Solved

your computer is working slowly

Posted on 2008-10-07
Last Modified: 2012-05-05
An attachment to an email called bill.zip was opened (not by me). Since then I have been getting popups from the system tray saying various things such as 'your computer is working slowly' and 'Your computer is infected with spyware'. I can't run SmitFraudFix because it gets hung up trying to clean temporary files, because they've been accessed by another process. Malwarebytes Anti-Malware also fails towards the end with a Windows crash message box (Send/Don't Send, blah blah).
Question by: Paulduberry

Assisted Solution by: rpggamergirl (LVL 47, earned 250 total points)

Try SDFix (works only in Safe Mode).

Download SDFix and save it to your desktop (either link below):
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and attach the "Report.txt" back.
 
If SDFix also won't complete its run, try Combofix.

Please download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
 

Expert Comment by: Dicanio37 (LVL 3)

In order to try to fix this you need to stop the service it's using from starting up.
Use msconfig to stop everything that you don't recognise.
Then disable System Restore.
If you get any pop-ups then just leave them alone for now. Don't even close them.
Clicking on these, even trying to close them, could cause the infection to execute.
Download Spybot and once it's up to date run it.
This should remove the issue you are having.
Also run your AV. If you're having problems with your AV then download and run AVG Free.

Author Comment by: Paulduberry

Ran SDFix. Hasn't fixed the problem. Should I now run ComboFix? Also, the desktop has changed. JPEG and report.txt attached.
Attachments: Desktop.JPG, Report.txt

Expert Comment by: rpggamergirl (LVL 47)

HKLM\SYSTEM\CurrentControlSet\Services\psyche <-- rootkit scanner found this service

%SystemRoot%\System32\psyche.exe <-- and this suspicious file; can you submit this for a virus check at http://virusscan.jotti.org/

Can you also show us a Hijackthis log please?
Download Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.

Author Comment by: Paulduberry

HJT log attached. Psyche.exe no longer in system32 folder.
Attachment: hijackthis.log
 
Expert Comment by: rpggamergirl (LVL 47)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {67FE3EFE-2915-4D08-8AF9-21723C19B0E4} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Fix the above entries in Hijackthis.

C:\WINDOWS\system32\uesiuqcr.exe <-- delete this file.
If problem persists run Combofix.
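As an added example (not part of the thread, and not HijackThis's own code), here is a small Python triage script that applies the two checks rpggamergirl made by eye in the reply above: it splits the F2 UserInit value and reports any executable besides userinit.exe, and it flags O2 BHO entries that have no file, no name, or a DLL sitting directly in system32. The sample lines are constructed from the entries quoted in the reply; the last CLSID and path are made-up placeholders.

```python
import re

# Constructed sample HijackThis lines, modelled on the entries quoted in the reply;
# the last CLSID and path are made-up placeholders standing in for a benign helper.
SAMPLE_HJT_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {67FE3EFE-2915-4D08-8AF9-21723C19B0E4} - C:\WINDOWS\system32\getsn32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""
# The one executable Windows itself lists in the UserInit value.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")

def check_userinit(value):
    """Return every executable in a UserInit value other than the legitimate one."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != LEGIT_USERINIT]

def check_bho(name, path):
    """Return a reason string if a BHO entry looks suspicious, else None."""
    path_l = path.strip().lower()
    if path_l == "(no file)":
        return "BHO registered but its DLL is missing"
    if name.strip().lower() == "(no name)":
        return "BHO has no display name"
    # Legitimate BHOs install under Program Files; a DLL dropped straight
    # into system32 is the pattern seen in this thread and worth a look.
    if "\\windows\\system32\\" in path_l:
        return "BHO DLL sits in system32"
    return None

def triage_hjt_log(text):
    """Walk HijackThis lines and return (section, reason) pairs for suspicious entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            for extra in check_userinit(m.group("value")):
                findings.append(("F2", f"extra UserInit executable: {extra}"))
            continue
        m = O2_RE.match(line)
        if m:
            reason = check_bho(m.group("name"), m.group("path"))
            if reason:
                findings.append(("O2", f"{reason}: {m.group('clsid')}"))
    return findings
```

Running `triage_hjt_log(SAMPLE_HJT_LOG)` reports the extra UserInit executable and the two BHOs the reply told the asker to fix, and leaves the benign placeholder alone.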
 

Accepted Solution by: Paulduberry (earned 0 total points)

Problem persisted. Ran ComboFix in Windows regular mode. Report attached. I'm happy. Another job well done. Thanks for coming to the rescue again.
Attachment: ComboFix.txt

Expert Comment by: rpggamergirl (LVL 47)

Thanks for the log.

I see ComboFix is not running from the desktop; it's recommended that it be run from the desktop.

This entry below is still showing in the ComboFix log:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,

C:\WINDOWS\system32\psyche.exe <-- this file is still present in the system, as shown in the CF GMER log.

I'm not sure about that file; that's why I asked to have it scanned. The file is hidden, so you would have to show hidden files first to see it.
Or, you can just have ComboFix delete that file and the service.


Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\WINDOWS\system32\psyche.exe
C:\WINDOWS\system32\uesiuqcr.exe

Driver::
psyche
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop(in the same location as combofix.exe).
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Since your combofix is not running from your desktop, CFScript must also be put where you put combofix.exe for the script to work.


Thanks!


Author Comment by: Paulduberry

I had hidden files showing but still couldn't find psyche.exe. I saw the entry for C:\WINDOWS\system32\uesiuqcr.exe and removed it from HJT. Not showing up now. I did this before your latest reply. The system has been returned to the user now so I can't do any more work on it easily. I realised afterwards that I had executed ComboFix from my memory stick. I think everything is all right and again many thanks for your help.

Author Comment by: Paulduberry

I don't know if there is a problem. I want rpggamergirl to get the 250 points. rpggamergirl, did you get the points or not?

Expert Comment by: rpggamergirl (LVL 47)

Yes, I got the points thanks. There's always that pending 4-day period (for objections) when you close a question this way.
Now, it's finally closed.
Thanks!