Computer Hope Process Log Tool

Computer Hope hijackthis log overview (created Fri, Jul 02, 8:32:56 PM MST):
Unique found: 62 - Unknown: 7 - Total: 69
Processes / services not required: 53 (that are not hardware / security: 25) - Potential threats: 11
OS: Windows XP SP3 (winnt 5.01.2600) - Directory: \windows\
>> Skip to cleaning steps

Path	Process	Description
	No Firewall	We could not detect a firewall process running on this computer. If no firewall is running on the computer we strongly suggest enabling the Windows Firewall if not already enabled or installing another firewall. Note: The Windows XP firewall only filters inbound Internet traffic by default.
	No Antivirus	We did not detect any antivirus on this computer. We suggest installing a free Antivirus and/or one of the programs listed in document CH000514.
$o4 - hkcu\..\run: [ocaqalo] rundll32.exe "h:\windows\nfgpeas.dll",startup >>>$	nfgpeas.dll	Although unknown nfgpeas.dll is suspicious since many legitimate unknown files do not run from the windows path. Click here to open Google search for this file.
$o4 - hklm\..\run: [sfiqudafugaho] rundll32.exe "h:\windows\utasizebazobifuy.dll",startup >>>$	utasizebazobifuy.dll	Although unknown utasizebazobifuy.dll is suspicious since many legitimate unknown files do not run from the windows path. Click here to open Google search for this file.
$h:\docume~1\shawnk~1\locals~1\temp\esentutl64.exe >>>$	esentutl64.exe	Although unknown esentutl64.exe is suspicious since many legitimate unknown files do not run from the temp path. Click here to open Google search for this file.
$h:\docume~1\shawnk~1\locals~1\temp\wscsvc32.exe$	wscsvc32.exe	Known Malware file.
$o18 - protocol: bwfile-8876480 - {9462a756-7b47-47bc-8c80-c34b9b80b32b} - h:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll$	gaplugprotocol-88764...	Backweb utility included with some Logitech hardware and included with some OEM computers. Some have declared this as spyware since the utility can monitor the computer keyboard and mouse to determine when it's appropriate to check for software updates and sends information about your system to a third-party server. Although we've classified this as hardware it's been reported that it can be removed with no issues and should be removed if you're concerned about your privacy DLL file.
$o18 - protocol: bwfile-8876480 - {9462a756-7b47-47bc-8c80-c34b9b80b32b} - h:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll$	hijackthis	Detected potential protocol hijack (protocol: bwfile-8876480 - {9462a756-7b47-47bc-8c80-c34b9b80b32b} - h:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll). Unless you recognize or want this change we suggest it be fixed.
	Missing	o2 - bho: (no name) - {5c255c8a-e604-49b4-9d64-90988571cecb} - (no file) Although not a threat to the computer it may cause errors.
	MSIE	You're running Microsoft Internet Explorer version 6, which is notoriously insecure. It's highly recommend you upgrade or consider not using it and trying an alternative browser.
	MSIE	Your Microsoft Internet Explorer version "6" is not ie v8.00 or later, which can be a security risk while on the Internet. Additional information about updating your Windows computer can be found on document CH000545.
$h:\windows\system32\svchost.exe$	svchost.exe	Microsoft Service Host Process that should be located in the C:\Windows\System32 directory.
$h:\windows\explorer.exe$	explorer.exe	Microsoft Windows Explorer file.
$h:\windows\system32\rundll32.exe$	rundll32.exe	Microsoft Windows process that handles handling.dll files that should be located in the C:\Windows\System32 directory.
