PDA

View Full Version : Zlob codecs,HJT and rapport logs + query on ctfmon.exe



CScrutiniser
2007-01-25, 17:31
I followed Tashi's post 'VirusBurst, X Password Generator, various ZLOB CODECS, and other desktop type hijacks' and succesfully removed a zlobActiveXVideoObject trojan but i can't remove a startup hijacker called ctfmon.exe.I know I should just search for previous posts but i have suspicions or perhaps paranoia about other behaviour aswell so i'll post my spybot logs here too.Please have a look.thanks;)

CScrutiniser
2007-01-25, 17:34
SmitFraudFix v2.135

Scan done at 5:40:07.78, 25/01/2007
Run from C:\Documents and Settings\Ryan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}"="hirtellous"

[HKEY_CLASSES_ROOT\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
@="C:\WINDOWS\system32\nbbrhbd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{fa19bd7e-50bc-4203-80ac-c4edc81ca9a3}\InProcServer32]
@="C:\WINDOWS\system32\nbbrhbd.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\nbbrhbd.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\nbbrhbd.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\Ryan\FAVORI~1\Online Security Test.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 06:10:18, on 25/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_09) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{F30145C8-DC6C-4D5C-97D1-2937DF2E0588}: NameServer = 213.94.190.236,213.94.190.194
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

CScrutiniser
2007-01-25, 17:45
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-01-19 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-19 Includes\Cookies.sbi
2006-12-08 Includes\Dialer.sbi
2007-01-19 Includes\DialerC.sbi
2006-11-24 Includes\Hijackers.sbi
2007-01-19 Includes\HijackersC.sbi
2006-10-27 Includes\Keyloggers.sbi
2007-01-19 Includes\KeyloggersC.sbi
2004-05-12 Includes\LSP.sbi
2007-01-12 Includes\Malware.sbi
2007-01-19 Includes\MalwareC.sbi
2007-01-19 Includes\PUPS.sbi
2007-01-19 Includes\PUPSC.sbi
2007-01-19 Includes\Revision.sbi
2006-12-08 Includes\Security.sbi
2007-01-19 Includes\SecurityC.sbi
2006-10-13 Includes\Spybots.sbi
2007-01-19 Includes\SpybotsC.sbi
2005-02-17 Includes\Tracks.uti
2006-12-08 Includes\Trojans.sbi
2007-01-19 Includes\TrojansC.sbi

PID: 0 ( 0) [System]
PID: 508 ( 4) \SystemRoot\System32\smss.exe
PID: 572 ( 508) \??\C:\WINDOWS\system32\csrss.exe
PID: 596 ( 508) \??\C:\WINDOWS\system32\winlogon.exe
PID: 640 ( 596) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 652 ( 596) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 796 ( 640) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 852 ( 640) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 888 ( 640) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 944 ( 640) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 976 ( 640) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1132 ( 640) C:\WINDOWS\system32\LEXBCES.EXE
size: 303104
MD5: 027D03D9D8AB95194A115A999E960AC0
PID: 1168 ( 640) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1176 (1132) C:\WINDOWS\system32\LEXPPS.EXE
size: 174592
MD5: 8D836E60877ED79C409712B9BE2DFC3B
PID: 1316 ( 640) C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
size: 343552
MD5: DD4DB777D2BA1E475F75015B90557795
PID: 1336 ( 640) C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
size: 49664
MD5: 30A14F65DB477DC00A64A5A24E96919C
PID: 1380 ( 640) C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
size: 323072
MD5: 4BB306AE21B59085D49CCA16EA7DAD18
PID: 1412 ( 640) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
size: 322120
MD5: 11F714F85530A2BD134074DC30E99FCA
PID: 1496 ( 640) C:\WINDOWS\system32\slserv.exe
size: 73796
MD5: 91437E27E0B5EF6B59821135A2C00AAB
PID: 1524 ( 640) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1616 ( 640) C:\Program Files\Raxco\PerfectDisk\PDSched.exe
size: 237635
MD5: 1BFBAADF47E6C8B4B332657A78AF180E
PID: 1932 ( 640) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 568 ( 368) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 924 ( 568) C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 406016
MD5: ED0163ACDB2834AC8F53B3265671FB1A
PID: 972 ( 568) C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
size: 57344
MD5: 8E7939D19E49D071110D780BF1EDEC21
PID: 992 ( 568) C:\WINDOWS\SOUNDMAN.EXE
size: 577536
MD5: 9832C37287E523B363DD386A8033DDA0
PID: 1036 ( 568) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 1048 ( 972) C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
size: 53248
MD5: 9C2991D06E1F40ADBDED988B013828C8
PID: 1076 ( 568) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 1568 ( 568) C:\WINDOWS\system32\sistray.exe
size: 331776
MD5: 207897DFA64B97CCD7E39A9ACEDF8C9A
PID: 2540 ( 568) C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe
size: 2756608
MD5: 92B08B3BAF379A6F2F7028842E3ECCC7
PID: 3140 ( 640) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 3360 ( 568) C:\Program Files\Mozilla Firefox\firefox.exe
size: 7620696
MD5: 6D05E232DDE95D48FBF0D879559CD3CA
PID: 3716 ( 568) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-01-19 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-19 Includes\Cookies.sbi
2006-12-08 Includes\Dialer.sbi
2007-01-19 Includes\DialerC.sbi
2006-11-24 Includes\Hijackers.sbi
2007-01-19 Includes\HijackersC.sbi
2006-10-27 Includes\Keyloggers.sbi
2007-01-19 Includes\KeyloggersC.sbi
2004-05-12 Includes\LSP.sbi
2007-01-12 Includes\Malware.sbi
2007-01-19 Includes\MalwareC.sbi
2007-01-19 Includes\PUPS.sbi
2007-01-19 Includes\PUPSC.sbi
2007-01-19 Includes\Revision.sbi
2006-12-08 Includes\Security.sbi
2007-01-19 Includes\SecurityC.sbi
2006-10-13 Includes\Spybots.sbi
2007-01-19 Includes\SpybotsC.sbi
2005-02-17 Includes\Tracks.uti
2006-12-08 Includes\Trojans.sbi
2007-01-19 Includes\TrojansC.sbi

