Solved

XP Machine - Spyware Infected, hosts file read only - hijack this

Posted on 2008-09-30
Last Modified: 2013-12-06
XP Media Center PC with core message ...
A popup box is displayed on startup ...
> MP2P servent main executable has encountered a problem and needs to close. We are sorry for the inconvenience.
Three other popup boxes are displayed ...
> Softwrap file error
> Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed
> An unexpected error occurred. Error: 80070005
When I run HijackThis, I get a message saying that the hosts file is read-only. On examination, the hosts file is read-only and contains a load of 127.0.0.1 redirects.
See attached hijackthis
hijackthis.log
Question by:simonrobs
6 Comments
LVL 5

Accepted Solution

by:
xperttech earned 150 total points
ID: 22606979
Simonrobs:

My recommendation is that you try to get your system as stable as possible for a backup of your valued files. Then, re-install the OS. You may want to save your bookmarks, e-mail, address books, photos, documents, application settings, etc.

It's pretty hard to determine how infected or modified your system is unless you had a program that monitored the system files for changes and can restore them to their original state.

To prevent any zombie or spyware app from sending more info (calling home), start by isolating the PC. Disconnect the network cable or disable your wireless card until you reinstall. Start by killing any suspicious application running: use Task Manager. Edit your HOSTS file and remove the unwanted lines. Test rebooting and see if the apps run again or the HOSTS file loads back the garbage.

You may spend more time cleaning up the mess than starting fresh.

When these things happen, and hopefully you don't lose any files, we are faced with the question: How well are our valued files protected and backed up?

Hope this helps...

Good luck!
LVL 8

Expert Comment

by:morsun
ID: 22607580
Try deleting the hosts file and creating a new one.

Author Comment

by:simonrobs
ID: 22607638
It looks like this was caused by something called Blubster.
LVL 5

Expert Comment

by:xperttech
ID: 22608651
Blubster seems to be an MP3 community file sharing software that also installs the "Dealio Toolbar". Possible privacy leak here...
Perhaps there is something else modifying your HOSTS file. I don't find reports of Blubster or Dealio doing this. Actually the "nuisance level" is reported as 3 out of 10.
LVL 20

Expert Comment

by:IndiGenus
ID: 22609454
>>Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed<<

This has something to do with Creative soundcards. Do you have one? Try reloading the drivers for it.

The hosts file being read-only is fine, actually a good idea. And those redirects were probably set by a security program like SpywareGuard or equivalent ... not a problem.

Don't think this is a Malware issue.
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 22610701

Google search shows;
>>> It is installed by the Creative Audigy line of sound cards. If you have a new PC with an Audigy sound card or an Audigy processor on your motherboard, there is a good chance that this file is running on startup.
The only information we have on what the CTMBHA.DLL file does is that it is the "Creative Filter AudioControlMB Module". To us, it sounds like it helps Windows control the audio on your motherboard.
<<< 


The links below tell you about CTMBHA.DLL:
http://www.help2go.com/Tutorials/Spyware_Information/What_is_CTMBHA.DLL_and_should_I_remove_it?.html
http://www.castlecops.com/startuplist-12915.html


The error could mean that "CTMBHA.DLL" is gone, or unregistered.
If there is nothing wrong with the PC's audio device etc., the "CTMBHA.DLL" error will go away if you fix this entry below:
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon


>>> On examination, the hosts file is read-only and contains a load of 127.0.0.1 redirects <<<

The HijackThis log does not show any suspicious hosts file entries. If you're not using a customized hosts file, they could be Spybot's, or those of other security programs that add the redirects you mentioned.

In the HijackThis Misc Tools section you can click "Open hosts file manager", which opens the hosts file; it can also be opened in Notepad. Show it to us.

These entries below I would fix to start with, I would uninstall "Search Settings" also.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
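Both xperttech's advice (edit the HOSTS file and strip the unwanted lines) and rpggamergirl's point (127.0.0.1 entries are often a security program's immunisation list, so the file has to be read before anything is deleted) come down to the same triage. The script below is an added example, not code from this thread or from HijackThis or Spybot: it parses a hosts file, separates blocklist-style loopback entries from entries that sinkhole update or antivirus sites or that redirect a well-known name to a remote address, and produces a cleaned copy. The sample hosts text and the short list of "protected" domains are constructed for illustration; a real triage would use a fuller vendor list.

```python
"""Triage a Windows hosts file: blocklist entries versus hijacks.

Added example for this thread. The sample file and PROTECTED_SUFFIXES below
are constructed for illustration (assumption), not taken from the poster's PC.
"""
import os
import stat

# Constructed sample modelled on a hosts file that mixes Spybot-style
# immunisation entries with hijack-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1   www.007guard.com
127.0.0.1   007guard.com
127.0.0.1   ad.doubleclick.net
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1   www.microsoft.com
127.0.0.1   update.microsoft.com
127.0.0.1   www.symantec.com
0.0.0.0     liveupdate.symantecliveupdate.com
198.51.100.7   www.google.com
"""

# Assumed, illustrative set of update/antivirus domains. A blocklist has no
# reason to sinkhole these; malware does, to stop you fetching updates/removers.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com",
    "symantecliveupdate.com", "mcafee.com", "kaspersky.com",
    "trendmicro.com", "avast.com", "avg.com", "safer-networking.org",
)

SINKHOLE_IPS = ("0.0.0.0", "::1")


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()      # drop comments, split on whitespace/tabs
        if len(body) < 2:
            continue
        ip, names = body[0], body[1:]
        for name in names:                        # one line may map several names
            entries.append((lineno, ip, name.lower()))
    return entries


def is_sinkhole(ip):
    return ip.startswith("127.") or ip in SINKHOLE_IPS


def is_protected(name):
    return any(name == d or name.endswith("." + d) for d in PROTECTED_SUFFIXES)


def classify(ip, name):
    """Label one mapping: localhost, blocklist, hijack-blocks-security-site, hijack-redirect."""
    if name in ("localhost", "localhost.localdomain"):
        return "localhost"
    if is_sinkhole(ip):
        # Loopback for an ad/tracker domain is what immunisation tools write;
        # loopback for an update/AV vendor is the classic malware tell.
        return "hijack-blocks-security-site" if is_protected(name) else "blocklist"
    # A non-loopback address for any other name sends traffic to a host the
    # attacker chose (pharming), which no legitimate blocklist does.
    return "hijack-redirect"


def triage(text):
    """Group every mapping in the file by its classification."""
    report = {"localhost": [], "blocklist": [],
              "hijack-blocks-security-site": [], "hijack-redirect": []}
    for lineno, ip, name in parse_hosts(text):
        report[classify(ip, name)].append((lineno, ip, name))
    return report


def cleaned_hosts(text):
    """Return the file with hijack lines removed; comments and blocklist lines survive."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if len(body) >= 2 and any(classify(body[0], n.lower()).startswith("hijack")
                                  for n in body[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def is_read_only(path):
    """True when the file's read-only attribute is set (write bit cleared)."""
    return not (os.stat(path).st_mode & stat.S_IWRITE)


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_HOSTS).items():
        for lineno, ip, name in items:
            print(f"line {lineno:3d}  {kind:28s} {ip:16s} {name}")
```

Run against the real file (`%SystemRoot%\system32\drivers\etc\hosts`) only after reading it by eye, and clear the read-only attribute before writing a cleaned copy back (`attrib -r` on the file, or `os.chmod(path, stat.S_IWRITE | stat.S_IREAD)`); re-set it afterwards if, as IndiGenus notes, you want the file protected. The design point is that the address alone says nothing: 127.0.0.1 lines are benign or hostile depending on which names they sinkhole, so the check has to look at the hostnames.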