Re: adware delete? in use?

From: it_exprt (it_exprt.1hacm1_at_mail.mcse.ms)
Date: 12/15/04

Date: Tue, 14 Dec 2004 21:05:14 -0600

DESCRIPTION

TVMedia is adware from Total Velocity (totalvelocity.com).
------------------------------------------------------------
VARIANTS

TVMedia/TVMD, TVMedia/TVTMD, TVMedia/MSMGT: single .exe files dropped
in the Windows folder.

TVMedia/Jeired: an Internet Explorer Browser Helper Object called
jeired.dll replaces the .exe.

TVMedia/BHO: moves to a folder in Program Files, adds executable run at
start-time which works with the BHO to make the software difficult to
remove.
------------------------------------------------------------
ALSO KNOWN AS

CleverIEHooker (Jeired variant), after internal search hook name. MS
T-Media Display, after uninstaller name in some variants.
Adware-TVelocity, by McAfee anti-virus. Troj/Achum-A (MSMGT variant),
by Sophos anti-virus.
------------------------------------------------------------
DISTRIBUTION

Bundled with zSearch, SpeedBlaster and MemoryBlaster, pointlessware
distributed by Total Velocity in ActiveX drive-by-downloads in pop-up
adverts.

Also silently installed by the BookedSpace parasite.
------------------------------------------------------------
WHAT IT DOES

ADVERTISING

Yes, opens periodic pop-up advertisements from ads.centralmedia.ws.

PRIVACY VIOLATION

Suspected. It is not currently clear what information is passed back to
the centralmedia server.

SECURITY ISSUES

Yes. Can download and install arbitrary unsigned code from its
controlling server at c.centralmedia.ws.

STABILITY PROBLEMS

None known.
------------------------------------------------------------
REMOVAL

There is an entry in the Control Panel's ‘Add/Remove Programs’ feature
for ‘TV Media’, ‘TV Media Display’ or ‘MS T-Media Display’.
Unfortunately it does nothing.

The ‘Add/Remove Programs’ entries for the bundling applications
zSearch, MemoryMeter and SpeedBlaster should work. If you received
TVMedia this way you should also delete the entry for it in ‘Downloaded
Program Files’ in the Windows folder.

MANUAL REMOVAL

BHO variant
TVMedia/BHO cannot be removed whilst the Windows shell (explorer.exe)
is running.

One way to avoid this is to boot to Safe Mode (hammer the F8 key whilst
booting to get the menu that leads to Safe Mode) then delete the ‘TV
Media’ folder in Program Files.

In Windows NT/2000/XP/2003 there is a slightly quicker way. Open a DOS
command prompt window (from ‘Accessories’ in the ‘Programs’ menu in
‘Start’). Then open the Task Manager (from the System Tray menu or
pressing Ctrl-Alt-Delete), select the explorer.exe process and kill it.
(Any Internet Explorer windows should also be closed.)

In the command prompt window, enter:

cd "\Program Files"
del "TV Media"

Then start a new task from the Task Manager menu and enter 'explorer'
to get the shell back.

Next, to clean up, open the Registry (click ‘Start’, choose ‘Run’,
enter ‘regedit’), and delete the ‘TV Media’ entry from the
Software\Microsoft\Windows\CurrentVersion\RunOnce subkeys of both the
HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER trees. You can also delete
the entry or key named {707E6F76-9FFB-4920-A976-EA101271BC25} from the
keys HKEY_CLASSES_ROOT\CLSID,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\UrlSearchHooks.

Jeired variant

Open a DOS command prompt window (from ‘Accessories’ in the ‘Programs’
menu in ‘Start’) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "..\jeired.dll"

Reboot and you should be able to delete the jeired.dll file inside the
Windows folder.

TVMD, TVTMD, MSMGT variants

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and
find the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the TVMD, TVTMD or MSMGT entry.

Reboot and you should be able to delete the TVMD.exe, TVTMD.exe or
MSMGT.exe files from the Windows folder.

--
it_exprt
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message1282167.html
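An added example, not part of the post above: a read-only PowerShell audit that checks a machine for the TVMedia artifacts the post lists (the Run/RunOnce value names, the BHO CLSID and its UrlSearchHooks registration, the dropped .exe/.dll files, the ‘TV Media’ folder in Program Files, and any live TVMD/TVTMD/MSMGT process). It reports and removes nothing. The value names, file names and CLSID are the ones named in the post; the function name, parameter names and the Wow6432Node paths are this example's own assumptions.

```powershell
# Added example (not the post's own procedure): report TVMedia persistence
# artifacts described in the post. Read-only; run from an elevated prompt.

function Find-TVMediaArtifacts {
    [CmdletBinding()]
    param(
        # CLSID named in the post for the BHO / Jeired variant
        [string]$BhoClsid = '{707E6F76-9FFB-4920-A976-EA101271BC25}',
        # Run / RunOnce value names named in the post
        [string[]]$RunValueNames = @('TVMD', 'TVTMD', 'MSMGT', 'TV Media'),
        # files the post says are dropped in the Windows folder
        [string[]]$DroppedFiles = @('jeired.dll', 'TVMD.exe', 'TVTMD.exe', 'MSMGT.exe')
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding {
        param([string]$Kind, [string]$Location, [string]$Detail)
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
    }

    # 1. Run / RunOnce entries in both hives (single-.exe and BHO variants)
    $runKeys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        }
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $RunValueNames) {
            $p = $props.PSObject.Properties[$name]
            if ($p) { Add-Finding 'RunKey' "$key\$name" $p.Value }
        }
    }

    # 2. COM, BHO and search-hook registrations of the CLSID.
    #    HKCR has no drive by default, so the Registry:: provider path is used;
    #    Wow6432Node paths cover a 32-bit BHO on 64-bit Windows (assumption).
    $clsidKeys = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$BhoClsid",
        "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$BhoClsid",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid"
    )
    foreach ($key in $clsidKeys) {
        if (Test-Path -LiteralPath $key) { Add-Finding 'ClsidKey' $key $BhoClsid }
    }
    $hooks = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks'
    if (Test-Path -LiteralPath $hooks) {
        $props = Get-ItemProperty -LiteralPath $hooks
        if ($props.PSObject.Properties[$BhoClsid]) { Add-Finding 'UrlSearchHook' "$hooks\$BhoClsid" '' }
    }

    # 3. Dropped files in the Windows folder, and the BHO variant's folder
    foreach ($f in $DroppedFiles) {
        $path = Join-Path $env:WinDir $f
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Add-Finding 'File' $path "SHA256=$hash"
        }
    }
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
        $dir = Join-Path $root 'TV Media'
        if (Test-Path -LiteralPath $dir) {
            $names = (Get-ChildItem -LiteralPath $dir -File | Select-Object -ExpandProperty Name) -join ', '
            Add-Finding 'Folder' $dir $names
        }
    }

    # 4. Live processes: the single-.exe variants run on their own; the Jeired
    #    variant shows up as jeired.dll loaded inside explorer.exe / iexplore.exe
    foreach ($proc in Get-Process -Name 'TVMD', 'TVTMD', 'MSMGT' -ErrorAction SilentlyContinue) {
        Add-Finding 'Process' $proc.ProcessName "PID=$($proc.Id)"
    }
    foreach ($proc in Get-Process -Name 'explorer', 'iexplore' -ErrorAction SilentlyContinue) {
        try {
            $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq 'jeired.dll' }
            if ($mod) { Add-Finding 'LoadedModule' $mod.FileName "in $($proc.ProcessName) PID=$($proc.Id)" }
        } catch {
            # access denied or 32/64-bit mismatch: module list unavailable, skip
        }
    }

    $findings
}

Find-TVMediaArtifacts | Format-Table -AutoSize
```

Two practical notes on reading its output against the post's removal steps. `del "TV Media"` in the BHO-variant instructions deletes the files inside that folder (after a Y/N prompt) and leaves the empty folder behind, so the Folder line will keep appearing until the directory itself is removed with `rd`. And a LoadedModule hit on explorer.exe is the concrete reason the post says the BHO variant cannot be deleted while the shell is running: the DLL is mapped into that process, so the file stays locked until explorer.exe is killed or the machine is booted to Safe Mode.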
 

