yunix Posted July 20, 2008

Hi,

I'm about to tear my hair out. I've been using utorrent problem free for forever, but recently utorrent started to automatically start with windows. Then when I go to close the window, it automatically switches to the utorrent window. I cannot use my computer! Every time I try to minimise or switch to mozilla or my computer or something, it automatically switches back to the utorrent window. And when I try to exit utorrent, it opens endless copies, as I speak in my task manager there are probably about 50 instances of utorrent open! Please help me, I don't know why it's doing this.

Core 2 Duo
Windows XP Pro
I am NOT using ZA - I use the windows software firewall
I use NOD32, but I have always used that so I don't think that is the problem.

I can't even uninstall utorrent because multiple copies are always open. I've also noticed a 10281.exe running in taskmanager every time a copy of utorrent starts.

Thanks
Yunix

Ultima Posted July 20, 2008

Seems to me like you've got a piece of malware installed on your computer...

a) get HijackThis from trendsecure.com, run it, view the log, and post the contents here

b) get Process Explorer from sysinternals.com, run it, Ctrl+D (to show the lower DLL pane), select the µTorrent process from the list, Ctrl+S (and save the list somewhere you'll find easily -- like the Desktop), then post the contents of the saved process list in the .txt file here

yunix Posted July 20, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:41 PM, on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\MatLab\webserver\bin\win32\matlabserver.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Yun\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=0060914
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.besttoolbars.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com.au/ig/dell?hl=en&client=dell-row&channel=au&ibd=0060914
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Yun\Application Data\Microsoft\dtsc\10281.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://130.95.52.185/activex/AxisCamControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MatLab\webserver\bin\win32\matlabserver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
--
End of file - 8714 bytes

From HijackThis

And...

Process PID CPU Description Company Name
alg.exe 4028 Application Layer Gateway Service Microsoft Corporation
AppleMobileDeviceService.exe 1956 Apple Mobile Device Service Apple, Inc.
ati2evxx.exe 960 ATI External Event Utility EXE Module ATI Technologies Inc.
ati2evxx.exe 1752 ATI External Event Utility EXE Module ATI Technologies Inc.
BTTray.exe 3080 Bluetooth Tray Application Broadcom Corporation.
btwdins.exe 2000 Bluetooth Support Server Broadcom Corporation.
CLI.exe 332 CLI Application (Command Line Interface) ATI Technologies Inc.
CLI.exe 3800 CLI Application (Command Line Interface) ATI Technologies Inc.
csrss.exe 720 0.75 Client Server Runtime Process Microsoft Corporation
ctfmon.exe 2532 CTF Loader Microsoft Corporation
DMXLauncher.exe 380
DPCs n/a Deferred Procedure Calls
DUMeter.exe 464 DU Meter Hagel Technologies
explorer.exe 1876 Windows Explorer Microsoft Corporation
firefox.exe 3116 0.75 Firefox Mozilla Corporation
GrooveMonitor.exe 2220 GrooveMonitor Utility Microsoft Corporation
Interrupts n/a Hardware Interrupts
iPodService.exe 1832 iPodService Module Apple Inc.
iTunesHelper.exe 672 iTunesHelper Module Apple Inc.
jusched.exe 264 Java Platform SE binary Sun Microsystems, Inc.
lsass.exe 804 LSA Shell (Export Version) Microsoft Corporation
MATLAB.exe 488 MATLAB The MathWorks Inc.
matlabserver.exe 172
MDM.EXE 300 Machine Debug Manager Microsoft Corporation
mDNSResponder.exe 1988 Bonjour Service Apple Computer, Inc.
NicConfigSvc.exe 372 Internal Network Card Power Management Service Dell Inc.
nod32krn.exe 580 NOD32 Kernel Service Eset
nod32kui.exe 596 NOD32 Control Center GUI Eset
PDVDServ.exe 1148 PowerDVD RC Service Cyberlink Corp.
procexp.exe 3840 2.24 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
quickset.exe 304 QuickSet Dell Inc
services.exe 792 0.75 Services and Controller app Microsoft Corporation
smss.exe 660 Windows NT Session Manager Microsoft Corporation
spoolsv.exe 1564 Spooler SubSystem App Microsoft Corporation
stsystra.exe 292 Sigmatel Audio system tray application SigmaTel, Inc.
svchost.exe 976 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1068 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1120 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1160 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1212 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1272 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 688 Generic Host Process for Win32 Services Microsoft Corporation
SynTPEnh.exe 576 Synaptics TouchPad Enhancements Synaptics, Inc.
System 4
System Idle Process 0 94.78
uTorrent.exe 952 0.75 µTorrent BitTorrent, Inc.
winlogon.exe 748 Windows NT Logon Application Microsoft Corporation
wmiprvse.exe 3844 WMI Microsoft Corporation
wuauclt.exe 4052 Windows Update Automatic Updates Microsoft Corporation

Process: uTorrent.exe Pid: 952

Name Description Company Name Version
ACTIVEDS.dll ADs Router Layer DLL Microsoft Corporation 5.01.2600.2180
adsldpc.dll ADs LDAP Provider C DLL Microsoft Corporation 5.01.2600.2180
ADVAPI32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
apphelp.dll Application Compatibility Client Library Microsoft Corporation 5.01.2600.2180
ATL.DLL ATL Module for Windows XP (Unicode) Microsoft Corporation 3.05.2284.0000
CLBCATQ.DLL Microsoft Corporation 2001.12.4414.0308
COMCTL32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2982
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.00.2900.2180
COMRes.dll Microsoft Corporation 2001.12.4414.0258
credui.dll Credential Manager User Interface Microsoft Corporation 5.01.2600.2180
ctype.nls
DNSAPI.dll DNS Client API DLL Microsoft Corporation 5.01.2600.3394
GDI32.dll GDI Client DLL Microsoft Corporation 5.01.2600.3316
hnetcfg.dll Home Networking Configuration Manager Microsoft Corporation 5.01.2600.2180
IMM32.DLL Windows XP IMM32 API Client DLL Microsoft Corporation 5.01.2600.2180
imon.dll NOD32 IMON - Internet scanning support Eset 2.51.0030.0000
Iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2912
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.3119
locale.nls
LPK.DLL Language Pack Microsoft Corporation 5.01.2600.2180
mdnsNSP.dll Bonjour Namespace Provider Apple Computer, Inc. 1.00.0003.0001
MPRAPI.dll Windows NT MP Router Administration DLL Microsoft Corporation 5.01.2600.2180
MSCTF.dll MSCTF Server DLL Microsoft Corporation 5.01.2600.3319
msctfime.ime Microsoft Text Frame Work Service IME Microsoft Corporation 5.01.2600.2180
mslbui.dll LangageBar Add In Microsoft Corporation 5.01.2600.2180
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.3394
NETAPI32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2976
NETSHELL.dll Network Connections Shell Microsoft Corporation 5.01.2600.2180
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
NTMARTA.DLL Windows NT MARTA provider Microsoft Corporation 5.01.2600.2180
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2726
OLEAUT32.dll Microsoft Corporation 5.01.2600.3266
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.2938
RPCRT4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.3173
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
SAMLIB.dll SAM Library DLL Microsoft Corporation 5.01.2600.2180
SETUPAPI.dll Windows Setup API Microsoft Corporation 5.01.2600.2180
SHELL32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.3241
shfolder.dll Shell Folder Service Microsoft Corporation 6.00.2900.2180
SHLWAPI.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2995
sortkey.nls
sorttbls.nls
unicode.nls
USER32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.3099
USP10.dll Uniscribe Unicode script processor Microsoft Corporation 1.420.2600.2180
uTorrent.exe µTorrent BitTorrent, Inc. 1.08.0000.11468
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
VERSION.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
WLDAP32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
WS2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
WS2HELP.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wshtcpip.dll Windows Sockets Helper DLL Microsoft Corporation 5.01.2600.2180
WSOCK32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180
xpsp2res.dll Service Pack 2 Messages Microsoft Corporation 5.01.2600.2180

From Process Explorer

Thanks

Switeck Posted July 20, 2008

Missing files are generally a sign of improperly uninstalled software or malware (viruses, trojans, worms, etc):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)

NOD32 may be acting up, can you try uninstalling it and testing uTorrent without it?

You might also want to try uTorrent with this uninstalled:

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

yunix Posted July 21, 2008

So far, I've scanned my computer with Ad-Aware, Ewido, NOD32 and Windows Malicious Removal Tool. None of them have found anything except for a couple of tracking cookies. I've also found that this happens to both version 1.7.7 and 1.8, haven't tried older versions yet. It does not happen for Vuze/Azureus, but that program sucks so I refuse to use it. I've uninstalled WinPCap and NOD32, it still happens. I'm going to try BitDefender now. Any other suggestions?

I'm determined to solve this without having to format...

I'VE FOUND THE PROBLEM.

In process explorer I noticed this 10281.exe that keeps running several instances and seems to open just before a copy of utorrent opens. The location of the file was C:/Documents and Settings/"Me"/Application Data/Microsoft/dtsc/10281.exe. There were also some other dodgy looking programs in there like t.exe. I deleted them all and it stopped straight away. Might be a bit of a challenge to do that though, you have to time it so that you kill the process and delete it before it restarts itself.

Hope this helps, as I've noticed a few other people experiencing this problem. Not sure why none of the AV or malware removal software can find this.

Switeck Posted July 21, 2008

Which is why generic "show everything" programs like HijackThis! and Process Explorer are sometimes more powerful than "the best" antivirus software. I lost a LOT of faith in antivirus software years ago.

Been hit by a couple zero-day viruses.
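
The manual triage this thread ends up doing can be scripted; the following is an added example, not part of the original posts. It reads HijackThis lines (the sample is copied from the log posted above) and flags entries with a missing target file and Run entries that start a program from a user-writable folder, under a numeric file name, or under a system-sounding label. The function names and the three heuristics are assumptions chosen for illustration, not HijackThis features.

```python
import ntpath
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Yun\Application Data\Microsoft\dtsc\10281.exe
O23 - Service: Win PPPe - Unknown owner - C:\WINDOWS\system32\winser.exe (file missing)
"""

RUN_ENTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Heuristics (assumptions): folders a limited user can write to, and the
# folders where a genuine Windows component would normally be installed.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\appdata\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")


def executable_of(command):
    """Return the program path from a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command


def triage(log_text):
    """Return (line, reasons) for every entry that deserves a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if line.endswith("(no file)") or line.endswith("(file missing)"):
            reasons.append("target file is missing")
        entry = RUN_ENTRY.match(line)
        if entry:
            _hive, _key, name, command = entry.groups()
            path = executable_of(command).lower()
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if any(part in path for part in USER_WRITABLE):
                reasons.append("autostart from a user-writable folder")
            if stem.isdigit():
                reasons.append("numeric file name")
            if re.search(r"microsoft|windows", name, re.IGNORECASE) \
                    and "\\" in path and not path.startswith(SYSTEM_DIRS):
                reasons.append("system-sounding name outside system folders")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons))
        print("    " + line)
```

A flagged line is a lead for inspection in Process Explorer, not a verdict: as noted earlier in the thread, missing-file entries also come from improperly uninstalled software.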

xx7enderxx Posted July 24, 2008

I've been trying to get rid of this for weeks. Then I read this. I love you guys. Thanks a ton.

This topic is now archived and is closed to further replies.