Excessive HDD activity re:PTSnoop.exe

Discussion in 'Security and Privacy' started by bobmc32, 2002/07/23.

Thread Status:
Not open for further replies.
  1. 2002/07/23
    bobmc32

    bobmc32 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    332
    Likes Received:
    0
    I've recently become aware of excessive HDD activity at various times and it is puzzling me. I have shut down all running processes except explorer and systray during one of these times and the activity is still there. I downloaded Wintop and see a PTSnoop.exe running on both C and D. My first thought was that it was something I had intentionally downloaded and had forgotten but a little looking around on Google tells me that it might be a trojan. I have an updated Norton A/V running but it has caught nothing like this. I put PTSnoop.exe in Symantec search and came up empty. However, F-Secure.com says it could be a trojan (altho some modem programs do use this thing to search for ports). Does anyone have any info on this thing? I suspect that it is the culprit running my HDD ragged when nothing should be. TIA, Bob
     
  2. 2002/07/23
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0

  4. 2002/07/23
    bobmc32

    bobmc32 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    332
    Likes Received:
    0
    Thanks Daizy. I must have Phronemophobia cause I did some more checking inside my machine and found that it is a legit program I intentionally downloaded a while ago. Seems strange and confusing to me that modem programs, legit software, and Backdoor Trojans can have the same name. Maybe that's the aim of the trojan?
    Well, that was an "aside" because I still have/or had the unexplained activity on HDD. I'm still looking.
     
  5. 2002/07/23
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    Well hello again bobmc32 :)
    That ptsnoop is indeed a pain in the rear. The name alone raises suspicion for heaven's sakes. Do take a gander through those threads when you get a chance. I believe one of the members (AnnMarie) went in great detail on how to remove it properly.
    Let's go about this systematically though? Are you running Zonealarm? What all do you have checked under msconfig? Have you downloaded and run Ad-Aware and got rid of any and all spyware?

    Daizy

    *edit*
    msconfig
    To get to msconfig:
    Go to start...then run....type in: msconfig
    Click ok
    Look under the start up tab.

    msconfig entry definitions

    Zonealarm
    Download free zonealarm here.

    Ad-Aware
    download Ad-aware here.
     
    Last edited: 2002/07/23
  6. 2002/07/23
    bobmc32

    bobmc32 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    332
    Likes Received:
    0
    Daizy - Oh, I looked (wouldn't want your efforts wasted) and read AnnMarie's posts and no, I don't have ZA but do have Sygate and do have Adaware and have run it (altho not tonight, but recently).
    Startup tab in Sys config has been pruned (no PTSnoop there). As said, did a bit more checking and found that I intentionally downloaded a program from Karen Kenworthy (http://www.karenware.com/powertools/ptsnoop.asp) named PTSnoop (for some unknown reason) and that is, I think, the root of my snooper and not a trojan. Thanks for your help and will keep looking on this end, too. :)
     
  7. 2002/07/23
    Daizy

    Daizy Inactive

    Joined:
    2002/02/19
    Messages:
    2,965
    Likes Received:
    0
    How do you know that you have excessive HDD activity? What's happening? What sort of connection do you have?

    Good work on having a firewall, pruning msconfig and using ad-aware! :)

    Daizy
     
  8. 2002/07/23
    bobmc32

    bobmc32 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    332
    Likes Received:
    0
    Daizy - I have 56k dialup which isn't 56k at all as I live in the boonies and really get about 28.8 or thereabout (maybe 33.3 sometimes) and I "think" I have excessive HDD activity on occasion 'cause my drive light on the box is on, not constantly, but I would estimate 60% or more of the time, that is, flickering rapidly. As it is doing right now. I downloaded Wintop to monitor all running processes, which it seems to do better than the Close Program program. That's where I came across PTSnoop. Shut them down via Close Program but still have the rapid flicker. I have no scheduled mx going and no A/V schedule running nor anything else I can think of. I do distributed computing for United Devices Cancer Research, but that uses processor and not disk far as I know. Anyway, can shut that down and doesn't change conditions. Is an intermittent condition, it seems. The drive activity, that is. That's about all I know about it at the moment and thanks for your continued help.
    Bob
     
  9. 2002/07/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I do not see any mention as to what version of Windows you are running.

