Removing PTSnoop

Hi guys.

I'm trying to fix a 'freezing' problem in another thread and was wondering if any of you could help me remove PTSnoop from my PC.
I unchecked it from the Msconfig list, but today when I tried Ctrl+Alt+Del, a new (checked) version had appeared. If I don't need this file I'd rather get rid, especially if it could be trojanic.

Alternatively, if anyone can tell me a good reason to keep it, please do.

Gram

 

if i remember rightly pt snoop is harmless, i have it, i think its linked to your modem somehow.

its in a few of the threads of a few months ago.

wen

 

THat's the impression I was under too, Wen, but from Savvy Lady's reply o my other problem:

Gram

 

The following is a list of your current Start-Ups
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"SiS Tray"=""
"gnetmous"="C:\\Gmouse\\gnetmous.exe"
"Gearbox"="\"C:\\Program Files\\Gearbox Connection Kit\\bin\\confsvr.exe\""
"CountrySelection"="pctptt.exe"
"PTSNOOP"="ptsnoop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"OldRealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS


==========================================================================

 

Hi,

The ptsnoop.exe file is installed with certain modems. The file watches the COM ports for activity and allocates system resources to open the port.

I'd just leave it alone.

You can disable SiS Tray (NOT Systray) and CountrySelection in Msconfig/startup.
They're not necessary.

I'm assuming here you're running Windows 98.

But I'm afraid that some stuff that is neccessary is actually absent:

You don't seem to have an antivirus or a firewall running, and both are absolutely vital .

And ScanRegistry isn't starting up either, which means that you have no recent Registry backup to fall back on, should something go seriously wrong.

I suggest you recheck that one in Msconfig/Startup.

If it's no longer there, please post back.

Good luck,

 

I checked the msconfig list and ScanReg is there and checked.
I'll leave PTSnoop alone, as long as it's not the trojan.
I've unchecked country selection and SiS tray (what is it anyway?).

I will shortly have ZA and Norton installed and protecting. I'll do a full check at that time.

Thanks guys.
If you're at all bored, why not pop over and see if you can help me in my other problems:

Manual Connection failing in Win XP

or

PC Freezing

Thanks again!
Gram

 

Okay, as I mentioned, I had already unchecked PTSnoop in the msconfig list, and a new checked version appeared. Same thing happened with CountrySelection. So now I have 2 of each in there. Can I remove the 'unchecked' versions in the registry?

Gram

 

Yes, in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run- and RunServices-

Note the - (minus) sign behind Run and RunServices.

In those two subkeys you'll find the Msconfig/startup entries that are UNchecked.
Highlight the ones you'd like to get rid of in the RIGHT pane, and choose 'delete'.

Good luck,

 

Adding to that, one or two might turn up in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run- as well, if they're not in HKEY_LOCAL_MACHINE.

 

Cheers Tony.
Does the minus sign signify those that have ben unchecked?

Gram

 

Yes.

If programs are registered to run at startup they're in the Run, RunServices, and RunOnce keys, and if you disable them they go to Run- and RunServices-

And others are loaded from your Startup folder, of course, and if you disable those through Msconfig/startup, a new folder Disabled Startup Items is created

Useful article: INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup (Q179365)