XP Machine - Spyware Infected, hosts file read only - hijack this

Posted on 2008-09-30
Medium Priority
Last Modified: 2013-12-06
XP Media Center PC with core message ...
A popup box is displayed on startup ...
> MP2P servent main executable has encoutered a problem and needs to close. We are sorry for the inconvenience.
Three other popup boxes are displayed ...
> Softwrap file error
> Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed
> An unexpected error occurred. Error: 80070005
When I run hijack this, I get a message saying that the hosts file is read only. On examination, the hosts file is read only and contains a load of redirects.
See attached hijackthis
Question by: simonrobs
Accepted Solution

xperttech earned 600 total points
ID: 22606979

My recommendation is that you try to get your system as stable as possible for a backup of your valued files. Then, re-install the OS. You may want to save your bookmarks, e-mail, address books, photos, documents, application settings, etc.

It's pretty hard to determine how infected or modified your system is unless you had a program that monitored the system files for changes and could restore them back to the original state.

To prevent any zombie or spyware app from sending more info (calling home), start by isolating the PC. Disconnect the network cable or disable your wireless card until you reinstall. Start by killing any suspicious application running: use Task Manager. Edit your HOSTS file and remove the unwanted lines. Test rebooting and see if the apps run again or the HOSTS file loads back the garbage.

You may spend more time cleaning up the mess than starting fresh.

When these things happen, and hopefully you don't lose any files, we are faced with the question: How well are our valued files protected and backed up?

Hope this helps...

Good luck!

Expert Comment

ID: 22607580
Try deleting the hosts file and creating a new one.

Author Comment

ID: 22607638
This looks like this was caused by something called blubster
Expert Comment

ID: 22608651
Blubster seems to be an MP3 community file sharing software that also installs the "Dealio Toolbar". Possible privacy leak here...
Perhaps there is something else modifying your HOSTS file. I don't find reports of Blubster or Dealio doing this. Actually the "nuisance level" is reported as 3 out of 10.
LVL 20

Expert Comment

ID: 22609454
>>Error Loading CTMBHA.DLL - a dynamic link library (DLL) initialization routine failed<<

This has something to do with Creative soundcards. Do you have one? Try reloading the drivers for it.

The hosts file being read only is fine, actually a good idea. And those redirects were probably set by a security program like SpywareGuard or equ. ....not a problem.

Don't think this is a Malware issue.
LVL 47

Assisted Solution

rpggamergirl earned 400 total points
ID: 22610701

Google search shows;
>>> It is installed by the Creative Audigy line of sound cards. If you have a new PC with an Audigy sound card or an Audigy processor on your motherboard, there is a good chance that this file is running on startup.
The only information we have on what the CTMBHA.DLL file does is that it is the "Creative Filter AudioControlMB Module". To us, it sounds like it helps Windows control the audio on your motherboard.

The links below tell you about CTMBHA.DLL

The error could mean that "CTMBHA.DLL" is gone, or unregistered.
If there is nothing wrong with the PC's audio device etc., the "CTMBHA.DLL" error will go away if you fix this entry below:
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

>>> On examination, the hosts file is read only and contains a load of redirects <<<

The Hijackthis log does not show any suspicious Hosts file entries. If you're not using a customized hosts file, it could be those of Spybot's or from other security programs that add those redirects that you mentioned.

In the Hijackthis Misc. Tools section you can click "Open hosts file manager", which opens the Hosts file. It can also be opened in Notepad; show it to us.

These entries below I would fix to start with, I would uninstall "Search Settings" also.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb125\SearchSettings.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
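
The thread disagrees on whether the hosts-file redirects are protective or hostile. The following is an added example, not code from any poster, that triages hosts-file text into loopback sinkholes, redirects to other addresses, and loopback entries that block security or update sites; the `WATCHLIST` values and the sample file are constructed assumptions.

```python
import ipaddress

# Hypothetical watchlist: substrings of security/update hostnames that should never be blocked.
WATCHLIST = ("windowsupdate", "av-vendor.example")

def triage_hosts(text):
    """Classify hosts-file entries as sinkholes, redirects, or blocked security sites."""
    report = {"sinkhole": [], "redirect": [], "blocked_security": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(lineno)     # first field is not an IP address
            continue
        if len(fields) < 2:
            report["malformed"].append(lineno)     # address with no hostname
            continue
        local = addr.is_loopback or addr.is_unspecified   # 127.0.0.0/8, ::1, 0.0.0.0, ::
        for name in (f.lower() for f in fields[1:]):
            if name == "localhost":
                continue                           # default entry, nothing to report
            if not local:
                report["redirect"].append((name, str(addr)))
            elif any(w in name for w in WATCHLIST):
                report["blocked_security"].append(name)
            else:
                report["sinkhole"].append(name)
    return report

# Constructed sample (reserved example domains and a TEST-NET address), not from the thread.
SAMPLE = """\
127.0.0.1       localhost
127.0.0.1       ads.tracker.example     # blocklist-style entry
0.0.0.0         popups.example.net
203.0.113.10    www.bank.example        # points a name at a non-local server
127.0.0.1       update.av-vendor.example
not-an-ip       broken.example
"""

if __name__ == "__main__":
    for kind, items in triage_hosts(SAMPLE).items():
        print(kind, items)
```

Entries that land only under `sinkhole` match the blocklist pattern the experts attribute to security programs; anything under `redirect` or `blocked_security` is what needs a closer look before the file is trusted.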