$h:\windows\system32\winlogon.exe$	winlogon.exe	Microsoft Windows Logon Process that should be located in the C:\Windows\System32 directory or C:\Windows directory.
$h:\windows\system32\smss.exe$	smss.exe	Microsoft Windows Session Manager Subsystem process that should be located in the C:\Windows\System32 directory.
$h:\windows\system32\lsass.exe$	lsass.exe	Microsoft Windows security authority process that should be located in the C:\Windows\System32 directory.
$h:\windows\system32\spoolsv.exe$	spoolsv.exe	Microsoft Windows Spooler SubSystem App that should be located in the C:\Windows\System32 directory.
$h:\windows\system32\services.exe$	services.exe	Microsoft Windows Service Controller that should be located in the C:\Windows\System32 directory.
	gp.cab	Adobe GetPlus CAB file.
$o4 - hklm\..\run: [nwiz] nwiz.exe /install$	nwiz.exe	NVidia nView Wizard video card process that should be in the C:\program files directory or C:\Windows\System32 directory. If you do not have an Nvidia video card this is likely malware.
$h:\windows\system32\nvsvc32.exe >>> o23 - service: nvidia display driver service (nvsvc) - nvidia corporation - h:\windows\system32\nvsvc32.exe$	nvsvc32.exe	NVIDIA video driver process that should be in the C:\Windows\System32 directory.
$h:\program files\itunes\ituneshelper.exe >>> o4 - hklm\..\run: [ituneshelper] "h:\program files\itunes\ituneshelper.exe"$	ituneshelper.exe	Apple iTunes helper file.
$h:\program files\ipod\bin\ipodservice.exe >>> o23 - service: ipod service - apple inc. - h:\program files\ipod\bin\ipodservice.exe$	ipodservice.exe	Apple iTunes iPod service monitor file.
$h:\program files\bonjour\mdnsresponder.exe >>> o23 - service: bonjour service - apple inc. - h:\program files\bonjour\mdnsresponder.exe$	mdnsresponder.exe	Apple Bonjour for Windows file.
$h:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe >>> o23 - service: apple mobile device - apple inc. - h:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe$	applemobiledeviceser...	Apple iTunes Mobile Device file.
$h:\program files\adobe\acrobat 6.0\distillr\acrotray.exe >>> o4 - global startup: acrobat assistant.lnk = h:\program files\adobe\acrobat 6.0\distillr\acrotray.exe$	acrotray.exe	Adobe Acrobat Systray file.
$h:\program files\trend micro\hijackthis\hijackthis.exe$	hijackthis.exe	HijackThis program file.
$o4 - hklm\..\run: [nerofiltercheck] h:\windows\system32\nerocheck.exe$	nerocheck.exe	Ahead Nero nerocd2k.sys driver check.
$h:\program files\symantec\liveupdate\aluschedulersvc.exe >>> o23 - service: automatic liveupdate scheduler - symantec corporation - h:\program files\symantec\liveupdate\aluschedulersvc.exe$	aluschedulersvc.exe	Symantec Norton LiveUpdate file.
$h:\windows\system32\wuauclt.exe$	wuauclt.exe	Microsoft Windows update process that should be located in the C:\Windows\System32 directory.
$o9 - extra button: messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - h:\program files\messenger\msmsgs.exe >>> o9 - extra 'tools' menuitem: windows messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - h:\program files\messenger\msmsgs.exe$	msmsgs.exe	Microsoft MSN Messenger file.
$h:\program files\windows live\messenger\msnmsgr.exe >>> o4 - hkcu\..\run: [msnmsgr] "h:\program files\windows live\messenger\msnmsgr.exe" /background$	msnmsgr.exe	Microsoft MSN Messenger file.
$h:\windows\rthdcpl.exe >>> o4 - hklm\..\run: [rthdcpl] rthdcpl.exe$	rthdcpl.exe	Realtek HD audio driver file.
$h:\program files\java\jre6\bin\jqs.exe >>> o23 - service: java quick starter (javaquickstarterservice) - sun microsystems, inc. - h:\program files\java\jre6\bin\jqs.exe$	jqs.exe	Sun Microsystems Java platform file.
