XP Machine - Spyware Infected, hosts file read only - hijack this

Posted on 2008-09-30
Last Modified: 2013-12-06
XP Media Center PC with core message ...
A popup box is displayed on startup ...
> MP2P servent main executable has encoutered a problem and needs to close. We are sorry for the inconvenience.
Three other popup boxes are displayed ...
> Softwrap file error
> Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed
> An unexpected error occurred. Error: 80070005
When I run hijack this, I get a message saying that the hosts file is read only. On examination, the hosts fiel is read only and contains a load of redirects
See attached hijackthis
Question by:simonrobs

Accepted Solution

xperttech earned 150 total points
ID: 22606979

My recommendation is that you try to get your system as stable as possible for a backup of your valued files. Then, re-install the OS. You may want to save your bookmarks, e-mail, address books, photos, documents, application settings, etc.

It's pretty hard to determine how much infected or modified your system is unless you had a program that monitored the system files for changes and can restore them back to the original state.

To prevent any zombie or spyware app from send more info (calling home) start by isolating the PC. Disconnect the network cable or disable your wireless card until you reinstall. Start by killing any suspicious application running: Use Task Manager. Edit your HOSTS file and remove the unwanted lines. Test rebooting and see if the apps run again or the HOSTS file loads back the garbash.

You may spend more time cleaning up the mess than starting fresh.

When these things happen, and hopefully you don't lose any files, we are faced with the question: How well are our valued files protected and backed up?

Hope this helps...

Good luck!

Expert Comment

ID: 22607580
try deleting host file and creating new one

Author Comment

ID: 22607638
This looks like this was caused by something called blubster
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.


Expert Comment

ID: 22608651
Blubster seems to be an MP3 coomunity file sharing software that also installs the "Dealio Toolbar". Possible privacy leak here...
Perhaps there is something else modifying your HOSTS file. I don't find reports of Blubster or Dealio doing this. Actually the "nuisance level" is reported as 3 out of 10.
LVL 20

Expert Comment

ID: 22609454
>>Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed<<

This has something to do with Creative soundcards. Do you have one? Try reloading the drivers for it.

The hosts file being read only is fine, actually a good idea. And those redirects were probably set by a security program like SpywareGuard or equ. ....not a problem.

Don't think this is a Malware issue.
LVL 47

Assisted Solution

rpggamergirl earned 100 total points
ID: 22610701

Google search shows;
>>> It is installed by the Creative Audigy line of sound cards. If you have a new PC with an Audigy sound card or an Audigy processor on your motherboard, there is a good chance that this file is running on startup.
The only information we have on what the CTMBHA.DLL file does is that it is the "Creative Filter AudioControlMB Module". To us, it sounds like it helps Windows control the audio on your motherboard.

The links below tells you about CTMBHA.DLL

The error could mean that "CTMBHA.DLL" is gone, or unregistered.
If there there is nothing wrong with the pc's audio device etc, the "CTMBHA.DLL" error will go away if you fix this entry below:
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

>>> On examination, the hosts fiel is read only and contains a load of redirects <<<

Hijackthis log does not show any suspicious Hosts file entries, if you're not using a customized hosts file it could be those of Spybot's or from other security programs that add those redirects that you mentioned.

In Hijackthis Misc.Tools section you can click "Open hosts file manager" which open the Hosts file which can also be opened in notepad and show it to us.

These entries below I would fix to start with, I would uninstall "Search Settings" also.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Malware seems to be getting smarter and smarter. If you are having trouble being able to launch your malware removal tools such as (and recommended): MalwareBytes, HiJackThis, ComboFix, etc. you can try some of the workarounds listed below. 1. Ma…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question