Can't run Malwarebytes or ComboFix; regedit inoperable

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MikeD052, May 26, 2009.

  1. MikeD052

    MikeD052 Private E-2

    Howdy, my first post anywhere so excuse me if not up to speed on protocol.

    My system has been protected by AVG 8.5, but for some reason the latest definitions could not be updated (server refusal?). This may be unrelated to what follows.

    The first indication of trouble (5-21-09) was when clicking on Google search results, I was redirected to what seemed like random URLs; then I noticed a health site that I was directed to a couple of times and realized it was not broken links that were at work here. I guess this is called URL redirecting?
    Then quite suddenly I had red warnings popping up from "Spyware Remove 2009".
    I recognized this was rogue and researched for a remover tool, came up with PC Tools Spyware Doctor, which found many problems and fixed them; then for good measure I ran the associated Registry Mechanic and fixed more stuff.

    However, some critical programs that I need for work could not function; working with their tech support showed that regedit could not be run and I had serious issues beyond what PC Tools could deal with. I was told I could call back when my computer was fixed.

    After stumbling around and trying several fixes and scans to no avail, I chanced upon this thread:
    http://forums.majorgeeks.com/showthread.php?t=139313

    and followed the directions religiously. SuperAntiSpyware would only run using the alternately named program, but it did work, and I have attached the log.

    Malwarebytes would not finish installing even after renaming to MB.exe; the install progress bar goes to about 60% and freezes each time; an unusable icon does land on the desktop.

    ComboFix will not install.

    MGTools ran but with errors not described in the instructional thread.
    Errors:
    Sort utility needs to close

    ProcessDll.exe
    Application generated exception which can't be handled
    process id=0x17a8(6056) thread id=0xc04(3076)

    Runtime error 216@00E44A49

    Please help, I have approx. 26 hours invested in trying to fix this on my own. I love this computer and don't want to have to replace it because the evil ones have dealt it a near fatal blow.

    If you need more info or I've left out critical details, forgive me, this is my first effort posting on a help site.
     


  2. MikeD052

    MikeD052 Private E-2

    Upon shutting down Windows, I get a memory error referencing ati2avxx, which may be a rootkit problem.
    Other symptom, computer will run for about an hour or so before freezing.
    Not sure how to edit the existing post, but thought this should be helpful to whoever is looking at this post.
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this and then see if you can run the other scans.

    Download The Avenger by Swandog469 and save it to your Desktop.

    Please Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    -
    Now run CCleaner to clean out only temp files and nothing else!

    Then find these folders and delete everything (you cannot remove files from today):
    C:\WINDOWS\Temp\
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    MBAM
    Combo
    MGLogs.zip
     
  4. MikeD052

    MikeD052 Private E-2

    TimW
    Thanks so much for your assistance.
    Was away til yesterday travelling.

    I should mention that I am using another computer to access the internet to minimize the time that the infected computer is on the network.

    I followed the procedure, but with little luck.
    Most importantly, it took 4 attempts to reboot after the Avenger shutdown, and I am afraid to turn it off in case I can't ever reboot it.

    But from the top, Spybot will not run a window even though it is evident in the tray. I used Process Manager to shut down TeaTimer and other appearances of Spybot. Did the best I could on AVG and SuperAntiSpyware.

    The avenger process seemed to go well, but could not restart. On reboot the HP Logo screen would freeze; across the bottom of the screen it says;

    v3.18 <esc=bootmenu> <F1=setup> <F10=System Restore>

    I was finally able to get past this point by rebooting with a media drive removed and after a while staring at the Logo Screen, I slid the drive in and engaged it, that surprisingly kicked Windows past this logo screen to a black startup screen which asked what operating system to start up with; chose XP, cant remember the other option. When stuck at the Logo Screen the wireless keyboard is not operable.

    The avenger popup window did come up

    When running CCleaner, only Internet Explorer temp and System temp were checked.

    As to manually deleted files, there was only one older than today

    Double clicking on getlogs.bat did not appear to do anything.
    I ran MGtools in the C: directory and attached that zip, renamed with an 02

    MB and ComboFix will still not run
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!
    Then make sure this folder is empty:
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  6. MikeD052

    MikeD052 Private E-2

    I think we are making progress; the Temp folder had 65,000 files in it, deleted them in batches of 4-5,000 at a time. Upon reboot something added about 40 new files, all with 0 kb. One or two files cannot be deleted as used by other program? I attached screen captures. The temporary Internet folder has about 50 files, mostly cookies, which were not removed by Ccleaner, I assume that is normal.

    This time I was able to run getlogs.bat by double clicking.

    On boot-up I still got the no disk error.
    On running MGtools I still got the Sort utility error.

    BTW, rebooting takes a long time.
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have three files that I can't identify:
    C:\gz_spec.dbf
    C:\WINDOWS\gf_prf2006.IN2
    C:\WINDOWS\gf_prf2006.ini

    Let's try taking each of those files and renaming them as such:
    C:\gz_spec.dbf.old
    C:\WINDOWS\gf_prf2006.IN2.old
    C:\WINDOWS\gf_prf2006.ini.old

    Then let's see if that causes problems or stops some of the problems.

    Then do this:
    Using BitDefender Online Scan.

    You have TeaTimer (which you should have disabled before) still running, as well as ThreatFire...that may be the cause of your slow boot time....that is something you need to address in the Software section.
     
  8. MikeD052

    MikeD052 Private E-2

    First of all I want to thank you so much for the help, I would be at a loss trying to clear this myself.

    The C:\gz_spec.dbf file is from an industry pricing program
    not sure about the other 2, I renamed them as suggested

    I ran the online scan overnight, but the computer froze this morning when I went to save the log; the files detected were deleted. They were mostly generic: one file was a jpg (never knew a jpg could carry a virus), a couple were from my download folder for pdf995 (great program, not spyware), and a couple were adware which were in the AOL folder from the bundled junk that came with the computer. Nothing stood out to my untrained eye, except the last item that said "update failed".

    Upon reboot, a long wait at the logo screen, during which time the temp folder began to fill up again with those verxx.tmp files. Don't know if this is a symptom of my problem, but it seems significant. In the attached screen capture you can see that over 2000 temp files were created during the few minutes of the boot-up; also visible is ssupdate.exe, which is probably part of SuperAntiSpyware, but Googling it results in some warnings, so I want you to be aware. Also in the temp folder is ~DFxxx.tmp, which is always 16 KB; this is one file that I previously reported that I could not delete.

    Another symptom is my computer makes the click-snap sound that it makes when changing web pages, but it will do it when no browser is open.
    I think that when the network cable is disconnected the errant clicks stop.

    Should I run the BitDefender scan again? It takes several hours.
     


    Last edited: Jun 4, 2009
  9. MikeD052

    MikeD052 Private E-2

    Update
    My computer froze and upon rebooting;
    I am back to having 65,000 plus temp files
    it takes a while to delete them but I will do that now
    some will not delete
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    And is CCleaner not removing these files? Please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\MGlogs.zip
     
  11. MikeD052

    MikeD052 Private E-2

    I have been running CCleaner as requested with only two boxes checked: IE temporary files and system temporary files. Today I did use ATF Cleaner and checked "current user temp"; that worked on that folder.

    Also I had a popup for "Personal Antispyware", a rogue I think; jpg attached.

    UNINSTALLED SPYBOT!!
    Spybot would not run in a window even though it appeared in the tray, I uninstalled it, hoping that would address the teatimer issue. not sure what I need to do about threatfire.
     


  12. MikeD052

    MikeD052 Private E-2

    Should have also mentioned that I ran SAS BEFORE MGtools; did not get a log.

    Just now I tried to start SAS to see if I could get the log, but it will not run now.
    When I ran it earlier it found the same "Rootkit.Agent/Gen-UACFake" as before.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is annoying .....let's have you do a few things.

    First, I would uninstall ThreatFire. And is your version of Spyware Doctor a paid-for or free version? If free, uninstall it also.

    Now I want you to run both SAS and MBAM on the guest account. When it is finished, disable the account!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  14. MikeD052

    MikeD052 Private E-2

    OK
    ThreatFire: Don't know how it was installed on my computer; I assumed it came with Firefox or PC Doctor. It was not listed in "Add/Remove Programs" and I did not see it running as a process in Process Manager or Security Process Manager. I downloaded and ran a utility which was supposed to remove all traces of the program.

    Spyware Doctor is a paid version ( as well as the registry Mechanic that was offered at a discount with it )

    Ran SAS on the Guest account, no threats found; log attached

    Malwarebytes: still cannot install this program, either mbam or mb; the install hangs up; see previous screen capture jpg.

    MGTools; I ran this from the new file on the root directory, I hope this is what you intended. 2 errors as prev. reported, Sort util error, and ProcessDLL.exe exception.
     


  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am beginning to think this is a software problem as the only thing left is the temp files which you need to remove....
    Code:
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\
    dio14.tmp     Jun  8 2009       47122  "DIO14.tmp"
    dio16.tmp     Jun  8 2009       47122  "DIO16.tmp"
    dio17.tmp     Jun  8 2009       47122  "DIO17.tmp"
    dio18.tmp     Jun  8 2009       47122  "DIO18.tmp"
    dio19.tmp     Jun  8 2009       47122  "DIO19.tmp"
    dio1b.tmp     Jun  8 2009       47122  "DIO1B.tmp"
    dio1d.tmp     Jun  5 2009       47122  "DIO1D.tmp"
    dio1e.tmp     Jun  8 2009       47122  "DIO1E.tmp"
    dio4.tmp      Jun  8 2009       47122  "DIO4.tmp"
    dio6.tmp      Jun  8 2009       47122  "DIO6.tmp"
    dio7.tmp      Jun  8 2009       47122  "DIO7.tmp"
    dio9.tmp      Jun  8 2009       47122  "DIO9.tmp"
    hpodvd09.log  Jun  8 2009        6030  "hpodvd09.log"
    hpqddusr.log  Jun  8 2009        1244  "hpqddusr.log"
    IS-M1IBJ.TMP  Jun  8 2009              "is-M1IBJ.tmp"
    mar1.tmp      Jun  8 2009        1342  "MAR1.tmp"
    mar2.tmp      Jun  8 2009        1342  "MAR2.tmp"
    mar3.tmp      Jun  8 2009        1285  "MAR3.tmp"
    mar4.tmp      Jun  8 2009        1342  "MAR4.tmp"
    mar5.tmp      Jun  8 2009        1285  "MAR5.tmp"
    mar6.tmp      Jun  8 2009        1285  "MAR6.tmp"
    mar7.tmp      Jun  8 2009        1342  "MAR7.tmp"
    mar8.tmp      Jun  8 2009        1285  "MAR8.tmp"
    ssupdate.exe  May 14 2009      158960  "SSUPDATE.EXE"
    sts13.tmp     Jun  8 2009         116  "STS13.tmp"
    sts18.tmp     Jun  8 2009         116  "STS18.tmp"
    sts1b.tmp     Jun  8 2009         116  "STS1B.tmp"
    sts26.tmp     Jun  8 2009         115  "STS26.tmp"
    
    Run CCleaner first and then also run ATF Cleaner by Atribune.

    Then manually remove anything left over (other than files with today's date).

    Have you been using Reg Mechanic to do registry changes?
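    The listing above is the kind of Temp-folder dump that is tedious to read by eye once it runs to thousands of entries, so here is an added example (not from the thread or from MGtools) that parses that listing format and surfaces what a malware helper would look for: runs of same-prefix, same-size files created in bulk, and executables sitting in Temp. The sample data is transcribed from a subset of the listing posted above; the size-based cluster threshold and the list of "executable" extensions are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, transcribed from a subset of the Temp listing in the post
# above. Format per line: name  Mon DD YYYY  [size]  "OriginalName"
# (the size column is blank for one entry, as it was in the original listing).
SAMPLE_LISTING = """
dio14.tmp     Jun  8 2009       47122  "DIO14.tmp"
dio16.tmp     Jun  8 2009       47122  "DIO16.tmp"
dio17.tmp     Jun  8 2009       47122  "DIO17.tmp"
dio1d.tmp     Jun  5 2009       47122  "DIO1D.tmp"
hpodvd09.log  Jun  8 2009        6030  "hpodvd09.log"
hpqddusr.log  Jun  8 2009        1244  "hpqddusr.log"
IS-M1IBJ.TMP  Jun  8 2009              "is-M1IBJ.tmp"
mar1.tmp      Jun  8 2009        1342  "MAR1.tmp"
mar2.tmp      Jun  8 2009        1342  "MAR2.tmp"
mar3.tmp      Jun  8 2009        1285  "MAR3.tmp"
ssupdate.exe  May 14 2009      158960  "SSUPDATE.EXE"
sts13.tmp     Jun  8 2009         116  "STS13.tmp"
sts18.tmp     Jun  8 2009         116  "STS18.tmp"
sts26.tmp     Jun  8 2009         115  "STS26.tmp"
"""

# One listing line: lowercase name, date, optional size, quoted original name.
LINE_RE = re.compile(
    r'^(?P<name>\S+)\s+'
    r'(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+'
    r'(?P<size>\d+)?\s*"(?P<orig>[^"]*)"?\s*$'
)

# Assumption of this example: extensions that warrant a look when found in Temp.
EXEC_EXTS = {"exe", "dll", "com", "scr", "bat", "cmd", "pif", "sys"}


def parse_listing(text):
    """Parse a listing in the format above into a list of dicts.

    Lines that do not match (directory headers, debris) are skipped rather
    than raising, because real dumps are never perfectly clean.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower()
        stem, dot, ext = name.rpartition(".")
        if not dot:                      # no extension at all
            stem, ext = name, ""
        prefix = re.match(r"[a-z]+", stem)   # 'dio14' -> 'dio', 'mar1' -> 'mar'
        entries.append({
            "name": name,
            "ext": ext,
            "prefix": prefix.group(0) if prefix else stem,
            "size": int(m.group("size")) if m.group("size") else None,
            "date": f'{m.group("mon")} {m.group("day")} {m.group("year")}',
        })
    return entries


def analyze(listing, min_cluster=3):
    """Group entries by (alphabetic prefix, extension); report groups of at
    least min_cluster files (bulk-generated temp files) and any executables."""
    entries = parse_listing(listing)
    groups = defaultdict(list)
    for e in entries:
        groups[(e["prefix"], e["ext"])].append(e)

    clusters = {}
    for (prefix, ext), members in groups.items():
        if len(members) < min_cluster:
            continue
        clusters[f"{prefix}*.{ext}"] = {
            "count": len(members),
            # Identical or near-identical sizes across a cluster point to one
            # writer dropping the same payload repeatedly.
            "sizes": sorted({m["size"] for m in members if m["size"] is not None}),
            "dates": sorted({m["date"] for m in members}),
        }
    executables = sorted(e["name"] for e in entries if e["ext"] in EXEC_EXTS)
    return {"total": len(entries), "clusters": clusters, "executables": executables}


if __name__ == "__main__":
    report = analyze(SAMPLE_LISTING)
    print(f'{report["total"]} entries parsed')
    for pattern, info in report["clusters"].items():
        print(f'  {pattern:<12} x{info["count"]}  sizes={info["sizes"]}  dates={info["dates"]}')
    print("executables in Temp:", report["executables"])
```

    Run against the full 65,000-file dump the poster describes, the cluster table is what tells you whether one writer is responsible (a single prefix and size repeated tens of thousands of times) or whether several programs are each leaving a handful of files behind; the executables list is the short one to check first.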
     
  16. MikeD052

    MikeD052 Private E-2

    A quickscan with SAS still shows a rootkit; after it's removed the computer is forced to reboot, (Windows RPC System Shutdown.) I am sure that it is reinstalled upon reboot because it is always found and removed by SAS.

    There is definitely malware on this computer. I usually work with the network cable unplugged, as if left plugged in I hear several sounds (a click/snap) that are the same auditory confirmation heard when intentionally moving through web pages.

    SUDAN Broadcast
    Today when checking email, (i was plugged in for only about 5 mins.) my computer began playing a broadcast on Sudan!
    First several click sounds, then a narration on SUDAN came through my speakers. No open window was used. I closed all windows and only after disconnecting the network cable did the broadcast cease. WTF, never dealt w/ anything like this.

    Have not used Registry Mechanic since before contacting MajorGeeks.
    Ran the cleaners and deleted temp files.
    The log is from a quickscan only
     


  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    GMER's MBR.exe

    • Double click on the MBR.exe file to run it.
    • A log will be produced & saved to the desktop, called MBR.log.
    • Attach this log to your next message.


    Now delete the current mbr.log file and then run the below instructions.
    Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK. You must copy and paste or type in this exactly. The quotes must be exactly as shown and there is a space before the -f
    Code:
    
         "%userprofile%\desktop\mbr.exe" -f
    
    Now double click on the mbr.exe file and attach the new mbr.log

    Then run a deep scan with SAS.
     
  18. MikeD052

    MikeD052 Private E-2

    This log was produced on the 2nd attempt
    the first attempt did not produce a log, I moved the mbr.exe file to the desktop and tried again, ( it was in the download file. )

    Will delete and follow your instructions for the next message
     

    Attached Files: mbr.log (169 bytes)
  19. MikeD052

    MikeD052 Private E-2

    Here is the second log, had to rename it
     
  20. MikeD052

    MikeD052 Private E-2

    Sorry I do not see that the log attached to the last message but the system says I already attached a file named mbr-02.log so I am trying with -02a; sorry, won't let me attach any renamed file, here is what was in the log;

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
     
  21. MikeD052

    MikeD052 Private E-2

    Tim,
    A couple of clues.
    After my computer started playing the Sudan broadcast, I checked Windows processes and found 3 versions of iexplorer.exe running. I use Mozilla but did not have it open; I terminated the processes without ill effects.

    Just now I checked IE history and found web activity unassociated with my own doing, one item in history was a youtube TV show which as it turns out was what I heard the soundtrack from, other items:
    alertsfind.com
    fulldotfinds.com
    216.133.243.28 (which may be findology.com)
    obviously something is operating IE in the background.
     
  22. MikeD052

    MikeD052 Private E-2

    Here is the log, interestingly it picked up the MBR file, I reported it as false positive to sas.
     


  23. MikeD052

    MikeD052 Private E-2

    OK;
    I believe I have overcome this;

    CLB Rootkit infection aka WinNT-Alureon
    fixed with "RootRepeal"

    The key was that MBAM would not run, but THERE IS A TOOL!!!

    If you cannot run MBAM, MB, Combofix, or if AVG or others won't update, the malware has blocked these activities.

    http://www.malwarebytes.org/forums/index.php?showtopic=12709

    I ran this tool and it basically uncovered the "invisible" rootkit

    If you have iexplorer processes running in task manager, but not showing a window, this is one symptom. Look at iexplorer history and see where the malware is trying to take your computer.

    I only found this solution by Googling these URLs and found another victim with the same infection (this probably is a new infection because very few Google results were generated and they were all new):
    fulldotfinds.com
    alertsfind.com

    When working on the fix, try disconnecting the internet cable and keep closing iexplorer processes while working on the fix. I am fortunate to have a 2nd computer to download to, then, disconnect the dsl modem and connect the infected computer to the network, in this way I was able to isolate the infected computer from the internet but still get information and download tools, well it worked for me.

    So far all my programs that were disabled by this infection now work! I hope I'm not jinxing myself but the scans look clean.
     


  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I apologize for the delay....my isp took a 4 day dump.

    Let me give you the final cleaning step if you are not having any issues. (If you still are, attach a new MGLogs.zip):


    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
