Jump to content

HotLLama problem

srt
 Share

Recommended Posts

srt

srt

Posted
Posted

I'm not sure what happened to my post from this morning but it seems to have disappeared or I did something wrong. Anyway here goes again!

I somehow infected my computer with a nasty malware/virus that keeps asking me to install HotLLama everytime I insert a DVD into the DVD burner. If I cancel the option it turns off and I cannot proceed further. Having sent an email to one of the moderators I was advised to download and run:

Spyboy Search & Destroy

Malwarebytes' Anti-Malware

PandaActive Scan, and finally

HiJack This!

Logs from all the last three program runs are attached herewith and any help would be much appreciated.

srt

Malwarebytes' Anti-Malware 1.12

Database version: 738

Scan type: Full Scan (C:\|)

Objects scanned: 229619

Time elapsed: 1 hour(s), 2 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 11

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 35

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\rotator.gizmo6 (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\rotator.gizmo6.1 (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ab71e94e-3dc4-41eb-bbd5-31e82c9fd1d4} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab71e94e-3dc4-41eb-bbd5-31e82c9fd1d4} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1a86d7dc-d241-4136-af64-c5d241a07651} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{7a3dc573-7005-4a24-bb29-8aa47294391e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mp3tag (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\qiawpbjj.msdn_hlp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\owner\My Documents\My Downloads\Software\mp3tagv240setup.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\Mp3tag\Mp3tagUninstall.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\17PHolmes173.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\users_rating.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\spy_away_header_small.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\spy_away_header.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\spy_away_box_small.jpg (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\secuity_center_logo.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\protect.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\logo_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\icon_warning.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\header_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\features.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\download_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\close_icon.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\buy_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\arrow.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\alert_icon.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\5_stars.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\4_stars.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gtv_sd.bin (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\fuamfu32.ini (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\din.ip (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\detect.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\pt.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\s_detect.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\spy_away_box.jpg (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\v.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\x.gif (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\aconti.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\hotporn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-05-11 08:17:12

PROTECTIONS: 3

MALWARE: 14

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Freedom Anti-Virus No No

Norton Internet Security 15.0.0.60 Yes Yes

Eset NOD32 antivirus system 2.51 2.51 Yes Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00036016 adware/topmoxie Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683}

00039204 adware/cws Adware No 0 Yes No c:\documents and settings\owner\favorites\adult

00040376 adware/adblaster Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{e9147a0a-a866-4214-b47c-da821891240f}

00040376 adware/adblaster Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}

00047327 adware/adsincontext Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{029E02F0-A0E5-4B19-B958-7BF2DB29FB13}

00132710 dialer.xd Dialers No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{54645654-2225-4455-44A1-9F4543D34546}

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@tribalfusion[1].txt

00162900 Cookie/MediaTickets TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\9zh9qc1o.default\cookies.txt[.kinghost.com/]

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@com[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@ad.yieldmanager[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@serving-sys[1].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\owner\Cookies\owner@bs.serving-sys[1].txt

00218901 adware/adbars Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{51641EF3-8A7A-4D84-8659-B0911E947CC8}

00260701 adware/vog Adware No 1 Yes No c:\program files\internet explorer\winbrume.dat

02559104 Adware/SecurityError Adware No 0 Yes No C:\System Volume Information\_restore{008B42F0-35EB-4774-9CDD-66CB64DF5DF2}\RP10\A0001132.dll

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:22:58 AM, on 5/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe

C:\Program Files\Reg1Aid\rfagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Windows Home Server\WHSConnector.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: (no name) - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: BrowserHelper Class - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [rfagent] "C:\Program Files\Reg1Aid\rfagent.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\system32\shdocvw.dll (HKCU)

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.epost.ca/printing/smsx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: ddfffcadfdbae - C:\WINDOWS\

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--

End of file - 12173 bytes

mbam_log_5_10_2008__14_37_36_.txt

ActiveScan.txt

hijackthis_log.txt

mbam_log_5_10_2008__14_37_36_.txt

ActiveScan.txt

hijackthis_log.txt

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Okay first off it shows you have the Spybot Search & Destroy TEA TIMER running.

This needs to be disabled in order to repair items. When done you can re-enable it.

