1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Removing PTSnoop

Discussion in 'All Other Software' started by Gram123, Jan 3, 2002.

Thread Status:
Not open for further replies.
Advertisement
  1. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    Hi guys.

    I'm trying to fix a 'freezing' problem in another thread and was wondering if any of you could help me remove PTSnoop from my PC.
    I unchecked it from the Msconfig list, but today when I tried Ctrl+Alt+Del, a new (checked) version had appeared. If I don't need this file I'd rather get rid, especially if it could be trojanic.

    Alternatively, if anyone can tell me a good reason to keep it, please do.

    Gram
     
  2. wen

    wen

    Joined:
    Jun 17, 2001
    Messages:
    601
    if i remember rightly pt snoop is harmless, i have it, i think its linked to your modem somehow.

    its in a few of the threads of a few months ago.

    wen
     
  3. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    THat's the impression I was under too, Wen, but from Savvy Lady's reply o my other problem:
    Gram
     
  4. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,102
  5. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    The following is a list of your current Start-Ups
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "SystemTray"="SysTray.Exe"
    "SiS Tray"=""
    "gnetmous"="C:\\Gmouse\\gnetmous.exe"
    "Gearbox"="\"C:\\Program Files\\Gearbox Connection Kit\\bin\\confsvr.exe\""
    "CountrySelection"="pctptt.exe"
    "PTSNOOP"="ptsnoop.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
    mode con codepage select=850
    keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    -================================-
    StubPaths - Registry (Partial Listing)
    -================================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "OldRealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"=""
    "StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-


    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    windir=C:\WINDOWS


    ==========================================================================
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi,

    The ptsnoop.exe file is installed with certain modems. The file watches the COM ports for activity and allocates system resources to open the port.

    I'd just leave it alone.

    You can disable SiS Tray (NOT Systray) and CountrySelection in Msconfig/startup.
    They're not necessary.

    I'm assuming here you're running Windows 98.

    But I'm afraid that some stuff that is neccessary is actually absent:

    You don't seem to have an antivirus or a firewall running, and both are absolutely vital .

    And ScanRegistry isn't starting up either, which means that you have no recent Registry backup to fall back on, should something go seriously wrong.

    I suggest you recheck that one in Msconfig/Startup.

    If it's no longer there, please post back.

    Good luck,
     
  7. Marc123

    Marc123

    Joined:
    Dec 31, 2001
    Messages:
    15
    I checked the msconfig list and ScanReg is there and checked.
    I'll leave PTSnoop alone, as long as it's not the trojan.
    I've unchecked country selection and SiS tray (what is it anyway?).

    I will shortly have ZA and Norton installed and protecting. I'll do a full check at that time.

    Thanks guys.
    If you're at all bored, why not pop over and see if you can help me in my other problems:

    Manual Connection failing in Win XP

    or

    PC Freezing

    Thanks again!
    Gram
     
  8. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,102
    Hiya

    Tony's right about the protection, and you don't have a trojan on there. Just update Norton when you get it, scan and keep it updated on a regular basis.

    Regards

    eddie
     
  9. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    Okay, as I mentioned, I had already unchecked PTSnoop in the msconfig list, and a new checked version appeared. Same thing happened with CountrySelection. So now I have 2 of each in there. Can I remove the 'unchecked' versions in the registry?

    Gram
     
  10. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Yes, in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run- and RunServices-

    Note the - (minus) sign behind Run and RunServices.

    In those two subkeys you'll find the Msconfig/startup entries that are UNchecked.
    Highlight the ones you'd like to get rid of in the RIGHT pane, and choose 'delete'.

    Good luck,
     
  11. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Adding to that, one or two might turn up in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run- as well, if they're not in HKEY_LOCAL_MACHINE.
     
  12. Gram123

    Gram123 Thread Starter

    Joined:
    Mar 15, 2001
    Messages:
    1,829
    Cheers Tony.
    Does the minus sign signify those that have ben unchecked?

    Gram
     
  13. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Yes.

    If programs are registered to run at startup they're in the Run, RunServices, and RunOnce keys, and if you disable them they go to Run- and RunServices-

    And others are loaded from your Startup folder, of course, and if you disable those through Msconfig/startup, a new folder Disabled Startup Items is created

    Useful article: INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup (Q179365)
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Removing PTSnoop
  1. staffingpro
    Replies:
    4
    Views:
    551
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/64069

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice