TVMedia and others? Help is appreciated...
R3-Xinoen
San Antonio, TX, USA
First off, thank you to anybody who can lend me some help with this; it's been driving me mad for a couple days now. I know it's your free time you're using, and I appreciate your dedication.
I've been having a bit of trouble lately with the ever persisting TV Media folder and its contents. I've run Adaware 6, with the latest defs and sigs, but it hasn't rid me of the folder and its re-installing ability. Spybot 1.3 has been MIA regarding this problem, and seems unable to update its detections. Trend Micro's PC-Cillin and Housecall seems to have gotten rid of a couple trojans, but TV Media has remained, as well as explorer.exe crashing every now and then. How would you guys advise me on getting rid of this stuff?
Here is my HJT log:
Logfile of HijackThis v1.98.0
Scan saved at 2:37:55 AM, on 7/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\program files\HP OfficeJet 570\bin\ktchnsnk.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\America Online 7.0\waol.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mecha.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "c:\program files\HP OfficeJet 570\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AIMCrap\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABCE534-5013-40B7-891E-A895134B1FC5}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABCE534-5013-40B7-891E-A895134B1FC5}: NameServer = 205.188.146.146
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
Thank you all for your time, and whatever help you can offer.
I've been having a bit of trouble lately with the ever persisting TV Media folder and its contents. I've run Adaware 6, with the latest defs and sigs, but it hasn't rid me of the folder and its re-installing ability. Spybot 1.3 has been MIA regarding this problem, and seems unable to update its detections. Trend Micro's PC-Cillin and Housecall seems to have gotten rid of a couple trojans, but TV Media has remained, as well as explorer.exe crashing every now and then. How would you guys advise me on getting rid of this stuff?
Here is my HJT log:
Logfile of HijackThis v1.98.0
Scan saved at 2:37:55 AM, on 7/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\program files\HP OfficeJet 570\bin\ktchnsnk.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\America Online 7.0\waol.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mecha.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "c:\program files\HP OfficeJet 570\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AIMCrap\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABCE534-5013-40B7-891E-A895134B1FC5}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABCE534-5013-40B7-891E-A895134B1FC5}: NameServer = 205.188.146.146
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
Thank you all for your time, and whatever help you can offer.
0
Comments
Then, when you reboot, it will "break" it and you can manually delete it.
But otherwise, get rid of the following:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
Let us know how it goes....
Logfile of HijackThis v1.98.0
Scan saved at 10:53:42 AM, on 7/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\program files\HP OfficeJet 570\bin\ktchnsnk.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mecha.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "c:\program files\HP OfficeJet 570\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk.disabled
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\AIMCrap\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABCE534-5013-40B7-891E-A895134B1FC5}: NameServer = 198.6.1.194 198.6.100.194
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AB1709F-37BE-46B5-BF95-E766CE75C13C}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{1ABCE534-5013-40B7-891E-A895134B1FC5}: NameServer = 198.6.1.194 198.6.100.194
Thanks for your help! I think I'll go join the folding team now.
Thanks for joining the folding team! That's awesome!