
This is the new 8th wonder of the world..please help!!




  #11  
Old 7th Sep 2007, 20:19
Member Group
 

so what would u suggest now?
  #12  
Old 7th Sep 2007, 20:19
Moderator Group
 

Open HijackThis and select "Do a system scan only"
Place a check mark next to these entries.
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com

Close all windows including this one and click "Fix checked"

==========================================

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting. You may want to print out these instructions as you will not be able to see this page in safe mode. Or copy these instructions to notepad and save it to your desktop so you can open and read it in safe mode.

Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.
If you are having trouble starting the computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.

WARNING Running this option on a non infected computer will remove the desktop background. So only run it once!

Please post a fresh HijackThis log in your next reply.

Also let me know how things are now.




  #13  
Old 7th Sep 2007, 20:51
Moderator Group
 

Everything going OK?

  #14  
Old 7th Sep 2007, 21:22
Member Group
 

Yeah, everything's fine, I just read it really carefully over and over so I wouldn't mess anything up lol, that's what was taking so long. That message isn't popping up anymore! Here's that rapport file thing you wanted me to post, is everything fine now? Or is there more?

SmitFraudFix v2.221
Scan done at 22:35:37.05, 07/09/2007
Run from C:\Documents and Settings\Dave\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{903902a8-0691-460e-8351-24df3d425e9c}"="apdu"
[HKEY_CLASSES_ROOT\CLSID\{903902a8-0691-460e-8351-24df3d425e9c}\InProcServer32]
@="C:\WINDOWS\System32\gkymhk.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{903902a8-0691-460e-8351-24df3d425e9c}\InProcServer32]
@="C:\WINDOWS\System32\gkymhk.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
C:\WINDOWS\System32\gkymhk.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\System32\gkymhk.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
C:\DOCUME~1\Dave\STARTM~1\VirusProtectPro 3.7.lnk Deleted
C:\DOCUME~1\Dave\STARTM~1\Programs\VirusProtectPro 3.7 Deleted
C:\DOCUME~1\Dave\Desktop\VirusProtectPro 3.7.lnk Deleted
C:\DOCUME~1\Dave\FAVORI~1\Online Security Test.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
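
Added example, not part of the thread and not SmitfraudFix's own code: the before/after comparison a helper makes by eye when reading a rapport.txt like the one above, written as a small Python parser. The function names and the trimmed sample are constructed for illustration, and it assumes the banner and registry-export line shapes seen in this log.

```python
import re

# Constructed sample: key lines of the rapport.txt above, forum-inserted spaces removed.
SAMPLE = r"""»»»» SharedTaskScheduler Before SmitFraudFix
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{903902a8-0691-460e-8351-24df3d425e9c}"="apdu"
[HKEY_CLASSES_ROOT\CLSID\{903902a8-0691-460e-8351-24df3d425e9c}\InProcServer32]
@="C:\WINDOWS\System32\gkymhk.dll"
»»»» Generic Renos Fix
C:\WINDOWS\System32\gkymhk.dll -> Deleted
»»»» SharedTaskScheduler After SmitFraudFix
"""
GUID = r"\{[0-9a-fA-F-]{36}\}"
SECTION = re.compile(r"^»+\s*(.+)$")                      # section banner
STS_VALUE = re.compile(rf'^"({GUID})"="(.*)"$')           # "{clsid}"="name"
CLSID_KEY = re.compile(rf"\\CLSID\\({GUID})\\InProcServer32\]$", re.I)
DEFAULT = re.compile(r'^@="(.*)"$')                       # (Default) value = DLL path
DELETED = re.compile(r"^(.+?)\s+(?:->\s+)?Deleted$")      # "<path> [->] Deleted"

def split_sections(text):
    """Group log lines under the banner title that precedes them."""
    sections, name = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            name = m.group(1)
        elif name and line:
            sections.setdefault(name, []).append(line)
    return sections

def sts_entries(lines):
    """Map each SharedTaskScheduler CLSID to its value name and InProcServer32 DLL."""
    entries, current = {}, None
    for line in lines:
        if m := STS_VALUE.match(line):
            entries.setdefault(m.group(1).lower(), {})["name"] = m.group(2)
        elif m := CLSID_KEY.search(line):
            current = m.group(1).lower()
        elif (m := DEFAULT.match(line)) and current:
            entries.setdefault(current, {})["dll"] = m.group(1)
    return entries

def review(text):
    """For each entry registered before the fix, report whether it survived."""
    s = split_sections(text)
    before, after = (sts_entries(s.get(f"SharedTaskScheduler {w} SmitFraudFix", []))
                     for w in ("Before", "After"))
    deleted = {m.group(1).lower() for ls in s.values() for l in ls if (m := DELETED.match(l))}
    return [dict(e, clsid=c, still_registered=c in after,
                 dll_deleted=e.get("dll", "").lower() in deleted)
            for c, e in before.items()]
```

A row with `still_registered` true, or with `dll_deleted` false, is the case that needs another pass before the machine is called clean.
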
  #15  
Old 7th Sep 2007, 21:49
Moderator Group
 

Almost there. These steps are VERY important.

Go into add/remove programs and uninstall jre1.6.0_01
Then go to C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe and delete that file.
Next go to www.java.com and install the latest version of java. 1.6.0.2
Outdated java is an entry point for malware.


Next:
Please download ATF Cleaner by Atribune. ATF Cleaner.exe This program does not require an installation. The executable actually runs the program.

NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.


Next:
Go to www.windowsupdate.microsoft.com and get the latest updates.
You have SP1 and SP2 has been out for a while. This is leaving you very vulnerable to malware.

Last please post a fresh HijackThis log so we can be sure nothing is left over.

  #16  
Old 7th Sep 2007, 22:54
Member Group
 

When I try to uninstall that jre thing, it's not there..? And when I try to go to programs, java, and then pull the folder from there and delete it..it won't let me..it says access denied
  #17  
Old 7th Sep 2007, 22:59
Moderator Group
 

Are you using the admin. account?

For the C:\ file try this. Unlocker.
It will remove locked files.

  #18  
Old 8th Sep 2007, 08:25
Member Group
 

Sorry about yesterday, I was so tired, I had to go to bed, but anyway...
I tried to do that, but it won't let me delete ONE program in that jre folder, it's called jusched or something? Is it necessary for me to delete that in order for my comp to work properly? Or how do I delete it?
  #19  
Old 8th Sep 2007, 08:46
Moderator Group
 

No problem I had run out of steam last night also.

Jusched is part of the Java control panel. It supposedly checks for updates for Java but is totally unnecessary. Java does not update very often. Just try to update to the newest version of Java and we will remove that with the next HijackThis log.

  #20  
Old 8th Sep 2007, 08:53
Member Group
 

Okay, it worked..I deleted that file, I downloaded the newest version of Java, and cleaned everything, but when I go to do the Microsoft update, this is what it says to me (keep in mind it's a loan laptop from a friend until I pay him for a real computer):

This copy of Windows did not pass genuine validation.

The product key found on this computer is a Volume License Key (VLK) that has been blocked.
The product key is a unique identifier assigned by Microsoft only to genuine Windows software. If this key is missing or incorrect, it may indicate the presence of counterfeit software and your computer may be at risk.
The Windows product key installed on this computer is a Volume License Key (VLK) that has been blocked. A VLK is typically licensed to organizations that want to use multiple copies of Windows. However, if a VLK is reported as stolen or leaked, it is blocked from passing validation and is not considered genuine.
You or your organization may be a victim of software counterfeiting if:
  • You received a computer with a VLK, but you do not have a Volume License Agreement with Microsoft, or
  • Your organization purchased a VLK from a 3rd party but does not have a Volume License Agreement with Microsoft.
If you do have a Volume License Agreement with Microsoft, you believe you are using the appropriate VLK assigned to your organization, and your VLK has not been reported as stolen or lost, contact your system administrator, Large Account Reseller (LAR), or Enterprise Software Advisor (ESA) to report the problem.

View details Understanding common validation failure scenarios

Steps You Can Take


Copyright ©2006 - 2009 Computer Juice.