Instructions on how to disable the Spybot Search & Destroy Tea Timer

Disable Spybot Search & Destroys' TEA TIMER:

  1. Run Spybot-S&D in Advanced Mode.
  2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
  3. On the left hand side, Click on Tools
  4. Then click on the Resident Icon in the List
  5. Uncheck "Resident TeaTimer" and OK any prompts.
  6. Restart your computer.
    Now run this tool to remove temporary files that could be harboring Malware.
  • Follow these instructions carefully.
  • Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.
  • You can also download it from Majorgeeks.com
  • When you run ATF-Cleaner, check the items as shown below for Main.
  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox
  • NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored
  • Then click on "Empty Selected".

atf-cleaner01.gif

.
atf-cleaner02.gif

Then when done with that do this

Start HiJackThis and do a SCAN ONLY and place a check mark on this item

O2 - BHO: (no name) - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - (no file)

Then click on the "Fix selected"

You have a very old installation of Java which could be how some Malware got on your system.

Go into your Control Panel and then Add/Remove and uninstall all versions of Java found.

Then after a reboot go here and get an update Java Runtime Environment (JRE) 6 Update 6

It should be about half way down the page.

You should also ensure you have the latest versions of Flash and QuickTime which have also had some Malware targeted at these older versions as well.

Then run Malwarebytes and go to the UPDATE tab and check for updates. Then do a Quick Scan.

After that run another HiJackThis and do a Scan Only and post back both logs so we can see how the system is doing.

.

Link to post
Share on other sites
srt

srt

Posted
  • Author
Posted
Okay first off it shows you have the Spybot Search & Destroy TEA TIMER running.

This needs to be disabled in order to repair items. When done you can re-enable it.

Instructions on how to disable the Spybot Search & Destroy Tea Timer

Disable Spybot Search & Destroys' TEA TIMER:

  1. Run Spybot-S&D in Advanced Mode.

  2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"

  3. On the left hand side, Click on Tools

  4. Then click on the Resident Icon in the List

  5. Uncheck "Resident TeaTimer" and OK any prompts.

  6. Restart your computer.

  • Now run this tool to remove temporary files that could be harboring Malware.

  • Follow these instructions carefully.

  • Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware.

  • You can also download it from Majorgeeks.com

  • When you run ATF-Cleaner, check the items as shown below for Main.

  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox

  • NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored

  • Then click on "Empty Selected".

atf-cleaner01.gif

.
atf-cleaner02.gif

Then when done with that do this

Start HiJackThis and do a SCAN ONLY and place a check mark on this item

O2 - BHO: (no name) - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - (no file)

Then click on the "Fix selected"

You have a very old installation of Java which could be how some Malware got on your system.

Go into your Control Panel and then Add/Remove and uninstall all versions of Java found.

Then after a reboot go here and get an update Java Runtime Environment (JRE) 6 Update 6

It should be about half way down the page.

You should also ensure you have the latest versions of Flash and QuickTime which have also had some Malware targeted at these older versions as well.

Then run Malwarebytes and go to the UPDATE tab and check for updates. Then do a Quick Scan.

After that run another HiJackThis and do a Scan Only and post back both logs so we can see how the system is doing.

.

Hello "AdvancedSetup" and thank you for your quick response.

I followed your instructions to the end with the following exceptions:

After uninstalling all older versions of Java, I also uninstalled (removed) the older versions of Flash and Quicktime and then ran Registry First Aid and Disk cleanup and then restarted the computer.

Then I downloaded and installed the latest version of Java as instructed by you and also a new version of Quicktime. I already had a new version of Adobe Flash player installed.

Then when I tried to run Malwarebytes I get the following error: "Error loading database. Line: #0. ."

I uninstalled Malwarebytes and reinstalled it and after finishing installation it still gives the same error when trying to launch the program. As a result I cannot update or run a quick scan. I did however run HiJack This and here is the log from the scan.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:20:45 AM, on 5/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Reg1Aid\rfagent.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Windows Home Server\WHSConnector.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: BrowserHelper Class - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [rfagent] "C:\Program Files\Reg1Aid\rfagent.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\system32\shdocvw.dll (HKCU)

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.epost.ca/printing/smsx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: ddfffcadfdbae - C:\WINDOWS\

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--

End of file - 12321 bytes

Sorry I deviated from your instructions but thought it would be harmless to run Registry First Aid.

Anxiously awaiting further instructions.

By the way, I tried a commercial DVD and it still brings up the HotLLama window!!

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Okay well it is up to you but I would not use Registry First Aid or any other Registry cleaning utilities as they often remove things they should not touch and can cause more damage than they claim to repair. There are many stories where users have had to reinstall their operating system from damage caused by Registry Cleaners, so you I would suggest not using it anymore.

