Solved

TV Media will not fix or delete, WinNT 4.0 Wkstn sp6

Posted on 2004-09-16
Last Modified: 2013-12-04
Hi, I hope you can help.

I have an extremely sluggish computer and believe it to be caused by TV Media.  Ad-Aware and HiJackThis both appear to fix/delete the entries but an immediate re-scan shows they are still there.  I used add/remove programs to uninstall TV Media and it appears to uninstall but when I exit and relaunch add/remove progs it is back.  When I search for and delete registry entries that contain references to TVMedia they will disappear but if I exit and relaunch regedit I find the entries are still there.  I can't delete the files in c:\winnt\system32\tvmedia because I get a msg "The specified file is being used by Windows".  I tried ending task on all tasks that Windows would allow to be ended but still unable to delete the files.  I tried booting on Windows NT boot diskettes to see if it has a command line repair console like win2000, it does not.  There is no safe boot mode for WinNT.  I don't know any way to get to a DOS level before the culprit files load.  Is there a way to manually create a script that will delete those files upon reboot?  Do you have other advice?

TIA
Doug

Logfile of HijackThis v1.97.7
Scan saved at 6:53:55 PM, on 9/16/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Inoculan\INOJOBSV.EXE
C:\WINNT\LogWatNT.exe
C:\WINNT\System32\mgasc.exe
C:\WINNT\System32\mgactrl.exe
C:\WINNT\System32\mnmsrvc.exe
C:\WINNT\system32\RpcSs.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\SysTray.Exe
C:\WINNT\System32\DACONFIG.EXE
C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe
C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE
C:\WINNT\System32\MGAHOOK.EXE
C:\mouse\system\em_exec.exe
C:\WINNT\loadqm.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Inoculan\realmon.exe
D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
D:\CCHLOGIN\logexp.exe
D:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = prpsbs01:80
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DACONFIGEXE] DACONFIG.EXE R
O4 - HKLM\..\Run: [HpMmKbd] "C:\Program Files\Hewlett-Packard\Extended Keyboard\HpMmKbd.exe"
O4 - HKLM\..\Run: [MGA QuickDesk] "C:\Program Files\MGA NT PowerDesk\QDesk\MGAQDESK.EXE"
O4 - HKLM\..\Run: [MGA Hook] "C:\WINNT\System32\MGAHOOK.EXE"
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINNT\System32\runonce.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: InoculateIT Realtime Monitor.LNK = C:\Inoculan\realmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Login Express.lnk = D:\CCHLOGIN\logexp.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=c94b64495398ef46c59fead604833655c91396297ecd7a0274ea1f3e572b0e2a59b03a9e4d03f4e723cf1d57f25fd6b2bed655f724f6153a34bc473c:ed2a7402b78507bee361352a2f230c93
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pricereinhardtprice.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pricereinhardtprice.com

Question by:DouglasBetts
9 Comments
 
LVL 9

Expert Comment

by:woodendude
ID: 12081202
Run Ad-Aware and HijackThis in safe mode and remove what you have been removing, then reboot back to normal and scan again; it should be gone.
0
 
LVL 9

Expert Comment

by:woodendude
ID: 12081206
Also remove TV Media (Control Panel) in safe mode.
0
 

Author Comment

by:DouglasBetts
ID: 12085207
There is no safe mode in Windows NT 4.0.
0
 
LVL 11

Expert Comment

by:Quetzal
ID: 12091393
Use msconfig (the Win98 version is supposed to work in NT 4.0, http://www.perfectdrivers.com/howto/msconfig.html) or other similar startup control utilities to boot without any non-Microsoft startup items.  Then do your removal.
0

 
LVL 12

Expert Comment

by:rossfingal
ID: 12092356
Hi!

As stated above - reboot into safe mode,
make sure the option to show all files and folders, including hidden, is enabled -
run HijackThis and have it fix the following (put a check-mark in front of):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\WINNT\System32\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\WINNT\System32\TV Media\Tvm.exe
O4 - HKLM\..\Run: [sysbot] c:\windows.001\system\sysbot.exe
Search your entire computer and delete all instances of the following files:
sysbot.exe
Tvm.exe
TvmBho.dll
C:\WINNT\System32\TV Media <- the entire TV Media folder
Clean out your temp files, including your "Temporary Internet Files"
Empty your recycle bin
Reboot your computer into "normal" mode
Post a new HijackThis log here.

Good luck!
RF
0
 

Author Comment

by:DouglasBetts
ID: 12115328
I got the problem solved but the techniques you guys described did not work.  I want to let you know what I did because it may be helpful for someone else.  For those of you who advised me to use safe mode, I repeat for the 3rd time there is no safe mode in WinNT 4.0.  In regards to using MSConfig I was already aware of that technique but did not try it before my first post because I could not delete these registry entries manually, Ad-aware and HiJackThis could not delete them.  After MSConfig was suggested I tried it just to verify and as expected it also failed to disable the TVMedia items.

My solution was to connect the drive as a slave to another WinNT 4.0 drive.  I was then able to delete the TV Media folder.  That fixed the problem so the subject computer would run properly.  HiJackThis was then able to delete the culprit registry entries.  I then searched for and found files matching tvm*.*.  I found C:\winnt\system32\tvmk8.dll, C:\winnt\system32\tvm_b5b8.exe, C:\winnt\profiles\susan\applicationdata\tvmuknwrd.dll, C:\temp\tvmupdater.exe, C:\temp\tvm.log.  These files all had the same date and time as the three files that were in the TV Media folder so I deleted them.

I think TV Media uses a technology similar to Ad-Aware's AdWatch feature that has the capability of "lock startup sections in registry".  The Ad-Aware developers should be able to figure this one out if any of you have contacts with them.  We have an Internet monitoring software that showed the user visited http://my.cheaptickets.com and http://cheaptickets.ed4.net on 9/16/04 at 7:29:46am.  The folder for TV Media and all the culprit files were dated 9/16/04 at 7:30am.  Hope this is useful to someone.
0
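The timestamp pivot described in the comment above (on a drive mounted from another system, look for files written at the same moment as the known TV Media files, whatever they are named), as an added example that is not part of the original thread. The function names, the two-minute window and the demo tree are assumptions, and the sample timestamps are constructed.

```python
import os
import tempfile
from pathlib import Path

def files_near_install_time(root, known_bad_dir, window_seconds=120):
    """List files under root (outside known_bad_dir) whose mtime is within
    window_seconds of any file inside known_bad_dir."""
    root, bad = Path(root).resolve(), Path(known_bad_dir).resolve()
    anchors = [p.stat().st_mtime for p in bad.rglob("*") if p.is_file()]
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == bad:
            dirnames[:] = []          # do not descend into the known-bad folder
            continue
        for name in filenames:
            path = Path(dirpath) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue              # unreadable entry on the mounted volume
            if any(abs(mtime - a) <= window_seconds for a in anchors):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def build_demo_tree(base):
    """Constructed sample layout; every timestamp here is made up."""
    t0 = 1_095_334_200                # constructed install time (epoch seconds)
    layout = {
        "winnt/system32/TV Media/Tvm.exe": t0,
        "winnt/system32/TV Media/TvmBho.dll": t0 + 5,
        "winnt/system32/tvmk8.dll": t0 + 10,
        "temp/updater.tmp": t0 + 40,  # hypothetical file with no tvm prefix
        "winnt/system32/services.exe": t0 - 86_400 * 900,  # old OS file
    }
    for rel, mtime in layout.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
        os.utime(path, (mtime, mtime))
    return Path(base) / "winnt/system32/TV Media"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as mounted:
        bad_dir = build_demo_tree(mounted)
        for hit in files_near_install_time(mounted, bad_dir):
            print("written with the known-bad files:", hit)
```

Run it against the offline mount, not the live system, so the files are not locked and the scan itself does not disturb timestamps.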
 

Author Comment

by:DouglasBetts
ID: 13987093
I took the time to provide the solution to this problem.  I hope you're not going to just throw it away.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14012051
PAQed with points refunded (500)

modulo
Community Support Moderator
0
