Quad5Ny Posted May 5, 2011

For whatever reason I was in resource monitor watching disk activity and for some reason uTorrent read into memory C:\Program Files (x86)\Whisper Technology\FTP Surfer\wtftpshx.dll

Not only did it read the file, but apparently it's locked and using it for something. Because just for the hell of it I tried deleting the DLL and Windows is saying this file is in use by uTorrent.

I'm not infected with anything, and both uTorrent and wtftpshx.dll come up clean with my antivirus and also on Virus Total.

uTorrent.exe - http://www.virustotal.com/file-scan/report.html?id=74029804001289d20eb47578265ecc34bbe712f37e8d2af94dd0ab2c244e3e17-1304562211
wtftpshx.dll - http://www.virustotal.com/file-scan/report.html?id=36a13e419e7e6997613f0b1e98eca4dfaa019dab0af203eca27dbd1e2b00bad3-1304562913

EDIT: that DLL is registered as a COM object, with a CLSID {11C1D741-A95B-11d2-8A80-0080ADB32FF4}. Maybe uTorrent is expecting a different library under that ID?

(I'm on Windows 7 x64 SP1)

DreadWingKnight Posted May 5, 2011

Hijackthis log.

Quad5Ny Posted May 6, 2011

Lol really, Hijackthis. We looking for malware? >_>.

I think wtftpshx.dll is a shell extension for drag and drop support in FTP Surfer, but I'm not sure why uTorrent was loading it.

Anyway I un-registered the object and uTorrent isn't accessing the DLL anymore. But if you're really curious (which I doubt you are) I uploaded a copy of FTP Surfer that you can check out in a virtual machine or whatever. - http://www.2shared.com/file/yMqzmGZc/FTP_Surfer.html

-Cheers, Quad :cool:

Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
Z:\Scratch\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Software Protection (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

DreadWingKnight Posted May 6, 2011

> I think wtftpshx.dll is a shell extension for drag and drop support in FTP Surfer, but I'm not sure why uTorrent was loading it.
> Anyway I un-registered the object and uTorrent isn't accessing the DLL anymore.

It was probably FTP Surfer loading that component into uT.
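
To see what the CLSID mentioned in the thread is registered to, and which shell-extension handler lists reference it, the registry can be queried read-only. This is an added example, not part of any post in the thread; the handler locations it checks are a common subset chosen for illustration (an assumption), not a complete list.

```powershell
# Added example: read-only registry lookups for the CLSID quoted in the thread.
$clsid = '{11C1D741-A95B-11d2-8A80-0080ADB32FF4}'

# 64-bit Windows keeps a separate class registration view for 32-bit processes.
$classRoots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes',
    'Registry::HKEY_CURRENT_USER\Software\Classes'
)

# 1. Which DLL does the CLSID load in-process?
foreach ($root in $classRoots) {
    $key = "$root\CLSID\$clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        $item = Get-Item -LiteralPath $key
        [pscustomobject]@{
            Check  = 'InprocServer32'
            Key    = $key
            Detail = $item.GetValue('')   # default value holds the DLL path
        }
    }
}

# 2. Which shell-extension handler lists reference it?
#    (Illustrative subset of parent classes and handler kinds.)
$parents = '*', 'AllFilesystemObjects', 'Directory', 'Folder', 'Drive'
$kinds   = 'ContextMenuHandlers', 'DragDropHandlers', 'PropertySheetHandlers', 'CopyHookHandlers'
foreach ($root in $classRoots) {
    foreach ($parent in $parents) {
        foreach ($kind in $kinds) {
            $list = "$root\$parent\shellex\$kind"
            if (-not (Test-Path -LiteralPath $list)) { continue }
            # A handler is named either by its CLSID or by a label whose
            # default value is the CLSID; match both forms.
            Get-ChildItem -LiteralPath $list |
                Where-Object { $_.PSChildName -eq $clsid -or $_.GetValue('') -eq $clsid } |
                ForEach-Object {
                    [pscustomobject]@{ Check = $kind; Key = $_.Name; Detail = $_.GetValue('') }
                }
        }
    }
}
```

No output means the CLSID is not registered in the locations checked, which is the expected result once the object has been un-registered.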
This topic is now archived and is closed to further replies.