comp keeps timing out.

1. Gmail addresses cannot be used to Register. There was reference to this
in the error message you got when your Registration failed.

2. Once you've successfully Registered using another email address*, start
here: http://aumha.net/viewtopic.php?t=4075

After taking care of all requested Preliminaries in the above thread, please
begin a new thread in Malware Removal forum
(http://aumha.net/viewforum.php?f=30).

=============
* You will have to use a link in the received confirmation email to complete
Registration. Make certain that messages FROM aumha RemoveThis @aumha.org are NOT being
filtered from your inbox by any anti-spam measures.
--
~Robear Dyer (PA Bear)
AumHa Forums Admin, Moderator & VSOP
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com


square/circle wrote:
<snip>
> Have just come from AumHa site where I proceeded to fill out the
> registration form for access, but, it wont accept my email address?
> It says:: "The email address you entered is not allowed to be used", why
> is this..... any ideas? Is it because it is a gmail address?

MEB wrote:

....snip...
> Franc's got this modem stuff, just a little addition to what he
> posted, and I did look at your stuff...
>
> Pa Bear is here, ask him for some links to the HJT forums {while he's
> awake} in the discussion
> - <ping> PCR

I see he has arrived & is communicating with S/C. A footprint study
shows his cave is somewhere in Antarctica. An expedition must be formed
to seal it before he gets back in!


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp.DeleteThis@netzero.net

PCR wrote:
> MEB wrote:
>
> ...snip...
>> Franc's got this modem stuff, just a little addition to what he
>> posted, and I did look at your stuff...
>>
>> Pa Bear is here, ask him for some links to the HJT forums {while he's
>> awake} in the discussion
>> - <ping> PCR
>
> I see he has arrived & is communicating with S/C. A footprint study
> shows his cave is somewhere in Antarctica. An expedition must be formed
> to seal it before he gets back in!

Yes... but it is not all good news. I went to aumHa and found it
didnt accept my gmail address, buuut, I have a bigger problem there::
I read a sort of Intro page and it is so strict that it seems I dont
even fit the criteria to the extent that they will simply remove my
post. One of the rules is that a machine 'must' be fully patched and
updated, unfortunately mine isnt, and hence they would not only ignore
my post, but would remove it forthwith.
So, I am now at 'Tom Coyotes' site and reading to see if they will let
me post a HJT log. I had a look at a lot of O/P's posts while I was
there, and their hjt logs were huge, whereas mine only has minimal
information.

If I recall, during my early days of finding this n/g and lurking, there
was someone offering a cd with all the updates for 98, and only
charges for the price of the cd and postage.... is he/she still around
and doing that?

S/C

ps,, anyone seen Franc?

square/circle wrote:
> PCR wrote:
>> MEB wrote:
>>
>> ...snip...
>>> Franc's got this modem stuff, just a little addition to what he
>>> posted, and I did look at your stuff...
>>>
>>> Pa Bear is here, ask him for some links to the HJT forums {while
>>> he's awake} in the discussion
>>> - <ping> PCR
>>
>> I see he has arrived & is communicating with S/C. A footprint study
>> shows his cave is somewhere in Antarctica. An expedition must be
>> formed to seal it before he gets back in!
>
> Yes... but it is not all good news. I went to aumHa and found it
> didnt accept my gmail address, buuut, I have a bigger problem there::
> I read a sort of Intro page and it is so strict that it seems I dont
> even fit the criteria to the extent that they will simply remove my
> post. One of the rules is that a machine 'must' be fully patched and
> updated, unfortunately mine isnt, and hence they would not only ignore
> my post, but would remove it forthwith.
> So, I am now at 'Tom Coyotes' site and reading to see if they will let
> me post a HJT log. I had a look at a lot of O/P's posts while I was
> there, and their hjt logs were huge, whereas mine only has minimal
> information.

If it's small, go ahead & post it here. If you've been
downloading/installing a bunch of stuff lately, someone may spot
something in your HJT report that might bear investigation-- especially
something installed or updated about the time the problem began. I
remember back when I had Internet connectivity problems like yours, it
turned out to be a McAfee scan engine that went bad. I had to revert to
an earlier version of it or turn off the auto-system scan. My modem log
was saying something like "Remote modem hung up". I see yours is saying
worse, but Zabcar had you turn on error messages.