$h:\program files\logitech\setpoint\khalmnpr.exe$	khalmnpr.exe	Logitech Bluetooth mouse file.
$h:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe >>> o4 - global startup: logitech desktop messenger.lnk = h:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe$	logitechdesktopmesse...	Logitech Desktop Messenger file.
$o8 - extra context menu item: e&xport to microsoft excel - res://h:\program files\micros~2\office10\excel.exe/3000$	excel.exe	Microsoft Excel file.
$o9 - extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - h:\windows\network diagnostic\xpnetdiag.exe >>> o9 - extra 'tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - h:\windows\network diagnostic\xpnetdiag.exe$	xpnetdiag.exe	Microsoft Windows XP network diagnostics tool file.
$o4 - hklm\..\run: [alcmtr] alcmtr.exe$	alcmtr.exe	Realtek AC97 sound card audio monitor file.
$o2 - bho: acroiehlprobj class - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\adobe\acrobat 6.0\acrobat\activex\acroiehelper.dll$	acroiehelper.dll	Adobe Acrobat Internet Explorer helper DLL file.
$o2 - bho: java(tm) plug-in 2 ssv helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll$	jp2ssv.dll	Sun Java browser plugin DLL file.
$o20 - winlogon notify: !saswinlogon - h:\program files\superantispyware\saswinlo.dll$	saswinlo.dll	SUPERAntiSpyware DLL file.
$h:\program files\citrix\gotomypc\g2comm.exe$	g2comm.exe	Citrix GoToMyPC file.
$h:\program files\citrix\gotomypc\g2pre.exe$	g2pre.exe	Citrix GoToMyPC file.
$h:\program files\citrix\gotomypc\g2svc.exe >>> o23 - service: gotomypc - citrix online, a division of citrix systems, inc. - h:\program files\citrix\gotomypc\g2svc.exe$	g2svc.exe	Citrix GoToMyPC host file.
$h:\program files\citrix\gotomypc\g2tray.exe$	g2tray.exe	Citrix GoToMyPC systray file.
$o2 - bho: windows live sign-in helper - {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\common files\microsoft shared\windows live\windowslivelogin.dll$	windowslivelogin.dll	Microsoft Windows Live Messenger login DLL file.
$o2 - bho: jqsiestartdetectorimpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll$	jqs_plugin.dll	Sun Java quickstarter file.
$o23 - service: liveupdate - symantec corporation - h:\program files\symantec\liveup~1\lucoms~1.exe$	lucoms~1.exe	Symantec Liveupdate process that should be located in the C:\program files\symantec directory. If in a Windows directory could be the w32.beagle trojan.
$o4 - global startup: microsoft office.lnk = h:\program files\microsoft office\office10\osa.exe$	osa.exe	Microsoft Office startup assistant file.
$o2 - bho: acroietoolbarhelper class - {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll >>> o3 - toolbar: adobe pdf - {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll$	acroiefavclient.dll	Adobe Acrobat Internet Explorer client DLL file.
$o16 - dpf: {0cca191d-13a6-4e29-b746-314dee697d83} (facebook photo uploader 5 control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/facebookphotouploader5.cab$	facebookphotouploade...	Facebook Photo uploader CAB file.
	myspaceuploader1006....	MySpace uploader CAB file.
$o4 - hklm\..\run: [nvcpldaemon] rundll32.exe h:\windows\system32\nvcpl.dll,nvstartup$	nvcpl.dll	NVidia video card control panel DLL file.
	facebookphotouploade...	Facebook.com photo uploader CAB file.
$o4 - hklm\..\run: [nvmediacenter] rundll32.exe h:\windows\system32\nvmctray.dll,nvtaskbarinit$	nvmctray.dll	Nvidia video card display driver DLL file.
