[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


your computer is working slowly

Posted on 2008-10-07
Medium Priority
Last Modified: 2012-05-05
Attachment to email was opened (not by me) called bill.zip. SInce then I have been getting popups from the system tray saying various things such as 'your computer is working slowly' and 'Your computer is infected with spyware'. I can't run Smitfraudfix cause it gets hung up trying to clean temporary files because it's been accessed by another process. Malwarebytes anti malware also fails towards the end with windows crash message box send dont send blah blah.
Question by:Paulduberry
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
LVL 47

Assisted Solution

rpggamergirl earned 1000 total points
ID: 22659336
Try SDFix, (works only in Safe Mode)

Download SDFix and save it to your desktop.(either one below)

Double click SDFix and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.
*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer that normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and attach the "Report.txt" back  
If SDFix also won't complete its run, try Combofix.

Please download ComboFix from either of these links to your Desktop.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.


Expert Comment

ID: 22659530
In order to try to fix this you need to stop the service its using from starting up.
use msconfig to stop everything that you dont recodnise.
then disable system restore.
If you get any pop ups then just leave them alone for now. Dont even close them.
Clicking on these even trying to close it could cause the infection to exicute.
Down load spybot and once its up to date run it.
this should remove the issue you are having.
also run your AV. If youre having probs with your av then download and run AVG free.

Author Comment

ID: 22659567
Ran SDFix. Hasn't fixed the problem. Should I now run ComboFix? Also, the desktop has changed. JPEG and report.txt attached.
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

LVL 47

Expert Comment

ID: 22659934

HKLM\SYSTEM\CurrentControlSet\Services\psyche <-- rootkit scanner found this service

SystemRoot%\System32\psyche.exe <--and this suspicious file, can you submit this for virus check at http://virusscan.jotti.org/

Can you also show us a Hijackthis log please?
Download Hijackthis:

Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.

Author Comment

ID: 22660034
HJT log attached. Psyche.exe no longer in system32 folder.
LVL 47

Expert Comment

ID: 22660172

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {67FE3EFE-2915-4D08-8AF9-21723C19B0E4} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Fix the above entries in Hijackthis.

C:\WINDOWS\system32\uesiuqcr.exe <-- delete this file.
If problem persists run Combofix.

Accepted Solution

Paulduberry earned 0 total points
ID: 22660891
Problem persisted. Ran ComboFix in Windows regular mode. Report attached. I'm happy. Another job well done. Thanks for coming to the rescue again.
LVL 47

Expert Comment

ID: 22664682

Thanks for the log.

I see combofix is not running from the desktop, it's recommended to be run from the desktop.

This entry below is still showing in the combofix log;
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,

C:\WINDOWS\system32\psyche.exe <-- this file is still present in the system as showing in the CF Gmer's log.

I'm not sure about that file that's why I asked to have it scanned. The file is hidden so you would've to show hidden files first to see it.
OR, You can just have combofix delete that file and the service.

Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:

3. Save the above as CFScript.txt on your desktop(in the same location as combofix.exe).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Since your combofix is not running from your desktop, CFScript must also be put where you put combofix.exe for the script to work.



Author Comment

ID: 22676112
I had hidden files showing but still couldn;t find psyche.exe. I saw the entry for C:\WINDOWS\system32\uesiuqcr.exe and removed it from hjt . Not showing up now. I did this before your latest reply. The system has been returned to the user now so I can't do any more work on it easily. I realised afterwards that I ihad executed CombFix from my memory stick. I think everything is all right and again many thanks for your help.

Author Comment

ID: 22685559
I don't know if there is a problem. I want rpggamergirl  to get the 250 points. rpggamergirl, did you get the points or not?
LVL 47

Expert Comment

ID: 22696797
Yes, I got the points thanks. There's always that pending 4-day period (for objections) when you close a question this way.
Now, it's finally closed.

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title. Examples: XP Antispyware 2012 XP Antivirus 2012 XP Security 2012   XP Home Sec…
Malware seems to be getting smarter and smarter. If you are having trouble being able to launch your malware removal tools such as (and recommended): MalwareBytes, HiJackThis, ComboFix, etc. you can try some of the workarounds listed below. 1. Ma…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question