DELDIR0.EXE



#1 Jopp


Posted 14 February 2005 - 06:07 AM

Hello, I am looking for expert advice. I am running XPSP2 on an HP, with McAfee Internet Suite6, Intermute Subtract, CWS, Lavasoft Adware, apparently clean. The HJT log below was taken after running an updated virus scan and the other antispyware programs.
I am a bit concerned by these two facts:
- Under R1 there appears the IP address “http://srch-sp3wis.com/”, which is not the address for the Google initial page I have selected.
- Under O4 there appears the program DELDIR0 (last char is zero). I have checked with McAfee, which confirms it is NOT a McAfee program. This contradicts some Google information found in SpywareInfo, assigning this same program to Network Affiliates.
I do not have special problems except for:

- Errors in explorer.exe when performing file searches. The screen clears to blue, then the explorer.exe error message appears, warning that explorer.exe will close, and the desk refreshes. No rebooting, everything continues OK.
- Windows Update problems: the page freezes at v5.microsoft.com, showing the text “Checking for your Windows version…”. Automatic updating performs OK.

I do not see other symptoms of a virus or spyware; however, I am suspicious of this DELDIR0.EXE program, and don't know what to do about it. Any help on the subject will be appreciated.

HJT LOG,
Logfile of HijackThis v1.99.0
Scan saved at 21:18:00, on 23/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\System32\cisvc.exe
c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\ARCHIV~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe
C:\Archivos de programa\Java\j2re1.4.2_06\bin\jusched.exe
C:\Archivos de programa\QuickTime\qttask.exe
c:\archiv~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\pctspk.exe
C:\ARCHIV~1\McAfee\SPAMKI~1\MskAgent.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
c:\archivos de programa\mcafee.com\agent\mcagent.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARCHIV~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Archivos de programa\Telefonica\KitAIM\AimMon.exe
C:\ARCHIV~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\archiv~1\mcafee.com\vso\mcvsftsn.exe
c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Propietario\Mis documentos\Docs_Joe\Informat\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-sp3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sp3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sp3.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Archivos de programa\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\archiv~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\ARCHIV~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\ARCHIV~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSKDetectorExe] C:\ARCHIV~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\ARCHIV~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFTray] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPFExe] C:\ARCHIV~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\ARCHIV~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\ARCHIV~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 8
O4 - HKLM\..\Run: [Camera Detector] C:\ARCHIV~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [Software Web Segura FNMT-RCM Recovery] C:\Archivos de programa\Entrust\Direct\etdirrcv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp center.lnk = C:\Archivos de programa\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Barra de privacidad - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Archivos de programa\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...74/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36E39D70-B498-4B2A-B617-DE93038472C1}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{36E39D70-B498-4B2A-B617-DE93038472C1}: NameServer = 80.58.61.250,80.58.61.254
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Fax - Unknown - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: McAfee Privacy Service - Network Associates, Inc. - C:\Archivos de programa\McAfee\McAfee Privacy Service\GUARDDOG.EXE
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: McAfee.com McShield - Unknown - c:\ARCHIV~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\ARCHIV~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\ARCHIV~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\ARCHIV~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\ARCHIV~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
--------
Thanks for your advice.
jopp



#2 Grinler


    Lawrence Abrams



Posted 15 February 2005 - 06:14 PM

Nothing here is bad, but some is not needed either. Let's see if this looks better to you after you fix it. You will have to change your page back to Google afterwards, though:

Fix these in HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-sp3.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sp3.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sp3.hpwis.com/
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: hp center.lnk = C:\Archivos de programa\hp center\137903\Program\BackWeb-137903.exe


Reboot and let us know
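
The R1 and O4 line formats from the log in this thread, parsed into fields, as an added example that is not part of either post. The function names and the three review reasons are assumptions made for this example: they are triage heuristics for deciding which autostart entries to read first, not HijackThis output and not a verdict on any entry.

```python
import re
# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-sp3.hpwis.com/
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\DELDIR0.EXE" "C:\Archivos de programa\McAfee\McAfee Shared Components\Guardian\"
O4 - Global Startup: hp center.lnk = C:\Archivos de programa\hp center\137903\Program\BackWeb-137903.exe
"""

R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
O4_LNK = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|bat|cmd|scr))(?=\s|$)', re.I)

def target_of(command):
    """Return the program path from a Run command line, quoted or not."""
    m = TARGET.match(command)
    return (m.group(1) or m.group(2)) if m else command.split()[0]

def reasons_for(key, target):
    """Reasons to look closer at an autostart entry; these are not verdicts."""
    checks = [
        (key.lower().startswith("runonce"), "one-shot RunOnce entry"),
        (re.search(r"\\te?mp\\", target, re.I), "runs from a Temp directory"),
        ("\\" not in target, "no directory, resolved via search path"),
    ]
    return [why for hit, why in checks if hit]

def parse(log_text):
    """Parse R0-R3 and O4 lines into dicts; other sections are skipped."""
    out = []
    for line in map(str.strip, log_text.splitlines()):
        if m := R_LINE.match(line):
            sec, where, name, value, why = m[1], m[2], m[4], m[5], []
        elif m := O4_REG.match(line):
            value = target_of(m[4])
            sec, where, name, why = "O4", m[1] + " " + m[2], m[3], reasons_for(m[2], value)
        elif m := O4_LNK.match(line):
            sec, where, name, value, why = "O4", m[1], m[2], m[3], reasons_for(m[1], m[3])
        else:
            continue
        out.append({"section": sec, "where": where, "name": name, "value": value, "reasons": why})
    return out

def review_list(log_text):  # entry name -> reasons, for entries with any reason
    return {e["name"]: e["reasons"] for e in parse(log_text) if e["reasons"]}

print(review_list(SAMPLE_LOG))
```

On the excerpt, the DELDIR0.EXE line is the only one that is both a RunOnce value and a program path under a Temp directory.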



