Solved

XP Machine - Spyware Infected, hosts file read only - hijack this

Posted on 2008-09-30
2,137 Views
Last Modified: 2013-12-06
XP Media Center PC with core message ...
A popup box is displayed on startup ...
> MP2P servent main executable has encountered a problem and needs to close. We are sorry for the inconvenience.
Three other popup boxes are displayed ...
> Softwrap file error
> Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed
> An unexpected error occurred. Error: 80070005
When I run HijackThis, I get a message saying that the hosts file is read only. On examination, the hosts file is read only and contains a load of 127.0.0.1 redirects.
See attached hijackthis
hijackthis.log
Question by:simonrobs
6 Comments
 
LVL 5

Accepted Solution

by:
xperttech earned 150 total points
ID: 22606979
Simonrobs:

My recommendation is that you try to get your system as stable as possible for a backup of your valued files. Then, re-install the OS. You may want to save your bookmarks, e-mail, address books, photos, documents, application settings, etc.

It's pretty hard to determine how infected or modified your system is unless you had a program that monitored the system files for changes and can restore them back to the original state.

To prevent any zombie or spyware app from sending more info (calling home), start by isolating the PC. Disconnect the network cable or disable your wireless card until you reinstall. Start by killing any suspicious application running: use Task Manager. Edit your HOSTS file and remove the unwanted lines. Test rebooting and see if the apps run again or the HOSTS file loads back the garbage.

You may spend more time cleaning up the mess than starting fresh.

When these things happen, and hopefully you don't lose any files, we are faced with the question: How well are our valued files protected and backed up?

Hope this helps...

Good luck!
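To act on the advice above (edit the HOSTS file, then see what comes back after a reboot), here is a small triage script. This is an added example, not code posted by anyone in this thread; the sample hosts content and the "protected" vendor suffixes in it are made up for illustration. It separates blocklist-style lines (a hostname sinkholed to 127.0.0.1 or 0.0.0.0, which is what Spybot's immunize and similar tools write, and what later replies in this thread suspect is going on here) from entries that actually point to a hijack: a hostname redirected to a routable address, or a security/update domain being sinkholed.

```python
"""Hosts-file triage: tell blocklist-style entries apart from hijack-style ones.

Added example for this thread, not code posted by anyone in it. The sample hosts
content and the "protected" domain suffixes are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the default localhost line, blocklist-style entries of the
# kind Spybot's immunize adds, and two lines that should worry you.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test      # sinkholed ad domain: harmless
127.0.0.1       tracker.example-stats.test
0.0.0.0         banner.example-ads.test
127.0.0.1       www.example-av-vendor.test     # sinkholing a security vendor: suspicious
10.20.30.40     www.example-bank.test          # routable redirect: pharming
not-an-ip       broken.example.test
"""

# Constructed stand-ins for security-vendor / update domains that malware likes to block.
PROTECTED_SUFFIXES = ("example-av-vendor.test", "example-update.test")


@dataclass
class HostsTriage:
    blocklist: list = field(default_factory=list)   # (line_no, hostname, ip)
    suspicious: list = field(default_factory=list)  # (line_no, hostname, ip, reason)
    unparsable: list = field(default_factory=list)  # (line_no, first field)


def parse_hosts(text):
    """Yield (line_no, ip_text, [hostnames]) for each non-comment line; '#' starts a comment."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.split("#", 1)[0].strip()
        if not stripped:
            continue
        fields = stripped.split()
        yield line_no, fields[0], fields[1:]


def triage_hosts(text, protected=PROTECTED_SUFFIXES):
    """Classify every hostname mapping in a hosts file."""
    result = HostsTriage()
    for line_no, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            result.unparsable.append((line_no, ip_text))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified  # 127.x.x.x / ::1 / 0.0.0.0
        for name in names:
            name = name.lower()
            if name == "localhost":
                continue  # the one entry every hosts file has
            if not sinkhole:
                # A real address means traffic for this name is *redirected*, not blocked.
                result.suspicious.append((line_no, name, str(ip), "redirected to routable address"))
            elif name.endswith(protected):
                # Blocking your own security tools is what infections do, not blocklists.
                result.suspicious.append((line_no, name, str(ip), "security/update domain sinkholed"))
            else:
                result.blocklist.append((line_no, name, str(ip)))
    return result


if __name__ == "__main__":
    t = triage_hosts(SAMPLE_HOSTS)
    print(f"{len(t.blocklist)} blocklist-style, {len(t.suspicious)} suspicious, "
          f"{len(t.unparsable)} unparsable")
    for entry in t.suspicious:
        print("SUSPICIOUS line %d: %s -> %s (%s)" % entry)
```

On XP the live file is %SystemRoot%\system32\drivers\etc\hosts; if it is read-only, clear the attribute with `attrib -r` before editing, and run the triage again after a reboot to see whether anything rewrote it.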
 
LVL 8

Expert Comment

by:morsun
ID: 22607580
Try deleting the hosts file and creating a new one.
 

Author Comment

by:simonrobs
ID: 22607638
It looks like this was caused by something called Blubster.
 
LVL 5

Expert Comment

by:xperttech
ID: 22608651
Blubster seems to be an MP3 community file sharing software that also installs the "Dealio Toolbar". Possible privacy leak here...
Perhaps there is something else modifying your HOSTS file. I don't find reports of Blubster or Dealio doing this. Actually the "nuisance level" is reported as 3 out of 10.
 
LVL 20

Expert Comment

by:IndiGenus
ID: 22609454
>>Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed<<

This has something to do with Creative soundcards. Do you have one? Try reloading the drivers for it.

The hosts file being read only is fine, actually a good idea. And those redirects were probably set by a security program like SpywareGuard or equ. ....not a problem.

Don't think this is a Malware issue.
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 22610701

Google search shows;
>>> It is installed by the Creative Audigy line of sound cards. If you have a new PC with an Audigy sound card or an Audigy processor on your motherboard, there is a good chance that this file is running on startup.
The only information we have on what the CTMBHA.DLL file does is that it is the "Creative Filter AudioControlMB Module". To us, it sounds like it helps Windows control the audio on your motherboard.
<<<


The links below tell you about CTMBHA.DLL
http://www.help2go.com/Tutorials/Spyware_Information/What_is_CTMBHA.DLL_and_should_I_remove_it?.html
http://www.castlecops.com/startuplist-12915.html


The error could mean that "CTMBHA.DLL" is gone, or unregistered.
If there is nothing wrong with the pc's audio device etc, the "CTMBHA.DLL" error will go away if you fix this entry below:
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon


>>> On examination, the hosts file is read only and contains a load of 127.0.0.1 redirects <<<

Hijackthis log does not show any suspicious Hosts file entries, if you're not using a customized hosts file it could be those of Spybot's or from other security programs that add those redirects that you mentioned.

In HijackThis' Misc Tools section you can click "Open hosts file manager", which opens the Hosts file; it can also be opened in Notepad. Show it to us.

I would fix these entries below to start with; I would also uninstall "Search Settings".
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
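As an added example (not HijackThis code and not something posted in this thread), here is a parser for the O2/R3/O4 lines quoted above that applies the same reasoning: an entry whose file is "(no file)" is orphaned, entries under the MyWaySA and Search Settings directories are the adware the reply recommends removing, and an O4 Rundll32 entry that names its DLL without a path (the MBMon line) is the kind that produces a DLL load error when the DLL is gone or unregistered, as noted above. The directory markers are assumptions chosen to match this thread, not a vetted signature list.

```python
"""Triage the O2 / R3 / O4 lines of a HijackThis log.

Added example for this thread, not HijackThis code and not code from any poster.
SAMPLE_LOG holds the entries quoted in the thread; PUP_PATH_MARKERS are assumptions
chosen to match them, not a vetted signature list.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
"""

# Assumed directory fragments for the adware named in this thread (case-insensitive match).
PUP_PATH_MARKERS = ("\\MyWaySA\\", "\\Search Settings\\")

# O2 (BHO) and R3 (URLSearchHook) share one shape: name - {CLSID} - file
CLSID_LINE = re.compile(
    r"^(?P<section>O2|R3) - (?P<kind>BHO|URLSearchHook): (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-F-]{36})\} - (?P<path>.+)$",
    re.IGNORECASE,
)
# O4 autorun: HKLM\..\Run: [value name] command line
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    line: str
    reason: str


def _matches_pup(text, markers):
    return any(m.lower() in text.lower() for m in markers)


def triage_hjt(log_text, pup_markers=PUP_PATH_MARKERS):
    """Return one Finding per log line that deserves attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CLSID_LINE.match(line)
        if m:
            name, path = m["name"], m["path"]
            if path == "(no file)":
                findings.append(Finding(line, "orphaned entry: CLSID registered but file missing"))
            elif _matches_pup(path, pup_markers):
                findings.append(Finding(line, "file under a known adware/search-hijacker path"))
            elif name == "(no name)":
                findings.append(Finding(line, "unnamed BHO/hook with file present: inspect the DLL"))
            continue
        m = RUN_LINE.match(line)
        if m:
            cmd = m["cmd"]
            if _matches_pup(cmd, pup_markers):
                findings.append(Finding(line, "autorun under a known adware/search-hijacker path"))
            elif cmd.lower().startswith("rundll32 "):
                # "Rundll32 CTMBHA.DLL,MBMon": DLL given by bare name, resolved via the search path
                dll = cmd.split(None, 1)[1].split(",", 1)[0]
                if "\\" not in dll:
                    findings.append(Finding(
                        line, f"Rundll32 loads {dll} by bare name; fails if DLL missing/unregistered"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```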