TV Media

primesuspect Beepin n' Boopin Detroit, MI Icrontian
edited June 2004 in Spyware & Virus Removal
I'm stumped. TV Media keeps showing up in the registry, and keeps trying to load after reboot. I've tried everything that I can think of (and you know I'm no slouch at this)....

I can't find anything relating to the about:_blank trojan, there aren't any appInit problems in the registry, but one thing I've noticed is that CWS crashes on the CWS.Smartsearch variants.. I have the latest versions of everything (CWS, defs for spybot and adaware), I've tried all the current methods (safe mode, PV, killbox, etc.) and I cannot kill this thing.

Any suggestions?

Comments

  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited June 2004
    Log?
  • MediaMan Powered by loose parts.
    edited June 2004
    I found this.

    1) Restart in Safe Mode
    2) Enable Hidden Files

    Locate and delete the following:

    C:\Program Files\TV Media <--this folder
    C:\WINDOWS\twaintec.dll <--this file
    C:\WINDOWS\twaintec.ini <--this file
    C:\WINDOWS\bxxs5.dll <--this file
    C:\WINDOWS\xqfkbqd.exe <--this file
    C:\WINDOWS\System32\sxcggasj.exe <--this file
    C:\Program Files\whInstall <--this folder

    While still in Safe Mode:
    Close all open windows, rescan with HijackThis and "Fix checked" the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
    O4 - HKLM\..\Run: [xqfkbqd] C:\WINDOWS\xqfkbqd.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\whInstall\WhSurvey.exe
    O4 - HKLM\..\Run: [ofkqefx] C:\WINDOWS\System32\sxcggasj.exe
    O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\sxcggasj.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    Restart normally, update and rescan with SpyBot, reboot and post a fresh log ...
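As an added example (not part of the thread or any tool it names), a small Python triage script that parses HijackThis-style O4/O2/R3 lines like those MediaMan listed and flags entries carrying the CLSIDs or paths quoted above, plus any whose target file no longer exists on disk, which is the orphaned-hook symptom primesuspect describes. The sample log lines are constructed from the entries above with one benign control line (ctfmon.exe); the `exists` parameter is an assumption that lets it run offline.

```python
"""Triage HijackThis-style log lines (O4 Run keys, O2 BHOs, R3 URLSearchHooks):
flag entries whose target file is missing, an orphaned autostart like the
one in this thread, or whose CLSID/path matches the known-bad list."""
import os
import re

# Indicators taken from the removal steps quoted in this thread.
BAD_CLSIDS = {"707E6F76-9FFB-4920-A976-EA101271BC25",
              "000020DD-C72E-4113-AF77-DD56626C6C42",
              "0019C3E2-DD48-4A6D-ABCD-8D32436323D9"}
BAD_PREFIXES = (r"c:\program files\tv media", r"c:\program files\whinstall")

LINE_RE = re.compile(r"^(O4|O2|R3) - (.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
# First Windows path in the entry, e.g. the DLL that follows RunDLL32.EXE.
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\"]+?\.(?:exe|dll)", re.IGNORECASE)

# Constructed sample: three lines from the thread plus one benign control.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

def triage(log, exists=os.path.exists):
    """Return (kind, target, reasons) for each suspicious entry."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # not an autostart or hook entry
        kind, rest = m.groups()
        pm = PATH_RE.search(rest)
        target = pm.group(0) if pm else ""
        reasons = []
        cm = CLSID_RE.search(rest)
        if cm and cm.group(1).upper() in BAD_CLSIDS:
            reasons.append("known-bad CLSID")
        if target.lower().startswith(BAD_PREFIXES):
            reasons.append("known-bad path")
        if target and not exists(target):
            reasons.append("target missing (orphaned entry)")
        if reasons:
            findings.append((kind, target, reasons))
    return findings
```

Run on a real HJT log with the default `exists`, an entry flagged only as "target missing" is the reloader-without-payload situation from this thread: the registry still points at a file that has already been deleted.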
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited June 2004
    But none of those things show up. The about:_blank thing makes no appearance. It's driving me nuts... Perhaps this is a new variant or something...
  • Dexter Vancouver, BC Canada
    edited June 2004
    I'll echo what Mr. K said: Log? But in your case, let's see both a regular HJT log and full startup log.

    MediaMan, since when did you start making appearances here in the SVT forum??

    Dexter...
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited June 2004
    The problem is that none of them show up in the HJT log......

    The log looks clean, and that scares me.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited June 2004
    I've attached a zip file containing the most suspicious things I could find. A folder in C:\WINDOWS\ and some registry entries.

    DON'T install the registry entries! These are for viewing purposes!
  • MediaMan Powered by loose parts.
    edited June 2004
    Dexter wrote:
    MediaMan, since when did you start making appearances here in the SVT forum??

    Dexter...

    When I have 2c...I give it. Of course my 2c is Canadian so it's not worth that much.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited June 2004
    Check out the removal instructions for Delfin Media Viewer. See if that will help.

    You might also want to add www.delfinproject.com to your hosts file.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited June 2004
    Nope, it's not Delfin anymore. The directory was there from a previous infestation. The only thing I get is an unnamed R3 URL Search hook {C1300860-xxxxxxx-xxxx-xxx-xxxxx}. If I kill it, it comes back. I reboot, and the hook that TRIES to launch C:\Program Files\TV Media\tvmwhatever shows up in the HJT log again, but that folder doesn't exist. I feel safe in saying that the active parts of the infection are gone, but the hook and reloader are still trying to launch the app, and I cannot for the life of me find them....
  • Dexter Vancouver, BC Canada
    edited June 2004
    Prime,

    can you please post a STARTUP log. Not a regular HJT log, but a STARTUP log.

    Dexter...

    ///EDIT: Did you find this: http://vil.nai.com/vil/content/v_100534.htm
    To remove this application one must uninstall both the TV Media and MemoryMeter applications via the ADD/REMOVE Programs Control Panel.
  • kanezfan sunny south florida Icrontian
    edited June 2004
    try memtest86 ;D
  • Dexter Vancouver, BC Canada
    edited June 2004
    kanezfan wrote:
    try memtest86 ;D

    ;D;D;D;D;D