how can i obtain an updated version of ptsnoop. my computer said it is outdated
how can i obtain an updated version of ptsnoop. my computer said it is outdated
Are you sure you want it?
Some people say it's a trojan, some say it's legitimate and is part of a modem's driver.
The best thing to do is to check for viruses.
Hi duveyduv - Welcome to the VirtualDr Forum. I really don't think you want one - see link ptsnoop. Follow the instructions and delete all relevant files.
Educated guess:
There is a legitimate ptsnoop and a trojan with the same name.
PCTel modems install the legitimate one, but it can be removed without wrecking anything.
The point is:
KILL IT!
It won't hurt and it might help.
hmmm. Spiny, you are right. It looks like the Anti Virus folk cannot work this one out. From Symantec:
"PTSNOOP is a token program that waits for a program to request the COM port to be opened. Then it makes sure that the modem drivers get loaded if they are not.
PTSNOOP can be found with several different modems, such as the MICOM HSP PCTEL and EPS Technology COMM WAVE PCMCIA modems. It is not mandatory for proper operation, and the manufacturers list removal of PTSNOOP in various steps of their troubleshooting procedures."
[This message has been edited by AnnMarie (edited 11-30-2001).]
On the other hand, Sophos says:
{Troj/Ptsnoop
Infects: Trojan horse
Memory resident: Yes
This is a backdoor Trojan. It copies itself to \windows\system\ptsnoop.exe and changes win.ini adding "c:\windows\system\ptsnoop.exe" to "load = ".
First reported in March 2001.}
I still think you should kill it, just to be sure.
[This message has been edited by Spiny (edited 11-30-2001).]
is it good enough to remove ptsnoop from sys config utility-startup tab, and uncheck it? or is there a registry hack needed... i'll 'go in' and do it with a little trepidation and some good directions, or vice versa.
and is it ok to do in win 98se also?
[This message has been edited by nlday (edited 12-01-2001).]
Hi nlday - I found the following instructions on the Driver Forum:
"To Remove ptsnoop (very quick & easy)
1) Click on START, then RUN
2) Type in sysedit, then click OK
3) Click on Win.ini tab/page
4) Look for (it's often listed very first)
load=ptsnoop.exe
run=C:\WINDOWS\SYSTEM\cmmpu.exe
NullPort=None
5) Delete all that, so it shows only the following;
load=
run=
NullPort=None
(simply click and drag over what needs removing, that will "Blue" it/Select it, then click Backspace)
6) At top of the SysEdit page, click on File & Save.
Restart your 'puter, either now or later, and upon restart ptsnoop will be permanently gone."
Also check the Windows Registry by selecting Start, Run, typing RegEdit, and pressing Enter. NB Always back up your Registry before making any changes.
Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you see a reference to Ptsnoop in the right window, simply highlight that reference and press Delete. Close the Registry. Restart Windows and you're finished.
If you are not confident in doing this, removing it from your startup routine should be sufficient to disable it.
[This message has been edited by AnnMarie (edited 12-02-2001).]
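The WIN.INI check described in the post above, as an added example that is not part of the original thread: a Python sketch that reads a copy of WIN.INI, lists what the `load=` and `run=` lines in `[windows]` start, and produces the cleaned text from step 5. The function names and the sample text are constructed for illustration. The space/comma separator is an assumption, and the registry Run key is not covered. It goes one step beyond the quoted steps by removing only the named programs and keeping any other entries on the same line.

```python
import ntpath
import re

# Constructed sample: the lines quoted in the post, plus an unrelated section.
SAMPLE_WIN_INI = ("[windows]\nload=ptsnoop.exe\n"
                  "run=C:\\WINDOWS\\SYSTEM\\cmmpu.exe\nNullPort=None\n"
                  "[Desktop]\nrun=not-an-autostart-line\n")


def _lines(ini_text):
    """Yield (raw_line, key, programs); key is None unless the line is a
    load=/run= entry inside the [windows] section."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section == "windows" and sep and key in ("load", "run"):
            # Assumption: multiple programs are separated by spaces or commas.
            yield raw, key, [p for p in re.split(r"[\s,]+", value) if p]
        else:
            yield raw, None, []


def autostart_entries(ini_text):
    """Return (key, program) pairs that WIN.INI starts at boot."""
    return [(k, p) for _, k, progs in _lines(ini_text) for p in progs]


def find_program(ini_text, name):
    """Entries whose file name equals `name`, ignoring case and directory."""
    return [(k, p) for k, p in autostart_entries(ini_text)
            if ntpath.basename(p).lower() == name.lower()]


def remove_programs(ini_text, names):
    """Return the text with the named programs dropped from load=/run= only."""
    drop = {n.lower() for n in names}
    out = []
    for raw, key, progs in _lines(ini_text):
        if key:
            keep = [p for p in progs if ntpath.basename(p).lower() not in drop]
            raw = key + "=" + " ".join(keep)
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run it against a copy of the file and compare the result with the original before saving anything back.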
thanks annmarie and happy monday to ya! i unchecked both ptsnoops on the startup tab, but after reboot, one of them comes back. so i'll follow your directions after i back up the registry.{i've got those directions around here somewhere}...or will it be disabled if only one is unchecked? (i have the hsp pc-tel modem.)
just one more question? is this registry hack the same on win 98se? i'll be doing it on that 'puter also.
[This message has been edited by nlday (edited 12-02-2001).]
Hmmm. Don't know why you have two ptsnoops nlday. Maybe it would be better if you ran a Trojan Scanner first before you do anything else. You can download a good free one - Ants v2 English Version from here Wilders. Some of the dialogue is still in German but you can download the translations from here Ants English Translation
ok heading over there. i've had norton internet security 2001 since feb. not having trouble. but let's take a look.
annmarie-i find trojan hunter v 2.0 nothing that says 'ants' so is trojan hunter the correct one?
Nope - had problems installing that one - it kept reporting a missing file - Ants is on the link below. Most AVs are not that good at picking up trojans nlday, it's a good idea to run a dedicated trojan detection program as well as your AV. http://www.wilders.org/downloads.htm
i found it and dl'd it. ran the scan of c: and then rescanned windows folder...no trojans found. so could it be--the 2 pt snoops-- is from an aborted DL of hsptel modem driver from windows update site. it told me it was available,tried twice but got a tan error box. this was actually on the win 98 puter.... discussion with triple 7...decided to leave well enough alone since modem is working well. then one more? the directions for removing ptsnoop will work on win98se as well? ps this trojan program is very nice-classy!
Hi again nlday - sorry, had to dash off to work and didn't see your last post. If you decide to remove PTSNOOP, I have posted this link which gives you full information on editing your registry Win98/ME Editing The Windows Registry. I guess I have a reservation in view of the conflicting reports on PTSNOOP. Like Triple 7's, I think if it's working well, it's best to leave it alone. Yes Ants is a great program, I'm pleased that you like it however neither Nav or Ants detected PTSNOOP as a trojan, so it may have been misdiagnosed.
thanks ann marie. for now i'll leave it alone, but will look over the registry procedures. in feb. i'll be doing a full restore anyway...lots of fun reinstalling everything???! but it is a rewarding pastime. thanks for the link to we- compute...lots of fun reading there,and i put it on my fav. list.
just did a complete scan with ants ...Beginne mit Scanvorgang ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Program Files\Real\RealJukebox\realjbox.exe könnte ein Trojaner sein! (13)
=> Programm schreibt in Registry (Run, RunOnce usw.) oder greift auf INIs zu!
=> Programm erfragt das System-Verzeichnis!
=> Programm erfragt das Windows-Verzeichnis!
=> Programm nutzt die WinSock-Schnittstelle!
=> Programm belegt einen Port!
=> Programm beinhaltet die Zeichenkette "Server"!
C:\cpqs\Backweb\Program\backweb.exe könnte ein Trojaner sein! (13)
=> Programm schreibt in Registry (Run, RunOnce usw.) oder greift auf INIs zu!
=> Programm erfragt das System-Verzeichnis!
=> Programm erfragt das Windows-Verzeichnis!
=> Programm nutzt die WinSock-Schnittstelle!
=> Programm beinhaltet die Zeichenkette "Server"!
=> Programm baut DialUp-Verbindungen auf!
Report vom 12/3/01
ANTS Version 2.0 mit 1606 geladenen Signaturen.
Es wurde wahrscheinlich ein Trojaner gefunden in:
C:\Program Files\Real\RealJukebox\realjbox.exe
Es wurde wahrscheinlich ein Trojaner gefunden in:
C:\cpqs\Backweb\Program\backweb.exe
Helfen Sie uns - übermitteln Sie die Scanresultate!
~~~~~~~~~~~~~~~~
Benötigte Zeit: 1140 Sekunden
anything to worry about? start a new thread? i can't find how to fix it if it needs to be fixed, will keep looking
[This message has been edited by nlday (edited 12-03-2001).]
Hi nlday - there is no problem. Ants is reporting that realjbox.exe and backweb.exe could be possible trojans however realjbox.exe is a valid plugin and backweb.exe is an updater normally loaded onto HP machines (and sometimes compaq) so unless you do not have RealJukeBox installed on your machine you have nothing to worry about.
thanks annmarie. trying to translate this german ...what a headache. here's a eng/german online dictionary i found http://dict.leo.org/
Thanks very much - it will be very handy (I'm running Ants too). Have added it to my favorites folder. Auf Wiedersehen https://discussions.virtualdr.com/
PTSnoop is completely unnecessary. It is also not spy or malware. If you're running Win 98 FE or SE use the System Configuration Utility to shut it off. You may have to delete it from your registry and the above utility (more than once after a restart) in that order.
First clean out your Startup folder - Start; Programs; Startup. Right click each item in turn there and choose delete. I have only 'swtray' there, the joystick driver, and it has to be there. On most machines you don't want anything in that folder.
Check your available resources by right-clicking My Computer; clicking Properties; Click the Performance tab. Resources available are displayed as percent there at top. Check it when you get done running the System Configuration Utility mentioned below.
Clicking Start; Run; typing 'msconfig', without the quotation marks, in the Run box and clicking OK; Then clicking the Startup tab; Uncheck anything you don't need running in the background. For reference on what's not needed running in the background in the System Configuration Utility view this website first and print out the list:
http://www2.whidbey.net/djdenham/Running_items.htm