
PLEASE HELP ME! I can't close utorrent. It opens endless copies!


yunix


Hi,

I'm about to tear my hair out. I've been using utorrent problem free for forever, but recently utorrent started to automatically start with Windows. Then when I go to close the window, it automatically switches to the utorrent window. I cannot use my computer! Every time I try to minimise or switch to Mozilla or My Computer or something, it automatically switches back to the utorrent window. And when I try to exit utorrent, it opens endless copies, as I speak in my task manager there are probably about 50 instances of utorrent open! Please help me, I don't know why it's doing this.

Core 2 Duo

Windows XP Pro

I am NOT using ZA - I use the Windows software firewall

I use NOD32, but I have always used that so I don't think that is the problem.

I can't even uninstall utorrent because multiple copies are always open.

I've also noticed a 10281.exe running in Task Manager every time a copy of utorrent starts.

Thanks

Yunix


Seems to me like you've got a piece of malware installed on your computer...

a) get HijackThis from trendsecure.com, run it, view the log, and post the contents here

b) get Process Explorer from sysinternals.com, run it, Ctrl+D (to show the lower DLL pane), select the µTorrent process from the list, Ctrl+S (and save the list somewhere you'll find easily -- like the Desktop), then post the contents of the saved process list in the .txt file here


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:38:41 PM, on 20/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\MatLab\webserver\bin\win32\matlabserver.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\DU Meter\DUMeter.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Yun\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=0060914

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.besttoolbars.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=0060914

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Yun\Application Data\Microsoft\dtsc\10281.exe

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.95.52.185/activex/AxisCamControl.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MatLab\webserver\bin\win32\matlabserver.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)

--

End of file - 8714 bytes

From HijackThis

And...

Process PID CPU Description Company Name

alg.exe 4028 Application Layer Gateway Service Microsoft Corporation

AppleMobileDeviceService.exe 1956 Apple Mobile Device Service Apple, Inc.

ati2evxx.exe 960 ATI External Event Utility EXE Module ATI Technologies Inc.

ati2evxx.exe 1752 ATI External Event Utility EXE Module ATI Technologies Inc.

BTTray.exe 3080 Bluetooth Tray Application Broadcom Corporation.

btwdins.exe 2000 Bluetooth Support Server Broadcom Corporation.

CLI.exe 332 CLI Application (Command Line Interface) ATI Technologies Inc.

CLI.exe 3800 CLI Application (Command Line Interface) ATI Technologies Inc.

csrss.exe 720 0.75 Client Server Runtime Process Microsoft Corporation

ctfmon.exe 2532 CTF Loader Microsoft Corporation

DMXLauncher.exe 380

DPCs n/a Deferred Procedure Calls

DUMeter.exe 464 DU Meter Hagel Technologies

explorer.exe 1876 Windows Explorer Microsoft Corporation

firefox.exe 3116 0.75 Firefox Mozilla Corporation

GrooveMonitor.exe 2220 GrooveMonitor Utility Microsoft Corporation

Interrupts n/a Hardware Interrupts

iPodService.exe 1832 iPodService Module Apple Inc.

iTunesHelper.exe 672 iTunesHelper Module Apple Inc.

jusched.exe 264 Java Platform SE binary Sun Microsystems, Inc.

lsass.exe 804 LSA Shell (Export Version) Microsoft Corporation

MATLAB.exe 488 MATLAB The MathWorks Inc.

matlabserver.exe 172

MDM.EXE 300 Machine Debug Manager Microsoft Corporation

mDNSResponder.exe 1988 Bonjour Service Apple Computer, Inc.

NicConfigSvc.exe 372 Internal Network Card Power Management Service Dell Inc.

nod32krn.exe 580 NOD32 Kernel Service Eset

nod32kui.exe 596 NOD32 Control Center GUI Eset

PDVDServ.exe 1148 PowerDVD RC Service Cyberlink Corp.

procexp.exe 3840 2.24 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

quickset.exe 304 QuickSet Dell Inc

services.exe 792 0.75 Services and Controller app Microsoft Corporation

smss.exe 660 Windows NT Session Manager Microsoft Corporation

spoolsv.exe 1564 Spooler SubSystem App Microsoft Corporation

stsystra.exe 292 Sigmatel Audio system tray application SigmaTel, Inc.

svchost.exe 976 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1068 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1120 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1160 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1212 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 1272 Generic Host Process for Win32 Services Microsoft Corporation

svchost.exe 688 Generic Host Process for Win32 Services Microsoft Corporation

SynTPEnh.exe 576 Synaptics TouchPad Enhancements Synaptics, Inc.

System 4

System Idle Process 0 94.78

uTorrent.exe 952 0.75 µTorrent BitTorrent, Inc.

winlogon.exe 748 Windows NT Logon Application Microsoft Corporation

wmiprvse.exe 3844 WMI Microsoft Corporation

wuauclt.exe 4052 Windows Update Automatic Updates Microsoft Corporation

Process: uTorrent.exe Pid: 952

Name Description Company Name Version

ACTIVEDS.dll ADs Router Layer DLL Microsoft Corporation 5.01.2600.2180

adsldpc.dll ADs LDAP Provider C DLL Microsoft Corporation 5.01.2600.2180

ADVAPI32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180

apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180

ATL.DLL ATL Module for Windows XP (Unicode) Microsoft Corporation 3.05.2284.0000

CLBCATQ.DLL Microsoft Corporation 2001.12.4414.0308

COMCTL32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2982

comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180

COMRes.dll Microsoft Corporation 2001.12.4414.0258

credui.dll Credential Manager User Interface Microsoft Corporation 5.01.2600.2180

ctype.nls

DNSAPI.dll DNS Client API DLL Microsoft Corporation 5.01.2600.3394

GDI32.dll GDI Client DLL Microsoft Corporation 5.01.2600.3316

hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation 5.01.2600.2180

IMM32.DLL Windows XP IMM32 API Client DLL Microsoft Corporation 5.01.2600.2180

imon.dll NOD32 IMON - Internet scanning support Eset 2.51.0030.0000

Iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2912

kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.3119

locale.nls

LPK.DLL Language Pack Microsoft Corporation 5.01.2600.2180

mdnsNSP.dll Bonjour Namespace Provider Apple Computer, Inc. 1.00.0003.0001

MPRAPI.dll Windows NT MP Router Administration DLL Microsoft Corporation 5.01.2600.2180

MSCTF.dll MSCTF Server DLL Microsoft Corporation 5.01.2600.3319

msctfime.ime Microsoft Text Frame Work Service IME Microsoft Corporation 5.01.2600.2180

mslbui.dll LangageBar Add In Microsoft Corporation 5.01.2600.2180

msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180

mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.3394

NETAPI32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2976

NETSHELL.dll Network Connections Shell Microsoft Corporation 5.01.2600.2180

ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180

NTMARTA.DLL Windows NT MARTA provider Microsoft Corporation 5.01.2600.2180

ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2726

OLEAUT32.dll Microsoft Corporation 5.01.2600.3266

rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.2938

RPCRT4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.3173

rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180

SAMLIB.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180

SETUPAPI.dll Windows Setup API Microsoft Corporation 5.01.2600.2180

SHELL32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.3241

shfolder.dll Shell Folder Service Microsoft Corporation 6.00.2900.2180

SHLWAPI.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2995

sortkey.nls

sorttbls.nls

unicode.nls

USER32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.3099

USP10.dll Uniscribe Unicode script processor Microsoft Corporation 1.420.2600.2180

uTorrent.exe µTorrent BitTorrent, Inc. 1.08.0000.11468

uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180

VERSION.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180

WLDAP32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180

WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180

WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180

wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.2180

WSOCK32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180

xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180

From Process Explorer

Thanks


Missing files are generally a sign of improperly uninstalled software or malware (viruses, trojans, worms, etc):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)

NOD32 may be acting up, can you try uninstalling it and testing uTorrent without it?

You might also want to try uTorrent with this uninstalled:

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe


So far, I've scanned my computer with Ad-Aware, Ewido, NOD32 and Windows Malicious Removal Tool. None of them have found anything except for a couple of tracking cookies.

I've also found that this happens to both version 1.7.7 and 1.8, haven't tried older versions yet. It does not happen for Vuze/Azureus, but that program sucks so I refuse to use it.

I've uninstalled WinPCap and NOD32, it still happens. I'm going to try BitDefender now. Any other suggestions?

I'm determined to solve this without having to format.

.................

I'VE FOUND THE PROBLEM.

In Process Explorer I noticed this 10281.exe that keeps running several instances and seems to open just before a copy of utorrent opens. The location of the file was C:/Documents and Settings/"Me"/Application Data/Microsoft/dtsc/10281.exe. There were also some other dodgy looking programs in there like t.exe. I deleted them all and it stopped straight away. Might be a bit of a challenge to do that though, you have to time it so that you kill the process and delete it before it restarts itself.

Hope this helps, as I've noticed a few other people experiencing this problem. Not sure why none of the AV or malware removal software can find this.

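The two observations made in this thread, that `(no file)` / `(file missing)` entries deserve a look and that the culprit was a Run entry pointing into the user's Application Data folder, can be checked mechanically on a HijackThis log. The following is an added example, not part of the original posts; the heuristics, the function name `triage` and the Windows XP path patterns are assumptions chosen for illustration, and a hit means "review this entry by hand", not "this is malware".

```python
import re
from typing import NamedTuple

# Excerpt copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Yun\Application Data\Microsoft\dtsc\10281.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
"""

class Finding(NamedTuple):
    section: str    # HijackThis section code, e.g. "O4"
    reasons: tuple  # why the entry deserves a manual look
    line: str       # the original log line

ENTRY_RE = re.compile(r"^([A-Z]\d+) - ")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)\b', re.IGNORECASE)
# Assumption: Windows XP profile layout, as in the log above.
PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\",
    re.IGNORECASE)
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\")
VENDOR_WORDS = ("microsoft", "windows")  # names malware commonly borrows

def triage(log_text):
    """Return log entries that warrant manual review, with the reasons."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # header lines, process list, blank lines
        reasons = []
        if line.endswith(("(no file)", "(file missing)")):
            reasons.append("orphaned entry: target file is missing")
        run = RUN_RE.match(line)
        if run:
            image = IMAGE_RE.match(run.group("cmd"))
            path = image.group("path") if image else run.group("cmd")
            if PROFILE_RE.search(path):
                reasons.append("autorun image is in a user-writable profile directory")
            claims_vendor = any(w in run.group("name").lower() for w in VENDOR_WORDS)
            absolute = re.match(r"^[A-Za-z]:\\", path) is not None
            if claims_vendor and absolute and not path.lower().startswith(SYSTEM_ROOTS):
                reasons.append("name claims an OS component, image is outside system directories")
        if reasons:
            findings.append(Finding(entry.group(1), tuple(reasons), line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", "; ".join(f.reasons), "|", f.line)
```

On the excerpt, the only Run entry flagged is the `10281.exe` line, and it is flagged for both reasons; legitimate software that installs per-user will also trip the profile-directory check, so treat the output as a shortlist.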

Which is why generic "show everything" programs like HijackThis! and Process Explorer are sometimes more powerful than "the best" antivirus software. :P

I lost a LOT of faith in antivirus software years ago.

Been hit by a couple zero-day viruses.
