Removing PTSnoop

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
Hi guys.

I'm trying to fix a 'freezing' problem in another thread and was wondering if any of you could help me remove PTSnoop from my PC.
I unchecked it from the Msconfig list, but today when I tried Ctrl+Alt+Del, a new (checked) version had appeared. If I don't need this file I'd rather get rid, especially if it could be trojanic.

Alternatively, if anyone can tell me a good reason to keep it, please do.

Gram
 

wen

Joined
Jun 17, 2001
Messages
601
if i remember rightly pt snoop is harmless, i have it, i think its linked to your modem somehow.

its in a few of the threads of a few months ago.

wen
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
THat's the impression I was under too, Wen, but from Savvy Lady's reply o my other problem:
Two descriptions I've come across - both valid as far as I can see :-
(1) Program installed with some modems that monitors the COM ports for the modem driver. Not needed from what I've read - may need a registry edit to get rid of it
(2) Backdoor trojan virus that copies itself as PTSNOOP.EXE -see here for more info...
http://www.f-secure.com/v-descs/ptsnoop.shtml
Gram
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
The following is a list of your current Start-Ups
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"SiS Tray"=""
"gnetmous"="C:\\Gmouse\\gnetmous.exe"
"Gearbox"="\"C:\\Program Files\\Gearbox Connection Kit\\bin\\confsvr.exe\""
"CountrySelection"="pctptt.exe"
"PTSNOOP"="ptsnoop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"OldRealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS


==========================================================================
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Hi,

The ptsnoop.exe file is installed with certain modems. The file watches the COM ports for activity and allocates system resources to open the port.

I'd just leave it alone.

You can disable SiS Tray (NOT Systray) and CountrySelection in Msconfig/startup.
They're not necessary.

I'm assuming here you're running Windows 98.

But I'm afraid that some stuff that is neccessary is actually absent:

You don't seem to have an antivirus or a firewall running, and both are absolutely vital .

And ScanRegistry isn't starting up either, which means that you have no recent Registry backup to fall back on, should something go seriously wrong.

I suggest you recheck that one in Msconfig/Startup.

If it's no longer there, please post back.

Good luck,
 
Joined
Dec 31, 2001
Messages
15
I checked the msconfig list and ScanReg is there and checked.
I'll leave PTSnoop alone, as long as it's not the trojan.
I've unchecked country selection and SiS tray (what is it anyway?).

I will shortly have ZA and Norton installed and protecting. I'll do a full check at that time.

Thanks guys.
If you're at all bored, why not pop over and see if you can help me in my other problems:

Manual Connection failing in Win XP

or

PC Freezing

Thanks again!
Gram
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hiya

Tony's right about the protection, and you don't have a trojan on there. Just update Norton when you get it, scan and keep it updated on a regular basis.

Regards

eddie
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
Okay, as I mentioned, I had already unchecked PTSnoop in the msconfig list, and a new checked version appeared. Same thing happened with CountrySelection. So now I have 2 of each in there. Can I remove the 'unchecked' versions in the registry?

Gram
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Yes, in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run- and RunServices-

Note the - (minus) sign behind Run and RunServices.

In those two subkeys you'll find the Msconfig/startup entries that are UNchecked.
Highlight the ones you'd like to get rid of in the RIGHT pane, and choose 'delete'.

Good luck,
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Adding to that, one or two might turn up in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run- as well, if they're not in HKEY_LOCAL_MACHINE.
 

Gram123

Thread Starter
Joined
Mar 15, 2001
Messages
1,829
Cheers Tony.
Does the minus sign signify those that have ben unchecked?

Gram
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top