DouglasBetts

TV Media will not fix or delete, WinNT 4.0 Wkstn sp6

Hi, I hope you can help.

I have an extremely sluggish computer and believe it to be caused by TV Media. Ad-Aware and HiJackThis both appear to fix/delete the entries but an immediate re-scan shows they are still there. I used add/remove programs to uninstall TV Media and it appears to uninstall but when I exit and relaunch add/remove progs it is back. When I search for and delete registry entries that contain references to TVMedia they will disappear but if I exit and relaunch regedit I find the entries are still there. I can't delete the files in c:\winnt\system32\tvmedia because I get a msg "The specified file is being used by Windows". I tried ending task on all tasks that Windows would allow to be ended but still unable to delete the files. I tried booting on Windows NT boot diskettes to see if it has a command line repair console like win2000, it does not. There is no safe boot mode for WinNT. I don't know any way to get to a DOS level before the culprit files load. Is there a way to manually create a script that will delete those files upon reboot? Do you have other advice?

TIA
Doug

Logfile of HijackThis v1.97.7
Scan saved at 6:53:55 PM, on 9/16/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Inoculan\INOJOBSV.EXE
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\mgasc.exe
C:\WINNT\System32\mgactrl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\RpcSs.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\DACONFIG.EXE
C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe
C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE
C:\WINNT\System32\MGAHOOK.EXE
C:\mouse\system\em_exec.exe
C:\WINNT\loadqm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Inoculan\realmon.exe
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\CCHLOGIN\logexp.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = prpsbs01:80
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
O4 - HKLM\..\Run: [MGA QuickDesk] "C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE"
O4 - HKLM\..\Run: [MGA Hook] "C:\WINNT\System32\MGAHOOK.EXE"
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: InoculateIT Realtime Monitor.LNK = C:\Inoculan\realmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Login Express.lnk = D:\CCHLOGIN\logexp.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=c94b64495398ef46c59fead604833655c91396297ecd7a0274ea1f3e572b0e2a59b03a9e4d03f4e723cf1d57f25fd6b2bed655f724f6153a34bc473c:ed2a7402b78507bee361352a2f230c93
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pricereinhardtprice.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pricereinhardtprice.com

woodendude

Run Ad-Aware and HijackThis in safe mode and remove what you have been removing, then reboot back to normal and scan again; it should be gone.
Also remove TV Media (Control Panel) in safe mode.
DouglasBetts

ASKER

There is no safe mode in Windows NT 4.0.

Use msconfig (the Win98 version is supposed to work in NT 4.0, http://www.perfectdrivers.com/howto/msconfig.html) or other similar startup control utilities to boot without any non-Microsoft startup items. Then do your removal.

Hi!

As stated above - reboot into safe mode,
make sure the option to show all files and folders, including hidden, is enabled -
run HijackThis and have it fix the following (put a check-mark in front of):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKLM\..\Run: [sysbot] c:\windows.001\system\sysbot.exe
Search your entire computer and delete all instances of the following files:
sysbot.exe
Tvm.exe
TvmBho.dll
C:\WINNT\System32\TV Media <- the entire TV Media folder
Clean out your temp files, including your "Temporary Internet Files"
Empty your recycle bin
Reboot your computer into "normal" mode
Post a new HijackThis log here.

Good luck!
RF

I got the problem solved but the techniques you guys described did not work. I want to let you know what I did because it may be helpful for someone else. For those of you who advised me to use safe mode, I repeat for the 3rd time there is no safe mode in WinNT 4.0. In regards to using MSConfig I was already aware of that technique but did not try it before my first post because I could not delete these registry entries manually, Ad-aware and HiJackThis could not delete them. After MSConfig was suggested I tried it just to verify and as expected it also failed to disable the TVMedia items.

My solution was to connect the drive as a slave to another WinNT 4.0 drive. I was then able to delete the TV Media folder. That fixed the problem so the subject computer would run properly. HiJackThis was then able to delete the culprit registry entries. I then searched for and found files matching tvm*.*. I found C:\winnt\system32\tvmk8.dll, C:\winnt\system32\tvm_b5b8.exe, C:\winnt\profiles\susan\applicationdata\tvmuknwrd.dll, C:\temp\tvmupdater.exe, C:\temp\tvm.log. These files all had the same date and time as the three files that were in the TV Media folder so I deleted them.

I think TV Media uses a technology similar to Ad-Aware's AdWatch feature that has the capability of "lock startup sections in registry". The Ad-Aware developers should be able to figure this one out if any of you have contacts with them. We have an Internet monitoring software that showed the user visited http://my.cheaptickets.com and http://cheaptickets.ed4.net on 9/16/04 at 7:29:46am. The folder for TV Media and all the culprit files were dated 9/16/04 at 7:30am. Hope this is useful to someone.

I took the time to provide the solution to this problem. I hope you're not going to just throw it away.
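
The timestamp pivot described in the solution above (sweeping the offline-mounted drive for files dated the same as the TV Media folder), as an added example that is not part of the original thread. The function names, the two-minute window and the sample tree are assumptions constructed for illustration; it matches on modification time only and reports files regardless of name.

```python
import os
import tempfile
from datetime import datetime

def seed_times(bad_dir):
    """Modification times of every file under the known-bad folder."""
    return [os.path.getmtime(os.path.join(r, f))
            for r, _d, fs in os.walk(bad_dir) for f in fs]

def files_near(mount_root, bad_dir, window_s=120):
    """Files outside bad_dir modified within window_s of the seed files."""
    seeds = seed_times(bad_dir)
    if not seeds:
        return []
    lo, hi = min(seeds) - window_s, max(seeds) + window_s
    bad_abs = os.path.abspath(bad_dir)
    hits = []
    for root, dirs, files in os.walk(mount_root):
        if os.path.abspath(root) == bad_abs:
            dirs[:] = []          # the seed folder itself is already known
            continue
        for name in files:
            path = os.path.join(root, name)
            try:
                mtime = os.path.getmtime(path)
            except OSError:       # unreadable entry on a damaged volume
                continue
            if lo <= mtime <= hi:
                hits.append((os.path.relpath(path, mount_root), mtime))
    return sorted(hits)

def build_sample(root):
    """Constructed tree standing in for the drive mounted on a clean host."""
    t_bad = datetime(2004, 9, 16, 7, 30).timestamp()
    t_old = datetime(2003, 1, 5, 12, 0).timestamp()
    layout = {"winnt/system32/TV Media/Tvm.exe": t_bad,
              "winnt/system32/TV Media/TvmBho.dll": t_bad,
              "winnt/system32/tvmk8.dll": t_bad,
              "temp/tvmupdater.exe": t_bad + 20,
              "winnt/system32/notepad.exe": t_old}
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (mtime, mtime))
    return os.path.join(root, "winnt", "system32", "TV Media")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        for rel, mtime in files_near(drive, build_sample(drive)):
            print(datetime.fromtimestamp(mtime), rel)
```

Review each hit before deleting it: legitimate files written in the same minute will also be listed.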