Exos
  1. Yeah, I can reset them, but every time I reboot the computer they go back to full speed. I even tried setting the default speed in the BIOS, but that doesn't seem to work. Should I maybe seek help on a different forum?
  2. So, hi again!! No worries, this thing is not back again, so we're good on that! The only issue I just recently noticed is that the malware must have messed with some setting on my computer, because every time I reboot it, the system and CPU fans reset themselves to full speed (something I later change back to my liking using MSI Command Center). Any chance we can have a look at that?
  3. Done! Once again, thank you very much for this!!
  4. That did the trick and real-time protection is working again. After several reboots and scans it seems like everything is clean again. Kevin, I have no words to express my gratitude. I sincerely thank you a lot for the time and effort you put into this! You are the man and I wish you the best!
  5. After 5 reboots nothing comes up when I scan with Malwarebytes and Zemana. Also nothing suspicious at KillSwitch. The only odd thing is that Malwarebytes real-time protection got disabled and I can't enable it no matter what. You think we got it? Fixlog.txt
  6. Sorry, forgot to reboot. Here are the logs after the reboot. Addition.txt FRST.txt
  7. Also, I found this comment about "iastore.sys" at the VirusTotal community: "This is a part of Trojan.Siggen7.35349. The following files were detected: iaStroE.sys, mserver.exe and svghost.exe. The last two files were detected as RiskWare.BitCoinMiner by Malwarebytes. Both files signed by "Xi' an JingTech electronic Technology Co.,LTD" but certificate was revoked." That seems to fit my case.
  8. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 2/18/18
     Scan Time: 10:28 PM
     Log File: 4ffcf963-14ea-11e8-834d-309c23623158.json
     Administrator: Yes

     -Software Information-
     Version: 3.3.1.2183
     Components Version: 1.0.262
     Update Package Version: 1.0.3994
     License: Trial

     -System Information-
     OS: Windows 10 (Build 16299.248)
     CPU: x64
     File System: NTFS
     User: DESKTOP-ENCBR82\Tasos

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 275875
     Threats Detected: 12
     Threats Quarantined: 11
     Time Elapsed: 1 min, 48 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 2
     Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
     RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994

     Module: 2
     Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
     RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994

     Registry Key: 1
     Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mserver, Quarantined, [68], [485917],1.0.3994

     Registry Value: 2
     Trojan.Agent.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, Quarantined, [1999], [-1],0.0.0
     Trojan.Agent.AppFlsh, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, Quarantined, [1999], [-1],0.0.0

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 5
     Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
     RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994
     Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\KEYHOOK64.DLL, Quarantined, [1999], [491504],1.0.3994
     Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\USP20.DLL, Quarantined, [1999], [491503],1.0.3994
     RiskWare.BitCoinMiner, C:\USERS\TASOS\DESKTOP\TOOLS\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD+NVIDIA GPU MINER V11.0 - CATALYST 15.12-18.X - CUDA 8.0_9.1_7.5_6.5.ZIP, No Action By User, [82], [489368],1.0.3994

     Physical Sector: 0
     (No malicious items detected)

     (end)

     Some things I would like to point out:
     1. I found a .sys at this location, C:\Windows\system32\drivers\iaStorE.sys, with this very interesting VirusTotal entry: https://www.virustotal.com/#/file/f44eb647df4ca6482fb6120935d21ca8410fce19e4c51978ea3016367514cb93/detection
     2. I got the message displayed in the "message.jpg" picture I uploaded, right after the FRST-triggered reboot. I tried to translate it in red.
     3. Trying to follow this step of your guide, "When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.", I noticed that, as displayed in the pic I uploaded (mwb.jpg), there is just an Export Summary button and not an "Export Summary after deletion" one, and it is not followed by a reboot of the system. Not sure if I'm doing something wrong here.
     Hope I didn't confuse you too much with my broken English and random info.
     Fixlog.txt export sum.txt export.txt
  9. It's ok, thanks for helping. Here are the logs. Addition.txt FRST.txt
  10. Oh, by "fresh" did you mean I had to reboot first? I'm still in the session started after the Malwarebytes-triggered reboot.
  11. Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Scan Date: 2/18/18
      Scan Time: 8:27 PM
      Log File: 6bfb454e-14d9-11e8-915f-309c23623158.json
      Administrator: Yes

      -Software Information-
      Version: 3.3.1.2183
      Components Version: 1.0.262
      Update Package Version: 1.0.3994
      License: Trial

