Spyware- TVM.exe TV Media

Craif Cleveland, Ohio ("round on the ends, high in the middle")
edited August 2004 in Spyware & Virus Removal
I can see this browser help object in my registry and it won't stay deleted for 3 seconds after it is deleted. Hijack is not getting it out! Any cures on this thing? I can't delete the subdirectory it created because the files are registered and I can unregister them for some unknown reason. Eeegads! Who are these people???!!!!

Comments

  • shwaip bluffin' with my muffin Icrontian
    edited June 2004
    Have you run Ad-Aware and Spybot S&D lately? Make sure you have the most recent versions and definitions.
  • Dexter Vancouver, BC Canada
    edited June 2004
    Can you post a HijackThis log please?

    Also, best to work in SAFE MODE when deleting any of these things, as when you are in normal mode, if the processes are active they can easily reinstall and re-register themselves.

    Dexter...
  • TheBaron Austin, TX
    edited June 2004
    You need to use HijackThis as well as delete the directory. That's one of several that my sister managed to install, and was in fact the most persistent of the bunch.
  • Craif Cleveland, Ohio ("round on the ends, high in the middle")
    edited July 2004
    Dexter wrote:
    Can you post a HijackThis log please?

    Also, best to work in SAFE MODE when deleting any of these things, as when you are in normal mode, if the processes are active they can easily reinstall and re-register themselves.

    Dexter...

    Here's the log...

    Logfile of HijackThis v1.97.7
    Scan saved at 8:32:58 AM, on 7/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Downloads\Spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.att.net/
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: SpywareGuard.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D957860-F106-49A1-8CC9-5E476C118491}: NameServer = 66.73.20.40 206.141.193.55
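    A defender-side triage script, added here and not taken from the thread or from HijackThis itself, that parses log lines in the format above and flags any folder that both loads a DLL into Internet Explorer (R3 URLSearchHook / O2 BHO) and has a Run/RunOnce launcher (O4). That pairing is what makes an entry reappear seconds after it is deleted: the in-process DLL and the autostart re-register each other. The sample lines are copied from the log posted above; the rest of that log is omitted.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines in HijackThis v1.97 format, copied
# from the log posted in this thread (other entries omitted for brevity).
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\\Program Files\\TV Media\\TvmBho.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\RunOnce: [TV Media] C:\\Program Files\\TV Media\\Tvm.exe
O4 - HKCU\\..\\RunOnce: [TV Media] C:\\Program Files\\TV Media\\Tvm.exe
"""

# R3/O2 lines: "<kind>: <name> - {CLSID} - <dll path>"
HOOK_RE = re.compile(r"^(R3|O2) - (?:URLSearchHook|BHO): (.*?) - (\{[0-9A-F-]+\}) - (.+)$")
# O4 lines: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")

def parse_hjt(text):
    """Return (hooks, runs): IE in-process hooks and autostart entries."""
    hooks, runs = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"type": m.group(1), "name": m.group(2),
                          "clsid": m.group(3), "path": m.group(4)})
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group(4).strip().strip('"')  # drop quoting around the command
            runs.append({"hive": m.group(1), "key": m.group(2),
                         "name": m.group(3), "path": cmd})
    return hooks, runs

def folder(path):
    """Case-folded parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()

def find_reloader_pairs(text):
    """Folders hosting both an IE hook DLL and a Run/RunOnce launcher, i.e.
    the load-into-browser + re-register pattern. Returns {folder: {...}}."""
    hooks, runs = parse_hjt(text)
    by_folder = defaultdict(lambda: {"hooks": [], "runs": []})
    for h in hooks:
        by_folder[folder(h["path"])]["hooks"].append(h["path"])
    for r in runs:
        by_folder[folder(r["path"])]["runs"].append(f'{r["hive"]}\\{r["key"]}')
    return {f: v for f, v in by_folder.items() if v["hooks"] and v["runs"]}

if __name__ == "__main__":
    for f, v in find_reloader_pairs(SAMPLE_LOG).items():
        print(f"{f}: hooks={v['hooks']} autostart={v['runs']}")
```

Legitimate software (Norton here) usually shows either a BHO or an autostart entry, not both from one folder, so the pairing is a useful first filter before reading the rest of the log by hand.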
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    Here's a cool trick:

    Rename the TV Media folder. Call it "DELETE THIS CRAP" and then reboot.

    Next reboot, it will be "broken" -- delete it.

    Because the folder itself is not in use, you can rename it. You can't delete it, but you can rename it. Then, when the reloader goes looking for the TV Media folder, it can't find it. Problem solved. I've been using this bit a lot lately for this latest crop of scumware.
  • LanLord edited July 2004
    If you rename and delete the folder, you will still have the registry entries. You can delete these at any time. When you rename the folder, indeed you have "broken" the program, but there are commands sitting in the registry that should be cleaned up as well:

    [HKEY_CLASSES_ROOT\CLSID\{707E6F76-9FFB-4920-A976-EA101271BC25}\InprocServer32]
    @="C:\\Program Files\\TV Media\\TvmBho.dll"
    "ThreadingModel"="Both"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"

    [HKEY_USERS\S-1-5-21-1715567821-1770027372-682003330-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"

    Set default (@) value to 0 and delete the other 3 entries. This is a winxp regedit I found, the win2k edit is not dissimilar. The only difference in the win2k is the last entry:

    [HKEY_USERS\S-1-5-21-1675692939-1525298235-314601362-1373\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"
  • Shorty Manchester, UK Icrontian
    edited July 2004
    LanLord wrote:
    If you rename and delete the folder, you will still have the registry entries. You can delete these at any time. When you rename the folder, indeed you have "broken" the program, but there are commands sitting in the registry that should be cleaned up as well:

    [HKEY_CLASSES_ROOT\CLSID\{707E6F76-9FFB-4920-A976-EA101271BC25}\InprocServer32]
    @="C:\\Program Files\\TV Media\\TvmBho.dll"
    "ThreadingModel"="Both"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"

    [HKEY_USERS\S-1-5-21-1715567821-1770027372-682003330-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"

    Set default (@) value to 0 and delete the other 3 entries. This is a winxp regedit I found, the win2k edit is not dissimilar. The only difference in the win2k is the last entry:

    [HKEY_USERS\S-1-5-21-1675692939-1525298235-314601362-1373\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"
    Nice extra little bit of information there LanLord :thumbsup: cheers!
  • z0iid edited July 2004
    (in regards to the "rename the folder" advice)

    I am not sure what system you were running or if you aren't using NTFS as the file system - but on systems running Windows XP (home or pro), you cannot rename a folder that contains running files. At least on the systems I have tested it on.

    I have found a way to remove Tv Media and any other sort of future spyware that won't allow you to delete from registry.

    When the computer is booted up normally, run regedit. (You will need to already know which registry keys are infected.) Find the FOLDER that contains the infected keys. Right-click on the FOLDER - usually the RunOnce folder(s), not the key - and choose Permissions. Change permissions for ALL users (including Administrator and SYSTEM) to DENY ACCESS. When you complete that, you will no longer see the key within the folder. YOU ARE NOT FINISHED YET!

    Reboot the computer (normal mode is OK!). Now you can navigate to the folder that was previously undeletable. You will now be able to delete it. Then go back into the registry and change the permissions back to what they were before (if you wish). When you do, the registry key will be visible again, but you will now be able to delete it. After deleting it, hit F5 to ensure that it has not respawned.

    It is highly unlikely that anti-spyware software will be able to combat this automatically in the future since, as far as I know, programs cannot change permissions - which is a good thing, or else the new batch of viruses and spyware could deny your user access to certain registry keys, not to mention many other horrible things that would force a reinstall to completely remove. (Worst-case scenario: deleting or changing the password to the administrator accounts and downgrading your user account to limited access user level.)

    Please let me know if this helped anyone.
  • bake d edited August 2004
    :bawling: I am having a problem with this too. I have no idea how it got installed. I tried renaming the folder but it won't let me. I have Windows 2000 Professional. I think z0iid's way might work for me, but I don't "already know which registry keys are infected" and am unsure how to find out. I am a computer novice but would really appreciate some help with this. Thanks

    PS I have no idea what safe mode is or how to run in it or anything about hijack.

    Thanks for helping!
  • z0iid edited August 2004
    bake d - personally, if you are not comfortable with playing around with the registry and such, I would suggest finding someone who is. I can give you as detailed instructions as possible, and you could still mess it up. Like for instance, if your expertise is auto mechanics (or whatever), you could give me detailed instructions, yet I could still do something wrong, because it isn't where my skills are. (Let the mechanics work on cars and the IT Pros work on computers.)

    That said, if you don't know anyone that could do this for you, I can show you how to let me in remotely to fix it - just once though, normally I am supposed to charge $110/hr for this sort of work.

    yahoo s/n - z0iid
  • bake d edited August 2004
    THANK YOU SO MUCH z0iid

    I was able to delete it and everything works fine now.