Virus Or Something On Laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by durbancic, Mar 30, 2026.

  1. durbancic

    durbancic Private E-2

    My wife said she was looking for pictures or a map of campgrounds and did a google search. When she clicked on some pictures she started getting popups on the right side of her screen. Similar to windows/microsoft notifications. When trying to X them out they sometimes pop up the browser and are advertising mcafee, etc. They will continually pop up every minute or few more of them.

Windows Defender showed no issues on a scan. Here are the results from the FRST scans.

    EDIT: Also wanted to mention that 2 programs were installed on the laptop that day: Google Drive Version 123.0.1.0 (I can uninstall this - but will wait for guidance) and HEIF image extension Microsoft Corporation 16.0KB (cannot uninstall) Version 1.2.30.0. She did not knowingly install any programs.
     

    Attached Files:

    Last edited: Mar 30, 2026
  2. durbancic

    durbancic Private E-2

    EDITED ^^^
     
  3. Oh My!

    Oh My! Malware Expert Staff Member

Greetings and welcome to Major Geeks Malware Forum.

    My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

    ===================================================

    Ground Rules:
    • First, please keep in mind most of us at Major Geeks volunteer our assistance for your benefit in your time of need. Please try to match our commitment to you with your patience toward us.
    • It is important to not run any tools or take any steps other than those I will provide for you.
    • Please perform all steps in the order they are listed. If things are not clear or you experience problems be sure to stop and let me know.
• Please take special note in my instructions whether to copy and paste, attach, or upload reports or files requested in my instructions.
    • When your computer is clean I will let you know, provide instructions to remove tools and reports, and offer you information about how you can combat future infections.
    ===================================================

    Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and let me know.

    Please allow me some time to review what you have posted.
     
  4. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings.

    Overall your computer is in very nice shape, other than some Edge Push Notifications that snuck onto your computer.

    Please do this.

    ===================================================

    Delete Edge Notifications

    --------------------
    • Note: I would recommend deleting all Notifications and blocking that capability unless you find notifications necessary
    • Launch Edge
    • Copy and paste edge://settings/content/notifications in the address bar and hit Enter
    • Click on the 3 dots to the right of the below listed items and any entry you do not recognize or want and select Remove
    d26ac17pm37ktvra3a.qodks.co.in
d722aaohubcc738g0c5g.lendovia.co.in
• I recommend you disable Edge notifications; if you would like to, follow the instructions here
    • Close Edge, relaunch the browser and check the performance
    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Close any open programs or windows because your computer will automatically reboot after FRST64 is run
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    2018-08-01 12:49 - 2018-08-01 12:49 - 000000000 _____ () C:\Users\terra\AppData\Local\{4E2D864F-4A5D-43B1-BF90-93D55E6E0847}
    HKU\S-1-5-21-2556308274-104924463-3244872640-1005\...\Run: [EPSDNMON] => "" (No File)
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    FirewallRules: [{1EE2FE6A-3B01-4DA8-9991-1475137C8E8B}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe => No File
    FirewallRules: [{B2F93E99-04E3-4C4B-98BF-7EF9B37A236E}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe => No File
    FirewallRules: [{9E6112B0-9A77-4EEE-86FB-E1D390169B3E}] => (Allow) C:\Users\terra\AppData\Local\Temp\EpInsNav\DL\3013\Network\EpsonNetSetup\Data\ENEasyApp.exe => No File
    FirewallRules: [{7023F4E1-D29F-4F9C-825C-9BA588250E53}] => (Allow) C:\Users\terra\AppData\Local\Temp\EpInsNav\DL\3013\Network\EpsonNetSetup\Data\ENEasyApp.exe => No File
    FirewallRules: [{79396349-14E4-484B-8B4C-1F98165D9037}] => (Allow) C:\Users\terra\AppData\Local\Temp\EPSON\Download Navigator\20260311205307\ET-2850 Series    L4260 Series    ST-C2100 Series\FWCJ63TL\EPFWUPD.exe => No File
    FirewallRules: [{D9A4DA63-E689-4A34-B380-B4C6FD47FB48}] => (Allow) C:\Users\terra\AppData\Local\Temp\EPSON\Download Navigator\20260311205307\ET-2850 Series    L4260 Series    ST-C2100 Series\FWCJ63TL\EPFWUPD.exe => No File
    2018-05-17 21:37 - 2018-05-17 21:37 - 000000000 _____ () C:\Program Files (x86)\GUT29A6.tmp
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Push Notifications removed?
    • Fixlog
    • Update on computer/browser behavior
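The manual step above removes the two notification entries through the Edge settings page. As an added example (not code from the thread or from Major Geeks), the script below audits the same data from the file side: Chromium-based browsers such as Edge keep per-site notification permissions in the profile's Preferences JSON under profile.content_settings.exceptions.notifications, with setting 1 meaning allow and 2 meaning block. The Preferences path, the sample entries (which reuse the two domains named above plus constructed placeholders), the allowlist, and the random-label heuristic are all assumptions made for this example.

```python
"""Audit a Chromium-based browser profile (Edge/Chrome) for sites that are
allowed to send push notifications.

Assumed layout (Chromium): profile.content_settings.exceptions.notifications
maps "<primary pattern>,<secondary pattern>" -> {"setting": 1|2, ...}.
On Windows the Edge default profile is usually at
  %LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Preferences
(assumption; other profiles have their own Preferences file).
"""
import json
from pathlib import Path
from urllib.parse import urlsplit

ALLOW, BLOCK = 1, 2  # Chromium content-setting values

# Constructed sample Preferences content: the two domains from the thread,
# one site the user recognises, and one site that was already blocked.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://d26ac17pm37ktvra3a.qodks.co.in:443,*": {"setting": ALLOW},
        "https://d722aaohubcc738g0c5g.lendovia.co.in:443,*": {"setting": ALLOW},
        "https://mail.example.com:443,*": {"setting": ALLOW},
        "https://news.example.org:443,*": {"setting": BLOCK},
    }}}}
})


def load_preferences(path) -> str:
    """Read a real Preferences file; used instead of SAMPLE_PREFERENCES on a live machine."""
    return Path(path).read_text(encoding="utf-8")


def notification_exceptions(prefs_text: str) -> dict:
    """Return the notifications exception map, or {} if the profile has none."""
    prefs = json.loads(prefs_text)
    return (prefs.get("profile", {}).get("content_settings", {})
            .get("exceptions", {}).get("notifications", {}))


def pattern_host(pattern: str) -> str:
    """Keys look like 'https://host:443,*'; keep the host of the primary pattern."""
    primary = pattern.split(",", 1)[0]
    return urlsplit(primary).hostname or primary


def allowed_notification_hosts(prefs_text: str) -> list[str]:
    """Hosts whose notification permission is 'allow' (setting == 1)."""
    return sorted(pattern_host(key)
                  for key, value in notification_exceptions(prefs_text).items()
                  if value.get("setting") == ALLOW)


def unexpected_hosts(prefs_text: str, known_good: set[str]) -> list[str]:
    """Allowed hosts that the user did not knowingly approve."""
    return [h for h in allowed_notification_hosts(prefs_text) if h not in known_good]


def looks_random_label(host: str, min_len: int = 12) -> bool:
    """Heuristic (assumption): a long leftmost label mixing letters and digits,
    like the two hosts in the thread, is typical of throwaway notification spam
    domains. Treat as a hint for review, not as proof."""
    label = host.split(".", 1)[0]
    return (len(label) >= min_len
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


if __name__ == "__main__":
    # Replace SAMPLE_PREFERENCES with load_preferences(<path>) on a real profile.
    for host in unexpected_hosts(SAMPLE_PREFERENCES, {"mail.example.com"}):
        flag = " (random-looking label)" if looks_random_label(host) else ""
        print(f"notifications allowed for unrecognised site: {host}{flag}")
```

Run it with the browser closed for a consistent read; removing an entry is still best done through the edge://settings/content/notifications page as described above, since editing Preferences by hand while the browser is open is overwritten on exit.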
     
  5. durbancic

    durbancic Private E-2

    Thank you for your assistance Gary!

    I removed push notifications and disabled them.
    The computer is now running fine and I have had no pop ups.
    Should those two apps be uninstalled that I mentioned in the first post? They both have similar version numbers and were installed the day this started, thus they seem suspicious to me.

    - Dan

    Log pasted:
    Fix result of Farbar Recovery Scan Tool (x64) Version: 28-03-2026
    Ran by terra (30-03-2026 11:16:13) Run:1
    Running from C:\Users\terra\Downloads
    Loaded Profiles: terra
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    2018-08-01 12:49 - 2018-08-01 12:49 - 000000000 _____ () C:\Users\terra\AppData\Local\{4E2D864F-4A5D-43B1-BF90-93D55E6E0847}
    HKU\S-1-5-21-2556308274-104924463-3244872640-1005\...\Run: [EPSDNMON] => "" (No File)
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
    FirewallRules: [{1EE2FE6A-3B01-4DA8-9991-1475137C8E8B}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe => No File
    FirewallRules: [{B2F93E99-04E3-4C4B-98BF-7EF9B37A236E}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe => No File
    FirewallRules: [{9E6112B0-9A77-4EEE-86FB-E1D390169B3E}] => (Allow) C:\Users\terra\AppData\Local\Temp\EpInsNav\DL\3013\Network\EpsonNetSetup\Data\ENEasyApp.exe => No File
    FirewallRules: [{7023F4E1-D29F-4F9C-825C-9BA588250E53}] => (Allow) C:\Users\terra\AppData\Local\Temp\EpInsNav\DL\3013\Network\EpsonNetSetup\Data\ENEasyApp.exe => No File
    FirewallRules: [{79396349-14E4-484B-8B4C-1F98165D9037}] => (Allow) C:\Users\terra\AppData\Local\Temp\EPSON\Download Navigator\20260311205307\ET-2850 Series L4260 Series ST-C2100 Series\FWCJ63TL\EPFWUPD.exe => No File
    FirewallRules: [{D9A4DA63-E689-4A34-B380-B4C6FD47FB48}] => (Allow) C:\Users\terra\AppData\Local\Temp\EPSON\Download Navigator\20260311205307\ET-2850 Series L4260 Series ST-C2100 Series\FWCJ63TL\EPFWUPD.exe => No File
    2018-05-17 21:37 - 2018-05-17 21:37 - 000000000 _____ () C:\Program Files (x86)\GUT29A6.tmp
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    End::
    *****************

    CreateRestorePoint: Error(1=8%) -> Failed to create a restore point.
    Processes closed successfully.
    C:\Users\terra\AppData\Local\{4E2D864F-4A5D-43B1-BF90-93D55E6E0847} => moved successfully
    "HKU\S-1-5-21-2556308274-104924463-3244872640-1005\Software\Microsoft\Windows\CurrentVersion\Run\\EPSDNMON" => removed successfully
    HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1EE2FE6A-3B01-4DA8-9991-1475137C8E8B}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B2F93E99-04E3-4C4B-98BF-7EF9B37A236E}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9E6112B0-9A77-4EEE-86FB-E1D390169B3E}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7023F4E1-D29F-4F9C-825C-9BA588250E53}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{79396349-14E4-484B-8B4C-1F98165D9037}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D9A4DA63-E689-4A34-B380-B4C6FD47FB48}" => removed successfully
    C:\Program Files (x86)\GUT29A6.tmp => moved successfully

    ========= sfc /scannow =========


    Beginning system scan. This process will take some time.

    Beginning verification phase of system scan.

    Verification 0% complete.
    Verification 1% complete.
    Verification 1% complete.
    Verification 2% complete.
    Verification 2% complete.
    Verification 3% complete.
    Verification 3% complete.
    Verification 4% complete.
    Verification 5% complete.
    Verification 5% complete.
    Verification 6% complete.
    Verification 6% complete.
    Verification 7% complete.
    Verification 7% complete.
    Verification 8% complete.
    Verification 8% complete.
    Verification 9% complete.
    Verification 10% complete.
    Verification 10% complete.
    Verification 11% complete.
    Verification 11% complete.
    Verification 12% complete.
    Verification 12% complete.
    Verification 13% complete.
    Verification 14% complete.
    Verification 14% complete.
    Verification 15% complete.
    Verification 15% complete.
    Verification 16% complete.
    Verification 16% complete.
    Verification 17% complete.
    Verification 17% complete.
    Verification 18% complete.
    Verification 19% complete.
    Verification 19% complete.
    Verification 20% complete.
    Verification 20% complete.
    Verification 21% complete.
    Verification 21% complete.
    Verification 22% complete.
    Verification 22% complete.
    Verification 23% complete.
    Verification 24% complete.
    Verification 24% complete.
    Verification 25% complete.
    Verification 25% complete.
    Verification 26% complete.
    Verification 26% complete.
    Verification 27% complete.
    Verification 28% complete.
    Verification 28% complete.
    Verification 29% complete.
    Verification 29% complete.
    Verification 30% complete.
    Verification 30% complete.
    Verification 31% complete.
    Verification 31% complete.
    Verification 32% complete.
    Verification 33% complete.
    Verification 33% complete.
    Verification 34% complete.
    Verification 34% complete.
    Verification 35% complete.
    Verification 35% complete.
    Verification 36% complete.
    Verification 37% complete.
    Verification 37% complete.
    Verification 38% complete.
    Verification 38% complete.
    Verification 39% complete.
    Verification 39% complete.
    Verification 40% complete.
    Verification 40% complete.
    Verification 41% complete.
    Verification 42% complete.
    Verification 42% complete.
    Verification 43% complete.
    Verification 43% complete.
    Verification 44% complete.
    Verification 44% complete.
    Verification 45% complete.
    Verification 45% complete.
    Verification 46% complete.
    Verification 47% complete.
    Verification 47% complete.
    Verification 48% complete.
    Verification 48% complete.
    Verification 49% complete.
    Verification 49% complete.
    Verification 50% complete.
    Verification 51% complete.
    Verification 51% complete.
    Verification 52% complete.
    Verification 52% complete.
    Verification 53% complete.
    Verification 53% complete.
    Verification 54% complete.
    Verification 54% complete.
    Verification 55% complete.
    Verification 56% complete.
    Verification 56% complete.
    Verification 57% complete.
    Verification 57% complete.
    Verification 58% complete.
    Verification 58% complete.
    Verification 59% complete.
    Verification 59% complete.
    Verification 60% complete.
    Verification 61% complete.
    Verification 61% complete.
    Verification 62% complete.
    Verification 62% complete.
    Verification 63% complete.
    Verification 63% complete.
    Verification 64% complete.
    Verification 65% complete.
    Verification 65% complete.
    Verification 66% complete.
    Verification 66% complete.
    Verification 67% complete.
    Verification 67% complete.
    Verification 68% complete.
    Verification 68% complete.
    Verification 69% complete.
    Verification 70% complete.
    Verification 70% complete.
    Verification 71% complete.
    Verification 71% complete.
    Verification 72% complete.
    Verification 72% complete.
    Verification 73% complete.
    Verification 74% complete.
    Verification 74% complete.
    Verification 75% complete.
    Verification 75% complete.
    Verification 76% complete.
    Verification 76% complete.
    Verification 77% complete.
    Verification 77% complete.
    Verification 78% complete.
    Verification 79% complete.
    Verification 79% complete.
    Verification 80% complete.
    Verification 80% complete.
    Verification 81% complete.
    Verification 81% complete.
    Verification 82% complete.
    Verification 82% complete.
    Verification 83% complete.
    Verification 84% complete.
    Verification 84% complete.
    Verification 85% complete.
    Verification 85% complete.
    Verification 86% complete.
    Verification 86% complete.
    Verification 87% complete.
    Verification 88% complete.
    Verification 88% complete.
    Verification 89% complete.
    Verification 89% complete.
    Verification 90% complete.
    Verification 90% complete.
    Verification 91% complete.
    Verification 91% complete.
    Verification 92% complete.
    Verification 93% complete.
    Verification 93% complete.
    Verification 94% complete.
    Verification 94% complete.
    Verification 95% complete.
    Verification 95% complete.
    Verification 96% complete.
    Verification 97% complete.
    Verification 97% complete.
    Verification 98% complete.
    Verification 98% complete.
    Verification 99% complete.
    Verification 99% complete.
    Verification 100% complete.

    Windows Resource Protection found corrupt files and successfully repaired them.
    For online repairs, details are included in the CBS log file located at
    windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
    repairs, details are included in the log file provided by the /OFFLOGFILE flag.


    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /CheckHealth =========


    Deployment Image Servicing and Management tool
    Version: 10.0.19041.3636

    Image Version: 10.0.19045.6466

    No component store corruption detected.
    The operation completed successfully.


    ========= End of CMD: =========



    The system needed a reboot.

    ==== End of Fixlog 11:20:08 ====
     
  6. Oh My!

    Oh My! Malware Expert Staff Member

    The Fixlist worked as planned and looks good.

Neither one of those programs is malicious. You can remove Google Drive if you'd like (see below). I recommend using Revo Uninstaller (see below). Although I don't see any reference to HEIF in your logs, that extension will assist in opening files using that particular format.

    ==================================================

    Uninstalling Programs Using Revo Uninstaller Free Portable

    --------------------

    • Download Revo Uninstaller Free Portable and save it to your Desktop
    • Right click on the folder and select Extract All..., then click Extract
    • Double click on the RevoUninstaller-Portable folder
    • Right click on RevoUPort and select Run as administrator
    • Click OK on the License Agreement
    • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
    Code:
    Google Drive
    
    • If the program's uninstaller appears work through the steps to remove the program(s)
    • Be sure the Advanced option is selected then click Scan
    • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
    • Once done click Finish
    • Reboot your computer
    ===================================================

    Things I would like to see in your next reply.
    • Results?
     
  7. durbancic

    durbancic Private E-2

    Ok, after looking closer, those are the actual numbers of current versions of each software. It is just a coincidence that they both have 123 in the version number. I am going to go ahead and leave them installed. Thank you for your help - problem solved!!

    Dan
     
  8. Oh My!

    Oh My! Malware Expert Staff Member

    Sounds good.

    Looks like we are all set.

    Here is our final step and some additional information to consider.

    ===================================================

    KpRm by Kernel-panik

    --------------
    • Download KpRm and save it to your Desktop (see here if you must use Chrome)
    • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
    • Right click on the icon and select Run as administrator
    • Click Yes on the Disclaimer
    • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
    • Click Run
    • Click OK on All operations are completed
• KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
    • You are free to remove any other tools/reports still remaining
    ===================================================

    All Clean!

    --------------

    Your computer is now clean. Please consider this going forward.

    Thank you for placing your trust in Major Geeks. It was a pleasure serving you.
     
