that you opened an e-mail with the virus bugbear attached.

    Check to see if your antivirus is still running when you boot.
    If it still runs, scan your computer. Make sure that your engine and virus definition is up to date.


    Hope this helps

  5. #5
    Junior Member
    Join Date
    Jul 2003
    Posts
    4
    Thanks for replies

    Cheyenne1212 - yes it is in startup, but whatever I try doesn't delte it. I've just discovered that Sygate can terminate it but then I can't connect to my broadband. So maybe it is related to the broadband connection - I've just emailed them for ideas. I don't think its Postscript related - firstly, it would probably identify itself as that, secondly I don'r run a postscript printer, thirdly wouldn't that stuff be in a printer driver area?

    Deadcrow - I run VET antivirus with recent update, it loads at boot and I've checked this file with it and it doesn't find anything suspicious.

    Tiger Sark - not so silly, I thought of it too. Sygate says - PSPS.EXE - TCP - Listen - Location 1080 - IP is 0.0.0.0 - then the file location on my C:. Security log show it as - Incoming - Major - Destination host 0.0.0.0 - Source (varies each logon, not traceable).

    I don't even know if this file is a goodie or a baddie, but Sygate has raised my concern and some of its behaviour makes me suspicious.


    powerd

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    is it an HP box?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Junior Member
    Join Date
    Jul 2003
    Posts
    4
    Tedob1

    No, its not - its a "bitza"

    powerd

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Powerd: "Listen - Location 1080"....... "Source (varies each logon)"

    Dunno about you but that sounds a lot like a proxy server to me. Seems like you were made into a "bounce station" to hide someone else's IP while they do the dirty deed. PSPS = * Proxy Server????

    Look Here
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Junior Member
    Join Date
    Feb 2003
    Posts
    12
    powerd - I think you missed cheyenne1212's point. Click Start->Run->Type "msconfig"->Hit OK. This will bring up a list of everything that starts up on your computer, not just what's in the Startup folder. The best way to remove the program is to click on the far right tab, and uncheck anything that looks suspisious (most likely SPSP.exe will not appear there, the reinstalling program will, though). After you remove it from there, reboot your computer with a DOS disk (click start->settings->Control Panel->Add/Remove Programs->Windows Components->Make Boot Disk (I forget the exact wording of the last two buttons.). Then browse out to the place where the files you removed from startup are located and RENAME them (in case you accidentally unchecked a good program). Then go to your startup folder and delete SPSP.exe. By removing it from startup, and anything else that may be replacing it on boot, you can get rid of the program completely.

    Good Luck, Hope this helped.
    Intelligent people talk about ideas.
    Average people talk about things.
    Small people talk about other people.

  10. #10
    Junior Member
    Join Date
    Jul 2003
    Posts
    4
    Scittish

    Thanks for the pointers. I have actually done this - PSPS.exe actually shows up there, but there is nothing else that suggests it is related to it there. If you turn it off, then it turns itself on on reboot. If you turn it off and remove it from the directory using a boot disk, it reinstalls itself and loads - but I cannot find from where.

    Has me absolutely confused

    powerd

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •