Help removing spyware popups and strange things appearing on desktop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by barkeep, May 17, 2006.

  1. barkeep

    barkeep Private E-2

    I have run Ad-Aware a number of times and also Spybot, both fully updated..
    I use PC Tools Anti-Virus.. I also recently downloaded ZoneAlarm.

    In most scans I usually get a betterinternet.nail,
    sometimes 7FaSSt, Powerstrip and/or Bookedspace..
    It has also detected Win32.Trojan.Downloader.
    It all started with Surf Sidekick.. I finally eliminated that and now have these others.. I get popups at odd times.. sometimes when Explorer is not even open.
    Strange things have appeared on my desktop for unknown reasons.. Tagasarus, some weather program and a casino program. Also I have found directories on the C: drive that I know I didn't create.. Snowball wars, Inetget2 etc..

    I have Windows XP SP2 with the latest version of Explorer. I have it set for auto downloads so all downloads should be up to date..

    I have run all the programs that the sticky said to start with except for Windows Defender.. I tried it but it found the same malware time and time again and wanted to reboot my computer each time; after about 3 or 4 times I finally just uninstalled it.

    I have attached the Panda ActiveScan log and the BitDefender log..
    also the HijackThis log.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Note: You do not have an antivirus application installed. You have PC Tools Spyware Doctor which is an antispyware application and it also appears to be broken. Is this a paid version or a free trial? If a free trial, uninstall it as it is of no use to you unless you buy it.

    Why didn't you run Windows Defender as instructed in the READ ME? If you could not run it, you should indicate why and then you are still supposed to run CounterSpy and attach the log from CounterSpy.

    Let's get an installed programs list from HijackThis too!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
    You also have a Qoologic infection that we need to get more information on! Download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
     
    Last edited: May 18, 2006
  3. barkeep

    barkeep Private E-2

    Ok.. actually I do have PC Tools Anti-Virus installed, although it is a trial version.. You will note that in the uninstall text.. I had already uninstalled Spyware Doctor before running HijackThis but I did notice it said something about that as well. I was finally able to run Windows Defender.. As noted in my first post, the first time it wanted to continually reboot my computer.. I did get it to work properly this time. I also downloaded and ran Ewido Anti-Malware.. I attached the log file to this message. I wasn't sure it was necessary but I re-ran HijackThis since I ran Ewido.. I attached the new log file to this message.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it does show in your Uninstall list but in your HJT log it shows that it is not running or working. Since it is only a trial and since it is broken anyway, you should uninstall it and download one of the free fully functional antivirus applications in step 2 of the below link. (Make sure you uninstall PC Tools first before installing any new AV.)

    How to Protect yourself from malware!

    Also uninstall the below two old versions of Sun Java:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 5

    Do you know what the below installed program is?
    There (remove only)

    You need to install the current version of Mozilla Firefox and uninstall your old version:
    Mozilla Firefox (1.5.0.1)

    You also need to uninstall the below malware!
    iWon Prize Machine
    MediaTickets by OIN
    Viewpoint Media Player

    The below two items you have installed and are running at startup are from Verizon. But they are known to be massive resource hogs and are not something that you want to have running.
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

    Read the below two links for additional info on these and consider uninstalling this junk unless you really use it (I doubt it).
    http://www.bleepingcomputer.com/startups/ipclient.exe-2308.html
    http://www.bleepingcomputer.com/startups/ipmon32.exe-2309.html


    What in the world is the below running process from:
    C:\Program Files\Online Services\Use MSN Explorer to sign up for Internet Access (US only).exe

    Did this come from Verizon too? If you do not know what this is, you should delete the file!

    Now continue onto my next message.



     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\Program Files\Common Files\misc001\webhc1.exe
    C:\WINDOWS\system32\miyumxq.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\Online Services\Use MSN Explorer to sign up for Internet Access (US only).exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,miyumxq.exe
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
    O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.mmohsix.com
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O20 - Winlogon Notify: Control Panel - C:\WINDOWS\

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\Program Files\webHancer <--- the whole folder
    C:\Program Files\whInstall <--- the whole folder
    C:\Program Files\Common Files\misc001 <--- the whole folder
    C:\WINDOWS\system32\miyumxq.exe

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log and a new log from FindQool.

    Also tell me how things are working!
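    An added defender-side example, not code from this thread or from HijackThis: a small Python triage of HJT log lines like the ones fixed above, flagging non-default UserInit entries, orphaned "(file missing)"/"(no file)" entries, Trusted Zone additions, blank IE page settings and ActiveX (O16) downloads from hosts outside an assumed allowlist. The sample log mixes lines from the thread with one constructed benign O16 line, and the microsoft.com allowlist is an assumption for the example.

    ```python
    import re
    from urllib.parse import urlparse

    # Constructed sample: HijackThis lines from the thread plus one made-up benign
    # O16 line (placeholder GUID, microsoft.com host) so the allowlist branch runs.
    SAMPLE_LOG = r"""
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,miyumxq.exe
    O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
    O15 - Trusted Zone: *.elitemediagroup.net
    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {00000000-0000-0000-0000-000000000000} (constructed benign control) - http://download.microsoft.com/example.cab
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    """

    # Only userinit.exe itself belongs in the UserInit value on Windows XP.
    EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
    # Assumed allowlist for ActiveX download hosts (example only).
    TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

    ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


    def triage(line):
        """Return (verdict, reason) for one HijackThis log line.
        Verdicts: 'fix' (have HJT fix it), 'review' (human decision), 'info', 'skip'."""
        m = ENTRY_RE.match(line.strip())
        if not m:
            return ("skip", "not an HJT entry")
        kind, body = m.groups()
        lower = body.lower()
        if kind == "F2" and "userinit=" in lower:
            value = body.split("UserInit=", 1)[1]
            entries = [p.strip().lower() for p in value.split(",") if p.strip()]
            extra = [e for e in entries if e != EXPECTED_USERINIT]
            if extra:  # anything chained after userinit.exe runs at every logon
                return ("fix", "extra UserInit entries: " + ", ".join(extra))
            return ("info", "UserInit is the default")
        if "(file missing)" in lower or "(no file)" in lower:
            return ("fix", "orphaned entry, target file does not exist")
        if kind == "O15":  # sites added to the Trusted Zone get relaxed IE security
            return ("review", "Trusted Zone entry: " + body.split(":", 1)[1].strip())
        if kind == "O16":  # ActiveX control downloaded from a URL
            host = urlparse(body.rsplit(" - ", 1)[1]).hostname or ""
            if any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
                return ("info", "ActiveX download from allowlisted host " + host)
            return ("review", "ActiveX download from " + host)
        if kind == "R0" and body.rstrip().endswith("="):
            return ("fix", "blank IE page setting")
        return ("info", "no rule matched")


    def triage_log(text):
        """Triage every entry in a log; returns a list of (verdict, reason, line)."""
        out = []
        for line in text.splitlines():
            verdict, reason = triage(line)
            if verdict != "skip":
                out.append((verdict, reason, line.strip()))
        return out


    if __name__ == "__main__":
        for verdict, reason, line in triage_log(SAMPLE_LOG):
            print(f"{verdict:6} {reason:55} {line[:60]}")
    ```
    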
     
  6. barkeep

    barkeep Private E-2

    Ok I took care of all that..

    There is an online game of sorts.. It's interesting but I rarely ever play it so I went ahead and uninstalled it.

    Also I uninstalled PC Tools Anti-Virus.. I have installed the trial version of ZoneAlarm Security Suite.. The reason being is that I am strongly considering buying this.. Do you think it would be worth it???

    Ok now.. In all my scans.. The only things that still remain are adware.director and 1 tracking cookie. I have cleared out the cache and deleted cookies.. Ad-Aware says it's a data miner.. I have done all that and yet it still remains. I have removed adware.director I don't know how many times but it still comes back upon reboot.

    As requested I have attached the HijackThis log and the report from FindQool.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure you installed a full package that contains antivirus, antispyware, and a firewall? I see the firewall and also Isafe.exe which is some kind of package from CA that has to do with a Security Suite. But I'm not sure what it all contains. Personally I don't like security suites. They are typically too resource hungry and if malware does sneak in, it can tend to break the whole security suite. I prefer the route of choosing my own AV, AS, and firewall.

    You need to show me what you are referring to. Attach a log. Ignore Ad-Aware and its report about a tracking cookie. Cookies are rarely of any concern and you will have them anytime you surf.

    Do you still have Spyware Doctor installed? A service for it is still showing:

    O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)

    You should have HijackThis fix the below two lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    And then we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
    Last edited: May 21, 2006
  8. barkeep

    barkeep Private E-2

    Yes I am sure.. It has an antivirus, antispyware, antispam, and of course a firewall.. I am not completely sold on this yet but I am considering it.
    No, I saw that. I don't know why it is still showing.. I have tried to fix it but it continues to return.. Some type of malware possibly???
    Also it says something about a Lexmark server?? I don't have a Lexmark printer.. I have a Dell printer and an HP..

    I have fixed the things that you requested and have attached a log from Ad-Aware to this message.. I can get you another HJT log if needed.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not malware. You cannot fix services like that. They require more complex procedures to remove.

    If you do not have a Lexmark printer now, did you have one at some time?

    You did not attach a log from Ad-Aware but I don't really need one. Ad-Aware logs are rarely required as they do not normally provide any info that we need to fix problems. Why did you want to post one?


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to LexBce Server (if that is not found, look for the short name: aswUpdSv)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following services:
    PC Tools Spyware Doctor
    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    LexBceS

    Now repeat the Delete NT Service steps for:
    SDhelper
    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Shutdown/exit all protection software like Ewido before continuing or it may block the below changes and ALSO make sure you exit browsers when I tell you to.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Spyware Doctor <--- the whole folder
    C:\WINDOWS\system32\LEXBCES.EXE

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
    Last edited: May 22, 2006
  10. barkeep

    barkeep Private E-2

    Things seem to be working ok.. some web pages seem to load a little slowly but I think that has more to do with the ZoneAlarm settings.. I know it blocks some cookies..

    I ran Ad-Aware and it didn't find any spyware which is great.. I did however run the Kaspersky online scanner.. It found a few infected files..
    I am attaching the log from that and a new HijackThis log.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point. This will also take care of what Kaspersky showed you since it only found items in System Restore.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
