#1
I was infected with the TV MEDIA/tvm.exe hijacker, and because my computer is 2000 professional, for some reason I could not get into SAFE mode. So I went into COMMAND PROMPT mode by hitting START, ACCESSORIES, COMMAND PROMPT. Then I used the commands to change the directory to C: program files\tv media. Then I clicked ctl-alt-del and selected PROCESSES, then EXPLORER, and stopped it. I then went back to the command prompt and was able to erase the tvm.exe and its DLLs. (If you don't know how to use the commands, hit START, then HELP, then enter commands and hit LIST OF COMMANDS. They are basically DOS commands.)
Then I rebooted, ran HIJACK THIS to remove the R3 URLSearchHook, then ran Startup Inspector and deleted the TV media entries. Then I went into the Program files directory and deleted the TV Media directory. Rebooted, and it was gone! Everything seems to be working ok now.
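Added example, not part of the original post and not code from HijackThis: a Python script that reads a HijackThis-format log and groups every line referencing the TV Media folder by section code (R3, O4, ...), including 8.3 short-path forms such as PROGRA~1 that a plain text search for "TV Media" would miss. The sample log is constructed; the CLSIDs, Example.dll, ExampleAV and all function names are placeholders chosen for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log layout; CLSIDs and file names are placeholders.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\TV Media\Tvm.exe
R3 - URLSearchHook: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\TV Media\Example.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe /startup
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\PROGRA~1\TVMEDI~1\Tvm.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - ")   # section code such as R3, O2, O4
PROCESS = re.compile(r"^[A-Za-z]:\\")        # a bare path is a running-process line

def component_pattern(name):
    """Match a folder by long name or by its likely 8.3 alias (TV Media -> TVMEDI~1)."""
    if len(name) <= 8 and " " not in name:
        return re.escape(name)
    alias = re.sub(r"[ .]", "", name).upper()[:6] + "~"
    return r"(?:%s|%s\d+)" % (re.escape(name), re.escape(alias))

def directory_pattern(directory):
    """Regex for files inside `directory`; the trailing separator avoids prefix matches."""
    parts = directory.strip("\\").split("\\")
    body = r"\\".join(component_pattern(p) for p in parts)
    return re.compile(body + r"\\", re.IGNORECASE)

def flag_entries(log_text, directory):
    """Group log lines that reference `directory` by section code ('PROC' = running)."""
    pattern = directory_pattern(directory)
    hits = defaultdict(list)
    for line in map(str.strip, log_text.splitlines()):
        if not pattern.search(line):
            continue
        match = ENTRY.match(line)
        if match:
            hits[match.group(1)].append(line)
        elif PROCESS.match(line):
            hits["PROC"].append(line)
    return dict(hits)

if __name__ == "__main__":
    found = flag_entries(SAMPLE_LOG, r"C:\Program Files\TV Media")
    # Running processes are listed first: posts in this thread stop the process before deleting.
    for code in sorted(found, key=lambda c: c != "PROC"):
        for line in found[code]:
            print(code, "|", line)
```

The 8.3 alias is a heuristic built from the first six characters of the folder name; the real short name on a given disk can differ.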
#2
Hijack This/Startup Inspector
How exactly do you use Hijack This and Startup inspector to delete the TVMedia crap? I tried using the help command and tried using the command prompt to no avail. Anyway, here's my log:
#3
TVM.EXE removal
Just to let anyone else who reads this know, there is a simpler way.
1. Open My Computer
2. ctrl+alt+del, click the processes tab
3. stop explorer.exe
4. go to the tv media folder (c: program files\tv media) and delete it
5. go back to the task manager
6. click file-new task, type explorer.exe
7. depending on what OS you're running, go to start-run then type regedit
8. click edit-find then type tvm.exe
9. delete what you find
10. go back to edit-find then click find next. do this till it says none found.
I didn't even have to restart. I have XP Pro.
#4
Now, I looked in almost all forums with many solutions. But nothing worked. I tried with secure boot (msconfig), but when I want to start my PC without services, I see in the systemstart register that only the tvm's are checked and all others are unchecked. There are two of them: one with path to HKCU/software/microsoft/windows/currentversion/run and one with HKLM/software/microsoft/windows/currentversion/run??!

When I try to delete all entries in the Registry with regedit, a little bit later all of them are back in the same place. I also tried HijackThis without any solution. When I delete them, at the next scan they are there again! Now I have no ideas how to delete this damned folder! Is there someone who knows how to delete the TV Media folder? I need help, otherwise I'll go stupid!

Nearly the same problem with:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLL SZ mad.dll
This mad.dll can be found in %systemroot%/system32/mad.dll. I can't delete this "mad.dll", neither with regsvr32 nor in the Registry with regedit! Does anyone know what this dll is for? How can I delete or change it?

Thanks a lot to all who know a new idea or can help me.
#5
Hi EthanHawk,
Please start a new topic and post a HijackThis log.
Download HijackThis (link below). Make sure you install HijackThis to a permanent folder such as C:\HJT as it creates backups of what we will fix.
Run the program, press Scan, after a brief pause... press Save log. Notepad will open, copy and paste the entire log into your post.
Do not fix anything yet, most of what's in the log is needed!
Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
#6
After studying the design of the total velocity program, I developed a sure-fire way to delete the spyware and its associated loaders.
The problem is that the program is self-protecting and runs EVEN IN SAFE MODE. You can remove all its registry entries but it will put them back in before you can close the registry editor.
FIX IT FOR SURE: It's a chore and I have a step-by-step guide to get it out of your computer.
Read the document at: ftp://www.wizardnco.com/pub/Docs/RemoveTVM/
or download it at: ftp://www.wizardnco.com/pub/Docs/RemoveTVM/How%20to%20Properly%20Remove%20TVM.doc
Late note: It appears that there are still a couple of registry entries to remove. After following the steps, download and use spybot to take them out. I will try and document a better way to remove them.
-wiz
#7
wiz,
Why not post your fix here? Why is it available only via FTP?
MS has a removal tool: Adware T.V. Media Removal Tool (KB 886590)
http://www.microsoft.com/downloads/details.aspx?FamilyID=f94e8b27-b656-45cd-9668-73134a18231b&DisplayLang=en
Adaware seems to be removing it also...
Tom
#8
you are great, easy fix Thank You!
#9
One additional thing, it started when I got the TVM, Virtual Bouncer etc thing. I open my explorer to a blank site. There is now in the main pane (where there should be nothing) a little y with two dots above it. Any thoughts?
#10
Hi Jborer,
Please start a new thread and post a HijackThis log:
Download HijackThis. Make sure you install HijackThis to a permanent folder such as C:\HJT as it creates backups of what we will fix.
Run the program, press Scan, after a brief pause... press Save log. Notepad will open, copy and paste the entire log into your post.
Do not fix anything yet, most of what's in the log is needed!
http://www.majorgeeks.com/download3155.html
Tom
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > TVM.EXE - another way to erase it.