    What is the condition of your hard drive as far as loading on it?

    If the HD is too heavily loaded and the Swap file does not have room enough to work it may cause almost constant disk access.

    Does this occur just when online or at other times also? If only online it may be one thing. Do you know if you have Windows Critical update loading at startup?

    But if it also occurs while not online it is more than likely something that Windows ( or some software ) is doing in the background.

    Do you by some chance have MS Office on the machine? That will also drive a machine nuts.

    Do you have the newer version of Windows Media Player ( 7 or above )?

    Do you have Real Player installed and running in the Systray and its access to the Net not blocked by the Firewall?

    Both of the above are nasty resource hogging NOSEY pieces of software. And may be on line Spying on you anytime you are on line. And both know just about each and every move you make.

    BTW. Ad-Aware will not catch that kind of spyware. Also a lot of newer Software will set itself up to go online. But, unless very careful during the install of same, the user may not even know it.

    BillyBob
     
    Last edited: 2002/07/24
  10. 2002/07/24
    bobmc32

    bobmc32 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    332
    Likes Received:
    0
    Ah, BillyBob joins the detective team. ;)

    Win98fe (noted in sig. area)
    20Gb HDD divided into C (2.5gb-bout 1.2 used) D = Rest not very used
    Occurs both on and offline
    Occurs with usual apps running and with only explorer and systray
    Have both MP7 and RP neither running in tray (I will check settings)
    No MS Office
    Since you mentioned it I did block both RP and MP in Sygate firewall (hadn't done that before).

    After I submit this I will check settings in MP and RP and thanks.
     
  11. 2002/07/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I love seeing the small C: drive. And glad to see the 98FE.

    The problem occurring both on and off line does lead me to a firm belief that you gotta find and nail down what is running in the background. ( not always an easy task )

    WAG-- Check the Task Scheduler. Something there may have gone astray and be running when it should not be. I myself do not run TaskMonitor and the Scheduler for two reasons. One, they are not really needed, and both have a tendency to go haywire and not work properly.

    I suggest getting Startup Cop. And do some experimenting with various items that may be loading at start up.

    Startup Cop does nothing other than allow things to start or not start. And it may show things that Ctrl-Alt-Del does not. And easier ( much ) to use than MSCONFIG.

    Swap file should be no problem UNLESS YOU have it set to too small a minimum.

    You might check your AV software setting to see if it is set to check all files. This may not only create some activity but also slow the system down.

    Other than finding what may be running in the background my only other wild idea ( right now anyway ) would be to ask if you have GoBack on the machine.

    BillyBob
     
  12. 2002/07/24
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    The culprit is revealed :D
     
  13. 2002/07/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Yup. These things for sure do CPU/memory/disk work on your PC.

    I run the Stanford Alzheimer etc. research via folding@home and I can tell from the norton system doctor that my hd fragments lots quicker when it is running (which is mostly) than when it isn't. And lots of the same sort of Hd activity you describe.

    Especially with a dial-up connection, the app needs some place to store data after crunching and before transmitting. Hd is about the only reasonable spot.
     
  14. 2002/07/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I saw that too. But I dismissed it when I read that it can be shut down with no change.

    But then I do not know anything about that software.

    bobmc32

    Is there a possibility that there is more than one file that loads for that and you only shut one down?

    Newt

    norton system doctor

    Do you find that useful? I never did. Especially if loaded and running in the systray.

    BillyBob
     
    Last edited: 2002/07/24
  15. 2002/07/24
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Good point (I saw UD mentioned and didn't read any further I'm afraid).

