Win XP infected, not sure if clean yet

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mintech, Sep 1, 2011.

  1. Mintech

    Mintech Private E-2

    I have a Win XP service pack 3 laptop that suddenly started churning and churning and going so slow that I couldn't do any work a day ago. (Usually it's fine.) It was worst in Firefox, but also affected MS Office programs. I rebooted a few times and the machine got slower, and then the wifi card started enabling and disabling on its own, seemingly randomly.

    I found MyWaySearchAssistant under my programs and tried to uninstall it, but got an error saying "the specified module could not be found."

    Then I ran the Read and Run Me guide and these were my results (attached). But I encountered a few problems:

    1) msconfig was already on normal, but when I went in there to check, and then hit "ok" it said "An access denied error was returned while attempting to change a service. You may need to log on using an Admin account to make the specified changes." BUT I was using an Admin account already. This worried me.

    2) I couldn't run Root Repeal, I got the error: "Root Repeal Error, Attempt to read from address 0x00ac5008" and then the message "Error-invalid PE image found!"

    The rest of the programs seemed to run fine and a few found and removed some things.

    The computer seems almost normal now but still does some things much slower than usual, like populating the list of programs in the add/remove programs pane under control panel. Also, when this problem started, I suddenly started getting unread message counts and a listing of how many programs were running on my welcome/login screen when I had never had these before, and these are still there. Not sure if this is a clue of any sort.
     
  2. Mintech

    Mintech Private E-2

    Here are the rest of the logs.
     

    Attached Files:

    Last edited: Sep 1, 2011
  3. Mintech

    Mintech Private E-2

    Sorry, the logs seemed not to have attached to the first message.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Hi Mintech,
    Your logs look pretty clean to me but we can do some more thorough checks.

    According to your logs, it is properly set to Normal, which is what we want ;)

    You get this message because of McAfee being installed.

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Now download GooredFix by jpshortstuff to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista/Win 7).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear.
    • Please attach the Goored.txt log to your next reply (it can be found on your desktop). (How to attach items to your post)

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    FileLook::
    C:\Documents and Settings\Marie\Desktop\blackra1n-1.exe
    C:\Documents and Settings\Marie\Desktop\JHymn.exe
    C:\Documents and Settings\Marie\Desktop\tih_s_e_14010.exe
    Folder::
    C:\Documents and Settings\Marie\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142030}
    RegLock::
    [HKEY_USERS\S-1-5-21-1026584931-1069327939-3102619959-1007\Software\Microsoft\Driver Signing]
    @Denied: (2) (Administrators)
    @Allowed: (2) (Administrators)
    "Policy"=hex:00,00,00,00
    .
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
    @Denied: (2) (Administrators)
    @Allowed: (2) (Administrators)
    "Policy"=hex:00,00,00,00
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Is this an IP address you are familiar with?
    This is shown in your ComboFix log under FireFox (FF) settings. TiVo Desktop or Cisco AnyConnect VPN Agent settings perhaps?
    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Please download SystemLook by jpshortstuff to your desktop.
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      msconfig.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
      Note: The log can be found on your desktop, entitled SystemLook.txt

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Sep 2, 2011
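An added example, not part of the thread and not code from ComboFix or SystemLook: the two findings behind the CFScript above, done by hand in PowerShell so the result can be read before anything is changed. It lists Deny entries in the ACL of the registry keys given under RegLock:: (each shown in the script with "@Denied: (2) (Administrators)"), decodes the Driver Signing "Policy" value those keys hold (on XP a first byte of 00 means Ignore, unsigned drivers install silently; 01 Warn; 02 Block), and repeats the SystemLook ":filefind" for msconfig.exe. Assumptions: an elevated PowerShell 2.0-or-later prompt, and that the HKEY_USERS\<SID> hive in the script is the logged-on user's, so it is read as HKCU:.

```powershell
# Added example (not from the MajorGeeks thread, ComboFix or SystemLook).
# Hand-checks the findings the CFScript above acts on:
#   * registry keys carrying a Deny ACE for Administrators (the keys under RegLock::)
#   * the Driver Signing "Policy" value on those keys (first byte 00 = Ignore unsigned drivers)
# plus a SystemLook-style ":filefind" for stray copies of msconfig.exe.
# Assumptions: PowerShell 2.0 or later, run from an elevated prompt; the
# HKEY_USERS\<SID> key in the script is assumed to be the logged-on user's hive (HKCU:).
param([switch]$Fix)   # -Fix strips the explicit Deny ACEs instead of only reporting them

$LockedKeyCandidates = @(
    'HKLM:\SOFTWARE\Microsoft\Driver Signing',
    'HKCU:\Software\Microsoft\Driver Signing',
    'HKLM:\SOFTWARE\DeterministicNetworks\DNE\Parameters'
)

function Get-RegistryDenyAces {
    # One object per Deny ACE on the key. An unreadable ACL is reported as a warning,
    # because a Deny on Administrators can hide the key from the very account doing the check.
    param([Parameter(Mandatory = $true)][string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch [System.Management.Automation.ItemNotFoundException] { return @() }
    catch {
        Write-Warning "$Path : ACL not readable ($($_.Exception.Message)); treat as locked"
        return @()
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        New-Object PSObject -Property @{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

function Remove-RegistryDenyAces {
    # Drops only explicit (non-inherited) Deny ACEs, which is what a lock of this kind consists of.
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $explicitDenies = @($acl.Access | Where-Object { $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and -not $_.IsInherited })
    foreach ($ace in $explicitDenies) { [void]$acl.RemoveAccessRule($ace) }
    if ($explicitDenies.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $explicitDenies.Count
}

function Get-DriverSigningPolicy {
    # Policy is REG_BINARY on XP (the CFScript shows hex:00,00,00,00); first byte: 0 = Ignore, 1 = Warn, 2 = Block.
    param([string]$Path = 'HKLM:\SOFTWARE\Microsoft\Driver Signing')
    $item = Get-ItemProperty -Path $Path -Name Policy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "$Path : Policy value absent or unreadable" }
    $raw = $item.Policy
    $code = if ($raw -is [array]) { [int]$raw[0] } else { [int]$raw }   # REG_DWORD variant handled too
    $meaning = switch ($code) {
        0 { 'Ignore (unsigned drivers install silently)' }
        1 { 'Warn (prompt before installing an unsigned driver)' }
        2 { 'Block (unsigned drivers refused)' }
        default { 'unknown value' }
    }
    return "$Path : Policy=$code -> $meaning"
}

function Find-FileCopies {
    # Equivalent of SystemLook ":filefind": every file with this name under the given roots.
    param([string]$Name = 'msconfig.exe', [string[]]$Roots = @($env:SystemRoot))
    Get-ChildItem -Path $Roots -Filter $Name -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

foreach ($key in $LockedKeyCandidates) {
    $denies = @(Get-RegistryDenyAces -Path $key)
    if ($denies.Count -eq 0) { Write-Host "$key : no Deny ACEs"; continue }
    $denies | Format-Table Path, Identity, Rights, Inherited -AutoSize
    if ($Fix) { Write-Host ("{0} : removed {1} explicit Deny ACE(s)" -f $key, (Remove-RegistryDenyAces -Path $key)) }
}
Get-DriverSigningPolicy
Get-DriverSigningPolicy -Path 'HKCU:\Software\Microsoft\Driver Signing'
Find-FileCopies | Format-Table -AutoSize
```

Run it once without -Fix and read the output; a key whose ACL cannot even be read is locked harder than a plain Deny ACE, and needs an ownership change before the Deny entries can be removed (not shown here). This is a read-out of the condition, not a replacement for the CFScript, which also handles the FileLook:: and Folder:: items.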