I still say you should go through SpyBot's settings & temporarily turn
off stuff that might apply to connectivity. Get avast!'s settings right
at that "Update (connections)" screen too.

> If I recall, during my early days of finding this n/g and lurking,
> there was someone offering a cd with all the updates for 98, and
> only
> charges for the price of the cd and postage.... is he/she still
> around and doing that?

That was Terhune. He became ornery & left, but was very helpful for a
long while. I don't see it anymore at his site. You can still get them
from Windows Update...
http://v4.windowsupdate.microsoft.com/en/default.asp

> S/C
>
> ps,, anyone seen Franc?

I doubt he's been puzzled by your modem log; he must just be busy.

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp DeleteThis @netzero.net

square/circle wrote:
>> and hence they would not only ignore
>> >> my post, but would remove it forthwith.
>> >> So, I am now at 'Tom Coyotes' site and reading to see if they
>> >> will let me post a HJT log. I had a look at a lot of O/P's posts
>> >> while I was there, and their hjt logs were huge, whereas mine
>> >> only has minimal information.
>> > If it's small, go ahead & post it here.
>>
>> You have no idea how happy you have just made me; not sure
>> whether I should do as attachment or place it within this post,
>> I'll go with
>> gut feeling after finished answering here.

OK.

>> If you've been
>> > downloading/installing a bunch of stuff lately, someone may spot
>> > something in your HJT report that might bear investigation--
>> > especially something installed or updated about the time the
>> > problem began.
>>
>>
>> I don't see it anymore at his site. You can still get them
>> > from Windows Update...
>> > http://v4.windowsupdate.microsoft.com/en/default.asp
>>
>> Excellent, I will scarper over there next. (am a little confused
>> though, I thought they werent available)

They are still there. The site will offer the ones that apply to your
OS, i.e., you go with a Win98 for those.

>> >> S/C
>> >>
>> >> ps,, anyone seen Franc?
>> >
>> > I doubt he's been puzzled by your modem log; he must just be busy.
>>
>> Yes, that is why I havent bugged him;; is a pain though, because I
>> have been booted off twice more since I posted to Franc; in fact, got
>> booted after 40 minutes tonight, and had to reconnect just to come in
>> here.(costs money too, price of a ph call, optus are loving it)
>>
>> S/C
>>
>> ps, I chose 'attach', and it can be opened in notepad or the-gun etc.
>> pps, Will go do what you said with SpyBot too.

OK. IE6 has deemed it safe to go ahead & open it, itself, & include it
at the bottom of your post...

>> Logfile of HijackThis v1.99.1
>> Scan saved at 9:54:14 PM, on 9/1/09
>> Platform: Windows 98 SE (Win9x 4.10.2222A)
>> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>>
>> Running processes:
>> C:\WINDOWS\SYSTEM\KERNEL32.DLL
>> C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>> C:\WINDOWS\SYSTEM\MPREXE.EXE
>> C:\WINDOWS\SYSTEM\mmtask.tsk

Those all look normal.

>> C:\WINDOWS\SYSTEM\MSTASK.EXE

That is the Task Scheduler. I've prevented mine from starting
automatically. Do you have something in there you really use? Anything
in there look strange? To prevent it from starting at boot, you may need
first to uninstall the auto-Windows Update check. That's useless now,
anyhow, once you get fully updated especially.

>> C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
>> C:\WINDOWS\EXPLORER.EXE
>> C:\WINDOWS\TASKMON.EXE
>> C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>> C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
>> C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE

I doubt it's avast! causing your connectivity problem, because it
predates the problem. Even your program update to the v.4.8.1351 --
which I have yet to do but I swear I will -- postdates your problem.
Still -- really -- you should reconsider the settings change I suggested
in that other thread. If you've never activated IE, maybe make a better
choice at that "Update (connections)" screen.

