infection?

PC loads up slow in normal mode. I’m in safe mode right now.

Also, these processes were on start-up:

z4f2i7
fmnupd32
zquosys32

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:25 PM, on 6/14/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: C:\WINDOWS\System32\gsf83iujid.dll - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\System32\gsf83iujid.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: __c00A8DC6 - C:\WINDOWS\System32__c00A8DC6.dat (file missing)
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\System32\yhafd78auhd.dll (file missing)
O22 - SharedTaskScheduler: hs837hiudjgfo9s8gjio4gfd - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\System32\gsf83iujid.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


End of file - 2673 bytes

roadhawk1, Windows XP SP2 has been out for almost 5 years and SP3 for a year; it’s best you go to Windows Update in IE and update Windows:
http://www.microsoft.com/downloads/details.aspx?familyid=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a&displaylang=en

Hi roadhawk1,

The following is an analysis of your HJT logfile:

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) The version (6.00.2800.1106) is out of date. Check Windows Update to update Internet Explorer.

Check this at virustotal.com
O2 - BHO: C:\WINDOWS\System32\gsf83iujid.dll - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\System32\gsf83iujid.dll Malicious, so fix

O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\System32\yhafd78auhd.dll (file missing) Visitor’s assessment Analyzerdetails Unknown
Can be malicious, update to virustotal, part of dynamic link library

O22 - SharedTaskScheduler: hs837hiudjgfo9s8gjio4gfd - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\System32\gsf83iujid.dll  

O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe
This entry is not running from the System32 folder, so it is probably nasty. This service (RUNDLL32.exe) seems to be nasty.
This process is not running from the System32 folder as it is supposed to be.
Command: C:\WINDOWS\dll\rundll32.exe
Description: Added by the Backdoor.Ranky backdoor Trojan. This infection should not be confused with the legitimate C:\Windows\System32\rundll32.exe.
File Location: C:\WINDOWS\dll\rundll32.exe
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: Fix this entry if flagged at virustotal.com

polonus

The HJT log in safe mode isn’t very helpful unfortunately.

It shows that your OS is way out of date: XP SP1, when XP SP3 has been out over a year. This leaves you more vulnerable; it also limits the ability to update your browser, further weakening your security.

I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

Even with the limited safe mode log, your system has previously been infected.

Fix:
O20 - Winlogon Notify: __c00A8DC6 - C:\WINDOWS\System32__c00A8DC6.dat (file missing)
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\System32\yhafd78auhd.dll (file missing)

Suspect, check file names as below and fix:
O2 - BHO: C:\WINDOWS\System32\gsf83iujid.dll - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\System32\gsf83iujid.dll
O22 - SharedTaskScheduler: hs837hiudjgfo9s8gjio4gfd - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\System32\gsf83iujid.dll
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe

HJT ACTIONS
Suspect: Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT and Fix in HJT (see below)

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page. If multiple scanners find these infected send the samples to avast for analysis and inclusion in the virus database.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.
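The two mechanical checks the replies above apply to this log (an entry whose target is marked "(file missing)", and a core Windows binary name running from the wrong folder) can be scripted. This is an added example, not part of the thread or of HijackThis; the `triage` function and the `EXPECTED_DIR` table are assumptions made for illustration, and the sample lines are copied from the log posted above.

```python
import ntpath
import re

# Subset of the entries from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\System32\gsf83iujid.dll - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\System32\gsf83iujid.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O20 - Winlogon Notify: __c00A8DC6 - C:\WINDOWS\System32__c00A8DC6.dat (file missing)
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\System32\yhafd78auhd.dll (file missing)
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\DLL\RUNDLL32.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Assumption: where these core binaries live on a default 32-bit XP install.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {n: SYS32 for n in ("rundll32.exe", "svchost.exe", "lsass.exe",
                                   "services.exe", "winlogon.exe", "smss.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

ENTRY = re.compile(r"^(?P<cat>[RO]\d+) - (?P<body>.*)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|dat|ocx|htm)\b", re.I)


def triage(log_text):
    """Return (category, reason, path) for each entry matching either check."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        paths = WIN_PATH.findall(m["body"])
        if not paths:
            continue
        path = paths[-1]  # the file the entry points to is listed last
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if m["body"].rstrip().endswith("(file missing)"):
            findings.append((m["cat"], "file missing", path))
        elif name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
            findings.append((m["cat"], "system name, wrong folder", path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Neither check flags the gsf83iujid.dll entries; a randomly named DLL that exists on disk still needs the VirusTotal upload the replies describe.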

:) Hi:

Should NOT be “upgrading” your Operating System UNLESS you are reasonably sure your computer is malware-free. Your Log implies the ONLY security program you have is Avast, which is NOT enough in today’s world. IF at all possible, you should try downloading, then installing, then updating the FREE Version of BOTH “Malwarebytes’ Anti-Malware” from www.malwarebytes.org/mbam.php AND “SUPERAntiSpyware” from www.superantispyware.com. Hopefully, these 2 programs will remove WHAT is slowing down your computer.

NOTE: Posting a HijackThis log using the “Safe Mode” scan is of very little help.