• Status: Solved

TV Media will not fix or delete, WinNT 4.0 Wkstn sp6

Hi, I hope you can help.

I have an extremely sluggish computer and believe it to be caused by TV Media. Ad-Aware and HiJackThis both appear to fix/delete the entries but an immediate re-scan shows they are still there. I used add/remove programs to uninstall TV Media and it appears to uninstall, but when I exit and relaunch add/remove progs it is back. When I search for and delete registry entries that contain references to TVMedia they will disappear, but if I exit and relaunch regedit I find the entries are still there. I can't delete the files in c:\winnt\system32\tvmedia because I get a msg "The specified file is being used by Windows". I tried ending task on all tasks that Windows would allow to be ended but was still unable to delete the files. I tried booting on Windows NT boot diskettes to see if it has a command line repair console like Win2000; it does not. There is no safe boot mode for WinNT. I don't know any way to get to a DOS level before the culprit files load. Is there a way to manually create a script that will delete those files upon reboot? Do you have other advice?

TIA
Doug

Logfile of HijackThis v1.97.7
Scan saved at 6:53:55 PM, on 9/16/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Inoculan\INOJOBSV.EXE
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\mgasc.exe
C:\WINNT\System32\mgactrl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\RpcSs.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\DACONFIG.EXE
C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe
C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE
C:\WINNT\System32\MGAHOOK.EXE
C:\mouse\system\em_exec.exe
C:\WINNT\loadqm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Inoculan\realmon.exe
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\CCHLOGIN\logexp.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = prpsbs01:80
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
O4 - HKLM\..\Run: [MGA QuickDesk] "C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE"
O4 - HKLM\..\Run: [MGA Hook] "C:\WINNT\System32\MGAHOOK.EXE"
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: InoculateIT Realtime Monitor.LNK = C:\Inoculan\realmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Login Express.lnk = D:\CCHLOGIN\logexp.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=c94b64495398ef46c59fead604833655c91396297ecd7a0274ea1f3e572b0e2a59b03a9e4d03f4e723cf1d57f25fd6b2bed655f724f6153a34bc473c:ed2a7402b78507bee361352a2f230c93
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pricereinhardtprice.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pricereinhardtprice.com

Asked by: DouglasBetts
1 Solution
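
An added example, not part of the original post: a small Python parser that pulls the autostart and browser-hook entries (R3, O2, O3, O4) out of a HijackThis log and lists those whose target sits under a suspect folder. The sample lines are copied from the log above; the function and variable names are this example's own.

```python
import re
from ntpath import normcase, normpath  # Windows path rules on any OS

# Subset of lines copied from the HijackThis log in the question above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MGA Hook] "C:\WINNT\System32\MGAHOOK.EXE"
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def autostarts_under(log_text, suspect_dir):
    """Return (code, location, target) for entries that load from suspect_dir."""
    prefix = normcase(normpath(suspect_dir)) + "\\"
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        run = RUN.match(body) if code == "O4" else None
        if run:
            # Registry Run entry: the target is the command line.
            where, target = f'{run["hive"]}\\{run["key"]} [{run["name"]}]', run["cmd"]
        elif code in ("R3", "O2", "O3") and body.count(" - ") >= 2:
            # "name - {CLSID} - path": the target is the last field.
            where, _, target = body.rpartition(" - ")
        else:
            continue
        # Case-insensitive prefix match, ignoring quotes around the command.
        if normcase(target.strip('"')).startswith(prefix):
            hits.append((code, where, target))
    return hits

if __name__ == "__main__":
    for hit in autostarts_under(SAMPLE_LOG, r"C:\WINNT\System32\TV Media"):
        print(hit)
```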
 
woodendude commented:
Run Ad-Aware and HijackThis in safe mode and remove what you have been removing, then reboot back to normal and scan again; it should be gone.

woodendude commented:
Also remove TV Media (Control Panel) in safe mode.

DouglasBetts (Author) commented:
There is no safe mode in Windows NT 4.0.

 
Quetzal commented:
Use msconfig (the Win98 version is supposed to work in NT 4.0, http://www.perfectdrivers.com/howto/msconfig.html) or other similar startup control utilities to boot without any non-Microsoft startup items. Then do your removal.
 
rossfingal commented:
Hi!

As stated above - reboot into safe mode,
make sure the option to show all files and folders, including hidden, is enabled -
run HijackThis and have it fix the following (put a check-mark in front of):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKLM\..\Run: [sysbot] c:\windows.001\system\sysbot.exe
Search your entire computer and delete all instances of the following files:
sysbot.exe
Tvm.exe
TvmBho.dll
C:\WINNT\System32\TV Media <- the entire TV Media folder
Clean out your temp files, including your "Temporary Internet Files"
Empty your recycle bin
Reboot your computer into "normal" mode
Post a new HijackThis log here.

Good luck!
RF
 
DouglasBetts (Author) commented:
I got the problem solved but the techniques you guys described did not work. I want to let you know what I did because it may be helpful for someone else. For those of you who advised me to use safe mode, I repeat for the 3rd time there is no safe mode in WinNT 4.0. In regards to using MSConfig, I was already aware of that technique but did not try it before my first post because I could not delete these registry entries manually, and Ad-aware and HiJackThis could not delete them. After MSConfig was suggested I tried it just to verify and as expected it also failed to disable the TVMedia items.

My solution was to connect the drive as a slave to another WinNT 4.0 drive. I was then able to delete the TV Media folder. That fixed the problem so the subject computer would run properly. HiJackThis was then able to delete the culprit registry entries. I then searched for and found files matching tvm*.*. I found C:\winnt\system32\tvmk8.dll, C:\winnt\system32\tvm_b5b8.exe, C:\winnt\profiles\susan\applicationdata\tvmuknwrd.dll, C:\temp\tvmupdater.exe, C:\temp\tvm.log. These files all had the same date and time as the three files that were in the TV Media folder so I deleted them.

I think TV Media uses a technology similar to Ad-Aware's AdWatch feature that has the capability of "lock startup sections in registry". The Ad-Aware developers should be able to figure this one out if any of you have contacts with them. We have an Internet monitoring software that showed the user visited http://my.cheaptickets.com and http://cheaptickets.ed4.net on 9/16/04 at 7:29:46am. The folder for TV Media and all the culprit files were dated 9/16/04 at 7:30am. Hope this is useful to someone.
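
The timestamp correlation described in the post above, as an added example that is not part of the original thread: with the drive mounted on a clean system, list every file whose modification time falls within a short window of the files in the known-bad folder. The function names, the 60-second window and the demo tree's timestamps are assumptions; only the file names come from the post.

```python
import os
import tempfile

def files_near_reference_time(root, reference_dir, window_seconds=60):
    """List files under root, outside reference_dir, whose mtime is within
    window_seconds of any file inside reference_dir."""
    ref_dir = os.path.abspath(reference_dir)
    ref_times = [os.path.getmtime(os.path.join(d, f))
                 for d, _, files in os.walk(ref_dir) for f in files]
    hits = []
    for d, _, files in os.walk(root):
        here = os.path.abspath(d)
        if os.path.commonpath([ref_dir, here]) == ref_dir:
            continue  # skip the known-bad folder itself
        for name in files:
            path = os.path.join(d, name)
            try:
                mtime = os.path.getmtime(path)
            except OSError:  # unreadable or vanished file
                continue
            if any(abs(mtime - t) <= window_seconds for t in ref_times):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_demo_tree(base):
    """Constructed sample tree: file names follow the post, timestamps are made up."""
    install, older = 1_095_000_000, 1_000_000_000  # constructed epoch seconds
    layout = {
        "system32/TV Media/Tvm.exe": install,
        "system32/TV Media/TvmBho.dll": install + 5,
        "system32/tvmk8.dll": install + 10,
        "system32/tvm_b5b8.exe": install + 20,
        "temp/tvmupdater.exe": install + 30,
        "system32/services.exe": older,  # unrelated file, should not be listed
    }
    for rel, mtime in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return os.path.join(base, "system32", "TV Media")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for hit in files_near_reference_time(base, build_demo_tree(base)):
            print(hit)
```

Modification times can be changed after the fact, so the output is a list of files to inspect, not a delete list.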
 
DouglasBetts (Author) commented:
I took the time to provide the solution to this problem. I hope you're not going to just throw it away.
 
modulo commented:
PAQed with points refunded (500)

modulo
Community Support Moderator