RobertWev

Aura - my computer is working fine. Thanks for your help. Robert

Aura - not sure what you mean. What e-mail address do I use for "To" box on the SendSpace Upload screen? https://www.sendspace.com/file/wttr5w Hope this works!

Aura - not sure what you mean. What e-mail address do I use for "To" box on the SendSpace Upload screen?

Hi Aura - do you have an e-mail address that I can use to send the file to you? Robert

I get an error message that I am only allowed to upload 58.59 mb; looks like the zipped quarantine folder is 161 mb.

Aura, Thank you so much. Your fix appears to have worked. I see no evidence that the KNCTR or Idle Buddy apps are present. I'll give it a few days to further test the computer and follow up with another report to confirm that the fix worked. You asked for the content of the fixlog file; here it is. What is the reason for copy/paste the content of the file vs just attaching the file? Just curious. I will upgrade to Malware Premium shortly. Thanks again. Robert Fix result of Farbar Recovery Scan Tool (x64) Version: 20.06.2018 Ran by Robert (24-06-2018 17:05:56) Run:1 Running from C:\Users\Robert\Desktop Loaded Profiles: Robert (Available Profiles: Robert & Cathy) Boot Mode: Normal ============================================== fixlist content: ***************** CloseProcesses: CreateRestorePoint: VirusTotal: C:\WINDOWS\System32\drivers\SurfacePro1725TypeCoverIntegration.sys VirusTotal: C:\WINDOWS\System32\drivers\SurfacePro1786DigitizerIntegration.sys HKU\S-1-5-21-2270328152-1225066204-1418297232-1001\...\Run: [Knctr] => C:\Users\Robert\AppData\Roaming\Knctr\app\KnctrLauncher.exe [40088 2018-06-17] (Knctr Inc) HKU\S-1-5-21-2270328152-1225066204-1418297232-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=863138258&param1=y6bdVFVIsvuYsgEClQfz8IfaIrULFWUA2DMVetLqXBoEG%2Beetca0YIKhitOKhjh90n%2FdmfB7tqbRR0RG9QqYlKVYdZ%2B%2BDuknfrzPvwPzdu2sMtwGUDqWA3AamXewo%2B2r5ndq43T7M%2BkQT0DBjp2eGA6svlidmHZWPsBRneic7HfO30Ka1AJW8tPT72Cx0sRJQuPbdbkrQPF4HUgoV5X%2FhwJ8l8DJSGU0uSTOuYvZ9lPXLCHMn1HbmhXp4jXnrR12jfk%2F4ywFgq2w1M4yzf5XBQ%3D%3D SearchScopes: HKU\S-1-5-21-2270328152-1225066204-1418297232-1001 -> {1711FC25-F05A-40CE-B859-A0C1CF01FD18} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=omr&hsimp=yhs-001&type=863138258&param1=y6bdVFVIsvuYsgEClQfz8IfaIrULFWUA2DMVetLqXBoEG%2Beetca0YIKhitOKhjh93DYk236SHlWyqzU8jhSGN57B7uyMr3n77deD8813QPnCYFeOf4PWlF%2BGtmHvWB4zzgK5hgDqItuA2kPVl3NNENN%2BV3gcPzjEkqg8OmGcNBgS%2F8SjetD68HUcYkM7l5a0R7BKAeYdwabuou2ODJJ1O8e562CvJew%2Fr1j4lFoL7xFGz5NHof3pWEhhgoJgjCZ1ljX5of5e8VavMbNwJEWSpA%3D%3D&p={searchTerms} CHR HKLM-x32\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx R2 ibservice; C:\Program Files (x86)\Idle-Buddy\ibservice.exe [7063832 2018-06-21] () C:\Program Files (x86)\Idle-Buddy C:\Program Files (x86)\AnonymizerGadget C:\ProgramData\IdleBuddy C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget C:\Users\Robert\AppData\Local\SuperFolder C:\Users\Robert\AppData\Local\UnashamedSweat C:\Users\Robert\AppData\Local\Opera Software C:\Users\Robert\AppData\Roaming\PCAPInstallFiles C:\Users\Robert\AppData\Roaming\AGData C:\Users\Robert\AppData\Roaming\Knctr C:\Users\Robert\AppData\Roaming\PrUpdater C:\Users\Robert\AppData\Roaming\KnctrDownloader C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Idle-Buddy C:\Users\Robert\AppData\Roaming\Opera Software EmptyTemp: ***************** Processes closed successfully. Restore point was successfully created. VirusTotal: C:\WINDOWS\System32\drivers\SurfacePro1725TypeCoverIntegration.sys => https://www.virustotal.com/file/69f331874e45100aadca9ffd71704ebbc111ff9783402d2735ebef3a6a87e749/analysis/1503233334/ VirusTotal: C:\WINDOWS\System32\drivers\SurfacePro1786DigitizerIntegration.sys => https://www.virustotal.com/file/2948d8f1e9180cdb10e57923aeef8a54a1eea39aabe242d443e144bd5653252b/analysis/1529539778/ "HKU\S-1-5-21-2270328152-1225066204-1418297232-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Knctr" => removed successfully HKU\S-1-5-21-2270328152-1225066204-1418297232-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully "HKU\S-1-5-21-2270328152-1225066204-1418297232-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1711FC25-F05A-40CE-B859-A0C1CF01FD18}" => removed successfully HKLM\Software\Classes\CLSID\{1711FC25-F05A-40CE-B859-A0C1CF01FD18} => not found "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gannpgaobkkhmpomoijebaigcapoeebl" => removed successfully "HKLM\System\CurrentControlSet\Services\ibservice" => removed successfully ibservice => service removed successfully C:\Program Files (x86)\Idle-Buddy => moved successfully C:\Program Files (x86)\AnonymizerGadget => moved successfully C:\ProgramData\IdleBuddy => moved successfully C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget => moved successfully C:\Users\Robert\AppData\Local\SuperFolder => moved successfully C:\Users\Robert\AppData\Local\UnashamedSweat => moved successfully C:\Users\Robert\AppData\Local\Opera Software => moved successfully C:\Users\Robert\AppData\Roaming\PCAPInstallFiles => moved successfully C:\Users\Robert\AppData\Roaming\AGData => moved successfully C:\Users\Robert\AppData\Roaming\Knctr => moved successfully C:\Users\Robert\AppData\Roaming\PrUpdater => moved successfully C:\Users\Robert\AppData\Roaming\KnctrDownloader => moved successfully C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Idle-Buddy => moved successfully C:\Users\Robert\AppData\Roaming\Opera Software => moved successfully =========== EmptyTemp: ========== BITS transfer queue => 7364608 B DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 72965487 B Java, Flash, Steam htmlcache => 100930894 B Windows/system/drivers => 1046856 B Edge => 81444609 B Chrome => 0 B Firefox => 0 B Opera => 0 B Temp, IE cache, history, cookies, recent: Default => 0 B Users => 0 B ProgramData => 0 B Public => 0 B systemprofile => 0 B systemprofile32 => 0 B LocalService => 4508 B LocalService => 0 B NetworkService => 63210 B NetworkService => 0 B Robert => 104975011 B Cathy => 579188 B RecycleBin => 0 B EmptyTemp: => 352.3 MB temporary data Removed. ================================ The system needed a reboot. ==== End of Fixlog 17:06:44 ====

Hi Aura, Thank you for the quick response. I will comply with all of your requests, and I do not have any pirated, illegal or counterfeited software on my computer. I am against that also and have never done it. I realize this may take some time to resolve. I got these unwanted programs when I was downloading a Mod for a game I play (Strategic Command: WWII War in Europe). If you can help me with these malware problems, it is a guaranteed upgrade to Premium from my Trial version. Robert

Hi - I downloaded the 14 day trial version of Malwarebytes to help me eliminate several malware apps on my MS Surface PC. I know that IdleBuddy and KNCTR are present, but the Malwarebytes scan does not find them. I also tried Bitdefender and that program didn't find anything, leading me to Malwarebytes. Please help me get rid of these annoying apps. I have attached the requested files. Thanks Robert Wevodau MWScan Report.txt FRST.txt Addition.txt