Solved

XP Machine - Spyware Infected, hosts file read only - hijack this

Posted on 2008-09-30
Last Modified: 2013-12-06
XP Media Center PC with core message ...
A popup box is displayed on startup ...
> MP2P servent main executable has encountered a problem and needs to close. We are sorry for the inconvenience.
Three other popup boxes are displayed ...
> Softwrap file error
> Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed
> An unexpected error occurred. Error: 80070005
When I run HijackThis, I get a message saying that the hosts file is read only. On examination, the hosts file is read only and contains a load of 127.0.0.1 redirects.
See attached HijackThis log (hijackthis.log).
Question by:simonrobs
6 Comments
 
LVL 5

Accepted Solution

by:
xperttech earned 150 total points
ID: 22606979
Simonrobs:

My recommendation is that you try to get your system as stable as possible for a backup of your valued files. Then, re-install the OS. You may want to save your bookmarks, e-mail, address books, photos, documents, application settings, etc.

It's pretty hard to determine how infected or modified your system is unless you had a program that monitored the system files for changes and can restore them to their original state.

To prevent any zombie or spyware app from sending more info (calling home), start by isolating the PC. Disconnect the network cable or disable your wireless card until you reinstall. Then kill any suspicious application that is running: use Task Manager. Edit your HOSTS file and remove the unwanted lines. Test rebooting and see if the apps run again or the HOSTS file loads the garbage back.

You may spend more time cleaning up the mess than starting fresh.

When these things happen, and hopefully you don't lose any files, we are faced with the question: How well are our valued files protected and backed up?

Hope this helps...

Good luck!
 
LVL 8

Expert Comment

by:morsun
ID: 22607580
Try deleting the hosts file and creating a new one.
 

Author Comment

by:simonrobs
ID: 22607638
It looks like this was caused by something called Blubster.
 
LVL 5

Expert Comment

by:xperttech
ID: 22608651
Blubster seems to be an MP3 community file-sharing program that also installs the "Dealio Toolbar". Possible privacy leak here...
Perhaps there is something else modifying your HOSTS file. I don't find reports of Blubster or Dealio doing this. Actually the "nuisance level" is reported as 3 out of 10.
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22609454
>>Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed<<

This has something to do with Creative soundcards. Do you have one? Try reloading the drivers for it.

The hosts file being read only is fine, actually a good idea. And those redirects were probably set by a security program like SpywareGuard or equivalent ... not a problem.

Don't think this is a Malware issue.
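The two replies above disagree about the 127.0.0.1 lines, and the thread never shows the hosts file itself. The script below is an added example, not code from the thread, that makes the distinction explicit: a run of loopback entries for ad and tracker names is blocklist style (what Spybot S&D and similar tools write), while loopback entries for update or security-vendor names, or any name sent to a non-loopback address, are the hijack pattern. The vendor list and the sample hosts file are constructed for the example; `hosts_is_read_only` reads the read-only flag HijackThis complains about via `os.stat`, which on Windows maps the attribute onto the owner write bit.

```python
"""Triage a Windows HOSTS file along the lines of the thread: a long run of
127.0.0.1 lines is normally a blocklist written by Spybot S&D or a similar
tool, whereas lines that send update or security-vendor names to loopback,
or any name to a non-loopback address, are what a hijacker adds."""
import ipaddress
import os
import stat

# Assumption: a short, constructed list of vendor/update names that no
# blocklist should ever sinkhole. Extend it for the products actually in use.
SECURITY_SITES = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "www.safer-networking.org",   # Spybot - Search & Destroy
    "liveupdate.symantec.com",
    "www.trendmicro.com",
)

# Constructed sample, modelled on the Spybot-style file the thread describes;
# the last three lines are the kind of entries a hijacker would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1  www.007guard.com
127.0.0.1  ad.doubleclick.net
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1  www.safer-networking.org
127.0.0.1  windowsupdate.microsoft.com
192.0.2.10 www.mybank.example
"""


def hosts_is_read_only(path):
    """True when the owner write bit is clear. On Windows, Python maps the
    read-only file attribute onto this bit, so this reads the flag HijackThis
    complains about without touching the file."""
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def classify_hosts(text):
    """Return (line_no, ip, name, verdict) for every mapping in the file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            findings.append((lineno, None, line, "malformed"))
            continue
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, " ".join(names), "malformed"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified   # 127.x, ::1, 0.0.0.0
        for name in names:
            name = name.lower()
            if name in ("localhost", "localhost.localdomain") and sinkhole:
                verdict = "localhost"
            elif any(name == s or name.endswith("." + s) for s in SECURITY_SITES):
                verdict = "security-site-blocked"   # cuts off updates/removal tools
            elif sinkhole:
                verdict = "sinkholed"               # blocklist style, usually benign
            else:
                verdict = "redirect"                # name sent elsewhere: pharming
            findings.append((lineno, ip, name, verdict))
    return findings


def summarize(findings):
    """Count verdicts so a wall of sinkholed lines collapses to one number."""
    counts = {}
    for _, _, _, verdict in findings:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def suspicious(findings):
    """Only the lines worth pasting into a thread like this one."""
    return [f for f in findings
            if f[3] in ("security-site-blocked", "redirect", "malformed")]


if __name__ == "__main__":
    result = classify_hosts(SAMPLE_HOSTS)
    print(summarize(result))
    for lineno, ip, name, verdict in suspicious(result):
        print("line %d: %s -> %s  [%s]" % (lineno, name, ip, verdict))
```

On a real machine, run `classify_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())` and look only at `suspicious(...)`; hundreds of sinkholed ad names are the expected shape of an immunized file, and the read-only flag by itself says nothing about infection.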
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 22610701

Google search shows:
>>> It is installed by the Creative Audigy line of sound cards. If you have a new PC with an Audigy sound card or an Audigy processor on your motherboard, there is a good chance that this file is running on startup.
The only information we have on what the CTMBHA.DLL file does is that it is the "Creative Filter AudioControlMB Module". To us, it sounds like it helps Windows control the audio on your motherboard.
<<< 


The links below tell you about CTMBHA.DLL:
http://www.help2go.com/Tutorials/Spyware_Information/What_is_CTMBHA.DLL_and_should_I_remove_it?.html
http://www.castlecops.com/startuplist-12915.html


The error could mean that "CTMBHA.DLL" is gone, or unregistered.
If there is nothing wrong with the PC's audio device etc., the "CTMBHA.DLL" error will go away if you fix this entry below:
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon


>>> On examination, the hosts fiel is read only and contains a load of 127.0.0.1 redirects <<<

The HijackThis log does not show any suspicious hosts file entries. If you're not using a customized hosts file, those redirects you mentioned could be Spybot's, or from other security programs that add them.

In the HijackThis Misc Tools section you can click "Open hosts file manager", which opens the hosts file; it can also be opened in Notepad. Show it to us.

I would fix the entries below to start with, and I would uninstall "Search Settings" also.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
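The reply above picks five log lines out by eye. As an added example (not code from the thread or from HijackThis), the script below parses exactly those quoted lines and surfaces the structural signals a reviewer keys on without making any reputation call about Search Settings or MyWaySA: a CLSID whose DLL is "(no file)", a "(no name)" registration, one product directory hooked through more than one mechanism (the same DLL appears as both an O2 BHO and an R3 URLSearchHook; the Search Settings directory has both a BHO and an O4 autorun), and an O4 autorun that names a DLL with no path, so the loader resolves `CTMBHA.DLL` through its search path rather than a known location. The regexes cover only the O2/O3/R3 and O4 line shapes shown here and are an assumption about the rest of the log format.

```python
"""Triage the HijackThis lines quoted in the thread. No reputation lookups;
only the structural signals a reviewer keys on: a CLSID with no file behind
it, a nameless registration, one product directory hooked in several places,
and an autorun that names a DLL without a path."""
import re
from collections import defaultdict

# Log lines as quoted in the thread (a constructed subset of the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
"""

# Assumption: these patterns match the O2/O3/R3 and O4 shapes above only.
CLSID_RE = re.compile(r"^(O2|O3|R3) - (\w+): (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (.*?): \[(.*?)\] (.*)$")
ABS_RE = re.compile(r"^[A-Za-z]:\\")
PRODUCT_DIR_RE = re.compile(r"^([A-Za-z]:\\[^\\]+\\[^\\]+)")   # e.g. C:\Program Files\Vendor


def target_of(cmd):
    """Best-effort path of what an O4 line runs; rundll32 lines point at the DLL."""
    cmd = cmd.strip().strip('"')
    if cmd.lower().startswith("rundll32"):
        cmd = cmd.split(None, 1)[1] if " " in cmd else ""
        cmd = cmd.split(",", 1)[0]          # "CTMBHA.DLL,MBMon" -> "CTMBHA.DLL"
    m = re.match(r"(?i)(.+?\.(?:exe|dll|com|scr|bat|cmd))", cmd)
    return m.group(1) if m else cmd


def parse_hjt(text):
    """Turn the recognised log lines into dicts; unknown shapes are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CLSID_RE.match(line)
        if m:
            kind, hook, name, clsid, path = m.groups()
            entries.append({"line": line, "kind": kind, "hook": hook, "name": name,
                            "clsid": clsid.upper(), "path": path})
            continue
        m = O4_RE.match(line)
        if m:
            key, name, cmd = m.groups()
            entries.append({"line": line, "kind": "O4", "hook": key, "name": name,
                            "clsid": None, "path": target_of(cmd)})
    return entries


def product_dir(path):
    """Drive plus two components, lower-cased, as the grouping key."""
    m = PRODUCT_DIR_RE.match(path)
    return m.group(1).lower() if m else None


def triage(entries):
    """Map each log line to the list of structural flags it raises."""
    hooks_by_dir = defaultdict(set)
    for e in entries:
        d = product_dir(e["path"])
        if d:
            hooks_by_dir[d].add(e["kind"])
    report = {}
    for e in entries:
        flags = []
        if e["kind"] != "O4":
            if e["path"] == "(no file)":
                flags.append("(no file): registered CLSID with no DLL on disk")
            if e["name"] == "(no name)":
                flags.append("(no name): nameless registration")
        elif not ABS_RE.match(e["path"]):
            flags.append("target %r is not an absolute path; resolved via the loader search path"
                         % e["path"])
        d = product_dir(e["path"])
        if d and len(hooks_by_dir[d]) > 1:
            flags.append("%s is also hooked as %s" % (d, "+".join(sorted(hooks_by_dir[d]))))
        if flags:
            report[e["line"]] = flags
    return report


if __name__ == "__main__":
    for line, flags in triage(parse_hjt(SAMPLE_LOG)).items():
        print(line)
        for f in flags:
            print("    -", f)
```

All six quoted lines raise at least one flag, which matches the reply's list plus the MBMon entry; for the latter the flag only says the DLL is resolved by search path, so the right follow-up is the one given above (check whether the Creative file exists before fixing the entry), not removal on sight.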
