TV Media will not fix or delete, WinNT 4.0 Wkstn sp6

Posted on 2004-09-16
Last Modified: 2013-12-04
Hi, I hope you can help.

I have an extremely sluggish computer and believe it to be caused by TV Media.  Ad-Aware and HiJackThis both appear to fix/delete the entries but an immediate re-scan shows they are still there.  I used add/remove programs to uninstall TV Media and it appears to uninstall but when i exit and relaunch add/remove progs it is back.  When I search for and delete registry entries that contain references to TVMedia they will disappear but if I exit and relaunch regedit I find the entries are still there.  I can't delete the files in c:\winnt\system32\tvmedia because i get a msg "The specified file is being used by Windows".  I tried ending task on all tasks that Windows would allow to be ended but still unable to delete the files.  I tried booting on Windows NT boot diskettes to see if it has a command line repair console like win2000, it does not.  There is no safe boot mode for WinNT.  I don't know any way to get to a dos level before the culprit files load.  Is there a way to manually create a script that will delete those files upon reboot?  Do you have other advise?


Logfile of HijackThis v1.97.7
Scan saved at 6:53:55 PM, on 9/16/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe
C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =*
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = prpsbs01:80
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
O4 - HKLM\..\Run: [MGA QuickDesk] "C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE"
O4 - HKLM\..\Run: [MGA Hook] "C:\WINNT\System32\MGAHOOK.EXE"
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: InoculateIT Realtime Monitor.LNK = C:\Inoculan\realmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Login Express.lnk = D:\CCHLOGIN\logexp.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =

Question by:DouglasBetts
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 12081202
run adware and highjack in safe mode and remove what you have been removing, then reboot back to normal and scan again, should be gone.

Expert Comment

ID: 12081206
also remove tv media(control panel) in safe mode.

Author Comment

ID: 12085207
There is no safe mode in Windows NT 4.0.
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

LVL 11

Expert Comment

ID: 12091393
Use msconfg (win98 version is supposed to work in nt 4.0,  or other similar startup control utilities to boot without any non-microsoft startup items.  Then do your removal.
LVL 12

Expert Comment

ID: 12092356

As stated above - reboot into safe mode,
make sure the option to show all files and folders, including hidden, is enabled -
run HijackThis and have it fix the following (put a check-mark in front of):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =*
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =*
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKLM\..\Run: [sysbot] c:\windows.001\system\sysbot.exe
Search your entire computer and delete all instances of the following files:
C\WINNT\System32\TV Media <- the entire TV Media folder
Clean out your temp files, including your "Temporary Internet Files"
Empty your recycle bin
Reboot your computer into "normal" mode
Post a new HijackThis log here.

Good luck!

Author Comment

ID: 12115328
I got the problem solved but the techniques you guys described did not work.  I want to let you know what I did because it may be helpful for someone else.  For those of you who advised me to use safe mode, I repeat for the 3rd time there is no safe mode in WinNT 4.0.  In regards to using MSConfig I was already aware of that technique but did not try it before my first post because I could not delete these registry entries manually, Ad-aware and HiJackThis could not delete them.  After MSConfig was suggested I tried it just to verify and as expected it also failed to disable the TVMedia items.  My solution was to connect the drive as a slave to another WinNT 4.0 drive.  I was then able to delete the TV Media folder.  That fixed the problem so the subject computer would run properly.  HiJackThis was then able to delete the culprit registry entries.  I then searched for and found files matching tvm*.*.  I found C:\winnt\system32\tvmk8.dll, C:\winnt\system32\tvm_b5b8.exe, C:\winnt\profiles\susan\applicationdata\tvmuknwrd.dll, C:\temp\tvmupdater.exe, C:\temp\tvm.log.  These files all had the same date and time as the three files that were in the TV Media folder so i deleted them.  I think TV Media uses a technology similar to Ad-Aware's AdWatch feature that has the capability of "lock startup sections in registry".  The Ad-Aware developers should be able to figure this one out if any of you have contacts with them.  We have an Internet monitoring software that showed the user visited and on 9/16/04 at 7:29:46am.  The folder for TV Media and all the culprit files were dated 9/16/04 at 7:30am.  Hope this is useful to someone.

Author Comment

ID: 13987093
I took the time to provide the solution to this problem.  I hope your not going to just throw it away.

Accepted Solution

modulo earned 0 total points
ID: 14012051
PAQed with points refunded (500)

Community Support Moderator

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question