Start HJT and do a Scan Only and place a check mark on these entries.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O20 - Winlogon Notify: ddfffcadfdbae - C:\WINDOWS\

Then click on "Fix selected"

Go into your Control Panel then to Add/Remove and see if you can locate the HotLLama player for removal.

Then uninstall Malwarebytes and reboot your computer. Then after the reboot download a new copy from here

Malwarebytes 1.12

Then install it and let me know if you're still having problems running MB. Update it and run a new scan please.

.

Link to post
Share on other sites
srt

srt

Posted
  • Author
Posted
Okay well it is up to you but I would not use Registry First Aid or any other Registry cleaning utilities as they often remove things they should not touch and can cause more damage than they claim to repair. There are many stories where users have had to reinstall their operating system from damage caused by Registry Cleaners, so you I would suggest not using it anymore.

Start HJT and do a Scan Only and place a check mark on these entries.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O20 - Winlogon Notify: ddfffcadfdbae - C:\WINDOWS\

Then click on "Fix selected"

Go into your Control Panel then to Add/Remove and see if you can locate the HotLLama player for removal.

Then uninstall Malwarebytes and reboot your computer. Then after the reboot download a new copy from here

Malwarebytes 1.12

Then install it and let me know if you're still having problems running MB. Update it and run a new scan please.

.

OK....that worked well. I did excatly what you suggested and was successful in installing Malwarebytes 1.12, updating it and running a scan (see results below). I also then re-ran HiJack This and saved the log (also see below). Unfortunately, the HotLLama problem persists B)

Malwarebytes' Anti-Malware 1.12

Database version: 743

Scan type: Full Scan (C:\|)

Objects scanned: 228106

Time elapsed: 59 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:49:40 PM, on 5/12/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Reg1Aid\rfagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe

C:\Program Files\Windows Home Server\WHSConnector.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: BrowserHelper Class - {9A065C65-4EE7-4DDD-9918-F129089A894A} - C:\Program Files\Windows Home Server\WHSDeskBands.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll

O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - C:\Program Files\Windows Home Server\WHSDeskBands.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [rfagent] "C:\Program Files\Reg1Aid\rfagent.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\system32\shdocvw.dll (HKCU)

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.epost.ca/printing/smsx.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLCapSvc.exe

O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\ATI\Catalyst Media Center\Kernel\TV\CLSched.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\ATI\Catalyst Media Center\Kernel\CLML_NTService\CLMLServer.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--

End of file - 11785 bytes

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

You didn't say whether or not you found the HOTLLAMA Player in the Add/Remove applet.

I would uninstall the Registry Aide or at least stop it from auto loading

Run HJT and put a check on this

O4 - HKLM\..\Run: [rfagent] "C:\Program Files\Reg1Aid\rfagent.exe"

Then select "Fix selected"

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: HOTLLAMA Player

If you look in Windows Explorer do you see this folder?

C:\Program Files\HOTLLAMA Media

If you do then delete the folder HOTLLAMA Media

However - it is very likley that the DVD you're using is installing the HOTLLAMA Player as it comes with many retail DVDs and is not considered Malware - perhaps something you don't want though.

Try another DVD and see if it also tries to bring up the HOTLLAMA Player.

Link to post
Share on other sites
srt

srt

Posted
  • Author
Posted
You didn't say whether or not you found the HOTLLAMA Player in the Add/Remove applet.

I would uninstall the Registry Aide or at least stop it from auto loading

Run HJT and put a check on this

O4 - HKLM\..\Run: [rfagent] "C:\Program Files\Reg1Aid\rfagent.exe"

Then select "Fix selected"

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: HOTLLAMA Player

If you look in Windows Explorer do you see this folder?

C:\Program Files\HOTLLAMA Media

If you do then delete the folder HOTLLAMA Media

However - it is very likley that the DVD you're using is installing the HOTLLAMA Player as it comes with many retail DVDs and is not considered Malware - perhaps something you don't want though.

Try another DVD and see if it also tries to bring up the HOTLLAMA Player.

Sorry, but I forgot to mention it the last time - HotLLama Player does not appear in the Add/Remove applet. This is probably because I never answered "yes" when it asked to be installed.

Anyway, I followed your recommendations about Registry First Aid and decided to uninstall it completely from my computer. I then opened windows and deleted the Registry First Aid folder under Program Files. Therefore, when I ran HiJack This, I did not see O4 - HKLM\..\Run: [rfagent] "C:\Program Files\Reg1Aid\rfagent.exe" so there was nothing to "fix". Also there is no folder named HOTLLAMA Media.

