Removing PTSnoop

[Gram123]

Hi guys.

I'm trying to fix a 'freezing' problem in another thread and was wondering if any of you could help me remove PTSnoop from my PC.
I unchecked it from the Msconfig list, but today when I tried Ctrl+Alt+Del, a new (checked) version had appeared. If I don't need this file I'd rather get rid, especially if it could be trojanic.

Alternatively, if anyone can tell me a good reason to keep it, please do.

Gram

 

[wen]

if i remember rightly pt snoop is harmless, i have it, i think its linked to your modem somehow.

its in a few of the threads of a few months ago.

wen

 

[Gram123]

THat's the impression I was under too, Wen, but from Savvy Lady's reply o my other problem:

Two descriptions I've come across - both valid as far as I can see :-
(1) Program installed with some modems that monitors the COM ports for the modem driver. Not needed from what I've read - may need a registry edit to get rid of it
(2) Backdoor trojan virus that copies itself as PTSNOOP.EXE -see here for more info...
http://www.f-secure.com/v-descs/ptsnoop.shtml

Gram

 

[eddie5659]

Gram

Check here:

http://housecall.antivirus.com/housecall/start_corp.asp

and also get startup log and run it from here:

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

Let the DOS window close, then copy/paste the list here.

More than likely, its the first and not a trojan, but lets be safe.

Regards

eddie

 

[Gram123]

The following is a list of your current Start-Ups
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"SiS Tray"=""
"gnetmous"="C:\\Gmouse\\gnetmous.exe"
"Gearbox"="\"C:\\Program Files\\Gearbox Connection Kit\\bin\\confsvr.exe\""
"CountrySelection"="pctptt.exe"
"PTSNOOP"="ptsnoop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"OldRealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS


==========================================================================

 

[TonyKlein]

Hi,

The ptsnoop.exe file is installed with certain modems. The file watches the COM ports for activity and allocates system resources to open the port.

I'd just leave it alone.

You can disable SiS Tray (NOT Systray) and CountrySelection in Msconfig/startup.
They're not necessary.

I'm assuming here you're running Windows 98.

But I'm afraid that some stuff that is neccessary is actually absent:

You don't seem to have an antivirus or a firewall running, and both are absolutely vital .

And ScanRegistry isn't starting up either, which means that you have no recent Registry backup to fall back on, should something go seriously wrong.

I suggest you recheck that one in Msconfig/Startup.

If it's no longer there, please post back.

Good luck,

 

[Marc123]

I checked the msconfig list and ScanReg is there and checked.
I'll leave PTSnoop alone, as long as it's not the trojan.
I've unchecked country selection and SiS tray (what is it anyway?).

I will shortly have ZA and Norton installed and protecting. I'll do a full check at that time.

Thanks guys.
If you're at all bored, why not pop over and see if you can help me in my other problems:

Manual Connection failing in Win XP

or

PC Freezing

Thanks again!
Gram

 

[eddie5659]

Hiya

Tony's right about the protection, and you don't have a trojan on there. Just update Norton when you get it, scan and keep it updated on a regular basis.

Regards

eddie

 

[Gram123]

Okay, as I mentioned, I had already unchecked PTSnoop in the msconfig list, and a new checked version appeared. Same thing happened with CountrySelection. So now I have 2 of each in there. Can I remove the 'unchecked' versions in the registry?

Gram

 

[TonyKlein]

Yes, in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run- and RunServices-

Note the - (minus) sign behind Run and RunServices.

In those two subkeys you'll find the Msconfig/startup entries that are UNchecked.
Highlight the ones you'd like to get rid of in the RIGHT pane, and choose 'delete'.

Good luck,

 

[TonyKlein]

Adding to that, one or two might turn up in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run- as well, if they're not in HKEY_LOCAL_MACHINE.

 

[Gram123]

Cheers Tony.
Does the minus sign signify those that have ben unchecked?

Gram

 

[TonyKlein]

Yes.

If programs are registered to run at startup they're in the Run, RunServices, and RunOnce keys, and if you disable them they go to Run- and RunServices-

And others are loaded from your Startup folder, of course, and if you disable those through Msconfig/startup, a new folder Disabled Startup Items is created

Useful article: INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup (Q179365)