$h:\program files\telus\telus support centre\bin\mccitrayapp.exe >>> h:\program files\telus\telus wireless connection manager\mccitrayapp.exe >>> o4 - hklm\..\run: [telus_mccitrayapp] h:\program files\telus\telus support centre\bin\mccitrayapp.exe >>> o4 - hklm\..\run: [teluswcc_mccitrayapp] h:\program files\telus\telus wireless connection manager\mccitrayapp.exe$	mccitrayapp.exe	Bell South Internet Motive connection diagnostic systray file.
$o9 - extra 'tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - h:\windows\network diagnostic\xpnetdiag.exe$	xpsp3res.dll	Microsoft Windows XP service pack 3 (SP3) network diagnostics DLL file.
	messengerstatspaclie...	MSN Messenger status client CAB file.
$h:\program files\scansoft\omnipagese2.0\opwarese2.exe >>> o4 - hklm\..\run: [opwarese2] "h:\program files\scansoft\omnipagese2.0\opwarese2.exe"$	opwarese2.exe	OmniPage SE OCR application file.
$h:\program files\common files\motive\mccicmservice.exe >>> o23 - service: mccicmservice - motive communications, inc. - h:\program files\common files\motive\mccicmservice.exe$	mccicmservice.exe	Motive.com Communications McciCMService.
$h:\program files\microsoft\search enhancement pack\seaport\seaport.exe$	seaport.exe	Microsoft search enchancement pack file.
$o2 - bho: windows live toolbar helper - {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - h:\program files\windows live\toolbar\wltcore.dll >>> o3 - toolbar: &windows live toolbar - {21fa44ef-376d-4d53-9b0f-8a89d3229068} - h:\program files\windows live\toolbar\wltcore.dll$	wltcore.dll	Windows Live toolbar Browser Helper Object (BHO) DLL file.
$h:\windows\system32\spool\drivers\w32x86\3\ekij5000mui.exe >>> o4 - hklm\..\run: [ekij5000statusmonitor] h:\windows\system32\spool\drivers\w32x86\3\ekij5000mui.exe$	ekij5000mui.exe	Kodak printer driver file.
$h:\program files\kodak\printer\center\kodaksvc.exe >>> o23 - service: kodak aio device service (kodaksvc) - eastman kodak company - h:\program files\kodak\printer\center\kodaksvc.exe$	kodaksvc.exe	Kodak printer file.
$h:\program files\windows live\toolbar\wltuser.exe$	wltuser.exe	Windows Live toolbar file.
$o2 - bho: search helper - {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - h:\program files\microsoft\search enhancement pack\search helper\sepsearchhelperie.dll$	sepsearchhelperie.dl...	Windows Live Toolbar Search Enhancement DLL file.
$o16 - dpf: {8100d56a-5661-482c-bee8-afece305d968} (facebook photo uploader 5 control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/facebookphotouploader55.cab$	facebookphotouploade...	Facebook file uploader CAB file.
$h:\program files\java\jre6\bin\jusched.exe >>> o4 - hklm\..\run: [sunjavaupdatesched] "h:\program files\java\jre6\bin\jusched.exe"$	jusched.exe	Sun Microsystems Java Update scheduler file.
$o4 - hkcu\..\runonce: [flashplayerupdate] h:\windows\system32\macromed\flash\flashutil10c.exe$	flashutil10c.exe	Adobe Flash player helper file.
$h:\program files\logitech\setpoint\kem.exe >>> o4 - global startup: logitech setpoint.lnk = h:\program files\logitech\setpoint\kem.exe >>>$	kem.exe	Unknown - Click here to open Google search for this file.
$o4 - startup: 360share pro on startup.lnk = h:\program files\360share pro\gui\360share pro.exe >>>$	360share pro.exe	Unknown - Click here to open Google search for this file.
$h:\program files\telus\telus security advisor\tsa.exe >>> o4 - hklm\..\run: [tsa.exe] "h:\program files\telus\telus security advisor\tsa.exe" /autorun >>>$	tsa.exe	Unknown - Click here to open Google search for this file.
$h:\program files\sierra wireless inc\watcher\wahelper.exe >>> o4 - hklm\..\run: [watcherhelper] "h:\program files\sierra wireless inc\watcher\wahelper.exe" >>>$	wahelper.exe	Unknown - Click here to open Google search for this file.

