What's "mspmspv.exe"?

Milt

Can you tell me what "mspmspv.exe" is/does? It is in
C:\Windows\System32. It's listed twice in msconfig\System
Configuration Utility\Startup. Once under
HKCU\Microsoft\Windows\Current Version\Run and once under
HKLM\Microsoft\Windows\Current Version\Run. There's also
an entry in C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\Microsoft Office.hta, which
generates this page at every bootup:
TG!¶'ò?²Ï#ª_þXgÒ­cöëÏ°ãª?Á<Z¶ëmÐöª_þX
 |¾"µÈó\έ
åªDw=ÿÿ?ÿÿ"IÁ<Z¶ëmÐöª_þX 2'?Item1¸
ÿÿ ?#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?_

It seems to generate a request for internet access in my
Zone Alarm firewall. It doesn't show up in SpyBot, AdAware
or NAV.

I'd like to get rid of the page but don't know if I should
delete the Registry entries, disable one or both entries
in msconfig\Startup or just delete the entry in
C:\Documents and Settings\All Users\Start
Menu\Programs\Startup. I'd like to know why it recently
appeared too.

Thanks,
Milt
 
Milt
The service allows WMDM (Windows Media Device Manager) to copy audio
content from a computer to a portable audio player.

http://www.neuber.com/taskmanager/process/mspmspsv.exe.html




 
Are you sure about the spelling of that file?

There is a legitimate XP file spelled "MsPMSPSv.exe" (extra S) that is
associated with the Windows Media Player DRM service. This is a service that
runs in XP, but I don't believe that it needs to be in the Start Up of
msconfig? You should remove this item from both "Run" locations in the
Registry. It can also be disabled in the Services, where it is shown as WMDM
PMSP Service.

If your spelling is correct, I would immediately remove all instances of
this file from the system.

The Microsoft Office.hta file is a mystery. An .hta file can execute code. I
would remove this file from the Start Up folder and place it in another
folder for the time being until you can determine where it came from.

Make sure that your anti-virus programs have the latest definition files and
run a complete scan from Safe Mode.
 
Thanks for the comments Ronnie. And yes, I spelled it
correctly. They're both in the System 32 file. I didn't
think that it needed to be in Start-up either. I searched
Google before posting this and couldn't find anything. But
I thought I'd see if anyone has had experience with it
before barging ahead. (I did recently install WMP 10. That
may be where it came from.) And my NAV, SpyBot and AdAware
are all kept up to date at all times.

Milt
 
Take a look at this link:
http://sophos.com/virusinfo/analyses/trojchuma.html
According to Sophos it's a new backdoor Trojan virus. I
found it on my machine exactly the same way you did - and
it didn't show up on my AdAware, Spybot or NAV either. My
Zonealarm also alerted me to it. Seems to propagate
through the IRC route, but I don't know which service.
I've manually removed it from the registry, the start
programs list in MSConfig and also removed the executable
and all is well with my PC. Looks like maybe Norton
haven't got around to protecting us users from it yet -
their website doesn't even mention it.
Don
 
No it's not that - it merely is a close spelling of it -
it actually seems to be a Trojan whose name's formed to
look similar (dropping the final s)
Don
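
The two checks discussed in the replies above (a file name one letter away from a legitimate one, and a script file sitting in the Startup folder), as an added example that is not part of the original thread. The allowlist, the location labels and the sample entries are constructed for illustration.

```python
import ntpath

# Assumption: a small allowlist of legitimate binary names; extend per environment.
KNOWN_GOOD = {"mspmspsv.exe", "svchost.exe", "explorer.exe", "ctfmon.exe"}
# Startup-folder file types that execute code when opened at logon.
SCRIPT_EXTS = {".hta", ".vbs", ".js", ".wsf", ".bat", ".cmd"}


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entries, max_dist=2):
    """Return (location, target, reason) for each suspicious autorun entry."""
    findings = []
    for location, target in entries:
        name = ntpath.basename(target).lower()
        ext = ntpath.splitext(name)[1]
        if "startup" in location.lower() and ext in SCRIPT_EXTS:
            findings.append((location, target, "script in Startup folder"))
        if name in KNOWN_GOOD:
            continue  # exact name match; path and signature still need checking
        near = sorted(g for g in KNOWN_GOOD if edit_distance(name, g) <= max_dist)
        if near:
            findings.append((location, target, "look-alike of " + near[0]))
    return findings


# Constructed sample, modelled on the entries described in the thread.
SAMPLE = [
    ("HKCU Run", r"C:\Windows\System32\mspmspv.exe"),
    ("HKLM Run", r"C:\Windows\System32\mspmspv.exe"),
    ("All Users Startup",
     r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta"),
    ("HKLM Run", r"C:\Windows\System32\ctfmon.exe"),
]

if __name__ == "__main__":
    for location, target, reason in triage(SAMPLE):
        print(f"{location:18} {reason:28} {target}")
```

This triage compares names only, so an entry that passes the allowlist still needs its full path and file signature checked.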
 
Thanks for the comments Don. I did disable it in Startup
and removed and "hid" the files in Startup Programs and
disabled the entries in System Config. Startup. I haven't
seen any problems. If all is O.K. for a week or so, I'll
completely delete them. I think I should probably
leave "mspmspv.exe" in the Windows\System 32 though.

Milt
 