Old 11-11-2008, 05:23 PM   #4 (permalink)
sjb007
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,230
OS: Windows 7 Premium x64

Re: probable spyware +windows alert messages

Hi there minaccia

I notice that you have TeaTimer running, which is part of Spybot's Search & Destroy. While this is a great tool to have, it can stop the fix from working correctly. We need to disable your TeaTimer for now.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

After all of the fixes are complete, it is very important that you enable TeaTimer again; I will let you know when it is safe to do so.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As.

* Save it to your Desktop.
* Double-click ResetTeaTimer.zip
* Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.

A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm

Next Steps....

I notice that the Recovery Console was not installed during the run of ComboFix. We need to install this before we proceed further.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named, next to ComboFix.exe.



Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'NO' to exit ComboFix.

Once done.....

Go to the Start menu, select Run, and in the command box type in notepad
Next, copy/paste the text in the code box below into it:

Quote:
File::
c:\windows\system32\winwp.bmp
c:\windows\system32\mkrnl.exe
c:\windows\system32\jsne87fidgf.dll
c:\windows\system32\prun.exe
c:\windows\system32\siejf93.dll

Folder::
c:\windows\system32\sX3i19
c:\temp\PRE45
C:\Documents and Settings\Owner\Application Data\NI.GSCNS

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5AF42A3-94F3-42BD-F434-3604832C897D}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5AF42A3-94F3-42BD-F434-3604832C897D}"=-

- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



ComboFix will then execute the script and produce a fresh log.
If your computer does not reboot on completion, then reboot it now and generate a fresh HJT log.

Post both logs back to me in your next reply.
__________________
Proud Member of ASAP & UNITE Since 2007