>> C:\WINDOWS\SYSTEM\USBMONIT.EXE

I don't have that. A Google search says it has to do with checking
whether a Sandisk flashdrive has been plugged in. Unless the problem
started about when you installed or updated this, I guess it isn't
responsible. I see nothing on the first few Google pages about a problem
with it.

>> C:\WINDOWS\RUNDLL32.EXE
>> C:\WINDOWS\SYSTEM\WMIEXE.EXE
>> C:\WINDOWS\RUNDLL32.EXE
>> C:\WINDOWS\SYSTEM\RPCSS.EXE
>> C:\WINDOWS\SYSTEM\SPOOL32.EXE
>> C:\WINDOWS\SYSTEM\TAPISRV.EXE

Those are all normal to have. RPCSS.EXE sets up a port to the NET, which
I have used Kerio to block. Definitely, incoming packets attempt to
communicate with it...

Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
1027 owned by 'Distributed COM Services' on your computer.

Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
port 1027 owned by 'Distributed COM Services' on your computer

Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
port 1027 owned by 'Distributed COM Services' on your computer

....But I can't say I've ever had connectivity problem due to it when I
allowed it to connect. I decided from something glee wrote that I
shouldn't disable RPCSS.EXE altogether. It came installed on the
machine; it's an MS app. I've detected no problem from disallowing it to
communicate with the NET. Here was the thread on that...
http://ms-os.com/windows-98/83225-who-are-24-64-9-177-and-24-64-8-158-etc-2.html
Zabkar had something to say about it.

>> C:\WINDOWS\NOTEPAD.EXE
>> C:\WINDOWS\NOTEPAD.EXE
>> C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

I use IE6. I'm sure you've looked through all of FF's menus for anything
that may apply.

>> C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
>> C:\WINDOWS\SYSTEM\RNAAPP.EXE

RNAAPP.EXE also sets up a port which I have used Kerio to block in both
directions. I can't quite recall whether it me who did it or it was an
imported expert's rule.

>> C:\WINDOWS\NOTEPAD.EXE
>> C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE

Is that part of FireFox?

>> E:\UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE
>>
>> O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} -
>> E:\UTILIT~1\STARDL~1\STARDO~1\SDIEINT.DLL

Is that a Browser Helper Object you have consciously installed? Maybe
turn it off temporarily to see whether the problem goes away.

>> O2 - BHO: AcroIEHlprObj Class -
>> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
>> E:\UTILITIES\ADOBE\READER\ACTIVEX\ACROIEHELPER.OCX

Same with this one. Try temporarily shutting it down to see whether
connectivity improves.

>> O3 - Toolbar:
>> &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
>> C:\WINDOWS\SYSTEM\MSDXM.OCX

I've got that one too in my own HJT report. That's a Windows Media
Player 2 ActiveX Control & I believe it allows WMP to integrate into IE.

>> O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>> O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>> O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
>> powrprof.dll,LoadCurrentPwrScheme

Those are normal Windows apps & have nothing to do with the NET. Taskmon
I believe is maintaining C:\WINDOWS\APPLOG for use during Defrag when
optimizing. After a Defrag with optimization, OPTLOG.TXT has a list of
everything that has run at least twice-- could be worth a look in there
or at least at the names of the files in APPLOG for anything strange!

>> O4 - HKLM\..\Run: [avast! Web Scanner]
>> C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
>> O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe

Those are part of avast!.

>> O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

I don't use TweakUI. Have you used it for anything NET related?

>> O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
>> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

Going by Google,...
http://www.google.com/search?q=nwiz.exe&btnG=Search&hl=en&sa=2
....that is a part of an NVidia graphics driver generating about 314,000
Google hits. It may have to do with multiple monitors. Best look into
it...
http://winhlp.com/node/188
Something not nice about nwiz.exe.

>> O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe
>> NvMCTray.dll,NvTaskbarInit

That probably starts one of your BHOs.

>> O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
>> powrprof.dll,LoadCurrentPwrScheme
>> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>> O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil
>> Software\Avast4\ashServ.exe

Those are all normal.

