I Think I Got Virus

Greetings and welcome to Major Geeks Malware Forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:

• First, please keep in mind most of us at Major Geeks volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us.
• It is important to not run any tools or take any steps other than those I will provide for you.
• Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
• Please take special note in my instructions whether to copy and paste, attach, or upload reports or files requested in my instructions
• When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and let me know.

Please allow me some time to review what you have posted.

 

Greetings.

Let's start with this.

===================================================

Deleting Edge Startup URL

--------------------

• Launch Edge
• Copy and paste the following in the Address Bar then hit Enter

edge://settings/startHomeNTP​

• If necessary, select Open custom sites
• Click the 3 dots to the right of any entry you don't recognize or want and select Delete

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Close any open programs or windows because your computer will automatically reboot after FRST64 is run
• Right click on the FRST64 icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST64 will do it for you

Code:

Start::
CreateRestorePoint:
CloseProcesses:
Folder: C:\Users\Arguelles\AppData\LocalLow\jixin
Folder: C:\Users\Arguelles\AppData\LocalLow\XD
C:\Users\Arguelles\AppData\Roaming\Intel\MEIPreload
2026-02-04 18:35 - 2026-02-04 18:35 - 000000000 ____D C:\ProgramData\tmp
Task: {EBF4CB1D-1984-4A5B-BD7C-D17B4168228B} - System32\Tasks\NCR Rs 70517-S-1-5-21-732113480-1200635168-1762392391-1001 => C:\Users\Arguelles\AppData\Roaming\Intel\MEIPreload\intdb_win64\101adeaedc563292\agent_ovpnconnect.exe [104280 2026-02-04] (Python Software Foundation -> Python Software Foundation) -> "C:\Users\Arguelles\AppData\Roaming\Intel\MEIPreload\intdb_win64\101adeaedc563292\node_modules.asar" <==== ATTENTION 
S4 uhssvc; "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe" [X] 
S3 NEProtect; \??\C:\Program Files (x86)\Steam\steamapps\common\Once Human\NEProtect.sys [X] 
HKLM-x32\...\Run: [] => C:\Program Files (x86)\Broadcom\WirelessBCM MIMO\Utility\Wlan11ag.exe -hide (No File) 
HKU\S-1-5-21-732113480-1200635168-1762392391-1001\...\Run: [RiotClient] => C:\Riot Games\Riot Client\RiotClientServices.exe --launch-background-mode (No File) 
Task: {D76BB0EB-42AE-471E-8B54-E246327DED39} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-732113480-1200635168-1762392391-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  /reporting (No File) 
Task: {4230B101-0EC6-4723-8252-58E2DFB43DC0} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-732113480-1200635168-1762392391-1002 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File) 
CustomCLSID: HKU\S-1-5-21-732113480-1200635168-1762392391-1001_Classes\CLSID\{28A80003-18FD-411D-B0A3-3C81F618E22B}\InprocServer32 -> C:\Users\Arguelles\AppData\Local\Kingsoft\WPS Office\12.2.0.23196\office6\kwpsmenushellext64.dll => No File 
ContextMenuHandlers1_S-1-5-21-732113480-1200635168-1762392391-1001: [          kwpsshellext] -> {28A80003-18FD-411D-B0A3-3C81F618E22B} => C:\Users\Arguelles\AppData\Local\Kingsoft\WPS Office\12.2.0.23196\office6\kwpsmenushellext64.dll -> No File 
ContextMenuHandlers4_S-1-5-21-732113480-1200635168-1762392391-1001: [          kwpsshellext] -> {28A80003-18FD-411D-B0A3-3C81F618E22B} => C:\Users\Arguelles\AppData\Local\Kingsoft\WPS Office\12.2.0.23196\office6\kwpsmenushellext64.dll -> No File 
CustomCLSID: HKU\S-1-5-21-732113480-1200635168-1762392391-1001_Classes\CLSID\{B4CB80B5-D295-711A-E263-14B7E8C0AB3F}\InprocServer32 -> no filepath 
U4 npcap_wifi; no ImagePath 
HKLM\...\Policies\Explorer: [ConfirmFileDelete] 0
IFEO\CompatTelRunner.exe: [Debugger] C:\WINDOWS\system32\systray.exe 
IFEO\wsqmcons.exe: [Debugger] C:\WINDOWS\system32\systray.exe 
AlternateDataStreams: C:\Users\Arguelles\Application Data:eb92b835a834003ac00ee2632de0e925 [394] 
AlternateDataStreams: C:\Users\Arguelles\AppData\Roaming:eb92b835a834003ac00ee2632de0e925 [394] 
HKU\S-1-5-21-732113480-1200635168-1762392391-1001\...\RunOnce: [Application Restart #2] => C:\Users\Arguelles\AppData\Local\Lark\app\Lark.exe [4058944 2026-02-03] (Lark Technologies Pte. Ltd. -> Lark Technologies Pte. Ltd.) 
cmd: netsh winsock reset catalog
cmd: netsh int ip reset resetlog.txt
Reg: reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules C:\Firewall.reg
C:\Firewall.reg
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: bitsadmin /reset /allusers
cmd: ipconfig /flushdns
Removeproxy:
hosts:
cmd: sfc /scannow
cmd: DISM /Online /Cleanup-Image /CheckHealth
Emptytemp:
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
• Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
• Note: The Emptytemp: command will remove cookies and may result in some websites (like banking) indicating they do not recognize your computer. It may be necessary to receive and apply a verification code. In addition, all temporary files including items in the Recycle Bin will be removed. If you are unsure about emptying temporary files stop and let me know.

