Computer Hope Process Log Tool
Computer Hope HijackThis log overview (created Fri, Jul 02, 8:32:56 PM MST): Unique found: 62 - Unknown: 7 - Total: 69
Processes / services not required: 53 (that are not hardware / security: 25) - Potential threats: 11
OS: Windows XP SP3 (winnt 5.01.2600) - Directory: \windows\
Process | Description
---|---
No Firewall | We could not detect a firewall process running on this computer. If no firewall is running on the computer we strongly suggest enabling the Windows Firewall if not already enabled or installing another firewall. Note: The Windows XP firewall only filters inbound Internet traffic by default.
No Antivirus | We did not detect any antivirus on this computer. We suggest installing a free antivirus and/or one of the programs listed in document CH000514.
nfgpeas.dll | Although unknown, nfgpeas.dll is suspicious because legitimate unknown files rarely run from the Windows directory.
utasizebazobifuy.dll | Although unknown, utasizebazobifuy.dll is suspicious because legitimate unknown files rarely run from the Windows directory.
esentutl64.exe | Although unknown, esentutl64.exe is suspicious because legitimate unknown files rarely run from the temp directory.
wscsvc32.exe | Known malware file.
gaplugprotocol-88764... | Backweb utility DLL included with some Logitech hardware and with some OEM computers. Some have declared this as spyware since the utility can monitor the computer keyboard and mouse to determine when it's appropriate to check for software updates, and it sends information about your system to a third-party server. Although we've classified this as hardware, it's been reported that it can be removed with no issues and should be removed if you're concerned about your privacy.
hijackthis | Detected potential protocol hijack (protocol: bwfile-8876480 - {9462a756-7b47-47bc-8c80-c34b9b80b32b} - h:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll). Unless you recognize or want this change we suggest it be fixed.
Missing | o2 - bho: (no name) - {5c255c8a-e604-49b4-9d64-90988571cecb} - (no file). Although not a threat to the computer it may cause errors.
MSIE | You're running Microsoft Internet Explorer version 6, which is notoriously insecure. It's highly recommended that you upgrade, or consider not using it and trying an alternative browser.
MSIE | Your Microsoft Internet Explorer version "6" is not IE v8.00 or later, which can be a security risk while on the Internet. Additional information about updating your Windows computer can be found in document CH000545.
svchost.exe | Microsoft Service Host Process that should be located in the C:\Windows\System32 directory.
explorer.exe | Microsoft Windows Explorer file.
rundll32.exe | Microsoft Windows process that handles running .dll files and should be located in the C:\Windows\System32 directory.
winlogon.exe | Microsoft Windows Logon Process that should be located in the C:\Windows\System32 directory or C:\Windows directory.
smss.exe | Microsoft Windows Session Manager Subsystem process that should be located in the C:\Windows\System32 directory.
lsass.exe | Microsoft Windows security authority process that should be located in the C:\Windows\System32 directory.
spoolsv.exe | Microsoft Windows Spooler SubSystem App that should be located in the C:\Windows\System32 directory.
services.exe | Microsoft Windows Service Controller that should be located in the C:\Windows\System32 directory.
gp.cab | Adobe GetPlus CAB file.
nwiz.exe | NVidia nView Wizard video card process that should be in the C:\program files directory or C:\Windows\System32 directory. If you do not have an Nvidia video card this is likely malware.
nvsvc32.exe | NVIDIA video driver process that should be in the C:\Windows\System32 directory.
ituneshelper.exe | Apple iTunes helper file.
ipodservice.exe | Apple iTunes iPod service monitor file.
mdnsresponder.exe | Apple Bonjour for Windows file.
applemobiledeviceser... | Apple iTunes Mobile Device file.
acrotray.exe | Adobe Acrobat Systray file.
hijackthis.exe | HijackThis program file.
nerocheck.exe | Ahead Nero nerocd2k.sys driver check.
aluschedulersvc.exe | Symantec Norton LiveUpdate file.
wuauclt.exe | Microsoft Windows Update process that should be located in the C:\Windows\System32 directory.
msmsgs.exe | Microsoft MSN Messenger file.
msnmsgr.exe | Microsoft MSN Messenger file.
rthdcpl.exe | Realtek HD audio driver file.
jqs.exe | Sun Microsystems Java platform file.
khalmnpr.exe | Logitech Bluetooth mouse file.
logitechdesktopmesse... | Logitech Desktop Messenger file.
excel.exe | Microsoft Excel file.
xpnetdiag.exe | Microsoft Windows XP network diagnostics tool file.
alcmtr.exe | Realtek AC97 sound card audio monitor file.
acroiehelper.dll | Adobe Acrobat Internet Explorer helper DLL file.
jp2ssv.dll | Sun Java browser plugin DLL file.
saswinlo.dll | SUPERAntiSpyware DLL file.
g2comm.exe | Citrix GoToMyPC file.
g2pre.exe | Citrix GoToMyPC file.
g2svc.exe | Citrix GoToMyPC host file.
g2tray.exe | Citrix GoToMyPC systray file.
windowslivelogin.dll | Microsoft Windows Live Messenger login DLL file.
jqs_plugin.dll | Sun Java quickstarter file.
lucoms~1.exe | Symantec LiveUpdate process that should be located in the C:\program files\symantec directory. If found in a Windows directory it could be the W32.Beagle trojan.
osa.exe | Microsoft Office startup assistant file.
acroiefavclient.dll | Adobe Acrobat Internet Explorer client DLL file.
facebookphotouploade... | Facebook Photo uploader CAB file.
