Solved

your computer is working slowly

Posted on 2008-10-07
Medium Priority
858 Views
Last Modified: 2012-05-05
An attachment to an email called bill.zip was opened (not by me). Since then I have been getting popups from the system tray saying various things such as 'your computer is working slowly' and 'Your computer is infected with spyware'. I can't run Smitfraudfix because it gets hung up trying to clean temporary files, as they are being accessed by another process. Malwarebytes Anti-Malware also fails towards the end with a Windows crash message box (send/don't send, blah blah).
Question by:Paulduberry
11 Comments
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 22659336
Try SDFix, (works only in Safe Mode)

Download SDFix and save it to your desktop (either link below).
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the fixtool will complete the removal and display "Finished"; then press any key to end the script and load your desktop icons.
* Finally, open the SDFix folder on your desktop and attach the "Report.txt" back.
 
If SDFix also won't complete its run, try Combofix.

Please download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
 

 
LVL 3

Expert Comment

by:Dicanio37
ID: 22659530
In order to try to fix this you need to stop the service it's using from starting up.
Use msconfig to stop everything that you don't recognise.
Then disable System Restore.
If you get any pop-ups then just leave them alone for now. Don't even close them.
Clicking on these, even trying to close them, could cause the infection to execute.
Download Spybot and once it's up to date run it.
This should remove the issue you are having.
Also run your AV. If you're having probs with your AV then download and run AVG Free.
 

Author Comment

by:Paulduberry
ID: 22659567
Ran SDFix. Hasn't fixed the problem. Should I now run ComboFix? Also, the desktop has changed. JPEG and report.txt attached.
Desktop.JPG
Report.txt
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22659934

HKLM\SYSTEM\CurrentControlSet\Services\psyche <-- the rootkit scanner found this service

%SystemRoot%\System32\psyche.exe <-- and this suspicious file; can you submit it for a virus check at http://virusscan.jotti.org/

Can you also show us a Hijackthis log please?
Download Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile"; don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.
 

Author Comment

by:Paulduberry
ID: 22660034
HJT log attached. Psyche.exe no longer in system32 folder.
hijackthis.log
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22660172

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {67FE3EFE-2915-4D08-8AF9-21723C19B0E4} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Fix the above entries in Hijackthis.

C:\WINDOWS\system32\uesiuqcr.exe <-- delete this file.
If the problem persists, run Combofix.
 
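The two judgements the expert makes above (an extra executable chained onto the UserInit value, and BHO entries that point to no file or to an unrecognised DLL) can be expressed as a mechanical check over HijackThis-style log lines. The Python below is an added example, not code from this thread or from HijackThis; the log excerpt is constructed from the entries quoted in the thread plus one benign placeholder line, and KNOWN_GOOD_BHO is a hypothetical allow-list.

```python
import re

# Constructed HijackThis-style excerpt: the three entries quoted in this thread
# plus one benign BHO line (placeholder CLSID) so the filter has something to pass.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {67FE3EFE-2915-4D08-8AF9-21723C19B0E4} - C:\\WINDOWS\\system32\\getsn32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example PDF Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\pdfhelper.dll
"""

# Hypothetical allow-list: BHO DLL basenames an admin has vetted for this fleet.
KNOWN_GOOD_BHO = {"pdfhelper.dll"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$", re.I)

def check_userinit(value):
    """UserInit is a comma-separated list run at every logon; return every
    entry that is not the legitimate system32\\userinit.exe."""
    items = [i.strip() for i in value.split(",")]
    return [i for i in items if i and not i.lower().endswith("\\system32\\userinit.exe")]

def check_bho(path):
    """Return a reason if a BHO entry looks suspicious, else None."""
    if path.strip().lower() == "(no file)":
        return "orphaned BHO registration (no file on disk)"  # leftover of a removal
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename not in KNOWN_GOOD_BHO:
        return "BHO DLL not on allow-list: " + basename
    return None

def scan_hjt(log_text):
    """Scan HJT-style lines; return (section, detail, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        f2 = F2_RE.match(line)
        if f2:
            for extra in check_userinit(f2.group("value")):
                findings.append(("F2", extra, "extra UserInit executable"))
        o2 = O2_RE.match(line)
        if o2:
            reason = check_bho(o2.group("path"))
            if reason:
                findings.append(("O2", o2.group("clsid"), reason))
    return findings
```

Running scan_hjt(SAMPLE_LOG) flags exactly the three entries the expert asked to have fixed and passes the benign allow-listed line.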

Accepted Solution

by:Paulduberry
Paulduberry earned 0 total points
ID: 22660891
Problem persisted. Ran ComboFix in Windows regular mode. Report attached. I'm happy. Another job well done. Thanks for coming to the rescue again.
ComboFix.txt
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22664682

Thanks for the log.

I see combofix is not running from the desktop; it's recommended to be run from the desktop.

This entry below is still showing in the combofix log:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,

C:\WINDOWS\system32\psyche.exe <-- this file is still present in the system, as shown in the CF Gmer's log.

I'm not sure about that file; that's why I asked to have it scanned. The file is hidden, so you would have to show hidden files first to see it.
Or, you can just have combofix delete that file and the service.


Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\psyche.exe
C:\WINDOWS\system32\uesiuqcr.exe

Driver::
psyche
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop (in the same location as combofix.exe).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Since your combofix is not running from your desktop, CFScript must also be put where you put combofix.exe for the script to work.


Thanks!

 

Author Comment

by:Paulduberry
ID: 22676112
I had hidden files showing but still couldn't find psyche.exe. I saw the entry for C:\WINDOWS\system32\uesiuqcr.exe and removed it from HJT. Not showing up now. I did this before your latest reply. The system has been returned to the user now so I can't do any more work on it easily. I realised afterwards that I had executed ComboFix from my memory stick. I think everything is all right and again many thanks for your help.
 

Author Comment

by:Paulduberry
ID: 22685559
I don't know if there is a problem. I want rpggamergirl to get the 250 points. rpggamergirl, did you get the points or not?
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22696797
Yes, I got the points thanks. There's always that pending 4-day period (for objections) when you close a question this way.
Now, it's finally closed.
Thanks!