# Hotllama Hell



## gliotta500 (Jul 14, 2005)

I am only 16 so be patient. 
Does anyone know how to delete HOTLLAMA media player? It keeps trying to re-install itself.


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome to TSG 

First you should edit your post and remove your email address. 
You don't wanna get spammed!

See if you can uninstall *HOTLLAMA* from Add/Remove Programs.

Click here to download Hijack This: http://thespykiller.co.uk/files/hijackthis_sfx.exe

Let it extract to *C:\Program Files*

Close out any open browsers
Launch the program
Hit "do a system scan only"
When that finishes, hit "save log"
The log will open in Notepad
Copy & paste that log into this thread

*Do not fix anything yet*


----------



## gliotta500 (Jul 14, 2005)

CHEESEBALL 81 thank you for your help. I've done as you instructed, here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 12:50:02 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PackethSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\wmconnecta\wmtray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\WMCONN~3\wwm.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmconnect.com/menu/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRA~1\DELLMO~1\moh.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnecta\wmtray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: https.member.compuserve.com
O15 - Trusted Zone: http://member.compuserve.com
O15 - Trusted Zone: http://portal.compuserve.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095872895062
O17 - HKLM\System\CCS\Services\Tcpip\..\{6070EF85-6A1E-4A7D-9E33-22743FB4CA04}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{6070EF85-6A1E-4A7D-9E33-22743FB4CA04}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{6070EF85-6A1E-4A7D-9E33-22743FB4CA04}: NameServer = 205.188.146.145
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\system32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


----------



## gliotta500 (Jul 14, 2005)

Cheeseball81 I did delete HOTLLAMA MEDIA PLAYER from the Add/Remove but when you put in a DVD it wants to reinstall itself. Soooo I reinstalled it, so it would show up on the log you requested. gliotta500


----------



## Cheeseball81 (Mar 3, 2004)

With IE closed, run Hijack This again. 
Put a checkmark on these entries and hit "fix checked":

*O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe*

*O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe*

Boot into *Safe Mode* (start tapping the *F8* key at Startup, before the Windows logo screen)

Because XP will not always show you hidden files and folders by default, 
go to Start > Search and, under "More advanced search options", 
make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. 
Go to Tools > Folder Options. 
Click on the View tab and make sure that "Show hidden files and folders" is checked. 
Also uncheck "Hide protected operating system files" and "Hide extensions for known file types." 
Now click "Apply to all folders"
Click "Apply" then "OK"

Find and delete this folder: *C:\Program Files\HOTLLAMA MEDIA*

Also in safe mode navigate to the C:\Windows\Temp folder. 
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. 
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. 
On the General tab under "Temporary Internet Files" Click "Delete Files". 
Put a check by "Delete Offline Content" and click OK. 
Click on the Programs tab then click the "Reset Web Settings" button. 
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.


----------
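An added example, not part of any post in this thread: a small parser for the O4 (autostart) and O16 (Downloaded Program Files) lines of a HijackThis log, so that every persistence entry mentioning a given program can be listed before anything is fixed. The names `Entry`, `parse_log`, `matching` and `unresolved` are hypothetical, and the sample lines are copied from the log posted above.

```python
import re
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    section: str           # HijackThis section code ("O4", "O16")
    source: str            # Run key, Startup folder, or "DPF"
    name: str              # value name, shortcut name, or CLSID
    target: Optional[str]  # command line or URL; None when the log shows "?"

# Line shapes as they appear in the log posted in this thread.
PATTERNS = [
    ("O4", re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")),
    ("O4", re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")),
    ("O16", re.compile(r"^O16 - (DPF): (\{[0-9A-Fa-f-]+\})(?: \(.*?\))? - (\S+)$")),
]

# Sample input: lines copied from the log above; the O23 line shows what is skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

def parse_log(text):
    """Return one Entry per O4/O16 line; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for section, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                source, name, target = m.groups()
                entries.append(Entry(section, source, name,
                                     None if target == "?" else target))
                break
    return entries

def matching(entries, keyword):
    """Entries whose name or target mentions keyword (case-insensitive)."""
    k = keyword.lower()
    return [e for e in entries
            if k in e.name.lower() or (e.target and k in e.target.lower())]

def unresolved(entries):
    """Startup shortcuts whose target HijackThis could not resolve ("?")."""
    return [e for e in entries if e.target is None]

if __name__ == "__main__":
    for entry in matching(parse_log(SAMPLE_LOG), "hotllama"):
        print(entry)
```
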



## gliotta500 (Jul 14, 2005)

Thank You cheeseball81


gliotta500


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome.

Is the problem resolved? Don't forget to post a new log.


----------



## gliotta500 (Jul 14, 2005)

Cheeseball81

Thanks for the fix. Llama from hell is gone. I found out from Llama that some DVDs come with hotllama on them. How nice of them! Once again thank you!

gliotta500


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome! 

You can mark your thread "Solved" from the Thread Tools drop down menu.


----------



## SurferJoe46 (Jun 20, 2006)

I rented a DVD this past week...a recent movie too! 

It had Hotllama on it and I found it quite by accident while typing " c:\ " into my Firefox browser...and there it was in all its nasty glory.

I took it into Spybot S&D's shredder and destroyed it completely. 

So far, so good.....it's gone and not a lot of work either...

BTW: HJT didn't see it nor did just scanning with AVG or Spybot S&D. 

The date of this post is Jan 16th, 2007, so I want everyone to know that it's back!


----------