myspaceuploader1006.... | MySpace uploader CAB file.
nvcpl.dll | NVidia video card control panel DLL file.
facebookphotouploade... | Facebook.com photo uploader CAB file.
nvmctray.dll | Nvidia video card display driver DLL file.
mccitrayapp.exe | Bell South Internet Motive connection diagnostic systray file.
xpsp3res.dll | Microsoft Windows XP service pack 3 (SP3) network diagnostics DLL file.
messengerstatspaclie... | MSN Messenger status client CAB file.
opwarese2.exe | OmniPage SE OCR application file.
mccicmservice.exe | Motive.com Communications McciCMService.
seaport.exe | Microsoft search enhancement pack file.
wltcore.dll | Windows Live toolbar Browser Helper Object (BHO) DLL file.
ekij5000mui.exe | Kodak printer driver file.
kodaksvc.exe | Kodak printer file.
wltuser.exe | Windows Live toolbar file.
sepsearchhelperie.dl... | Windows Live Toolbar Search Enhancement DLL file.
facebookphotouploade... | Facebook file uploader CAB file.
jusched.exe | Sun Microsystems Java Update scheduler file.
flashutil10c.exe | Adobe Flash player helper file.
kem.exe | Unknown.
360share pro.exe | Unknown.
tsa.exe | Unknown.
wahelper.exe | Unknown.
Getting your system clean
Notice: This tool is currently being developed and is in the beta stage of testing; by following these steps you agree that you're doing this at your own risk.
Verify your IE settings:
Verify that the links below correctly correspond to the web pages you want to be using. If these links are not recognizable it's possible your browser has been hijacked. To fix these settings check the corresponding boxes in the R0-R4 section.
Your Internet Explorer internet settings, proxyoverride: *.local
Your Internet Explorer search assistant: http://search.live.com/sphome.aspx
Your Internet Explorer search page: http://search.live.com
Your Internet Explorer search bar: http://search.live.com/sphome.aspx
What to do in HijackThis
1. Open HijackThis.
2. Click Do a system scan only.
3. Check the boxes that correspond to the below lines.
- o2 - bho: (no name) - {5c255c8a-e604-49b4-9d64-90988571cecb} - (no file)
- o4 - hklm\..\run: [sfiqudafugaho] rundll32.exe "h:\windows\utasizebazobifuy.dll",startup
- o4 - hkcu\..\run: [ocaqalo] rundll32.exe "h:\windows\nfgpeas.dll",startup
- o18 - protocol: bwfile-8876480 - {9462a756-7b47-47bc-8c80-c34b9b80b32b} - h:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll ***
*** This could be a valid entry for your Internet Service provider, School network, and/or an online scanner. If you recognize all of this line it's suggested that it not be fixed.
4. Once the above have been checked click the Fix checked button.
5. After the fix, close HijackThis and reboot the computer.
We've also detected RunOnce lines, which are often leftover entries associated with programs that have been installed or uninstalled. If you recognize this as a program uninstalled in the past, or if you reboot the computer, generate a new HijackThis log and the entry is still present, we suggest fixing the lines mentioned below.
- o4 - hkcu\..\runonce: [flashplayerupdate] h:\windows\system32\macromed\flash\flashutil10c.exe
Delete files
Delete the following files if found on the computer. If you're unable to delete the files because they're in use you'll need to boot the computer into Safe Mode.
h:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll **
h:\docume~1\shawnk~1\locals~1\temp\wscsvc32.exe ***
h:\docume~1\shawnk~1\locals~1\temp\esentutl64.exe * ***
h:\windows\utasizebazobifuy.dll *
h:\windows\nfgpeas.dll *
* This file could be a legitimate file. Make sure you're positive this is not a valid file by reading the suggestions in the above chart before deleting it. If you're not comfortable deleting the file just leave it alone.
** Files found in the program files directory can often be uninstalled through the Add/Remove programs in the Control Panel. Try locating this program in there before simply deleting this file.
*** It looks as if there are malicious files in a temporary directory. We also suggest running Disk Cleanup and cleaning out all temporary files and temporary internet files.
Additional malware scans
Because potential threats were found in the HijackThis log we also suggest you reboot the computer after completing the above steps and install and run the free Malwarebytes' Anti-Malware utility on this computer. If this scanner is having issues cleaning your computer in Normal mode we suggest running it from Safe Mode.
Verify browser plugins up-to-date
Reboot the computer into Normal Windows mode and make sure your browser has all the latest plugins installed by viewing each of the plugins installed on your computer through our System Information tool.
Install Antivirus
We highly recommend you install an antivirus program on your computer. We suggest installing a free antivirus and/or one of the programs listed in document CH000514. Once an antivirus has been installed we suggest running a full system scan on the computer.
Install Firewall protection
We could not detect a firewall process running on this computer. If no firewall is running on the computer we strongly suggest either enabling the Windows Firewall or installing another firewall.
Install WOT (Web Of Trust)
We could not detect WOT on your computer. This free add-on helps warn you of potentially dangerous sites as you browse the web. Consider downloading and installing it.
Suggested updates
Once your system has been cleaned we suggest you update Windows so that it has all the latest updates. Additional information about updating your Windows computer can be found in document CH000545.
Re-check
If you've followed any of the above steps reboot the computer, let it boot as normal, re-run HijackThis, and generate a new log to be analyzed.
A big thanks to CBMatt and Evilfantasy for their malware specialist assistance and everyone else in the Computer Hope community who has contributed to the development and testing of this tool. An ongoing discussion about this tool is found here.