
PTSnoop.exe 2

Status
Not open for further replies.

cdogg

Technical User
Jul 30, 2001
7,785
US
Has anyone come across a good way to remove this infection on an older Windows 98SE PC? Trying to help out a friend, and spyware scanners seem to ignore it.

From what I've found, it can be one of two things:

1) Related to PCTel modems
2) Backdoor trojan that keeps respawning


It seems to be scenario #2 in this case, and McAfee Virus Scan doesn't seem to pick it up.

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
 
Forgot to mention that one of the main issues here is that the PC will boot into Safe Mode and Explorer.exe works fine. I can browse the hard drive and execute the virus and spyware scans.

When booting into Normal Mode, explorer.exe locks up as soon as I try to open My Computer or open anything that searches for local drives.

I've cleaned out Win.ini, system.ini, and autoexec.bat, not to mention the registry for anything that seemed related to PTSnoop. The entry keeps reappearing in the Registry under RUN, but the EXE has been deleted.
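One defender-side check that follows from the point above (a Run entry that persists after the executable has been deleted), as an added example that is not part of this thread: a Python script that reads a Windows 9x REGEDIT4 export, lists every autostart entry under the Run/RunOnce/RunServices keys, and flags any whose name is on a watchlist (PTSnoop, from this thread) or whose target executable cannot be found. The .reg text, the set of files "on disk" and the search path are constructed sample data; on a real machine you would export the keys with regedit and build the file set from a directory walk of the mounted drive.

```python
"""Audit autostart (Run/RunServices) entries in a Windows 9x REGEDIT4 export.

Added example, not code from the thread. Sample export, file list and
search path below are constructed stand-ins for a real Win98 system.
"""
import re
from typing import Dict, List

# Registry keys that launch programs at logon/boot on Windows 9x.
AUTOSTART_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE
)
# A REGEDIT4 string value line looks like: "Name"="value"
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
# Executable names worth flagging regardless of whether the file exists.
WATCHLIST = {"ptsnoop.exe"}

# Constructed sample .reg export (REGEDIT4 is the Win9x export header).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"PTSNOOP"="ptsnoop.exe"
"SystemTray"="SysTray.Exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

# Constructed stand-in for a listing of the scanned disk (lower-case paths).
FILES_ON_DISK = {
    r"c:\windows\scanregw.exe",
    r"c:\windows\system\systray.exe",
    r"c:\windows\rundll32.exe",
}
# Directories Windows 9x searches for a bare executable name.
SEARCH_PATH = [r"c:\windows", r"c:\windows\system", r"c:\windows\command"]


def unescape_reg_string(s: str) -> str:
    """REGEDIT4 doubles backslashes and escapes quotes inside string values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def executable_of(command: str) -> str:
    """Return the program part of a command line (quotes and arguments stripped)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def resolve(exe: str, files_on_disk, search_path) -> bool:
    """True if exe (absolute, or a bare name searched along search_path) exists."""
    exe = exe.lower()
    if "\\" in exe or ":" in exe:
        return exe in files_on_disk
    return any(f"{d}\\{exe}" in files_on_disk for d in search_path)


def parse_autostart(reg_text: str) -> List[Dict[str, str]]:
    """Collect (key, name, command) for every value under an autostart key."""
    entries = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_key = key if AUTOSTART_KEY_RE.search(key) else None
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": current_key, "name": m.group(1),
                            "command": unescape_reg_string(m.group(2))})
    return entries


def audit(reg_text: str, files_on_disk=FILES_ON_DISK, search_path=SEARCH_PATH) -> List[Dict[str, str]]:
    """Flag autostart entries on the watchlist or pointing at a missing executable."""
    findings = []
    for e in parse_autostart(reg_text):
        exe = executable_of(e["command"])
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if base in WATCHLIST:
            reasons.append("watchlist")
        if not resolve(exe, files_on_disk, search_path):
            reasons.append("missing executable")
        if reasons:
            findings.append({**e, "exe": exe, "reasons": ", ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f'{f["key"]}\\{f["name"]}: {f["command"]!r} -> {f["reasons"]}')
```

An entry that is both on the watchlist and points at a file that no longer exists is exactly the "keeps reappearing after the EXE was deleted" situation: the loader is still registered, so something else (a driver, a second autostart location, or the modem software) is re-creating the value and is the thing to look for next.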
 
cdogg:

It was a PCTel modem that gave me this problem on a Compaq. Removed PTSnoop as in the following link and modem functioned as it should.
Tried the same in an Advent and it did not work so replaced the modem, end of problem.



HTH




Ted

"The difference between a misfortune and a calamity is this: If Gladstone fell into the Thames, it would be a misfortune. But if someone dragged him out again, that would be a calamity."
Benjamin Disraeli.
 
Thanks, that helps. Yeah, it's an older Compaq. I'll try removing the modem which isn't even used anymore and see if that helps. I'm not sure if there's something else running that's causing the explorer.exe hang issue, but I'll run Hijack This! and find out...

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
 
Hi cdogg

Another possibility for ptsnoop is something relating to video palette. I can't remember exactly what it is, but there is some setting in the BIOS that can be enabled/disabled - at least on some machines - that will cause ptsnoop to appear/disappear. I have been ignoring ptsnoop in 9x HijackThis logs because of that.

I'm not good enough to know all the cases where this is appropriate and where it's not:
but it has helped users a couple of times in a final cleanup after fixing lop.



-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Thanks. At this point, however, it has become a larger problem than just PTSnoop. Explorer will not let me browse any of the hard drives unless I'm in Safe Mode. I suspect there are some corrupted entries in Win.ini or System.ini.

I have my finger on the red FORMAT button, so this may all be over soon. I don't know if the PCTel modem issue is causing the Explorer problem, and I don't think I'm going to spend too much more time messing with it!

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
 
@cdogg

I have my finger on the red FORMAT button, so this may all be over soon.

Do it!

"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy"
Albert Einstein
 
@diogenes10 - FYI starting with XP SP2, Internet Explorer's main files as well as DLLs can be reregistered using a simple command: iexplorer.exe /rereg

@cdogg - do a repair installation, ie. install w98 over itself, I believe that either a hardware driver or explorer.exe itself may be infected and thus causing the problems...


Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Ben,

That's exactly what I did last night, reinstalled Windows overtop. Some improvement was noticed with boot times, and explorer now works for a short amount of time (like 5 minutes).

Then it dies saying there was an "invalid page fault in module <unknown>".

I also tried replacing system.ini and win.ini with backups (autoexec.bat and config.sys were identical to their backups). This helped other small issues like the mouse, screen resolution, and wallpaper, but didn't affect the "explorer" problem.
__________________________________________________________


Now here's the kicker...

I installed Norton Antivirus and got an error after rebooting (the user had an outdated version of McAfee which I removed first). The error said that something unknown was trying to change the app's settings and that the Antivirus installation configuration would be undone - or something to that effect. The error also noted that a virus could be causing the trouble.

So I did a scan from the CD at an MS-DOS prompt and it found nada. That's right, "format" is upon us!

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
 
@cdogg - I use FPROT (with updated definitions) from DOS, ergo no windows interference, when I encounter a nasty like that...

doing a fresh install would probably be the best avenue to head to... usually once a virus hits, system integrity is already breached; some are easy to remove, with others you're just plain out of luck and need to reformat/fixmbr/and install the OS new...

good hunting and good luck...




Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
I've had fairly good success with badly infected systems by taking the offending hard disk and attaching it to a known good clean W2K system with Norton already installed. Ran Norton on the temporarily attached drive, and it usually cleans off what it's caught... Good luck cdogg.

ROGER - G0AOZ.
 
Roger,
Yeah, I considered that too. Unfortunately I was feeling too lazy and noticed that there were also just too many device driver issues to deal with. Turns out I reformatted last night and I'm just waiting to finish loading drivers and patch it up online.

Thanks everyone for your suggestions...

~cdogg
"Insanity: doing the same thing over and over again and expecting different results." - Albert Einstein
For general rules and guidelines to get better answers, click here: faq219-2884
 
cdogg:

Found some old notes re Compaq Presario.

Did a reinstall using the recovery disk; the same problem occurred. It wasn't an infection, explorer was corrupted.
Then formatted the hdd; when I tried the recovery CD it would not function without the serial number. This I entered and everything worked as it should.

Most probably of no help to you (may help another member with the same problem) and sorry if this is a bit late.



Ted

"The difference between a misfortune and a calamity is this: If Gladstone fell into the Thames, it would be a misfortune. But if someone dragged him out again, that would be a calamity."
Benjamin Disraeli.
 