>> O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
>> Office\Office\OSA9.EXE

http://www.google.com/search?hl=en&q=OSA9.EXE&btnG=Search&aq=f&oq=&aqi=
Google has about 90,600 for OSA9.EXE. I don't have Office, only MSWorks.

>> O8 - Extra context menu item: Download with Star Downloader -
>> E:\UTILITIES\STARDLOAD\STAR DOWNLOADER\sdie.htm
>> O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
>> O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =
>> 85.255.115.4,85.255.112.14
>> O20 - Winlogon Notify: !SASWinLogon - E:\SUPAANTI\SASWINLO.DLL

Best Google those 4 to see whether there were any reported problems. I
don't have any of them & must hit the sack again soon.


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp RemoveThis @netzero.net

PCR wrote:
> square/circle wrote:
>>> and hence they would not only ignore
>>>>> my post, but would remove it forthwith.
>>>>> So, I am now at 'Tom Coyotes' site and reading to see if they
>>>>> will let me post a HJT log. I had a look at a lot of O/P's posts
>>>>> while I was there, and their hjt logs were huge, whereas mine
>>>>> only has minimal information.
>>>> If it's small, go ahead & post it here.
>>> You have no idea how happy you have just made me; not sure
>>> whether I should do as attachment or place it within this post,
>>> I'll go with
>>> gut feeling after finished answering here.
>
> OK.
>
>>> If you've been
>>>> downloading/installing a bunch of stuff lately, someone may spot
>>>> something in your HJT report that might bear investigation--
>>>> especially something installed or updated about the time the
>>>> problem began.
>>>
>>> I don't see it anymore at his site. You can still get them
>>>> from Windows Update...
>>>> http://v4.windowsupdate.microsoft.com/en/default.asp
>>> Excellent, I will scarper over there next. (am a little confused
>>> though, I thought they werent available)
>
> They are still there. The site will offer the ones that apply to your
> OS, i.e., you go with a Win98 for those.
>
>>>>> S/C
>>>>>
>>>>> ps,, anyone seen Franc?
>>>> I doubt he's been puzzled by your modem log; he must just be busy.
>>> Yes, that is why I havent bugged him;; is a pain though, because I
>>> have been booted off twice more since I posted to Franc; in fact, got
>>> booted after 40 minutes tonight, and had to reconnect just to come in
>>> here.(costs money too, price of a ph call, optus are loving it)
>>>
>>> S/C
>>>
>>> ps, I chose 'attach', and it can be opened in notepad or the-gun etc.
>>> pps, Will go do what you said with SpyBot too.
>
> OK. IE6 has deemed it safe to go ahead & open it, itself, & include it
> at the bottom of your post...
>
>>> Logfile of HijackThis v1.99.1
>>> Scan saved at 9:54:14 PM, on 9/1/09
>>> Platform: Windows 98 SE (Win9x 4.10.2222A)
>>> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>>>
>>> Running processes:
>>> C:\WINDOWS\SYSTEM\KERNEL32.DLL
>>> C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>>> C:\WINDOWS\SYSTEM\MPREXE.EXE
>>> C:\WINDOWS\SYSTEM\mmtask.tsk
>
> Those all look normal.
>
>>> C:\WINDOWS\SYSTEM\MSTASK.EXE
>
> That is the Task Scheduler. I've prevented mine from starting
> automatically. Do you have something in there you really use? Anything
> in there look strange? To prevent it from starting at boot, you may need
> first to uninstall the auto-Windows Update check. That's useless now,
> anyhow, once you get fully updated especially.
>
>>> C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
>>> C:\WINDOWS\EXPLORER.EXE
>>> C:\WINDOWS\TASKMON.EXE
>>> C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>>> C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
>>> C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
>
> I doubt it's avast! causing your connectivity problem, because it
> predates the problem. Even your program update to the v.4.8.1351 --
> which I have yet to do but I swear I will -- postdates your problem.
> Still -- really -- you should reconsider the settings change I suggested
> in that other thread. If you've never activated IE, maybe make a better
> choice at that "Update (connections)" screen.
>
>>> C:\WINDOWS\SYSTEM\USBMONIT.EXE
>
> I don't have that. A Google search says it has to do with checking
> whether a Sandisk flashdrive has been plugged in. Unless the problem
> started about when you installed or updated this, I guess it isn't
> responsible. I see nothing on the first few Google pages about a problem
> with it.
--------------

It was from a very old flash stick I had... is not important. I'll
un-tick it in MsConfig.

