TV Media will not fix or delete, WinNT 4.0 Wkstn sp6

Hi, I hope you can help.

I have an extremely sluggish computer and believe it to be caused by TV Media.  Ad-Aware and HiJackThis both appear to fix/delete the entries but an immediate re-scan shows they are still there.  I used add/remove programs to uninstall TV Media and it appears to uninstall but when i exit and relaunch add/remove progs it is back.  When I search for and delete registry entries that contain references to TVMedia they will disappear but if I exit and relaunch regedit I find the entries are still there.  I can't delete the files in c:\winnt\system32\tvmedia because i get a msg "The specified file is being used by Windows".  I tried ending task on all tasks that Windows would allow to be ended but still unable to delete the files.  I tried booting on Windows NT boot diskettes to see if it has a command line repair console like win2000, it does not.  There is no safe boot mode for WinNT.  I don't know any way to get to a dos level before the culprit files load.  Is there a way to manually create a script that will delete those files upon reboot?  Do you have other advise?


Logfile of HijackThis v1.97.7
Scan saved at 6:53:55 PM, on 9/16/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe
C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =*
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = prpsbs01:80
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
O4 - HKLM\..\Run: [MGA QuickDesk] "C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE"
O4 - HKLM\..\Run: [MGA Hook] "C:\WINNT\System32\MGAHOOK.EXE"
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: InoculateIT Realtime Monitor.LNK = C:\Inoculan\realmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Login Express.lnk = D:\CCHLOGIN\logexp.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

run adware and highjack in safe mode and remove what you have been removing, then reboot back to normal and scan again, should be gone.
also remove tv media(control panel) in safe mode.
DouglasBettsAuthor Commented:
There is no safe mode in Windows NT 4.0.
Redefine Your Security with AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!

Use msconfg (win98 version is supposed to work in nt 4.0,  or other similar startup control utilities to boot without any non-microsoft startup items.  Then do your removal.

As stated above - reboot into safe mode,
make sure the option to show all files and folders, including hidden, is enabled -
run HijackThis and have it fix the following (put a check-mark in front of):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =*
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKLM\..\Run: [sysbot] c:\windows.001\system\sysbot.exe
Search your entire computer and delete all instances of the following files:
C\WINNT\System32\TV Media <- the entire TV Media folder
Clean out your temp files, including your "Temporary Internet Files"
Empty your recycle bin
Reboot your computer into "normal" mode
Post a new HijackThis log here.

Good luck!
DouglasBettsAuthor Commented:
I got the problem solved but the techniques you guys described did not work.  I want to let you know what I did because it may be helpful for someone else.  For those of you who advised me to use safe mode, I repeat for the 3rd time there is no safe mode in WinNT 4.0.  In regards to using MSConfig I was already aware of that technique but did not try it before my first post because I could not delete these registry entries manually, Ad-aware and HiJackThis could not delete them.  After MSConfig was suggested I tried it just to verify and as expected it also failed to disable the TVMedia items.  My solution was to connect the drive as a slave to another WinNT 4.0 drive.  I was then able to delete the TV Media folder.  That fixed the problem so the subject computer would run properly.  HiJackThis was then able to delete the culprit registry entries.  I then searched for and found files matching tvm*.*.  I found C:\winnt\system32\tvmk8.dll, C:\winnt\system32\tvm_b5b8.exe, C:\winnt\profiles\susan\applicationdata\tvmuknwrd.dll, C:\temp\tvmupdater.exe, C:\temp\tvm.log.  These files all had the same date and time as the three files that were in the TV Media folder so i deleted them.  I think TV Media uses a technology similar to Ad-Aware's AdWatch feature that has the capability of "lock startup sections in registry".  The Ad-Aware developers should be able to figure this one out if any of you have contacts with them.  We have an Internet monitoring software that showed the user visited and on 9/16/04 at 7:29:46am.  The folder for TV Media and all the culprit files were dated 9/16/04 at 7:30am.  Hope this is useful to someone.
DouglasBettsAuthor Commented:
I took the time to provide the solution to this problem.  I hope your not going to just throw it away.
PAQed with points refunded (500)

Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.