Free Republic
Need Freeper Help
EZ Trust ^ | 10/2/2003 | Myself

Posted on 10/02/2003 2:19:49 AM PDT by ex-Texan

I have just determined that my computer is infected with a Trojan called "ptsnoop." I looked up this trojan on the Internet and learned that it may reconfigure itself as a WIN.INI file. I am running eTrust EZ Antivirus software and it has not detected this trojan and has not removed it.

According to posts on the Internet I have read, ptsnoop allows people to load it from a web site undetected by most firewalls.

I need help to remove it. I have located this Trojan and attempted to uninstall it. No luck so far.

Any suggestions?


TOPICS: Crime/Corruption; Culture/Society
KEYWORDS: enantivirus; ptsnoop; trojans; viruses

1 posted on 10/02/2003 2:19:50 AM PDT by ex-Texan

To: ex-Texan
Let me be the first to say this...Get a Mac, or go Penguin. :) Now that we've got that out of the way, you can go to http://securityresponse.symantec.com/avcenter/tools.list.html and download the specific tool.
2 posted on 10/02/2003 2:25:15 AM PDT by Keith in Iowa (Tag line produced using 100% post-consumer recycled ethernet packets,)


To: ex-Texan
http://housecall.antivirus.com/housecall/start_corp.asp
Trend online scan

http://www.rav.ro/scan/indexie.php
RAV online scan

http://www.grisoft.com/us/us_index.php
AVG resident software.
4 posted on 10/02/2003 2:25:57 AM PDT by backhoe (Just an old Keyboard Cowboy, ridin' the trackball into the Sunset...)

To: ex-Texan
Are you on dialup? From what I've read, ptsnoop.exe is a modem driver that is sometimes misdiagnosed as a trojan by certain anti-virus programs.

"This is from Computer User.com on 12/5/2002: http://www.computeruser.com/articles/1908,5,21,1,0801,00.html

Q. I read that article about the ptsnoop.exe file. Is there a way to get the file back? Because my antivirus software detected a virus on it, I deleted the file. Now I get an error message, but instead of just editing the win.ini, like someone suggested in a previous article, is there a way to get that file back?

A. There seems to be a lot of confusion about this famous ptsnoop.exe file. The ptsnoop.exe file is installed with certain modems. The file watches the COM ports for activity and allocates system resources to open the port.

It is a Terminate and Stay Resident (TSR) program that uses roughly 1 MB of resources to run. The problem here is that Norton Antivirus misdiagnoses this file to have a Trojan virus in it. This has caused many people to become frightened of this file, as if it were the Black Plague itself. It isn't a virus. The file is safe, and if you deleted it, you can reinstall the drivers that came with your modem to restore it."

And then there is:
"From: http://www.f-secure.com/v-descs/ptsnoop.shtml

NAME: Ptsnoop
ALIAS: Backdoor.Ptsnoop

Please note that certain software packages for certain modems contain PTSNOOP.EXE files, but these are not trojans. If you are not sure if that file is a trojan or not, use F-Secure Anti-Virus to check it out.

Ptsnoop is a simple backdoor program written in Visual Basic. Being activated it first looks for active RAS connections and exits immediately if none is found.

If a connection is present, the backdoor installs itself to the system by copying itself as PTSNOOP.EXE file to \Windows\System\ directory and modifying WIN.INI file. The backdoor adds its execution string after LOAD= variable in [Windows] section of WIN.INI file. During this operation WIN.INI file gets copied to WIN.ANA file, the backdoor's execution string is then added and WIN.INI file is deleted. Then WIN.ANA file is renamed to WIN.INI file. This way the backdoor will become active every time Windows starts.

Being active the backdoor tries to connect to the following websites:

http://setway.cjb.net
http://setway1.cjb.net
http://setone.cjb.net

When the connection succeeds, the backdoor clips cursor to a certain area and allows a hacker or script on these websites to control mouse movement and window positions. It is not clear why this is done and it is impossible to check any more because the contents of the above mentioned websites were changed or removed.

The idea might have been to make a user click on certain areas of a website to download or run a script or binary from there. In any case, this backdoor should be deleted from a system and WIN.INI file should be cleaned from backdoor's execution string after LOAD= variable. "

I would recommend scanning your system with the 30 day functional shareware version of Trojan Remover

http://www.simplysup.com/tremover/download.html

"Did its job! I downloaded this software because I had trouble removing Ptsnoop. Trojan Remover was quick and easy to use. It found and removed Ptsnoop immediately. I only wish I'd found this software sooner!" (testimonial from c-net)

I used to have a modem installed (as backup for broadband outages) and Trojan Remover never diagnosed the modem TSR ptsnoop.exe as a trojan...so...

5 posted on 10/02/2003 2:37:46 AM PDT by wolficatZ (_________\0/_______/|_______"shark!")
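The F-Secure description quoted above says the backdoor persists by appending its execution string after LOAD= in the [windows] section of WIN.INI, and that cleanup means removing that string again. The following is an added example (not code from any poster or from F-Secure) that parses a WIN.INI-style file, reports which load=/run= entries point at a ptsnoop.exe, and produces a cleaned copy. Because the PCTel modem driver legitimately uses a file of the same name, the check only reports the path so it can be compared against the modem driver's install location; the sample WIN.INI text is constructed for the example.

```python
import ntpath

# Constructed sample: a Windows 9x-style WIN.INI with a load= entry
# pointing at PTSNOOP.EXE in \Windows\System (the path F-Secure describes).
SAMPLE_WIN_INI = """\
[windows]
load=C:\\WINDOWS\\SYSTEM\\PTSNOOP.EXE
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

def parse_ini(text):
    """Return {section: {key: value}} with section and key names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autostart_entries(text):
    """Programs Windows starts from load= and run= in the [windows] section."""
    win = parse_ini(text).get("windows", {})
    return [(key, item) for key in ("load", "run")
            for item in win.get(key, "").replace(",", " ").split()]

def find_ptsnoop(text):
    """Autostart entries whose file name is ptsnoop.exe (any drive/folder)."""
    return [(k, p) for k, p in autostart_entries(text)
            if ntpath.basename(p).lower() == "ptsnoop.exe"]

def strip_ptsnoop(text):
    """Return WIN.INI text with ptsnoop.exe dropped from load=/run= lines."""
    out, in_windows = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
        elif in_windows and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("load", "run"):
                kept = [p for p in value.replace(",", " ").split()
                        if ntpath.basename(p).lower() != "ptsnoop.exe"]
                raw = f"{key.strip()}={' '.join(kept)}"
        out.append(raw)
    return "\n".join(out) + "\n"
```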

To: wolficatZ; backhoe
Thanks to both of you !! I found the virus on House Call's web site. It detected the virus immediately and then scanned all my files. My computer is clean now!
6 posted on 10/02/2003 3:14:59 AM PDT by ex-Texan (Read Sun Tzu: The Cold War Never Ended)

To: ex-Texan
PCTel chip modems use ptsnoop.exe file in configuring the com port for the modem. If that is not the case, then you may have had the ptsnoop trojan.
7 posted on 10/02/2003 3:31:38 AM PDT by visualops (Two Wrongs don't make a right- they make the Democratic Ticket for 2004!)