----------------
>
>>> C:\WINDOWS\RUNDLL32.EXE
>>> C:\WINDOWS\SYSTEM\WMIEXE.EXE
>>> C:\WINDOWS\RUNDLL32.EXE
>>> C:\WINDOWS\SYSTEM\RPCSS.EXE
>>> C:\WINDOWS\SYSTEM\SPOOL32.EXE
>>> C:\WINDOWS\SYSTEM\TAPISRV.EXE
>
> Those are all normal to have. RPCSS.EXE sets up a port to the NET, which
> I have used Kerio to block. Definitely, incoming packets attempt to
> communicate with it...
>
> Someone from 24.64.9.177, port 3222 wants to send UDP datagram to port
> 1027 owned by 'Distributed COM Services' on your computer.
>
> Someone from 24.64.8.158, port 32089 wants to send UDP datagram to
> port 1027 owned by 'Distributed COM Services' on your computer
>
> Someone from 24.64.85.35, port 34996 wants to send UDP datagram to
> port 1027 owned by 'Distributed COM Services' on your computer
>
> ...But I can't say I've ever had connectivity problem due to it when I
> allowed it to connect. I decided from something glee wrote that I
> shouldn't disable RPCSS.EXE altogether. It came installed on the
> machine; it's an MS app. I've detected no problem from disallowing it to
> communicate with the NET. Here was the thread on that...
------------

Ditto, mine came with instal too. been there for ages.

-----------
> http://ms-os.com/windows-98/83225-who-are-24-64-9-177-and-24-64-8-158-etc-2.html
> Zabkar had something to say about it.
>
>>> C:\WINDOWS\NOTEPAD.EXE
>>> C:\WINDOWS\NOTEPAD.EXE
>>> C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
>
> I use IE6. I'm sure you've looked through all of FF's menus for anything
> that may apply.
-----------

Yes, no problems there.

--------------
>
>>> C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
>>> C:\WINDOWS\SYSTEM\RNAAPP.EXE
>
> RNAAPP.EXE also sets up a port which I have used Kerio to block in both
> directions. I can't quite recall whether it me who did it or it was an
> imported expert's rule.
>
>>> C:\WINDOWS\NOTEPAD.EXE
>>> C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE
>
> Is that part of FireFox?
---------------

Yes, it is Mozillas newsreader and is the one I have used to post all
posts to this n/g

--------------
>
>>> E:\UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE
>>>
>>> O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} -
>>> E:\UTILIT~1\STARDL~1\STARDO~1\SDIEINT.DLL
>
> Is that a Browser Helper Object you have consciously installed? Maybe
> turn it off temporarily to see whether the problem goes away.
-------------------

It is part of my DownLoad Manager,,, 'StarDownloader', all is fine.

----------------
>
>>> O2 - BHO: AcroIEHlprObj Class -
>>> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
>>> E:\UTILITIES\ADOBE\READER\ACTIVEX\ACROIEHELPER.OCX
>
> Same with this one. Try temporarily shutting it down to see whether
> connectivity improves.
------------

Been there since day dot... is not a prob PCR

-----------
>
>>> O3 - Toolbar:
>>> &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
>>> C:\WINDOWS\SYSTEM\MSDXM.OCX
>
> I've got that one too in my own HJT report. That's a Windows Media
> Player 2 ActiveX Control & I believe it allows WMP to integrate into IE.
-----------

I have never used IE once on this computer, dont even have a shortcut to
it.... outta site, outta mind.

---------

>>> O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
>>> O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>>> O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
>>> powrprof.dll,LoadCurrentPwrScheme
>
> Those are normal Windows apps & have nothing to do with the NET. Taskmon
> I believe is maintaining C:\WINDOWS\APPLOG for use during Defrag when
> optimizing. After a Defrag with optimization, OPTLOG.TXT has a list of
> everything that has run at least twice-- could be worth a look in there
> or at least at the names of the files in APPLOG for anything strange!
-----------------

Applog is fine... all the above are fine.

