Parasite: TVMedia

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

TVMedia is adware from Total Velocity (totalvelocity.com).

Variants

TVMedia/TVMD, TVMedia/TVTMD, TVMedia/MSMGT: single .exe files dropped in the Windows folder.

TVMedia/Jeired: an Internet Explorer Browser Helper Object called jeired.dll replaces the .exe.

TVMedia/BHO: moves to a folder in Program Files and adds a Tvm.exe executable, run at start-time, which works with the TvmBHO.dll file to make the software difficult to remove. Despite the name, it is not actually an IE Browser Helper Object (BHO), but a URLSearchHook.

TVMedia/SSK: marketed as ‘Surf SideKick’ under the name Blue Tide Software (bluetidesoftware.com). Works as the BHO variant, but uses different filenames/IDs.

Also known as

CleverIEHooker (Jeired variant), after internal search hook name.
MS T-Media Display, after uninstaller name in some variants.
Adware-TVelocity, by McAfee anti-virus.
Troj/Achum-A (MSMGT variant), by Sophos anti-virus.

Distribution

Bundled with zSearch, SpeedBlaster and MemoryBlaster, pointless software distributed by Total Velocity in ActiveX drive-by-downloads in pop-up adverts. Also silently installed by the BookedSpace and Skyhorn parasites, and the SSK variant by the EasySearchBar and TopConverting parasites.

What it does

Advertising: Yes, opens periodic pop-up advertisements from ads.centralmedia.ws.

Privacy violation: Suspected. It is not currently clear what information is passed back to the centralmedia server.

Security issues: Yes. Can download and install arbitrary unsigned code from its controlling server at c.centralmedia.ws.
Stability problems: The BHO variant can cause Windows to blue-screen on startup after XP Service Pack 2 is installed.

Removal

There is an entry in the Control Panel’s ‘Add/Remove Programs’ feature for ‘TV Media’, ‘TV Media Display’ or ‘MS T-Media Display’. Unfortunately it does nothing.

The ‘Add/Remove Programs’ entries for the bundling applications zSearch, MemoryMeter and SpeedBlaster should work. If you received TVMedia this way you should also delete the entry for it in ‘Downloaded Program Files’ in the Windows folder.

Because of TVMedia/BHO’s habit of breaking XP Service Pack 2, Microsoft also provide their own uninstaller. See the Microsoft info on TVMedia.

Manual removal

BHO and SSK variants

TVMedia/BHO and its variant SSK cannot be removed whilst the Windows shell (explorer.exe) is running. One way to avoid this is to boot to Safe Mode (hammer the F8 key whilst booting to get the menu that leads to Safe Mode) then delete the ‘TV Media’ or ‘SurfSideKick 2’ folder in Program Files.

In Windows NT/2000/XP/2003 there is a slightly quicker way. Open a DOS command prompt window (from ‘Accessories’ in the ‘Programs’ menu in ‘Start’). Then open the Task Manager (from the System Tray menu or pressing Ctrl-Alt-Delete), select the explorer.exe process and end it. The task bar and other Windows shell elements will disappear. In the command prompt window, enter, for the BHO variant:

    del "\Program Files\TV Media"

Or, for the SSK variant:

    del "\Program Files\SurfSideKick 2"

Next, to clean up, open the Registry (click ‘Start’, choose ‘Run’, enter ‘regedit’), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (BHO variant) or just ...\Run (SSK variant). Delete the entry ‘TV Media’ pointing to Tvm.exe (BHO variant) or ‘SurfSideKick 2’ (SSK variant). Now do the same in the tree HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE.
You can also delete the key/entry named {707E6F76-9FFB-4920-A976-EA101271BC25} (BHO variant) or {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} (SSK variant) from the keys HKEY_CLASSES_ROOT\CLSID and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks.

Jeired variant

Open a DOS command prompt window (from ‘Accessories’ in the ‘Programs’ menu in ‘Start’) and enter the following commands:

    cd "%WinDir%\System"

Reboot and you should be able to delete the jeired.dll file inside the Windows folder.

TVMD, TVTMD, MSMGT variants

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the TVMD, TVTMD or MSMGT entry.

Reboot and you should be able to delete the TVMD.exe, TVTMD.exe or MSMGT.exe files from the Windows folder.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links. Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!
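To check a machine (or a batch of exported hives) for the registry locations named in the manual removal steps above, the following added example scans the text of a regedit `.reg` export for the autostart entries and the two CLSIDs listed on this page. It is not the detection script credited above; the function name, the sample export and the choice to look for every entry name under both Run and RunOnce in both hives are assumptions made here.

```python
import re

# Indicators copied from the removal steps on this page.
RUN_VALUES = {"tv media", "surfsidekick 2", "tvmd", "tvtmd", "msmgt"}
CLSIDS = {"{707E6F76-9FFB-4920-A976-EA101271BC25}": "TVMedia/BHO",
          "{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}": "TVMedia/SSK"}
RUN_KEY = re.compile(r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft"
                     r"\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
HOOK_KEY = re.compile(r"\\Microsoft\\Internet Explorer\\UrlSearchHooks$", re.I)
CLSID_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]+\})$", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')  # "name"=data lines

def scan_reg_export(text):
    """Return (key, value_name, reason) hits found in .reg export text.
    Files written by regedit are UTF-16: open(path, encoding="utf-16")."""
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the registry key path
            m = CLSID_KEY.match(key)
            if m and m.group(1).upper() in CLSIDS:
                hits.append((key, None, "CLSID: " + CLSIDS[m.group(1).upper()]))
            continue
        m = VALUE.match(line)
        if not (key and m):
            continue
        name = m.group(1)
        if RUN_KEY.match(key) and name.lower() in RUN_VALUES:
            hits.append((key, name, "autostart entry"))
        elif HOOK_KEY.search(key) and name.upper() in CLSIDS:
            hits.append((key, name, "URLSearchHook: " + CLSIDS[name.upper()]))
    return hits

# Constructed sample export (not captured from a real machine); the
# all-zero CLSID is a placeholder standing in for a benign search hook.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TV Media"="C:\\Program Files\\TV Media\\Tvm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks]
"{707E6F76-9FFB-4920-A976-EA101271BC25}"=""
"{00000000-0000-0000-0000-000000000001}"=""

[HKEY_CLASSES_ROOT\CLSID\{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}]
@="constructed"
'''
```

Calling `scan_reg_export(SAMPLE)` returns three hits: the RunOnce entry, the BHO-variant search hook and the SSK-variant CLSID registration; the placeholder hook is ignored.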