-
July 21st, 2003, 03:17 PM
#1
Junior Member
Problem with PSPS.exe
I'm a newbie so treat me gently! Hello to everyone here. I am just a basic learner about security at this stage.
I don't know if this is a common problem. I have searched here and a few other sites and can find no mention of this file. So here goes.
I am running WIN98, a broadband connection, Sygate Personal Firewall, VET Antivirus and IE6. Sygate shows that when I startup, the program PSPS.exe creates a major incoming attack - so I've blocked it. This file is located at c:\windows\all users\start menu\programs\startup. It can't be deleted in Windows. I can no longer access the DOS command line by shutting down windows and restarting in DOS - the machine just locks up. The only way to get there is to use an emergency boot disk. When I do it seems impossible to delete this file - I finally worked out how and found that it reinstalls when you reboot into windows.
I don't know what this file is or actually does, or if it is something bad - but it does seem suspicious. But some other things have been happening recently on my machine which may or may not be related. The machine seems to stall regularly and just sit waiting for up to 10 or more seconds before it executes a command. I can't run defragmenter as the disk keeps getting accessed by something every 30 seconds or so - yet I've turned off the obvious things and it used to run without problems.
I've tried tracing the attack via Sygate and get this info from "whois" -
Performance Systems International Inc. (NET-PSINETA)
510 Huntmar Park Drive
Herndon, VA 22070
US
Netname: PSINETA
Netblock: 38.0.0.0 - 38.255.255.255
Maintainer: PSI
Coordinator:
PSINet, Inc. (PSI-NISC-ARIN) hostinfo@psi.com
(518) 283-8860
Domain System inverse mapping provided by:
NS.PSI.NET 38.8.48.2
NS2.PSI.NET 38.8.50.2
NS5.PSI.NET 38.8.5.2
Record last updated on 08-Aug-2002.
Database last updated on 23-Aug-2002 16:56:03 EDT.
but the web addresses seem to be a deadend.
Can anyone help?
Yours in secure anticipation!
powerd
-
July 21st, 2003, 03:38 PM
#2
I would suggest using msconfig, and checking your startup folder
start-->run-->type in "msconfig" Click the tab on the far left that says startup. You can try looking to see if that program might be in there.
I tried a Google search, but Google only gives me 4 websites for it. From these websites you can download it, but it seems like it's some type of MS-DOS utility. That's all I could find on it.
Here's some info about it from a website. I'm not sure if this is it but here's what I found.
PSPS v3.0 --- PostScript PrintScreen Utility
----- Copyright 1993 A.N.D. Technologies -----
----------------------------------------------
--------
OVERVIEW
--------
PSPS is a versatile screen dump tool for PostScript printers. PSPS allows
you to use the PrintScreen key (or Shift-PrintScreen) and capture screens
into PostScript format.
Feature list:
Output - to LPT port using BIOS or fast hardware port mode
- Encapsulated PostScript file or regular PostScript file
- Novell print queue
Text mode screens (any size)
Graphics adapters supported - MDA, CGA, Hercules, EGA, MCGA, VGA,
VESA Super VGA, or any graphics adapter which
supports Int 10 BIOS functions.
Printing modes - monochrome, reverse monochrome, grayscale,
reverse grayscale, color, reverse color
PostScript Level 2 support.
This version is much faster than previous versions of PSPS.
PSPS will not work with the extended graphics modes of 8514/A or XGA.
PostScript is a trademark of Adobe, Inc.
Windows and DOS are trademarks of Microsoft, Corp.
And of course Novell and IBM.
Source http://www.pma.caltech.edu/~dons/ph3-7/psps.txt
Hope I helped you some.
-
July 21st, 2003, 03:47 PM
#3
Powerd: Silly question...... How can a program on your machine create an _incoming_ attack? Can you show us the details of what Sygate is showing you?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
July 21st, 2003, 04:22 PM
#4
I'll take a guess and say that you opened an e-mail with the virus bugbear attached.
Check to see if your antivirus is still running when you boot.
If it still runs, scan your computer. Make sure that your engine and virus definition is up to date.
Hope this helps
-
July 21st, 2003, 11:12 PM
#5
Junior Member
Thanks for replies
Cheyenne1212 - yes it is in startup, but whatever I try doesn't delete it. I've just discovered that Sygate can terminate it but then I can't connect to my broadband. So maybe it is related to the broadband connection - I've just emailed them for ideas. I don't think it's Postscript related - firstly, it would probably identify itself as that, secondly I don't run a postscript printer, thirdly wouldn't that stuff be in a printer driver area?
Deadcrow - I run VET antivirus with recent update, it loads at boot and I've checked this file with it and it doesn't find anything suspicious.
Tiger Sark - not so silly, I thought of it too. Sygate says - PSPS.EXE - TCP - Listen - Location 1080 - IP is 0.0.0.0 - then the file location on my C:. Security log shows it as - Incoming - Major - Destination host 0.0.0.0 - Source (varies each logon, not traceable).
I don't even know if this file is a goodie or a baddie, but Sygate has raised my concern and some of its behaviour makes me suspicious.
powerd
-
July 22nd, 2003, 04:54 AM
#6
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
July 22nd, 2003, 07:41 AM
#7
Junior Member
Tedob1
No, it's not - it's a "bitza"
powerd
-
July 22nd, 2003, 10:59 AM
#8
Powerd: "Listen - Location 1080"....... "Source (varies each logon)"
Dunno about you but that sounds a lot like a proxy server to me. Seems like you were made into a "bounce station" to hide someone else's IP while they do the dirty deed. PSPS = * Proxy Server????
Look Here
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
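Added example, not part of the original thread: one way to check for the pattern described in post #8 (a listener on all interfaces on a proxy port, with inbound peers that vary) from `netstat -an` output. The sample text, the port list beyond 1080, and all function names are constructed for illustration.

```python
from collections import defaultdict

# Ports commonly used by proxy services; 1080 (SOCKS) is the one in this thread.
# The other entries are an assumption added for illustration.
PROXY_PORTS = {1080: "SOCKS", 3128: "HTTP proxy", 8080: "HTTP proxy"}

# Constructed sample in the layout of Windows `netstat -an` (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1080        198.51.100.7:4312      ESTABLISHED
  TCP    192.0.2.10:1080        203.0.113.44:2190      ESTABLISHED
  TCP    192.0.2.10:1212        203.0.113.80:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None if not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Return (local_host, local_port, remote_host, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skips the header, blank lines and UDP rows (which have no state column).
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        lhost, lport = split_endpoint(fields[1])
        rhost, _ = split_endpoint(fields[2])
        rows.append((lhost, lport, rhost, fields[3]))
    return rows

def find_proxy_listeners(text):
    """Flag proxy-port listeners bound to every interface, with their peers."""
    rows = parse_netstat(text)
    peers = defaultdict(set)
    for _, lport, rhost, state in rows:
        if state == "ESTABLISHED":
            peers[lport].add(rhost)
    findings = []
    for lhost, lport, _, state in rows:
        if state == "LISTENING" and lhost == "0.0.0.0" and lport in PROXY_PORTS:
            findings.append({"port": lport, "service": PROXY_PORTS[lport],
                             "remote_peers": sorted(peers[lport])})
    return findings

if __name__ == "__main__":
    for finding in find_proxy_listeners(SAMPLE):
        print(finding)
```

A listener on 0.0.0.0 accepts connections from any network the machine is attached to, which is why a firewall logs the resulting traffic as incoming even though the program is local.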
-
July 22nd, 2003, 10:09 PM
#9
Junior Member
powerd - I think you missed cheyenne1212's point. Click Start->Run->Type "msconfig"->Hit OK. This will bring up a list of everything that starts up on your computer, not just what's in the Startup folder. The best way to remove the program is to click on the far right tab, and uncheck anything that looks suspicious (most likely SPSP.exe will not appear there, the reinstalling program will, though). After you remove it from there, reboot your computer with a DOS disk (click start->settings->Control Panel->Add/Remove Programs->Windows Components->Make Boot Disk (I forget the exact wording of the last two buttons)). Then browse out to the place where the files you removed from startup are located and RENAME them (in case you accidentally unchecked a good program). Then go to your startup folder and delete SPSP.exe. By removing it from startup, and anything else that may be replacing it on boot, you can get rid of the program completely.
Good Luck, Hope this helped.
Intelligent people talk about ideas.
Average people talk about things.
Small people talk about other people.
-
July 25th, 2003, 12:20 AM
#10
Junior Member
Scittish
Thanks for the pointers. I have actually done this - PSPS.exe actually shows up there, but there is nothing else that suggests it is related to it there. If you turn it off, then it turns itself on on reboot. If you turn it off and remove it from the directory using a boot disk, it reinstalls itself and loads - but I cannot find from where.
Has me absolutely confused
powerd