-----------------------
>
>>> O4 - HKLM\..\Run: [avast! Web Scanner]
>>> C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
>>> O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
>
> Those are part of avast!.
>
>>> O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
>
> I don't use TweakUI. Have you used it for anything NET related?
----------------

No, only thing I really wanted it for was to get rid of those annoying
short-cut arrows on the desktop..... also has been there since day dot.
Got it via 'Power Toys' around day dot.(day dot = 5 years ago)

=======================
>
>>> O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
>>> O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
>
> Going by Google,...
> http://www.google.com/search?q=nwiz.exe&btnG=Search&hl=en&sa=2
> ...that is a part of an NVidia graphics driver generating about 314,000
> Google hits. It may have to do with multiple monitors. Best look into
> it...
> http://winhlp.com/node/188
> Something not nice about nwiz.exe.
------

It too is fine..... day dot.

--------
>
>>> O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe
>>> NvMCTray.dll,NvTaskbarInit
>
> That probably starts one of your BHOs.
>
>>> O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
>>> powrprof.dll,LoadCurrentPwrScheme
>>> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>>> O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil
>>> Software\Avast4\ashServ.exe
>
> Those are all normal.

Yes,,, every thing above is normal and fine.

---------------
>
>>> O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
>>> Office\Office\OSA9.EXE
>
> http://www.google.com/search?hl=en&q=OSA9.EXE&btnG=Search&aq=f&oq=&aqi=
> Google has about 90,600 for OSA9.EXE. I don't have Office, only MSWorks.

----------

Normal and fine...... day dot.
-------------
>
>>> O8 - Extra context menu item: Download with Star Downloader -
>>> E:\UTILITIES\STARDLOAD\STAR DOWNLOADER\sdie.htm
>>> O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
>>> O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =
>>> 85.255.115.4,85.255.112.14
>>> O20 - Winlogon Notify: !SASWinLogon - E:\SUPAANTI\SASWINLO.DLL
>
> Best Google those 4 to see whether there were any reported problems. I
> don't have any of them & must hit the sack again soon.

08 and 012 are normal and fine.
20 is from SuperAnt anti malaware and I deleted it today as it doesnt
support 98 anymore.... ran Hijack after and its no longer there.

Now, for the bigeee.
Number 017 is and address in the Ukrane via some sort of
UkrTeleGroup. I used 'ARIN WHOIS database' and 'RIPE Database query
service' to get this info by putting in the ip address as per what you
see on my HJT log.
No kidding PCR, I spent all day on this today.. learned so much, and
enjoyed every minute.
While I was on my travels, I found an AntiVirus program that is rated
the best of the best. I even downloaded it (11.2MB), it only took about
20-25mins at an average of 5kb per second. The one I got was via a
link from Bleeping Computers, and the link was also attributed to the
above hjt 017.(it is highly recommended by many many trusted sources.)
The AntiV is supposed to cater for All versions of windows, so I wrote
to them there and then and asked 5 questions,,, will get back to you
when they reply. This is Great News PCR.

So, the bottom line with me is now one of sorta simplicity, (shiver
shiver) and relates to whether I have the Kahunas to go into the
registry and delete:: have been there many times, but never touched a
thing,,,,, I tip-toe in, and scarper back out.
1)the above info from HJT, and
2)the entries from the FraudLoader win32 (of which live in the MRU
section of one of the sections in the registry;; did you go view the
screen shots that Franc put on?)

Thats about it,,,, all I need now is either You or Meb or both to Fill
me with confidence and give me step-by-step on how to rid myself of
these Nasties. (although, with the HJT one, I suppose I could tell it to
fix it.... yes???) Speaking of which, I never realised there was a
newer version of HJT, so I d/loaded that too.

Many many thanks for your time PCR,, I will repay with the info I get
from the new AntiV ppl.
Will ask Meb to look at this post too.

S/C