What is interesting though is that after deleting the Registry First Aid folder under program files, when I tried to empty the Trash bucket, it asked me if I was sure I wanted to delete WINDOWS. Obviously I said no and left it alone. I then ran Disk Cleanup and re-booted the computer and when it came up again I noticed that the Trash bucket was empty!!

I then inserted a 2nd commercially purchased DVD and the Power DVD player by CyberLink came ON WITHOUT the HotLLama warning, but the DVD still would not pay and instead I got an error message as follows: "Error Code 80040216 - An object or name was not found".

So I tried to play the DVD with Real Player and got another error message - "The DVD cannot be played. Key exchange for DVD copy protection failed"

Finally, I opened up VLC Media Player and played the DVD and it playes just fine! B)

I then inserted a 3rd commercially purchased DVD and obtained the same results as above.

To conclude the tests, I reinserted the 1st commercially purchased DVD and Lo & behold the HotLLama window pop's up again!

When I use explorer to view the contents of the the DVD Drive (D drive), I get the following strange tree (see below) and I cannot delete the undesirable folders. So the question is how could HotLLama have written onto a commercially purchased DVD??

Unfortnately I cannot insert a jpg of the actual explorer view so here goes:

Llama Icon then THE_DAY_AFTER_TOMORROW_4X3 (D:)

Folder ASSETS

Sub Folder HOTLLAMA

Folder ICONS

Folder SCREENS

Folder SKINS

Sub Folder DAY AFTER TOMORROW

Folder VIDEO_TS

I finally ran regedit and found the following:

HKEY_USERS\S-1-5-21-1275210071-1993962763-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de23ce31-6633-11d9-b24c-806d6172696f}

HKEY_USERS\S-1-5-21-1275210071-1993962763-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de23ce31-6633-11d9-b24c-806d6172696f}\_Autorun

HKEY_USERS\S-1-5-21-1275210071-1993962763-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de23ce31-6633-11d9-b24c-806d6172696f}\_Autorun\DefaultIcon

The value data of this last entry is - D:\DVDROM\Icons\hotLlamamedia_red.ico

Thanks for your patience!

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

The HotLLama did not write back to the DVD - it is there on purpose. The author of many Retail DVDs place the application on the DVD in order to "enhance" features they want you show when it's inserted in a PC.

I would reinstall your CyberLink DVD player and that should correct the DVD playing issues you had.

Let me know if anything else comes up, but it looks like your system should be clean now and the HotLLama application ironed out.

.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Well since your system appears to now be clean from Malware you should disable system restore to remove old restore points that could contain Malware.

Then re-enable it and make a new restore point in case you need it in the future.

How to turn off and turn on System Restore in Windows XP

Link to post
Share on other sites
srt

srt

Posted
  • Author
Posted
Well since your system appears to now be clean from Malware you should disable system restore to remove old restore points that could contain Malware.

Then re-enable it and make a new restore point in case you need it in the future.

How to turn off and turn on System Restore in Windows XP

Hello AdvancedSetup and Thank You for your help.

I uninstalled the Cyberlink DVD software and all of its components and then rebooted the computer and re-installed it again and the problem has gone away i.e. now when I insert any DVD it plays normally.

Out of curiosity I looked at the windows explorer (Drive D) when commercially purchased DVD's # 2 and # 3 from my previous postings and they appear as I would normally expect to see them i.e. the Title of the DVD and the two sub folders (Audio_TS and Video_TS), however when I insert the first DVD (The Day After Tomorrow), it once again shows what I had described earlier. This is most annoying - any suggestions on how to get rid of this??

As suggested by you I have also re-enabled System Restore on my computer.

Finally, do you recommend deleting any references to HotLLama in the registry?

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted
Finally, do you recommend deleting any references to HotLLama in the registry?

Well it won't really matter - the next time you put a DVD into your computer that has HotLLama it will recreate that.

The only way to stop that from happening is to prevent the Auto Load of the DVD.

Once you place the DVD in the drive, press and hold the SHIFT key for probably at least 10 seconds. Then open your Cyberlink DVD software and choose open DVD to play the movie.

This HotLLama software is added to many DVD titles so it always has the potential to start up unless you either temporarily disable the Auto Load / Auto Play by holding down the SHIFT key, or by modifying your system to completely disable Auto Play - which I don't recommend.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

This topic will be closed to prevent other from posting into it.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept