I Have Malware, Please Help


I used to have 3 security programs:

1-Avira Antivirus

2-SUPERAntiSpyware

3-Malwarebytes Anti-Malware

It all began when I couldn't start Malwarebytes anymore.

I scanned my PC with SUPERAntiSpyware (quick scan); it detected some threats and asked for a restart.

But before restarting my PC I did everything in here to try to get Malwarebytes to run again:

Https://forums.malwarebytes.org/index.php?showtopic=85715

But none worked.

I made a clean uninstall as mentioned here: https://forums.malwarebytes.org/index.php?showtopic=85715

and restarted, then tried installing again (I got the error: External exception E06D7363).

Starting Malwarebytes still won't work.

I also noticed that SUPERAntiSpyware isn't running and I couldn't find its icon anywhere on my computer, but I did find an alternate start for it,

so I started it using the alternate start and did a rescue scan (full scan).

SUPERAntiSpyware detected a Trojan and malware, and after removal it asked me to restart, so I pressed yes.

After rebooting I tried starting Malwarebytes or clean reinstalling it, but still I can't get Malwarebytes to work at all.

I think I still have the malware; what should I do?

I attached FRST.txt and Addition.txt to this post (as advised in here: https://forums.malwarebytes.org/index.php?showtopic=119858).

Attachments: FRST.txt, Addition.txt

I really need some expert help :(


Welcome to the forum.

Please disable Windows Defender, you have AVIRA running and having two anti-virus programs running on a system only causes poor performance, conflicts and spotty protection.

How to Disable Defender

Dangers of running 2 anti-virus programs

 

AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 


-----------------------------------------------------------------

Please run a Quick Scan with Malwarebytes (if you can)

For Malwarebytes ver: 1.75
Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.
Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.
Make sure that everything is checked, and click Remove Selected.

For Malwarebytes 2.0, please run a Threat Scan
Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware
Same for PUM (Potentially Unwanted Modifications)
Quarantine all that's found

General P2P/Piracy Warning:
 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.
2. If you have illegal/cracked software, cracks, keygens, a custom (Adobe) hosts file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.


Then.......

Please download RogueKiller 32 bit to your desktop and run it.

RogueKiller <--- use this one for 64-bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes and use the default font)

MrC


Note:
Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly


Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive


<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.


<+>The removal of malware isn't instantaneous, please be patient.


<+>When we are done, I'll give you instructions on how to clean up all the tools and logs


<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.


------->Your topic will be closed if you haven't replied within 3 days!<--------
If I don't respond within 24 hours, please send me a PM


I am sorry if this makes it harder for you, but I have already clean reinstalled Windows 7.

What I did:

1-Booted from the installation CD

2-Deleted all partitions

3-Made new partitions and installed Windows 7

4-Installed drivers

Then I installed:

1-ESET Smart Security antivirus

2-Malwarebytes Anti-Malware

3-SUPERAntiSpyware

I did a scan with ESET and Malwarebytes.

I made a threat scan, hyper scan, and custom scan with everything checked.

I attached a screenshot of the custom scan result.

I got no detection on all scans,

but I still think I have malware,

because I have high RAM usage when I actually have nothing open (50% RAM usage of 3.5 GB RAM total).

So I did a new FRST scan and attached both FRST.txt and Addition.txt,

and I also attached the RogueKiller report.

So can you please tell me if I still have malware?

Attachments: Addition.txt, FRST.txt, RKreport_SCN_06132014_161909.log, and a screenshot of the custom scan result.

 

 


This will get rid of some of the tools; the rest you can manually delete:

Download Delfix from here and save it to your desktop. (You may already have this.)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

--------------------------------------------------------

So far as the RAM, look at all you have running:

Unless it's the paid version, there's no need for SUPERAntiSpyware to be running.

You can run a program like StartupLite to stop unnecessary programs:
https://www.malwarebytes.org/startuplite/

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Blue Coat Systems, Inc.) C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
(BlueStack Systems, Inc.) C:\Program Files\BlueStacks\HD-UpdaterService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
() C:\Windows\System32\PnkBstrA.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\My Avira\Avira.OE.ServiceHost.exe
(CyberGhost S.R.L) C:\Program Files\CyberGhost 5\Service.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.23.9\GoogleCrashHandler.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(Greenshot) C:\Program Files\Greenshot\Greenshot.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\My Avira\Avira.OE.Systray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(SoftPerfect Research) C:\Program Files\NetWorx\networx.exe
(Alcatel-Lucent) C:\Program Files\TEData\McciTrayApp.exe
() C:\Users\Abdulrahman\AppData\Roaming\Dashlane\Dashlane.exe
(Akamai Technologies, Inc.) C:\Users\Abdulrahman\AppData\Local\Akamai\netsession_win.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Akamai Technologies, Inc.) C:\Users\Abdulrahman\AppData\Local\Akamai\netsession_win.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(LogMeIn Inc.) C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn Hamachi\LMIGuardianSvc.exe
(Innovative Solutions) C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO\uninstaller.exe
(LogMeIn Inc.) C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
(Hi-Rez Studios) C:\Program Files\Hi-Rez Studios\HiPatchService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\Users\Abdulrahman\AppData\Roaming\Dashlane\DashlanePlugin.exe

 

MrC

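A quick way to triage a "Running processes" listing like the one quoted in the reply above, as an added example that is not part of this thread, of FRST or of any tool it mentions: it parses FRST-style process lines and flags entries whose publisher field is empty or whose image runs from a user profile directory, which is where an analyst reading such a log looks first. The sample lines are constructed to mirror the quoted log; an empty publisher is a prompt to verify the file, not a verdict.

```python
"""Triage the 'Running processes' section of an FRST log (added example)."""
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the FRST lines quoted in the thread.
SAMPLE_LOG = """\
(Avira Operations GmbH & Co. KG) C:\\Program Files\\Avira\\AntiVir Desktop\\sched.exe
() C:\\Windows\\System32\\PnkBstrA.exe
() C:\\Users\\Abdulrahman\\AppData\\Roaming\\Dashlane\\Dashlane.exe
(Akamai Technologies, Inc.) C:\\Users\\Abdulrahman\\AppData\\Local\\Akamai\\netsession_win.exe
(Microsoft Corporation) C:\\Windows\\System32\\cmd.exe
"""

# FRST prints "(Publisher) <full path>" per running process; the publisher
# field is empty when FRST could not attribute the image to a signer.
LINE_RE = re.compile(r"^\((?P<publisher>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+?)\s*$")


def parse_processes(log_text):
    """Return a list of (publisher, path) tuples from FRST-style process lines."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("publisher"), m.group("path")))
    return entries


def triage(log_text):
    """Return {path: [reasons]} for entries that deserve a second look.

    Flags: empty publisher (unsigned or unattributed image) and images that
    run from a user profile (AppData/Temp), where malware commonly drops.
    Legitimate software trips both checks too, so verify before acting.
    """
    findings = {}
    for publisher, path in parse_processes(log_text):
        reasons = []
        if not publisher.strip():
            reasons.append("no publisher (unsigned or unknown signer)")
        parts = [p.lower() for p in PureWindowsPath(path).parts]
        if "users" in parts and ("appdata" in parts or "temp" in parts):
            reasons.append("image runs from a user profile directory")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for image, why in triage(SAMPLE_LOG).items():
        print(image, "->", "; ".join(why))
```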

Hello, I did a process scan using Process Explorer and VirusTotal,

and it says that I have this malware process running: poclbm.exe

I tried googling it and it gives me something about Bitcoin mining.


It's not in any of your logs, can you do a search for it?

or.....

Please run a free online scan with the ESET Online Scanner (it may take a while to run)

Note: You will need to use Internet Explorer for this scan.

First please Disable any Antivirus you have active, as shown in This Topic

Note: Don't forget to re-enable it after the scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start

Wait for the scan to finish

If threats were found:

Click on "list of threats found"

Click on "export to text file" and save it as ESET SCAN and save to the desktop

Click on back

Put a checkmark in "Uninstall application on close"

Click on finish

Post back the log.....MrC


Well, it's not what I expected,

but here it is anyway:

C:\Users\Elbasel\Desktop\Other\Setup(s)\Advanced Uninstaller PRO 11 Setup.exe a variant of Win32/OpenCandy.A potentially unsafe application
C:\Users\Elbasel\Desktop\Other\Setup(s)\Driver Max Setup.exe a variant of Win32/OpenCandy.A potentially unsafe application

These programs aren't malware, I know that.

But believe me when I say that I found this process (poclbm.exe) with Process Explorer earlier, and when I scanned it using VirusTotal, only an antivirus called Dr.Web identified it as malware.

When I did the ESET scan it was already not in the Process Explorer list, as it has hidden itself.

What I think is that it's used by someone to mine bitcoins using my PC,

which is why my CPU usage is over 50%.

But anyway, you are the expert;

I will believe what you say.

Attachment: ESET SCAN.txt


Farbar Recovery Scan Tool (x86) Version:12-06-2014 02

Ran by Elbasel at 2014-06-14 18:16:00

Running from C:\Users\Elbasel\Desktop\Virus

Boot Mode: Normal

 

================== Search: "poclbm.exe" ===================

 

=== End Of Search ===