    Bob - what happens if you prevent UD from running at startup as opposed to simply closing it down?
     
    Last edited: 2002/07/24
  16. 2002/07/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Another good point.

    With some software it does make a difference. As it may have more than one part.

    For example:

    If an .exe file loads at startup and it in turn loads another associated one, but only the first may show and it is shut down by Ctrl-Alt-Del, it may still leave the other loaded. And * MAY * in turn reload the one that was shut down.

    That is why I myself highly recommend Startup Cop for testing various startup combos.

    I know Norton Internet Security does the above. If I do not shut down the main file it just keeps right on reloading.

    BillyBob
     
  17. 2002/07/24
    bobmc32

    bobmc32 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    332
    Likes Received:
    0
    Ok, I'm convinced

    Thanks all folks who contributed. I will experiment with UD to see what happens as to activity. I do run it just about all the time and it does run out of two files which are both listed in the Close Programs box but will take it out of start sequence to see (Oh, and do have Startup Cop). And still have to look at prefs in RP and MP just to make sure I disabled the "phone home" features. I appreciate the ideas and suggestions. It hasn't been a problem - just I was curious as to what was working in the background without my knowledge or ok. (And of course the possibility that it was a trojan.) I'll report back when I find something (or not). :)
     
  18. 2002/07/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    NOTHING wrong with that idea. I would consider it to be good computing practice.

    You may at least be able to find out if it is something that is needed or not. And be able to deal with it as necessary.

    BTW. I saw no mention :D and I am too LAZY to go back and look :D

    Do you happen to have Norton System Doctor ( or anything similar ) running? That stuff will FIGHT and fight hard with any MS Utilities that might be running or used.

    I find with Win98 that it is a better idea to use one or the other, not both. They both do things quite differently.

    BillyBob
     
  19. 2002/07/24
    bobmc32

    bobmc32 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    332
    Likes Received:
    0
    No BillyBob, I have System doctor but just run it on occasion and not in startup - just norton A/V which, BTW, is set to scan all files and you mentioned something about that slowing things way down. How so?
     
  20. 2002/07/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I have System doctor but just run it on occasion and not in startup - just norton A/V which, BTW, is set to scan all files and you mentioned something about that slowing things way down. How so?

    OK. As to System Doctor. If you use it, it is best not to use MS utilities that do the same thing. Other MS get CONFUSED because of the different ways they do things. Especially defrag and SpeedDisk.

    With any DISK Utilities it is better to use one or the other and stick with it. Not both. Anything Norton does Windows will either undo or change anyway.

    I myself personally find nothing other than Norton WinDoctor and the Optimization Wizard to be of any use. If I feel I need DiskDoctor I Boot up with a Floppy and run it in DOS from the CD.

    :) Signals may have gotten crossed ( or mis-understood ) here as to AV :)

    I was referring to Auto Protect. If it is set to check all files it does slow things down as it does just that.

    Usually having it set to check programs files is OK.

    When doing a Full System or drive Scan, then IT SHOULD BE set to check all files.

    BillyBob
     
  21. 2002/07/24
    bobmc32

    bobmc32 Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    332
    Likes Received:
    0
    BillyBob, I must have seen that statement a hundred times about "all files" but I guess I never got the point.
    I now do and understand and have unchecked "all files" in Auto Protect. I always check "all files" when running A/V scan and I didn't get the diff. between the two, I suppose.

    I disabled UD in the Startup and it is not running at the moment (nor is GoBack, which I also have) and have seen minimal disk activity since. And this is the time I usually see a lot of action.

    I don't have any tasks scheduled, either. All seems well.

    Conclusion from all inputs is that it is UD that was causing the mystery HDD activity. But when it comes to computers, I never say anything with 100% finality. :D

    Thanks all, I appreciate it. :)
    PS: I use Norton Speed Disk and Diskdoc for defrag and scan exclusively.
     