Getting your system clean

Notice: This tool is currently being developed and is in the beta stage of testing, by following these steps you agree that you're doing this at your own risk.

Verify your IE settings:

Verify the below links correctly correspond to the web pages you want to be using. If these links are not recognizable it's possible your browser has been hijacked. To fix these settings check the corrisponding boxes in the R0-R4 section.

Your Internet Explorer internet settings,proxyoverride: *.local
Your Internet Explorer search assistant: http://search.live.com/sphome.aspx
Your Internet Explorer search page: http://search.live.com
Your Internet Explorer search bar: http://search.live.com/sphome.aspx

What to do in HijackThis

1. Open HijackThis.
2. Click Do a system scan only
3. Check the boxes that correspond to the below lines.

o2 - bho: (no name) - {5c255c8a-e604-49b4-9d64-90988571cecb} - (no file)
o4 - hklm\..\run: [sfiqudafugaho] rundll32.exe "h:\windows\utasizebazobifuy.dll",startup
o4 - hkcu\..\run: [ocaqalo] rundll32.exe "h:\windows\nfgpeas.dll",startup
o18 - protocol: bwfile-8876480 - {9462a756-7b47-47bc-8c80-c34b9b80b32b} - h:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll ***

*** This could be a valid entry for your Internet Service provider, School network, and/or an online scanner. If you recognize all of this line it's suggested that it not be fixed.

4. Once the above have been checked click the Fix checked button.
5. After fixed close HijackThis and reboot the computer.

We've also detected runonce lines that are often left over lines associated with programs that have been installed / uninstalled. If this is something you recognize as being uninstalled in the past or you reboot the computer and get a new hijackthis log and it's still present in the log we suggest fixing the lines mentioned below.

o4 - hkcu\..\runonce: [flashplayerupdate] h:\windows\system32\macromed\flash\flashutil10c.exe

Delete files

Delete the following files if found on the computer. If you're unable to delete the files because they're in use you'll need to boot the computer into Safe Mode.

h:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll **
h:\docume~1\shawnk~1\locals~1\temp\wscsvc32.exe ***
h:\docume~1\shawnk~1\locals~1\temp\esentutl64.exe * ***
h:\windows\utasizebazobifuy.dll *
h:\windows\nfgpeas.dll *

* This file could be a legitimate file. Make sure you're positive this is not a valid file by reading the suggestions in the above chart before deleting it. If you're not comfortable deleting the file just leave it alone.
** Files found in the program files directory can often be uninstalled through the Add/Remove programs in the Control Panel. Try locating this program in there before simply deleting this file.
*** It looks as if there are malicious files in a temporary directory. We also suggest running a Disk Cleanup and cleaning out all tempoary and temporary internet files.

Additional malware scans

Because potential threats were found in the HijackThis log we also suggest you reboot the computer after completing the above steps and install and run the free Malwarebytes' Anti-Malware utility on this computer. If this scanner is having issues cleaning your computer in Normal mode we suggest running it from Safe Mode.

Verify browser plugins up-to-date

Reboot the computer into Normal Windows mode make sure you're browser has all the latest plugins installed by viewing the each of the plugins installed on your computer through our System Information tool.

Install Antivirus

We highly recommend you install an antivirus program on your computer. We suggest installing a free antivirus and/or one of the programs listed in document CH000514. Once an antivirus has been installed we suggest running a full system scan on the computer.

Install Firewall protection

We could not detect a firewall process running on this computer. If no firewall is running on the computer we strongly suggest either enabling the Windows Firewall or installing another firewall.

Install WOT (Web Of Trust)

We could not detect WOT on your computer, this great free add-on to help warn you of potentially dangerous sites as you're browsing the web. Consider downloading and installing this application.

Suggested updates

Once your system has been cleaned we suggest you update Windows to have all latest updates. Additional information about updating your Windows computer can be found on document CH000545.

Re-check

If you've followed any of the above steps reboot the computer, let it boot as normal, re-run HijackThis, and generate a new log to be analyzed.

Over 33,103,713 processes and files have been examined

A big thanks to CBMatt and Evilfantasy for their malware specialist assistance and everyone else in the Computer Hope community who has contributed to the development and testing of this tool. An ongoing discussion about this tool is found here.

Back to Computer Hope