      -System Information-
      OS: Windows 10 (Build 16299.248)
      CPU: x64
      File System: NTFS
      User: DESKTOP-ENCBR82\Tasos

      -Scan Summary-
      Scan Type: Threat Scan
      Result: Completed
      Objects Scanned: 275698
      Threats Detected: 10
      Threats Quarantined: 9
      Time Elapsed: 1 min, 51 sec

      -Scan Options-
      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Enabled
      Heuristics: Enabled
      PUP: Detect
      PUM: Detect

      -Scan Details-
      Process: 2
      Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
      RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994

      Module: 2
      Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
      RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994

      Registry Key: 1
      Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mserver, Quarantined, [68], [485917],1.0.3994

      Registry Value: 0
      (No malicious items detected)

      Registry Data: 0
      (No malicious items detected)

      Data Stream: 0
      (No malicious items detected)

      Folder: 0
      (No malicious items detected)

      File: 5
      Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
      RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994
      Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\KEYHOOK64.DLL, Quarantined, [1999], [491504],1.0.3994
      Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\USP20.DLL, Quarantined, [1999], [491503],1.0.3994
      RiskWare.BitCoinMiner, C:\USERS\TASOS\DESKTOP\TOOLS\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD+NVIDIA GPU MINER V11.0 - CATALYST 15.12-18.X - CUDA 8.0_9.1_7.5_6.5.ZIP, No Action By User, [82], [489368],1.0.3994

      Physical Sector: 0
      (No malicious items detected)

      (end)

      I hope I've done everything right. I also attached a photo of a popup I got after the reboot Malwarebytes triggered. Note that I did have GPU-Z installed but no longer do.
      Fixlog.txt export sum.txt
  12. Those are taken after Malwarebytes deleted what it found. You want me to reboot and re-upload the logs? Addition.txt FRST.txt
  13. Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Scan Date: 2/18/18
      Scan Time: 1:57 PM
      Log File: f009a272-14a2-11e8-80a0-309c23623158.json
      Administrator: Yes

      -Software Information-
      Version: 3.3.1.2183
      Components Version: 1.0.262
      Update Package Version: 1.0.3992
      License: Trial

      -System Information-
      OS: Windows 10 (Build 16299.248)
      CPU: x64
      File System: NTFS
      User: DESKTOP-ENCBR82\Tasos

      -Scan Summary-
      Scan Type: Threat Scan
      Result: Completed
      Objects Scanned: 273198
      Threats Detected: 14
      Threats Quarantined: 5
      Time Elapsed: 1 min, 49 sec

      -Scan Options-
      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Enabled
      Heuristics: Enabled
      PUP: Detect
      PUM: Detect

      -Scan Details-
      Process: 2
      Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3992
      RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3992

      Module: 2
      Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3992
      RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3992

      Registry Key: 1
      Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mserver, No Action By User, [68], [485917],1.0.3992

      Registry Value: 2
      Trojan.Agent.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, No Action By User, [1999], [-1],0.0.0
      Trojan.Agent.AppFlsh, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, No Action By User, [1999], [-1],0.0.0

      Registry Data: 0
      (No malicious items detected)

      Data Stream: 0
      (No malicious items detected)

      Folder: 0
      (No malicious items detected)

      File: 7
      Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, No Action By User, [68], [485917],1.0.3992
      RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3992
      Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\KEYHOOK64.DLL, No Action By User, [1999], [491504],1.0.3992
      Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\USP20.DLL, No Action By User, [1999], [491503],1.0.3992
      RiskWare.BitCoinMiner, C:\USERS\TASOS\DESKTOP\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL AMD+NVIDIA GPU MINER V11.0\CUDA7.5\ETHDCRMINER64.EXE, No Action By User, [82], [489367],1.0.3992
      RiskWare.BitCoinMiner, C:\USERS\TASOS\DESKTOP\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL AMD+NVIDIA GPU MINER V11.0\ETHDCRMINER64.EXE, No Action By User, [82], [489153],1.0.3992
      RiskWare.BitCoinMiner.VMP, C:\USERS\TASOS\DESKTOP\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL AMD+NVIDIA GPU MINER V11.0\CUDA9.1\ETHDCRMINER64.EXE, No Action By User, [1403], [489366],1.0.3992

      Physical Sector: 0
      (No malicious items detected)

      (end)

      I myself excluded ethdcrminer64.exe from getting quarantined because it's a false positive, since I'm using this part of Claymore miner v.11 on several other PCs w/o any problem. As for the rest of the detections marked with "No Action By User", I'm 100% sure I had marked them to get quarantined.