May 4th, 2002, 04:15 PM
I think I have spyware help help help!
Hello www.Antionline.com members, I am a new user to the Windows 98 environment. When I push Control + Alt + Delete I see this program called "Ptsnoop". Now, I never installed it on my computer, I have .VBS (Visual Basic Scripting) turned off and I have Sygate as my firewall. And I am currently using 2 proxies on this computer, Multi proxy and Moxi Logic Server. Can someone please tell me how this got on my computer and what this program is? And yes, I did a search for it but no good results, so I am writing this for help. Thank you, Blunt 23
May 4th, 2002, 04:27 PM
Good guess. Trojan it is indeed.
*bows to the Gods of google*
F-Secure Virus Descriptions
Ptsnoop is a simple backdoor program written in Visual Basic. Being activated it first looks for active RAS connections and exits immediately if none is found.
If a connection is present, the backdoor installs itself to system by copying itself as PTSNOOP.EXE file to \Windows\System\ directory and modifying WIN.INI file. The backdoor adds its execution string after LOAD= variable in [Windows] section of WIN.INI file. During this operation WIN.INI file gets copied to WIN.ANA file, the backdoor's execution string is then added and WIN.INI file is deleted. Then WIN.ANA file is renamed to WIN.INI file. This way the backdoor will become active every time Windows starts.
Being active the backdoor tries to connect to the following websites:
When the connection succeeds, the backdoor clips cursor to a certain area and allows a hacker or script on these websites to control mouse movement and window positions. It is not clear why this is done and it is impossible to check any more because the contents of the above mentioned websites were changed or removed.
The idea might have been to make a user click on certain areas of a website to download or run a script or binary from there. In any case, this backdoor should be deleted from a system and WIN.INI file should be cleaned from backdoor's execution string after LOAD= variable.
It should be noted that software packages for certain modems contain PTSNOOP.EXE files, but these are not trojans. If you are not sure if that file is a trojan or not, use F-Secure Anti-Virus to check it out.
[Analysis: Alexey Podrezov; F-Secure Corp.; September 2001]
I don't have time to look up removal instructions at the moment. Sorry, hope someone else can help. (In class.)
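Added example, not part of the original posts or of F-Secure's write-up: a small Python check for the persistence point described above, the LOAD= line in the [Windows] section of WIN.INI. The sample WIN.INI text is constructed, the function names are hypothetical, and the check also reads the section's run= line, which goes beyond the LOAD= case the description mentions.

```python
import re

# Constructed sample WIN.INI content (not taken from a real system).
SAMPLE_WIN_INI = """\
[windows]
load=C:\\WINDOWS\\SYSTEM\\PTSNOOP.EXE
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SUSPECT = "ptsnoop.exe"  # file name given in the F-Secure description


def startup_entries(ini_text):
    """Return [(line_no, key, [programs])] for load=/run= in the [windows] section."""
    found, section = [], None
    for no, line in enumerate(ini_text.splitlines(), 1):
        stripped = line.strip()
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in stripped or stripped.startswith(";"):
            continue
        key, value = stripped.split("=", 1)
        if key.strip().lower() in ("load", "run"):
            # Entries are separated by spaces or commas; this simple split
            # assumes paths without embedded spaces.
            progs = [p for p in re.split(r"[ ,]+", value.strip()) if p]
            found.append((no, key.strip().lower(), progs))
    return found


def flag_suspect(ini_text, name=SUSPECT):
    """Return (line_no, key, program) for startup entries whose file name is `name`."""
    hits = []
    for no, key, progs in startup_entries(ini_text):
        for prog in progs:
            if re.split(r"[\\/]", prog)[-1].lower() == name:
                hits.append((no, key, prog))
    return hits


if __name__ == "__main__":
    for no, key, prog in flag_suspect(SAMPLE_WIN_INI):
        print(f"WIN.INI line {no}: {key}= starts {prog}")
```

A hit only shows that the file is started from WIN.INI; as the description notes, some modem software packages ship a legitimate PTSNOOP.EXE, so the file still needs to be checked with a scanner before anything is removed.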
May 4th, 2002, 04:35 PM
May 4th, 2002, 05:47 PM
Just a little note on this, I use a program that can be downloaded from here. It's called ad-ware, it checks through your registry and your drives for spyware.
May 4th, 2002, 06:03 PM
Found this while looking for removal stuff. Looks like it is most -likely- a trojan, but is also the name for something your modem may actually need to function. Some kind of port snooper.
*BEWARE* PTSnoop.exe is also the name of a background program that comes with PCtel Modems. If you have a modem with a PCtel chipset it is likely that PTsnoop.exe is working in the background for the modem. I believe it is something to do with the type of modem that uses DSP (digital signal processing) where some of the modem tasks are carried out by the CPU. This makes for cheaper modems. Unfortunately there is a backdoor program that uses this name too. If you have a PCtel modem I would dig out the drivers for it before deleting PTsnoop just in case.
No worries acid. More info never hurt anyone.