
Spybot slows to crawl at coolwwwsearch [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by trw, 2005/06/23.

Thread Status:
Not open for further replies.
  1. 2005/06/23
    trw

    trw Inactive Thread Starter

    Joined:
    2005/06/23
    Messages:
    4
    Likes Received:
    0
    I know that the target PC was infected with some "about:blank" critter and other malware, and I've made significant progress removing much if not all of them. HJT shows nothing I feel is unusual.

    But I thought I'd throw Spybot at it just to see if it finds anything. Much to my dismay Spybot's scan slows to an imperceptible crawl at the coolwwwsearch pest. I'm running the system in Safe Mode (it's a W98se oldie). Spybot appears to still be running and after 8 hours has progressed from 5708 to 7586 but that's insanely slow. Does this mean the system is still infected with cws?

    thanks!
     
    trw,
    #1
  2. 2005/06/23
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    trw - Welcome to the Board :)
    Possibly - download and run CWShredder. Then run HijackThis 1.99.1 again from a folder on your hard drive - not the desktop or a temporary location (temp folder) and post the log here.
     


  4. 2005/06/23
    trw

    trw Inactive Thread Starter

    Joined:
    2005/06/23
    Messages:
    4
    Likes Received:
    0
    Already tried CWS shredder, etc. Here's HJT file

    Two additional observations:

    W98se boot time is incredibly long on this PC.
    C:\windows\system has numerous 0-size dll files as well as a few odd ones that appear to have been created recently (size about 82kb). My recollection of past exterminations is that this is meaningful.

    Pasted below is the HiJackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:06:38 PM, on 6/23/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ovqji.dll/sp.html#28129
    O2 - BHO: Class - {935BB868-D573-FCBF-9F0F-F1E0E429CD01} - C:\WINDOWS\appdp32.dll (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
    O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE "
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted Zone: http://*.www.sysinternals.com
    O15 - Trusted Zone: http://www.trojanhunter.com
    O15 - Trusted Zone: http://www.trendmicro.com
     
    trw,
    #3
  5. 2005/06/23
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I have edited your thread title to indicate that an HJT log has been posted - please be patient until one of our experts on HJT logs has a chance to look at it.
     
  6. 2005/06/23
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Hello,
    Rescan with HJT, and remove these items.
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ovqji.dll/sp.html#28129
    O2 - BHO: Class - {935BB868-D573-FCBF-9F0F-F1E0E429CD01} - C:\WINDOWS\appdp32.dll (disabled by BHODemon)

    Now Shutdown, but choose to Restart in DOS Mode, and do these commands at the prompt.
    smartdrv
    deltree c:\windows\cookies
    deltree c:\windows\history
    deltree c:\windows\temp
    deltree c:\windows\tempor~1
    deltree c:\windows\appdp32.*
    deltree c:\windows\system\ovqji.dll


    Type a Y that you want to delete, check for typos at this time. Reboot when done.

    Get About:Buster, and update it first. Then run it twice, back to back.
    Those odd files may be a part of about:blank, as it creates several files to be used in this;
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
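
Added example, not part of the original thread or of HijackThis: a small Python triage pass over a HijackThis log that surfaces the two entries markp62 asks to remove. The two heuristics (an R0/R1 URL served from a `res://` resource inside a DLL, and a BHO whose DLL sits directly in C:\WINDOWS) are assumptions chosen for illustration; the sample lines are copied from the log posted above.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ovqji.dll/sp.html#28129
O2 - BHO: Class - {935BB868-D573-FCBF-9F0F-F1E0E429CD01} - C:\WINDOWS\appdp32.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O15 - Trusted Zone: http://*.windowsupdate.com
"""

# An entry line starts with a section code such as R1, O2 or O15, then " - ".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
# Heuristic (assumption): IE start/search page served from a resource inside a DLL.
RES_DLL = re.compile(r"=\s*res://(.+?\.dll)/", re.I)
# Heuristic (assumption): BHO whose DLL sits directly in the Windows directory.
BHO_DLL = re.compile(r"^BHO: .*? - \{[0-9A-F-]+\} - (C:\\WINDOWS\\[^\\]+\.dll)\b", re.I)

def parse(log):
    """Yield (section, body) for each entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return [(section, file, reason)] for entries that deserve manual review."""
    findings = []
    for section, body in parse(log):
        if section in ("R0", "R1"):
            m = RES_DLL.search(body)
            if m:
                findings.append((section, m.group(1), "IE URL points into a DLL resource"))
        elif section == "O2":
            m = BHO_DLL.match(body)
            if m:
                findings.append((section, m.group(1), "BHO DLL in Windows root"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A hit is only a prompt for manual review of the named file, not a verdict; legitimate software can match either pattern.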
     
  7. 2005/06/26
    trw

    trw Inactive Thread Starter

    Joined:
    2005/06/23
    Messages:
    4
    Likes Received:
    0
    THANK YOU! markp62

    Your suggestions nailed it. No recurrence after a few days of use. This WindowsBBS forum is a great resource!
     
    trw,
    #6
  8. 2005/06/27
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You're welcome.
    BTW, the first 5 commands can be used as a good general cleanup at any time.
     
  9. 2005/06/27
    trw

    trw Inactive Thread Starter

    Joined:
    2005/06/23
    Messages:
    4
    Likes Received:
    0
    Cleanup.exe tried

    I had already installed and run cleanup.exe on the PC, which I believe does much the same thing but not in DOS. Is it critical to be in DOS?
     
    trw,
    #8
  10. 2005/06/27
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    For those commands, yes. They delete folders and their files that would be in use by Windows; you can't do those in a DOS window too well. If cleanup deletes the files named "index.dat" and "desktop.ini" located in some of those folders, it would be.
     