Located: HK_LM:Run, AVG7_CC
command: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
size: 406016
MD5: ed0163acdb2834ac8f53b3265671fb1a

Located: HK_LM:Run, Lexmark X1100 Series
command: "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
file: C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
size: 57344
MD5: 8e7939d19e49d071110d780bf1edec21

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 577536
MD5: 9832c37287e523b363dd386a8033dda0

Located: HK_LM:Run, NeroFilterCheck (DISABLED)
command: C:\WINDOWS\System32\NeroCheck.exe
file: C:\WINDOWS\System32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
file: C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
size: 49263
MD5: 409c45da1cfbc3fc19eec7cbfe9b2786

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: HK_CU:Run, msnmsgr (DISABLED)
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
file: C:\Program Files\MSN Messenger\msnmsgr.exe
size: 5354792
MD5: c1ee2387ede907599ee3a6de9493f672

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0

Located: Startup (common), Utility Tray.lnk
command: C:\WINDOWS\system32\sistray.exe
file: C:\WINDOWS\system32\sistray.exe
size: 331776
MD5: 207897dfa64b97ccd7e39a9acedf8c9a

Located: System.ini, crypt32chain (DISABLED)
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet (DISABLED)
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll (DISABLED)
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy (DISABLED)
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn (DISABLED)
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, wlballoon (DISABLED)
command: wlnotify.dll
file: wlnotify.dll

cant get rid of that damn messenger popping up at the start up either.

pskelley
2007-01-25, 18:14
Welcome to the forum, while a trojan of this name can run, I can not remember when I saw this last. I am most sure this item is valid:
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
ctfmon.exe - ctfmon - Process Information
Process File: ctfmon.exe or ctfmon
Process Name: Alternative User Input Services
Description:
ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the
Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

I also checked the MD5 number in the Spybot report:
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Returns this information:
http://www.internetsecurityzone.com/Entities/24232996a38c0b0cf151c2140ae29fc8


If you wish to check, use one or more of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

The file may be a hidden one:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Thanks

CScrutiniser
2007-01-28, 05:55
Everything seems to be working fine since I followed the procedure advised ,a little jerky perhaps,I have to switch spybot tea timer off,which has been going a bit haywire mainly I think because of me noodling around with reg edit and mergeing in a back up of the registry.You've helped save me from doing any more damage.If anything bad happens anytime soon I'll repost on this thread but if it does'nt I'll start a new thread and try to be specific.Thanks for your help keep up the good work,this is the real lord's work.:angel:

pskelley
2007-01-28, 12:54
Thanks for the feedback, I will post some links from experts, but I notice you have no active spyware program. Anymore, this is as important as a antivirus program and a firewall. Here are two programs I run, and one of them called SpywareGuard does what TeaTimer does, so if you are having issues with TT, you may want to give it a try, I am including tutorials for freeware software also for your convienence.
http://www.bleepingcomputer.com/forums/tutorial49.html
http://www.bleepingcomputer.com/forums/tutorial50.html
Microsoft also offers a free program:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Here are some good ideas that may help your computer to run better:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.