TV Media Adware and Restore

Guest

Recently, I accidentally installed the TV Media adware, which is apparently
particularly troublesome because it interferes with Windows Update in Windows
XP. (This is the reason for critical update KB885523, issued this October.)
Microsoft also issued a removal tool:

http://support.microsoft.com/kb/886590

However, I was not aware of that and tried to delete the adware manually.
In the process, I deleted winupdt.exe (Is that Windows Update? If so, it was
apparently modified by the adware download.) and possibly some other Windows
system files, with the result being that Windows Explorer and Internet
Explorer (and quite possibly other programs) didn't work. (I'd get a message
saying, "_____ has encountered a problem and needs to close.")

At this point, I used the system restore feature to restore to before I
installed the adware. Now there is no obvious evidence that it was ever on
my computer, but I can no longer connect to the internet. I have verified
that my internet connection is good (works for my other computer) and in fact
shows that I am connected with data transfer on the affected computer, but
every page gives me a "Cannot find server" error; setting up the internet
connection over again did not help. I think there is a problem with Windows,
but a system diagnostic shows that all Windows files are where expected.

At this point I am not sure if my problem is being caused by the adware
download having some effect that was not erased by the restore or by the
restore itself.

I notice there is a similar problem that was fixed in SP2 (which I don't
have; I have SP1):

http://support.microsoft.com/?kbid=329441

However, I don't have the same symptoms; I can see the network connections
and supposedly make new ones; they just don't work. (However, I can get ping
to work.)

I wonder if there could be some problem with my registry. Anyone have any
idea what I could do now?? Go back to before the restore? (If there are
missing Windows system files, will there be a way to fix that without
reinstalling Windows?) Try to use the TV Media deletion utility now? I don't
know if I can even successfully do updates now since I don't have an internet
connection, but I really hesitate to go back to before the restore since at
least now the adware is gone, and the computer seems to be working completely
normally except for the lack of internet access. Any other ideas?
 
Wesley Vogel

winupdt.exe is not Windows Update, it's...

WORM_RBOT.ABD
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.ABD

Update your antivirus software and run a full system scan.

To help with your connection problem..
Get WinSock XP Fix here...

Repair/Reset Winsock settings (Links)
http://windowsxp.mvps.org/winsock.htm

And LSP-Fix here...

LSP-Fix
Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet
software, that result in loss of Internet access
http://www.cexx.org/lspfix.htm

Direct download
http://www.cexx.org/lspfix.zip

Using LSP-Fix to remove Spyware & Hijackers
http://www.bleepingcomputer.com/for...1d96fc6470ca665f6f4e2a77&showtutorial=59#conc
 
Guest

This sounded so promising, but none of it has worked.

Apparently, the worm is no longer on my computer--I cannot find it in the
registry or on the filesystem (except in the Recycle Bin). Actually, it's
odd that after restoring to November 22, the recycle bin contains files
deleted on November 29. I also didn't lose email I received after the 22,
but there were some other files (notably the adware files I was trying to
delete) that vanished after the restore. Could I have gotten an incomplete
restore, even though it said it was successful?

The Winsock XP fix didn't work. I also followed the instructions to remove
the WinSock and WinSock2 registry subkeys manually and reinstall TCP/IP, but
that didn't work, either. I also tried LSP-Fix, but that didn't work, either
(at least without specifically removing anything.)

Not sure if there's anything I'd want to remove here:
mwsock.dll Tcpip
winrnr.dll NTDS
nwprovau.dll NWLink IPX/SPX/NetBIOS ...
rsvpsp.dll (Protocol handler)

Initially, when using regedit, I saw entries that looked like they might
correspond to the adware, but now I don't. I notice
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices (from which the instructions told me to
delete an entry) was not present at all.

All these actions have left me in the same place: I have an internet
connection but cannot access it for some unknown reason.

"Update your antivirus software and run a full system scan."

I don't know how I would update my virus definitions without an internet
connection. I did run a full scan with the current definitions, but I found
nothing. I am almost positive the worm came on my computer with the TV Media
adware. Shouldn't that be illegal? I am sitting here typing this on my old
computer, which has been running Windows 98 since 1998 with no problems. It
seems like XP is much more vulnerable, but maybe it's just that the demands
of the computing age are greater.
 
Comp Tech

Go to www.google.com, type in TVMedia and look for a removal tool, I am sure
you didn't get all of it out of the computer. It is a real rascal to remove.
Been there and done that!
 
Wesley Vogel

Did you download and run this tool?

[[Important Microsoft recommends that you uninstall any application,
including Memory Meter or Speed Blaster from Total Velocity, that was
bundled with T.V. Media before using this removal tool or installing Windows
XP SP2.]]
Adware T.V. Media Program Removal Tool
http://support.microsoft.com/kb/886590

----

Go here, read the instructions and download and copy to 3½" disk to your 98
machine and run it on your other machine.

McAfee AVERT Stinger
[[Stinger is a stand-alone utility used to detect and remove specific
viruses. It is not a substitute for full anti-virus protection, but rather a
tool to assist administrators and users when dealing with an infected
system.]]
http://vil.nai.com/vil/stinger/

----

mwsock.dll is not an XP file. Did you mean mswsock.dll?
mswsock.dll = Microsoft Windows Sockets 2.0 Service Provider
C:\WINDOWS\system32
C:\WINDOWS\system32\dllcache

winrnr.dll = LDAP RnR Provider DLL
C:\WINDOWS\system32
C:\WINDOWS\system32\dllcache

nwprovau.dll = Client Service for NetWare Provider and Authentication
Package DLL
C:\WINDOWS\system32
C:\WINDOWS\system32\dllcache

rsvpsp.dll = Microsoft Windows Rsvp 1.0 Service Provider
C:\WINDOWS\system32
C:\WINDOWS\system32\dllcache
----

I don't have this key either...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Try...
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Or...
HKEY_USERS\SID #\Software\Microsoft\Windows\CurrentVersion\RunServices
----

Maybe it's time to do a backup of your data and a Repair Install.

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm

Backup Of Data On Your PC
http://www.delanet.com/~pparish/pc-bckup.htm

Or a Clean Install.

Clean Install Windows XP
http://www.michaelstevenstech.com/cleanxpinstall.html
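
Added example (not part of the thread and not code from LSP-Fix): the name check made in the reply above, where mwsock.dll was compared against mswsock.dll, written as a small script. It classifies each provider DLL in a listing as a stock name, a near-miss of a stock name, or unknown, using edit distance. The stock list holds only the four DLLs described in the reply, and the `max_distance` threshold of 2 is an assumption.

```python
# Added example: classify Winsock provider DLL names as stock, lookalike or unknown.
# STOCK_PROVIDERS holds only the four DLLs described in the reply above.
STOCK_PROVIDERS = {
    "mswsock.dll": "Microsoft Windows Sockets 2.0 Service Provider",
    "winrnr.dll": "LDAP RnR Provider DLL",
    "nwprovau.dll": "Client Service for NetWare Provider and Authentication Package DLL",
    "rsvpsp.dll": "Microsoft Windows Rsvp 1.0 Service Provider",
}

def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, max_distance=2):
    """Return (verdict, nearest stock name or None) for one DLL name."""
    name = name.strip().lower()
    if name in STOCK_PROVIDERS:
        return ("stock", name)
    nearest = min(STOCK_PROVIDERS, key=lambda s: edit_distance(name, s))
    if edit_distance(name, nearest) <= max_distance:  # assumed threshold
        return ("lookalike", nearest)
    return ("unknown", None)

def audit(listing):
    """listing: text with one 'dllname description' entry per line."""
    results = {}
    for line in listing.splitlines():
        if line.strip():
            dll = line.split()[0]
            results[dll] = classify(dll)
    return results

# The list as typed in the thread (hand-transcribed, so a typo is possible).
SAMPLE = """\
mwsock.dll Tcpip
winrnr.dll NTDS
nwprovau.dll NWLink IPX/SPX/NetBIOS ...
rsvpsp.dll (Protocol handler)
"""

if __name__ == "__main__":
    for dll, (verdict, near) in audit(SAMPLE).items():
        print(f"{dll:14} {verdict:10} {near or ''}")
```

A "lookalike" verdict means either a transcription typo or a file imitating a system name, so the file on disk has to be inspected to tell which. A "stock" verdict matches the name only; the file's location (C:\WINDOWS\system32) and version information still need checking.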
 
