I've been hijacked!

Welcome to Majorgeeks!

You have a Wareout infection!

Look in Add/Remove programs for UnSpyPC and uninstall if found.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

• Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
• Click Next, then Install.
• Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
• The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
• Your system may take longer than usual to load; this is normal.
• When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:

R3 - URLSearchHook: (no name) - {BC86EBA6-A9B9-F637-F834-DB90202DDC47} - mozilla-text.dll (file missing)
O4 - HKCU\..\Run: [killall] MSTCPDLL.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{080E84DF-154E-4CF6-A7DE-104DE586AB27}: NameServer = 85.255.116.37,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C95559F-868B-4B4B-BCC0-E2FD7D06E944}: NameServer = 85.255.116.37,85.255.112.184
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6E06F45-2817-4455-8048-34F70E2D5408}: NameServer = 85.255.116.37,85.255.112.184
O17 - HKLM\System\CS1\Services\Tcpip\..\{080E84DF-154E-4CF6-A7DE-104DE586AB27}: NameServer = 85.255.116.37,85.255.112.184
O17 - HKLM\System\CS2\Services\Tcpip\..\{080E84DF-154E-4CF6-A7DE-104DE586AB27}: NameServer = 85.255.116.37,85.255.112.184

After clicking Fix Checked, close HijackThis, and click OK to proceed.

At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:

C:\c002.chm
C:\WINDOWS\Help\SPAlert.chm
C:\WINDOWS\rdt.ini
C:\WINDOWS\system32\MSTCPDLL.exe
C:\Program Files\UnSpyPC <--- delete the whole folder if found

Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

There could be additional cleanup to do from Wareout and it the log will let us know.

Also attach a new HijackThis log.

 

You passwords are probably okay, but if you want to feel more secure then change them.

We have one more file to delete. Locate below file and delete it:
C:\WINDOWS\System32\CSYNF.EXE


Now I'm also suspicious of the below line in your HJT log.
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel

Do you know what this file is for?

 

No sites provide positive identification on what the file really is. I think they all just removed it because it seems suspicious. Just like I find it suspicious. But that does not always mean something is bad.

Does anything at the following sites ring a bell:
http://80.161.249.153/EOL-Universal-Printer-Driver/docs/Tech.-Info
http://www.amtsoft.com/universalprint/

Please put the vdrdpup.dll file into a zip file and upload it here as an attachment. Also goto the below site and have it do a filescan on the vdrdpup.dll file and report the findings.

http://virusscan.jotti.org/


Also, how is your PC currently running?

 

You did not attach anything but don't worry about it. It seems my intuition on it being related to those links was correct and it is not a problem.

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:


How to Protect yourself from malware!

The above link also discusses firewalls!

 

You're welcome. Surf Safely!