New threat never seen before. Advice?

Discussion in 'Malware Help (A Specialist Will Reply)' started by rlathe, Jan 3, 2006.

  1. rlathe

    rlathe Private E-2

    Dear all, as a dedicated follower of MajorGeeks I have solved many problems; this is something I have never seen before, so if anyone can offer a solution, that would be appreciated.

    Summary. Classic problem with slow speed and seizing of the system. Ran exhaustive detection methods (summarized below) but nothing detected. Some key programs, such as Panda ActiveScan, will _not_ run. Below is a detailed summary; accumulated logfiles attached. Clearly many trivial malwares have been found and deleted, but the source of the problem seems to evade detection by these methods.
    Richard

    Virus removal log: 2 January 2006

    Primary problem: programs will not run, and stall the machine
    Example: Internet explorer
    Example: Mozilla – neither trendmicro nor Symantec antivirus scans would run – simply stalled
    Machine cannot be shut down – has to be manually turned off and rebooted

    Clean Attempt 1. Ran CCleaner, Adaware, Spybot, Hijack this; fixed all malware. Problem persisted.
    The only odd feature was detection of a file in Windows/recent named either ÓDk_6jS_._`_
    or
    ÒDk_6jS_._`_
    Depending on display (word or windows explorer)
    - that AVG said 'this file cannot be scanned'
    This file cannot be deleted, even in DOS
    Google does not report anything.

    Clean Attempt 2. Major Geeks
    Checked all malware programs using uninstall – none
    View hidden files – done
    Multiple anti-virus – left on AVG and ZoneAlarm
    Reboot into Safemode
    Ran in sequence (after unplugging web connection)
    Ccleaner
    Adaware – no detection
    Spybot – no detection
    Counterspy – detection (log appended); counterspy also detected running of C:windows/winlogon.exe and multiple prompts were required to remove it. Check directory and the file is no longer there.
    CWShredder – no detection
    Kill2Me – no detection

    Then: Bitdefender. A problem here as Internet Explorer would not run (although Mozilla would). But, checking through using TaskMan.exe (a commercial program not unlike hijackthis) when asked for further details of a program was linked through Internet Explorer and it now worked.
    Was able then to do a Bitdefender search (log appended).
    The same protocol could not be done with Panda ActiveScan – seized three times and was not pursued.
    Ran phase2 removal in safe mode
    That was:
    L2mfix
    About bus
    Kill2Me
    Vundofix
    No change in probs was seen
    Then move to phase three decontamination – “additional scans”, that was:
    Spysweeper - purchase, run and remove (log appended)
    No change in probs
    Ran Hijackthis, fixed a few minor entries identified as ‘possible’ by hijackthis.de, ran again (log appended)
    All problems persist
    Ran also BigFix – plugged a couple of problems, and a free tune-up program that only expressed surprise over the fact that pinging did not work – but using command ping works fine. ALL THE SUGGESTIONS ARE OF MALWARE, BUT THESE PROGRAMS CAN’T FIND IT.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach a complete HijackThis log.

    Are you saying Panda got hung up each time you ran it? Were you in safe mode?
     
  3. rlathe

    rlathe Private E-2

    Thanks
    1. With Win98SE it seems impossible to get an internet connection in safe mode, so I tried to run in ordinary mode. I have a broadband non-dialup connection.
    2. The HijackThis logfile is included in the short file I attached previously, which includes logfiles in order from:
    COUNTERSPY
    BITDEFENDER
    SPYSWEEPER
    HIJACKTHIS
     
  4. rlathe

    rlathe Private E-2

    To help the process, here's the Hijackthis logfile.
    One item that gives me cause for suspicion is C:\WINDOWS\SYSTEM\MSDXM.OCX


    Logfile of HijackThis v1.99.1
    Scan saved at 21:25:59, on 01/03/2006
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
    D:\DOWNLOADS\SCREENDSCLOCK\DSCLOCK.EXE
    C:\PROGRAM FILES\INTEL\INTEL PSNCU\CPUNUMBER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MOZILLA2004\MOZILLA.EXE
    D:\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
    O4 - HKLM\..\Run: [SunServer] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\sunserver.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
    O4 - HKLM\..\RunServices: [Desktop Locker] c:\Program Files\Desktop Locker\desklock.exe /SU:(hxl#6i^Q6QC5>nks0m<2l
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
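An added Python example, not from the thread and not part of HijackThis itself, that reads a log in the format posted above: it re-joins lines that a forum editor wrapped (the reason the inline logs were hard to read), then lists the O4 autostart entries and the O16 DPF controls the O16 question below refers to. The sample log is constructed from lines of the same shape as the one above.

```python
import re

# Constructed sample in the HijackThis 1.99.1 log format: a header, one
# process line and four entries. The O16 entry is deliberately wrapped onto
# a second line, as happens when a log is pasted inline on a forum.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\RunServices: [Desktop Locker] c:\Program Files\Desktop Locker\desklock.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

# An entry line starts with a section code such as R0, O4 or O16.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \(([^)]*)\) - (.*)$")


def unwrap(text):
    """Re-join entry lines a forum editor wrapped: a non-blank line without
    a section code that follows an entry line continues that entry."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not lines or not ENTRY_RE.match(lines[-1]):
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_entries(text):
    """Return (section code, detail) tuples for every entry in the log."""
    matches = (ENTRY_RE.match(line) for line in unwrap(text))
    return [(m.group(1), m.group(2)) for m in matches if m]


def autostart_entries(entries):
    """O4 entries as (run key, entry name, command line): what starts at boot."""
    found = [O4_RE.match(d) for c, d in entries if c == "O4"]
    return [(m.group(1), m.group(2), m.group(3)) for m in found if m]


def dpf_controls(entries):
    """O16 entries as (control name, download URL): ActiveX controls IE has
    fetched, which is where online scanners such as Panda show up."""
    found = [O16_RE.match(d) for c, d in entries if c == "O16"]
    return [(m.group(2), m.group(3)) for m in found if m]
```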
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was your complete HJT log? Seems unusually small.

    Did you delete all the bad stuff being detected by the scanners?

    Seems like many of these are old viruses. Do you have all the updates to your OS?

    Your problems with speed may not be malware. It could just be Windows 98, period. Over a period of time Windows 9x systems just get slower and slower and run into all kinds of problems, and the only real solution is to format. For example: I have seen many Win98 SE systems where just emptying a few files from the Recycle Bin can take several minutes and the PC almost seems hung during that time frame. There was no malware to be found. A format fixed the problems for a half year or so.

    Looks like you have paid for SpySweeper. I would uninstall CounterSpy then. Having both will slow you down.

    Do not post any logs in line like you just did.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This new log is a little different. It shows one O16 line for pcpitstop.

    How come no O16 lines are showing for the Panda and BitDefender scans?
     
  7. rlathe

    rlathe Private E-2

    May I respond to comments please?
    >That was your complete HJT log? Seems unusually small.
    Yes, I try to keep it like that - every time, I try to demand that programs only start on demand.

    >Did you delete all the bad stuff being detected by the scanners?
    Delete everything all the time

    >Seems like many of these are old viruses.
    Right, and I think trivial infections

    >Do you have all the updates to your OS?
    As far as I know, using the unofficial update site etc

    >Your problems with speed may not be malware. It could just be Windows 98, period. Over a period of time Windows 9x systems just get slower and slower and run into all kinds of problems, and the only real solution is to format. For example: I have seen many Win98 SE systems where just emptying a few files from the Recycle Bin can take several minutes and the PC almost seems hung during that time frame. There was no malware to be found. A format fixed the problems for a half year or so.
    Right also, previously had to scrub and reload windows. But in this instance the system was running (with careful maintenance) like the crack of a whip, for three years, the slowdown was dramatic and immediate.

    >Looks like you have paid for SpySweeper. I would uninstall CounterSpy then. Having both will slow you down.
    Too right, I just turn off extra antivirus programs routinely.

    >Do not post any logs in line like you just did.
    Sorry

    Still, your insights would be appreciated - I really don't believe this can be put down to a Win98 glitch and I am enormously puzzled. I could be wrong, let's hope I am, while we've deleted the lambs, mice and pixies, a wolf is still roaming, and that's new and worrying.
     
  8. rlathe

    rlathe Private E-2

    >This new log is a little different. It shows one O16 line for pcpitstop.
    >How come no O16 lines are showing for the Panda and BitDefender scans?

    Panda never ran. Bitdefender was removed via Hijackthis, I think.
    Pcpitstop will be removed also, a try-out.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If Panda even started at all, then it should show.

    It is best if you don't delete stuff on your own like that while working with us. Otherwise we are going to say things like "why didn't you run the online scanners as required". Those O16 lines are not causing you any problems. Now that you deleted them, you would have to redownload the associated tools all over again if the scans need to be run again. Not a big problem if on high speed internet, but for dial-up users it could be very time consuming.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When is the last time you checked?
    And if you recently installed any updates, did your problems begin after the update?

    Sobig is not to be taken lightly. See: http://www.liutilities.com/products/wintaskspro/processlibrary/winppr32/

    Neither is Trojan.Bagle.BK. Did you remove all of these infections in email?

    Did you delete:
    c:\windows\winppr32.exe
    c:\windows\system\extract.exe
    c:\windows\winlogon.exe

    Did you fix the infected registry entries?

    Yes and that is what I noticed too. It happened out of nowhere. As noted above, sometimes installing any new hardware or software (even Windows updates) could cause problems.

    It's an antispyware program, not an antivirus program. Are you referring to something else?

    "Turning off" does not stop the process from wasting resources. Uninstalling does.

    It still could be nothing related to malware. Hard to tell from where I sit.

    Have you run sfc to see if any system files are missing or corrupt?
    Have you run a disk cleanup and defrag lately?
    How much diskspace is free?

    Let's dig deeper.

    Download WinPFind
    • Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.
    • When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  11. rlathe

    rlathe Private E-2

    FURTHER UPDATE AND RESPONSES
    > As far as I know, using the unofficial update site etc
    >>When is the last time you checked?
    >>And if you recently installed any updates, did your problems begin after the update.
    Not done recently, not related to problems

    >>Sobig is not to be taken lightly. See: http://www.liutilities.com/products/...rary/winppr32/
    Should I pursue this, given that winppr32 files are no longer present?

    >>Neither is Trojan.Bagle.BK. Did you remove all of these infections in email?
    Deleted all the email infections

    >>Did you delete:
    >>c:\windows\winppr32.exe
    No longer on the system - must have been deleted by one of the programs I ran

    >>c:\windows\system\extract.exe
    I have three extract.exe files, one in C:\Windows,
    one in C:\Windows\Command, and one in C:\Windows\options\cabs
    Advice?

    >>c:\windows\winlogon.exe
    Also gone, was deleted by one of the programs

    >>Did you fix the infected registry entries?
    Not specifically (unless the programs I ran fixed them). Advice?

    >Quote: Originally Posted by rlathe
    >Too right, I just turn off extra antivirus programs routinely.
    >>It's an antispyware program, not an antivirus program. Are you referring to something else?
    Sorry I was referring to antispyware programs

    >>"Turning off" does not stop the process from wasting resources. Uninstalling does.
    What I have done is to uncheck run at startup using msconfig

    >>Have you run sfc to see any system files are missing or corrupt?
    Good idea. I ran this and it found one file corrupt that it asked me to reload from the
    Win98SE original disc, which I did. Ran again, no problems detected.

    >>Have you run a disk cleanup and defrag lately?
    Yes, I use VoptXP as the Win98 defrag program is poor.

    >>How much diskspace is free?
    3 GB free on C: - that is 53%

    >>Let's dig deeper.
    >> Download WinPFind
    I followed your instructions precisely. I am attaching the logfile
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please use the quote tag capability of the editor like I have below in previous messages. It makes it easier to follow who is writing what.

    When is the last time you checked for Windows Updates? You should always stay updated.

    I'm not sure how you copied and pasted the WinPFind log, but it has text wrapped around where it should not be, making it much harder to read. I'm trying to look at it but it is a pain. Please repost without all the wrap around. Right Click in the window and choose Select All. Then Right Click again and select Copy, which will copy the contents of the log to your clipboard. Then open a notepad window and paste in the log by pressing CTRL-V. Save it to a file and upload the text file here as an attachment.
     
  13. rlathe

    rlathe Private E-2

    Not sure this is the right way to do it, let's try

    Today - fully revised, no change in any of the problems encountered

    I have now done that exactly as you recommend. File attached.

    Meantime a further insight - none of the antivirus or antispyware programs will update when so instructed, they just stall.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the new Winpfind log.

    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Can you update now? If not, are you blocking anything with a firewall?
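The hosts-file check behind the Hoster step, as an added Python example that is not from the thread and not Hoster's own code: it parses a Windows hosts file, flags names sinkholed to loopback or 0.0.0.0 (the mechanism that makes update sites and online scanners appear to stall), and returns a cleaned copy. The sample file and its .example names are constructed.

```python
import ipaddress

# Constructed sample hosts file. The comment and the localhost line are what
# a stock Windows hosts file contains; the .example names stand in for the
# update and online-scan sites of security vendors and for a help forum.
SAMPLE_HOSTS = """
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.0.2.10      intranet.example       # legitimate local mapping
127.0.0.1       update.av-vendor.example
0.0.0.0         scan.av-vendor.example  www.help-forum.example
"""

LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (address, hostname) pairs; comments and blank lines are ignored,
    and a line listing several names yields one pair per name."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def suspicious_entries(pairs):
    """Flag names sinkholed to loopback or 0.0.0.0.

    A stock hosts file maps only localhost to 127.0.0.1. Any other name sent
    to loopback or to the unspecified address never leaves the machine, so a
    scanner or updater that contacts it just hangs with no error shown.
    """
    flagged = []
    for addr_text, name in pairs:
        if name in LEGIT_LOOPBACK_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            flagged.append((addr_text, name, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((addr_text, name, "sinkholed to " + addr_text))
    return flagged


def clean_hosts(text):
    """Return the file with every sinkholing line dropped; comments and
    legitimate mappings are kept, which is what a restore should preserve."""
    kept = [line for line in text.splitlines()
            if not suspicious_entries(parse_hosts(line))]
    return "\n".join(kept) + "\n"
```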
     
  15. rlathe

    rlathe Private E-2

    Sorry, I didn't forget, I tried twice - so trying again now!
    (Indeed, I checked earlier and the file was there!)

    I followed your guidance exactly, thanks

    Remarks. It is now not easy to tell whether updating is working - AVG has always been dicey on this, and yesterday I updated (manually) a couple of other programs that tell me 'you have the most recent version', so affording no test.
    I tried Panda on IE, it locked. Had to reboot. I tried Trendmicro - and there was a change - the narrow box on the left was now showing activity (a moving horizontal bar) that reflects improved communication, but then it stalled and I had to reboot.
    Coming back to MG on Mozilla, first time around it seized the system and I had to reboot. So, as yet problem unchanged.
    Your advice is deeply appreciated.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is an easy way to see if you can get updates:

    Uninstall Spybot
    Reboot and delete the C:\Program Files\Spybot - Search & Destroy folder
    Download SpyBot - Search & Destroy
    Install Spybot and see if it can update

    Also Ad-Aware just updated today. Are you able to get it automatically via the program?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! The WinPfind log does not show us anything.

    All I can suggest is to possibly uninstall unnecessary software (not disable with msconfig), reinstall your OS, and check for hardware problems (maybe starting with RAM).
     
  18. rlathe

    rlathe Private E-2

    A question remains - in the opinion of MajorGeeks, is this a threat that evades all our analyses?

    For the forum - key features:
    Abrupt slowing. Internet connection perturbed. Affects IE more than Mozilla.
    System stalls, signature being that open boxes cannot be closed even with
    CTRL+ALT+DEL. Manual reboot needed every time.
    Aspects of web connections perturbed - updates of antivirus programs stall.
    No malware detectable by any of dozens of programs.
    No untoward activity detected.
    We need a name. Suggest "Virus Q"
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe it is the "Windows 98 system needs to be reinstalled because it has been used for too long" virus.

    I have seen all of what you are complaining about on other malware free systems. Reinstall and it works fine for some unknown period of time.

    Is your SpySweeper version a subscription version? Does it still detect anything?
     
