[Excal]

Did you try to delete those files yet to see if they would delete>?


Excal

[Advertisements]

This is going to sound stupid, but how to delete. Do I do a file search for each or do I use Explorer? And is that for each log from all three of the programs I ran??
thanks

[lannie]

This is going to sound stupid, but how to delete. Do I do a file search for each or do I use Explorer? And is that for each log from all three of the programs I ran??
thanks

[Excal]

I would be in safe mode and use windows explorer.
I would stick with this one for now.



Excal

[lannie]

Didn't drop off the planet. Sorry, but I was gone for a few days and then tried to clean off a bunch of the files. Some came off some didn't. Loaded a trial of spyware dr. and am posting the results of the scan. I believe that I have gotten Overpro off and BookedSpace. Still can't figure out what to do about IBIS toolbar. Computer running better, but am still getting lots of Fastclick popups. What next. Thanks
Lannie

[Excal]

I just find it strange that I can't see anything in any of the logs I had you run......




Excal

[lannie]

this is spyware dr. log:
Infection Name Location Risk
IBIS Toolbar HKLM\software\microsoft\windows\currentversion\run##viewmgr Medium
Advertising C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\159XJWSD\bins=1[1].gif Low
Tracking Cookie(s) C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt Medium
Overpro.com C:\Program Files\Common Files\SWF Studio High
Overpro.com C:\Program Files\Common Files\SWF Studio\FileSys.dll High
Overpro.com C:\Program Files\Common Files\SWF Studio\SysInfo.dll High
BookedSpace C:\WINDOWS\bsx32.ini Elevated
WildTangent C:\WINDOWS\System32\wtcpl.cpl

[Excal]

Boot into safe mode:

Please remove the following folders using Windows Explorer (if present):

C:\Program Files\Common Files\SWF Studio

Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\wtcpl.cpl
C:\WINDOWS\bsx32.ini

reboot to normal mode

go to start>run and copy and paste this in.

regedit /e C:\search.txt "HKEY_LOCAL_MACHINE\microsoft\windows\currentversion"

Paste the results in your next post (file will be C:\ search.txt)


I think we might be seeing the end of the tunnel!!

[lannie]

Light at the end of the tunnel sounds great. I will follow your instructions and try to post back later.

Thanks!

[lannie]

I believe Overpro and Bookedspace are eliminated. I copied and pasted regedit /e C:\search.txt "HKEY_LOCAL_MACHINE\microsoft\windows\currentversion" in to the run box and hit okay. Nothing happened...what am I doing wrong?!

[Excal]

ok lets try to rebuild the key.


first thing i need you to do is uninstall viewpoint manager. go to your control panel, then to add/remove programs.

after you are done that:

Launch Notepad, and copy/paste the box below into a new text file. Save it as rebuild.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at or above REGEDIT 4.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe"
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe"
"CamMonitor" = "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
"Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"StorageGuard" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r"
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE"
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup"
"PS2" = "C:\WINDOWS\system32\ps2.exe"
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE"
"tgcmd" = ""C:\Program Files\Support.com\bin\tgcmd.exe" /server"
"StatusClient" = "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto"
"TomcatStartup" = "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP"
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime"
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe"
"mmtask" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe""

Locate rebuild.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

reboot your computer and lets run spyware dr again.

Thanks,



Excal

[lannie]

Hi! Tried to remove Viewpoint Manager from add/remove programs. It is not listed. Interestingly, their is an icon in my control panel that says "viewpoint" it is blue with an eye on a little square button. I opened it and it has viewpoint media manager and viewpoint manager. The program cannot be dragged to the recycle bin. Did not follow your second set of instructions since I was unable to remove Viewpoint Manager. The computer runs well after spy programs remove junk and I use CCleaner, but after a few hours use or a reboot things starting slowing up....freezing...and the popups start. Help! Today my spyscan showed Bookedspace was back again. IBIS toolbar is showing up again. Bookedspace "can't be removed because it is an archived file...do I want to remove the whole archive." When I booted up this morning the display was all crooked and shrunk down again with a big black bar across the top of the screen! I hate all spyware!!!
Thanks for your help and for your time. What next?
Lannie

[Excal]

ack!!!!

you can delete the folder of viewpoint, should be in program files. (probally in safe mode) and when in safe mode, run ewido again.

you can go ahead with the second task after that.

Go ahead and delete that archive

Post a fresh HiJackthis log.



Excal

[lannie]

Was able to delete the Viewpoint from my program files. Have completed the second step. Will now reboot and run spyware dr. I am assuming this should be done in safe mode. Keep your fingers crossed!

[Excal]

yikes haven't heard from you!

fingers are still crosses!

[lannie]

Sorry, went out and didn't get back until late. Completed everything per your directions. Ran Spyware Dr. and Ewido. Received a new warning about Bookedspace. Removed the archive. I rebooted and just ran Ccleaner and Cleanup. Regseeker until things seemed clean. So far so good. Will run more scans and see what happens. I am trying to not get overly happy - don't want to jinx this! Maybe it is finally back to normal. Will let you know tomorrow!
Thanks a ton for all of your help.