===================================================

Things I would like to see in your next reply. Please attach the report to your reply.

• Edge Startup entries reviewed?
• Fixlog

 

Thank you.

This is what is being shown as the Edge Startup URL's. We need to remove this then you can set new Edge Startup URLs.

===================================================

Farbar Recovery Scan Tool Fix

--------------------

• Close any open programs or windows because your computer will automatically reboot after FRST64 is run
• Right click on the FRST64 icon and select Run as administrator
• Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
• There is no need to paste the information anywhere, FRST64 will do it for you

Code:

Start::
CloseProcesses:
Edge StartupUrls: Default -> "hxxps://www.facebook.com/messages/t/100043103078753","hxxps://www.google.com/maps/place/Pao+Ong+Kong+Chinese+Temple/@14.5556727,120.9907983,19z/data=!4m10!1m2!2m1!1sWen+Sheng+Temple++pasay!3m6!1s0x3397c9633d722259:0x990f620158ed7c50!8m2!3d14.556047!4d120.9912352!15sChdXZW4gU2hlbmcgVGVtcGxlICBwYXNheVoYIhZ3ZW4gc2hlbmcgdGVtcGxlIHBhc2F5kgENdGFvaXN0X3RlbXBsZZoBI0NoWkRTVWhOTUc5blMwVkpRMEZuU1VSbE0yOURkbFJSRUFF4AEA-gEECAAQGw!16s%2Fg%2F1tf77mnk?entry=ttu&g_ep=EgoyMDI1MTIwOS4wIKXMDSoKLDEwMDc5MjA2OUgBUAM%3D","hxxps://www.pcso.gov.ph/SearchLottoResult.aspx","hxxps://www.youtube.com/watch?v=8CdcCD5V-d8&list=RDGMEMHDXYb1_DDSgDsobPsOFxpAVMwXhTHyIgQ_U&index=11","hxxps://mtusea01.teleopticloud.com/Web/MyTime#Schedule/Week/2026/01/04","hxxps://ssgph-ess.payrollsolutions.ph/","hxxps://mail.s2g.net/#1","hxxps://mail.google.com/mail/u/0/#category/updates","hxxps://docs.google.com/spreadsheets/d/1cGztvf4sn0xi89g8rAlvAZ2MOkvmrZinEDaamzfnAA0/edit?pli=1&gid=133081738#gid=133081738","hxxps://docs.google.com/spreadsheets/d/1Qz_1hYmONhhO0Tfk0iW_6I9wMOwDjZE9JXm4hgVVGx4/edit?pli=1&gid=908531225#gid=908531225","hxxps://docs.google.com/spreadsheets/d/10Th51qvc-V9Ptfcn8NCKNP61yCEVURA7gQD71CiEEkE/edit?gid=774358874#gid=774358874","hxxps://fkcx-mgmt.toxupa.com/"
End::

• Click Fix
• When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
• Set your new Startup URLs

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

• Fixlog
• Startups set?

 

Great, thanks.

How is your computer running now? Have you received any more reports from your friends?

 

Very good.

Here is our final step and some additional information to consider.

===================================================

KpRm by Kernel-panik

--------------

• Download KpRm and save it to your Desktop (see here if you must use Chrome)
• Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
• Right click on the icon and select Run as administrator
• Click Yes on the Disclaimer
• Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
• Click Run
• Click OK on All operations are completed
• KpRm will delete itself from you Desktop and you can either save or remove the report that is generated
• You are free to remove any other tools/reports still remaining

===================================================

All Clean!

--------------

Your computer is now clean. Please consider this going forward.

• Answers to common security questions - Best Practices
• So How did I get infected?
• Why I Stopped Using Third-Party Antivirus on Windows
• Pirated Software is All Fun and Games Until Your Data is Stolen
• Why You Should Update All Your Software

Thank you for placing your trust in Major Geeks. It was a pleasure serving you.