dlh6213 27 Posting Maven Team Colleague

You appear to have some remnants of a prior infection (HotOffers?).

Run these free online scans, hopefully one of them will be able to finish it off:

TrendMicro -- http://housecall.trendmicro.com/

And Panda -- http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

Let us know the results.

dlh6213 27 Posting Maven Team Colleague

I noticed HotOffers in your log, so I thought I'd make a suggestion:

Get the Pocket Killbox from here (if you don't already have it -- I haven't read the entire thread):
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any of these files could not be deleted (most likely param32.dll), run Pocket Killbox and paste the full file path of the file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Reboot normally, delete any unwanted icons from your desktop, and empty your Recycle Bin.

Go to Windows Update and get the Critical Updates for your system ASAP.

Update your antivirus program and do a full system scan.

dlh6213 27 Posting Maven Team Colleague

Get EliteBarRemover from here:
http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/EliteBar%20Remover/EliteToolbarRemover.exe and run it.

Get rkfiles.zip from here:
http://skads.org/special/rkfiles.zip and unzip it to a permanent folder.

Reboot into Safe Mode.

Double-click rkfiles.bat
It will take a while to scan; wait for the DOS window to close, and then reboot back into normal mode.

Have all the files that rkfiles finds scanned here:
http://virusscan.jotti.org/

Post the contents of C:\log.txt in your next reply.

Scan with hijackthis and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
O4 - HKLM\..\Run: [LanGuard] "C:\WINDOWS\languard.exe"
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Be sure to close all windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\languard.exe
C:\WINDOWS\System32\uk_nm.exe
C:\WINDOWS\svcproc.exe

Close any open browser windows, scan with hijackthis, and post a new log (along with the rkfiles log -- C:\log.txt).

dlh6213 27 Posting Maven Team Colleague

Copy all the data you wish to keep, including your Favorites, Outlook (if you use it), etc. onto a CD (if you have a burner), a USB flash drive (again, if you have one), or, if nothing else, a floppy disk.

Note: If you don't have a CD burner or USB flash drive, you really should consider it as they aren't very expensive nowadays -- and very handy!

dlh6213 27 Posting Maven Team Colleague

Whew!
Boy am I relieved!

I was afraid that if you deleted DLHelper, I'd be TOAST! :eek:

Your log looks fine to me, are you still having any problems?

dlh6213 27 Posting Maven Team Colleague

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd %windir%
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
cd %windir%\system32
attrib -s -r -h DrPMon.dll
del DrPMon.dll
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Reboot into Safe Mode

Once in Safe Mode, double-click on remove.bat. A window should open and close very quickly -- this is normal.

Run Ewido, and do a full scan.

Scan with HijackThis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: cusojwqpeitd (wbcpqjhv5) - Unknown owner - C:\WINDOWS\System32\lszqkmgr5.exe (file missing)

Be sure all windows, other than HijackThis, are closed before hitting Fix checked.

Reboot into normal mode and post a new HijackThis log, as well as the log from the Ewido scan.
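
The HijackThis entries quoted in these posts follow a fixed `CODE - body` layout, so they can be triaged mechanically before deciding what to fix. The following is an added example, not part of the original posts and not HijackThis's own code: the function names and flag labels are assumptions made for illustration, and the sample lines are copied from entries quoted on this page.

```python
import re
from dataclasses import dataclass, field

# HijackThis section groups that appear in the logs on this page.
SECTION_MEANING = {
    "R": "Internet Explorer start/search page setting",
    "F": "program autoloaded from an .ini file entry",
    "O1": "Hosts file redirection",
    "O2": "Browser Helper Object",
    "O3": "Internet Explorer toolbar",
    "O4": "autostart entry (Run key or Startup folder)",
    "O9": "extra Internet Explorer button or Tools menu item",
    "O14": "IERESET.INF (Reset Web Settings) value",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O23": "Windows NT service",
}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# Drive-letter path ending in .exe or .dll; spaces inside the path are allowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"/:*?<>|\r\n]+?\.(?:exe|dll)\b', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str
    body: str
    meaning: str
    paths: list = field(default_factory=list)
    clsid: str = ""
    flags: list = field(default_factory=list)


def parse_line(line):
    """Parse one log line; return None if it is not a HijackThis entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    meaning = SECTION_MEANING.get(code) or SECTION_MEANING.get(code[0], "unknown section")
    entry = Entry(code, body, meaning, paths=PATH_RE.findall(body))
    clsid = CLSID_RE.search(body)
    entry.clsid = clsid.group(0) if clsid else ""

    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        entry.flags.append("orphaned")        # registry entry outlived its file
    if code == "O23" and "unknown owner" in low:
        entry.flags.append("unknown-owner")   # as reported by HijackThis
    if "res://" in low:
        entry.flags.append("res-url")         # browser setting points into a local DLL
    if code == "F2" and re.search(r"shell=explorer\.exe\s+\S", low):
        entry.flags.append("shell-appended")  # extra program started with the shell
    if code == "O1":
        entry.flags.append("hosts-redirect")
    return entry


def triage(log_text):
    """Return an Entry for every recognisable line in a pasted log."""
    return [e for e in map(parse_line, log_text.splitlines()) if e]


def referenced_files(entries):
    """Map each referenced file (lower-cased) to the section codes that name it."""
    out = {}
    for e in entries:
        for p in e.paths:
            out.setdefault(p.lower(), []).append(e.code)
    return out


# Sample lines copied from entries quoted in posts on this page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ujeoe.dll/sp.html#28129
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: cusojwqpeitd (wbcpqjhv5) - Unknown owner - C:\WINDOWS\System32\lszqkmgr5.exe (file missing)
this line is not a log entry
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:<4}{e.meaning:<48}{','.join(e.flags) or '-':<26}{e.paths}")
```

The `orphaned` flag marks entries whose registry data remains after the file is gone, which only need the HijackThis fix; entries with a path in `referenced_files` also have a file on disk to check.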

dlh6213 27 Posting Maven Team Colleague

Really glad you keep stuff like this in your archives -- I've been fighting this for 2 weeks now -- used everything -- even bought antispy from Mcafee (subsequently got a refund). Nothing worked. Did a search and found this forum. Removing these files in safe mode worked on my very old win98 machine. Thank you -- and keep up the good work.

Hi jstblair and welcome to DaniWeb :) Glad we could help!

Were you able to successfully delete param32.dll?

dlh6213 27 Posting Maven Team Colleague

I tried this and just got that the page is unavailable

Try the suggestion in post #41.

dlh6213 27 Posting Maven Team Colleague

So I put in an XP Pro CD and reboot... what's that??? And what is boot from CD??

Can you please give me step by step, and just say the installation doesn't go well, then can I just stick to 2000 or will that get deleted??

lol

Here's complete instructions courtesy of Catweazle :):
http://www.daniweb.com/techtalkforums/thread6632.html

dlh6213 27 Posting Maven Team Colleague

Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe

Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.

Get SilentRunners from here:
http://www.silentrunners.org/

Run it, and post the log that it generates along with a fresh hijackthis log (with all browser windows closed).

dlh6213 27 Posting Maven Team Colleague

Hi Prongs24, welcome to DaniWeb :)

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files:

guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete any found, and then do a search for param32.dll

Run Pocket Killbox and paste the full file path of param32.dll in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Go to Add/Remove Programs in your Control Panel and remove ADVANCED SEARCHBAR, if found.

Scan with hijackthis, and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} …

dlh6213 27 Posting Maven Team Colleague

You're quite welcome; glad we could help :)

dlh6213 27 Posting Maven Team Colleague

Hi Gandalftheking, welcome to DaniWeb :)

Try Winsockfix and see if it helps:
http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Also, have you checked your firewall settings to see if anything there could be blocking some sites?

dlh6213 27 Posting Maven Team Colleague

Hi Aurora1899, welcome to DaniWeb :)

So that we can see exactly what you have running on your system, I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.

dlh6213 27 Posting Maven Team Colleague

You still have HijackThis in a Temp folder (C:\DOCUME~1\PEROGA~1\LOKALE~1\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe); it should be in its own permanent folder so it, and the backups it will create, don't get accidentally deleted.

You may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:

CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it.

Please post a new log after you move HJT into a new folder.

dlh6213 27 Posting Maven Team Colleague

Hi Apurva, welcome to DaniWeb :)

You're using an older version of HijackThis; I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here. (The newer version may find things the older one didn't)

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs again and remove Viewpoint Manager

Scan with HJT and have it fix the following entries (if found):

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Go to C:\Program Files and delete the Viewpoint folder

I don't see anything else, are you still having problems?

dlh6213 27 Posting Maven Team Colleague

I tried that link and it wouldn't work; I think this is it:
www.kellys-korner-xp.com/regs_edits/desktoptab.reg

dlh6213 27 Posting Maven Team Colleague

Before fixing anything with HijackThis, you should put it in its own folder. To do this, right-click in an open area of your desktop, select New, Folder, and give the folder a name (like HJT or HijackThis). Then, drag the hijackthis.exe icon that is on your desktop into this new folder.

After you move it, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Before fixing anything with hijackthis, you need to move it out of the Temp folder it's in to its own permanent folder, like c:\HJT\hijackthis.exe

After you move it, please post a new log (with all browser windows closed when you scan).

dlh6213 27 Posting Maven Team Colleague

Ad-Aware SE and Spybot (http://www.download.com/) should both be able to fix that particular problem, did you update Spybot before running it? Did you try Ad-Aware?

Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe

Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.


Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Be sure all windows are closed, other than …

dlh6213 27 Posting Maven Team Colleague

Hey Paul, welcome to DaniWeb :)

In addition to what DMR suggested, due to the similarity in names, Smitfraud may be related to Joke.Smitfraudoid, which has ties to HotOffers, NEWGENLOOK, and Error Message 317, so I would recommend doing the following:

Boot into Safe Mode and do a search for these files:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete them, reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

If any of those files could not be deleted (most likely param32.dll):

Turn off System Restore

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed.

Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter the file path.

C:\WINDOWS\System32\param32.dll

Reboot afterwards if the file was successfully deleted.

If the file was not deleted, do not reboot yet. Run Pocket Killbox again, and again paste the full file path in the box, but this time click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click …

dlh6213 27 Posting Maven Team Colleague

Try downloading these other virus, adware, spy, and Trojan removal programs; they are also a great addition to all the others, but know that you can run them separately, but only run one virus program on your PC at a time and one popup blocker, as running two will conflict with others.
Mil Shield
Trojan Guarder Gold
WinSpy
XoftSpy
Bazooka
NoAds
Aluria Security
AVG Free edition
Tweak Now Reg Cleaner
If you can't find them (they can be found in most search engines), I will email the links in as a reply to your email.
Trac Eraser Pro I have a ton of others also because not one program can keep up with all the garbage that people do to harm others' PCs, so I am on a constant search to find the best current programs. I am a Pastor and for privacy reasons I keep my PC clean from all and any invaders. I have several tech friends that help me and together we use a program, Remote Administrator, to help each other rid and fix others' PCs free. So if you need help EMAILTO:BarhorstWm[edit].com My website is http://www.bofmissions.org
God bless all you fellas and Ladies if any, that are here to help people in their time of need!

Some of those programs listed are suspect themselves, before getting any spyware programs, this is a good place to start your research:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

dlh6213 27 Posting Maven Team Colleague

Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe

Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.

Before fixing anything with hijackthis, you need to move it out of the Temp folder it's in to a permanent folder of its own (like c:\HJT\hijackthis.exe).

After you've done that, close all browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove ISTsvc (if found).

Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe

Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.

Scan with hijackthis and have it fix the following entries:

O4 - HKLM\..\Run: [CTfvH] C:\WINDOWS\pcgbmf.exe
O4 - HKLM\..\Run: [n8behn55] C:\WINDOWS\System32\n8behn55.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Be sure to close all windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted file or folder:

C:\WINDOWS\pcgbmf.exe
C:\WINDOWS\System32\n8behn55.exe
C:\Program Files\ISTsvc

Reboot, close any open browser windows, scan with hijackthis, and post a new log please.

Do you use Viewpoint Manager?

dlh6213 27 Posting Maven Team Colleague

Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe

Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.

Scan with hijackthis and have it fix these entries (if found):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ujeoe.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ujeoe.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ujeoe.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ujeoe.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ujeoe.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ujeoe.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7C23478B-E64D-0153-181A-A208684B040F} - C:\WINDOWS\system32\apieb.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msym32.exe

Be sure to close all windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\system32\apieb.dll
C:\WINDOWS\gpl.dll
C:\WINDOWS\system32\msym32.exe

Reboot, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Scan with HJT and have it fix the following entries:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Remember to close all windows, other than HJT, before hitting Fix checked.

Help keep your system clean and protected with Ad-Aware SE, Spybot Search & Destroy, and SpywareBlaster (you can download them all -- for free -- from Download.com). Keep them all updated along with your antivirus and Windows Updates.

dlh6213 27 Posting Maven Team Colleague

Yes, it goes to the seller, who then uses it to cover his actual shipping costs and other 'handling' costs. Ebay has rules so shipping charges don't get too outrageous, but I don't know how well they're enforced -- or even if they are unless someone reports it.

dlh6213 27 Posting Maven Team Colleague

Try booting into Safe Mode first, then scan with HJT and have it fix:

O16 - DPF: {10000000-1000-0000-1000-000000000000} -
O16 - DPF: {11212111-2121-1311-1141-115611111222} -
O16 - DPF: {24311111-1111-1121-1111-111191113457} -

Be sure all windows, other than hijackthis, are closed before hitting 'Fix checked.'

Reboot normally, close any open browser windows, scan with HJT, and post a new log.

dlh6213 27 Posting Maven Team Colleague

Can you tell us where Norton is finding these files? It's possible they are in your System Restore folder.

You can also try this:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.gen.html

As for the redirect, scan with HJT and have it fix:
R3 - Default URLSearchHook is missing

If it still doesn't work, download Hoster from here:
http://www.funkytoad.com/download/hoster.zip

Run it, and when it opens, click on the Restore Original Hosts button and then exit Hoster and try it again.

dlh6213 27 Posting Maven Team Colleague

Hi Nightwing, welcome to DaniWeb :)

I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log and paste it here so we can see what you have running on your system.

dlh6213 27 Posting Maven Team Colleague

Hi Indy, welcome to DaniWeb

The first thing you need to do is go to Windows Update and get SP1a for both XP and IE.

Next, you need to move HijackThis out of the Temp folder it's in to a permanent folder of its own (like c:\HJT\hijackthis.exe).

After you've done that, close all browser windows, scan with hijackthis, and post a new log please.

Do you use Viewpoint Manager?

dlh6213 27 Posting Maven Team Colleague

Hi Gary, welcome to DaniWeb :)

The first thing you need to do is go to Windows Update and get SP1a for both XP and IE.

Next, you need to move HijackThis out of the Temp folder it's in to a permanent folder of its own (like c:\HJT\hijackthis.exe).

After you've done that, close all browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Glad I could help; the shop should have explained that to you the first time they took your $5.

dlh6213 27 Posting Maven Team Colleague

I've had very few problems buying or selling on ebay, and gotten some pretty good deals. Things to check before buying from anyone on ebay:
Positive Feedback -- don't buy if this is less than 98, and even then, see what the negative feedback was for
Feedback Score -- should be at least 100
Member since -- if they're new to ebay, it's too hard to know if they are reputable or not
Shipping charges -- if it's not stated clearly in the ad, ask first or don't buy! Many sellers sell at low prices, but make up for it with shipping and 'handling.'
Return policy -- make sure there is one and that the terms are acceptable to you

dlh6213 27 Posting Maven Team Colleague

I had a Dazzle 150 that I used with MovieStar5, but the unit stopped working. Since Dazzle was taken over by Pinnacle, they no longer support units that were shipped with MovieStar, even though the problem is with the hardware.

So I bought a new Dazzle 150 (that came with the Pinnacle software). But this new software uses way too much RAM for me (about 245MB and I only have 384MB), and the new unit won't work with MovieStar.

So now I'm looking for either alternatives to Dazzle -- a totally different capture device; some software that will work with Dazzle (without using up all my system resources); or suggestions on how I can get MovieStar to work with the new unit.

dlh6213 27 Posting Maven Team Colleague

Before you fix anything with HijackThis, you should move it from the Temp folder it's in to its own permanent folder (like c:\HJT\hijackthis.exe)

I believe LogonDll.dll is bad, but I don't think streamhlp.dll is; you can have them both checked here:
http://www.kaspersky.com/remoteviruschk.htm

dlh6213 27 Posting Maven Team Colleague

Your log looks clean to me now, glad we could help.

To help keep your computer clean and protected, you should get:
SpywareBlaster (http://www.download.com/SpywareBlaster/3000-8022_4-10372089.html?tag=lst-0-1)
Ad-Aware SE (http://www.download.com/Ad-Aware-SE...76.html?tag=pop)
Spybot Search and Destroy (http://www.download.com/Spybot-Sear...35.html?tag=pop)

Keep them all updated, along with your anti-virus program, and run them frequently (about once a week).

dlh6213 27 Posting Maven Team Colleague

I'd suggest running SFC and see if it helps:
http://support.microsoft.com/default.aspx?scid=kb;en-us;185836

dlh6213 27 Posting Maven Team Colleague

Hi derekbka, welcome to DaniWeb :)

I've split your post (from http://www.daniweb.com/techtalkforums/thread22827.html) into its own thread so you can get individual attention and so the recommended fixes don't get confused.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed.

Boot into Safe Mode and do a search for these files:

guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete any found, and then find param32.dll

Run Pocket Killbox and paste the full file path of param32.dll in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Before you fix anything with HijackThis, you need to move it from the Temp folder it is in to its own permanent folder (like c:\HJT\hijackthis.exe).

After you followed these steps, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed.

Boot into Safe Mode and do a search for these files:

guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete any found, and then find param32.dll

Run Pocket Killbox and paste the full file path of param32.dll in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Scan with hijackthis, and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3

dlh6213 27 Posting Maven Team Colleague

DMR --
In the beginning of this thread he said he didn't have access to any other computers, so I'm pretty sure he has only this one computer and no network.

Southernneonservice --
You should still answer all of DMR's questions to help determine a possible explanation/solution.

I recall asking you in a prior post how well you knew the person that installed XP on your computer; I don't recall the exact entries now, but something led me to suspect this person may attempt to do something like this because of certain programs on your computer that you didn't even know existed.

I still recommend a fresh installation of Windows 2000 (or purchase XP), and install it yourself!

dlh6213 27 Posting Maven Team Colleague

You need to go to Windows Update and get SP1a for XP and IE.

Get HSRemove from here:
http://www.majorgeeks.com/download4286.html

Print out the instructions for using it on that page, and then run it accordingly.

Then post a new hijackthis log here.

dlh6213 27 Posting Maven Team Colleague

Glad we could help :) Just a bit more to do now.

Scan with hijackthis and have it fix the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitemwb32.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com

Then go to C:\windows\system32 and delete elitemwb32.exe

As a precaution, get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe

Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in 'normal mode,' try Safe Mode.)

In addition to SpywareBlaster that Crunchie recommended earlier, you should get:
Ad-Aware SE (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=pop)
Spybot Search and Destroy (http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10289035.html?tag=pop)

Keep them all updated, along with your anti-virus program, and run them frequently (about once a week).

And finally, avoid adult-oriented sites and file-sharing (aka P2P) :)

dlh6213 27 Posting Maven Team Colleague

First of all, you should go to Windows Update and get SP1a for XP.

That error message is related to Joke.Smitfraudoid, which is related to HotOffers, NEWGENLOOK, and Error Message 317, so I would recommend doing the following:

Boot into Safe Mode and do a search for these files:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

Delete them, reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

If any of those files could not be deleted (most likely param32.dll):

Turn off System Restore

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed.

Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter the file path.

C:\WINDOWS\System32\param32.dll

Reboot afterwards if the file was successfully deleted.

If the file was not deleted, do not reboot yet. Run Pocket Killbox again, and again paste the full file path in the box, but this time click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot.

dlh6213 27 Posting Maven Team Colleague

Boot into Safe Mode

Run Pocket Killbox and paste the full path of this file in the box:

c:\misb22.exe

Click on Delete on Reboot. Next, click on the button with the red circle and an X in the middle. When you get the message saying File will be deleted on next reboot, Process and Reboot now?, click Yes to reboot (reboot normally).

Close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

First of all you should go to Windows Update and get all the Critical Updates for your system.

Then, get about:Buster from here:
http://www.majorgeeks.com/download4289.html

Unzip it to your desktop, run it, and:

Click Update, and then Check For Update, and Download Update; wait for the updates to be installed.

After the updates have been installed, click Start
(Wait for the initial ADS scan to complete.)

Click Yes to shutdown any IE session currently open when asked
(Wait for the about:blank scan to complete.)

Click OK to scan once more when prompted

Click Yes to shutdown any IE sessions currently open, and then Yes to begin the second pass

Click Save log

Click Exit, and then Exit again

Reboot

Scan with hijackthis and have it fix the following entries:

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSE5063.DLL
O2 - BHO: (no name) - {2BC465FE-CC23-4A25-987C-98C1F5EB60AB} - (no file)
O2 - BHO: (no name) - {9672BE2E-6A04-4A74-AD16-E3924EA731DC} - C:\PROGRAM FILES\0VO6DA3Z\0VO6DA3Z.dll
O2 - BHO: (no name) - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - (no file)
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe

Be sure all windows are closed, other than hijackthis, before hitting "Fix checked"

Go to the following locations and delete the highlighted file or folder:

C:\WINDOWS\SYSTEM\NSE5063.DLL
C:\PROGRAM FILES\0VO6DA3Z
C:\WINDOWS\SYSTEM\winupdt.exe
C:\WINDOWS\SYSTEM\exp.exe

Enable anything you have disabled …
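
The HijackThis entries listed in the post above can be triaged mechanically. This is an added example, not part of the original post: it parses those seven lines, separates "(no file)" registry leftovers from entries that still point at a file on disk, and derives the manual deletion list. The function names and the rule "delete the whole folder when it is named after the DLL" are assumptions made here to reproduce the post's list.

```python
import ntpath
import re

# The seven entries quoted in the post above (HijackThis log format).
HJT_LINES = r"""
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSE5063.DLL
O2 - BHO: (no name) - {2BC465FE-CC23-4A25-987C-98C1F5EB60AB} - (no file)
O2 - BHO: (no name) - {9672BE2E-6A04-4A74-AD16-E3924EA731DC} - C:\PROGRAM FILES\0VO6DA3Z\0VO6DA3Z.dll
O2 - BHO: (no name) - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - (no file)
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
""".strip().splitlines()

# R3/O2 lines carry a CLSID and a target; O4 lines carry a [value name] and a command.
CLSID_ENTRY = re.compile(r"^(R3|O2) - ([^:]+): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_ENTRY = re.compile(r"^(O4) - (.+?): \[([^\]]*)\] (.+)$")

def parse_line(line):
    """Return a dict for one HJT entry, or None if the line is not recognised."""
    m = CLSID_ENTRY.match(line)
    if m:
        code, kind, name, clsid, target = m.groups()
    else:
        m = RUN_ENTRY.match(line)
        if not m:
            return None
        (code, kind, name, target), clsid = m.groups(), None
    # "(no file)" means only a registry entry remains; nothing to delete on disk.
    return {"code": code, "kind": kind, "name": name, "clsid": clsid,
            "file": None if target == "(no file)" else target}

def removal_target(path):
    """Assumed heuristic: a DLL inside a folder of the same name -> remove the folder."""
    folder, fname = ntpath.split(path)
    if ntpath.basename(folder).lower() == ntpath.splitext(fname)[0].lower():
        return folder
    return path

def triage(lines):
    """Split entries into orphaned CLSIDs and paths to delete by hand."""
    entries = [e for e in map(parse_line, lines) if e]
    orphans = [e["clsid"] for e in entries if e["file"] is None]
    to_delete = [removal_target(e["file"]) for e in entries if e["file"]]
    return orphans, to_delete

if __name__ == "__main__":
    orphans, to_delete = triage(HJT_LINES)
    print("Registry-only leftovers:", *orphans, sep="\n  ")
    print("Delete by hand after the fix:", *to_delete, sep="\n  ")
```
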

dlh6213 27 Posting Maven Team Colleague

Newgenlook appears to be related to HotOffers and shares some of the same files.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed.

Make sure your system is set to show 'Hidden files and folders' and do a Search for param32.dll

Run Pocket Killbox and enter the full file path of the file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter the file path.
(Note: the full path will be something like C:\WINDOWS\System32\param32.dll, but may be in a different folder since you're using Win98)

Reboot afterwards if the file was successfully deleted.

If the file was not deleted, do not reboot yet. Run Pocket Killbox again, and again paste the full file path in the box, but this time click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot.

Do a search on your system for the following files and delete them (you may need to boot into Safe Mode to do so):

guninst.exe
popup_bl.dll

Reboot normally, delete any unwanted icons from your desktop, and empty your recycle bin.

dlh6213 27 Posting Maven Team Colleague

You're welcome :)

The log looks clean to me now; I'm marking this thread as solved.