Infestation causing fake sys popups, shutdowns

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dtx, May 7, 2008.

  1. dtx

    dtx Private E-2

    My system - Windows XP Pro - sp1
    I use McAfee Personal Firewall plus.
    I did not have the automatic MS update on.

    After endless searching I found others who had similar infestations but not exactly the characteristics of the one I have. I am guessing this one is some variant of a Sasser virus? I have been to the MS site and looked over their Sasser variations but each one shows what might appear in the registry and I do not find any of them in my registry.

    I realize now that there are a couple of MS security updates that I should have installed that might have protected me from this.

    Can somebody please help me remove this malware out of my system?


    About the messages
    A few days ago is when this all started.
    When I start up the system a fake Windows Security Center menu pops up on the desktop. It does not say there is any problem.
    It has a subtitle 'Security essentials' and under it are three third party listings for download and install.
    1. UltimateFixer. 2. SystemDefender 3. SysCleaner.
    Then there are several FAKE messages that separately pop up at random, whether I am working on the computer or it is just sitting idle. I do not have IE7. I use IE6.
    The shutdown popup has a 60 second countdown, then shuts down Windows and restarts it unless I am there to cut it off by running 'shutdown -a'.

    Another freaky thing this malware does is overlays a fake Free scan image over an existing image on any web page I might visit. The image flashes annoyingly to get attention. The virus sizes the image to match the size of the image it is overlaying.
    Those images link to a suspicious site - http://www.admtransit.com/


    Two examples of the flashing fake scan popup:

    It also deleted all of my prior saved System Restore points so I could not go back before all of this junk started happening.


    I downloaded and ran several detection programs to try and find it in my system but none did.
    Mcafee antivirus
    Spybot - Search & Destroy
    Protector Plus
    AVG 7.5
    SUPERAntiSPyware
    Spy Sweeper
     
    Last edited by a moderator: May 7, 2008
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. dtx

    dtx Private E-2

    Problems when trying to follow the Read & Run page procedures...

    My Java version was out of date.
    When trying to download the current Sun Java I get a box - Getting File Information. Then a couple of minutes later another box pops up saying Internet Explorer cannot download. Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later. I tried to download it for three days without success.


    Download and install CCleaner
    http://majorgeeks.com/download4191.html

    When the page tries to load it aborts with msg - Internet Explorer cannot open the Internet site http://majorgeeks.com/download4191.html. Operation aborted.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Have you tried downloading any of the other tools?

    If not, and since you have no restore point, Go to Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt), then in the File name box enter bdscan and click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  5. dtx

    dtx Private E-2

    I was finally able to get back into this. Have to say these malware popups are depressing.

    I had forgotten I disabled the Windows Installer earlier in case the virus was using it. I enabled it and was then able to update my Sun Java, and download CCleaner from the CCleaner website.

    I ran the ccleaner as instructed in the Read & Run procedures.
    I then followed the Windows XP Cleaning Procedure.
    I still have the virus in the computer.
    I could not reinstall the SuperAntiSpyware program. Kept giving me an abnormal termination msg. But I downloaded and ran the others to create logs just as instructed.

    I do not have a SuperAntiSpyware log since I was not able to install the program.
    I am attaching three logs total...

    mbam-log-11-4-2006 (18-13-28).txt
    ComboFix.txt
    MGlogs.zip

    Tim, Let me know if you still want me to use Bitdefender.
    I await your next instructions. Thank you for your help.
     

    Attached Files:

  6. dtx

    dtx Private E-2

    After running those diagnostic programs I do not see any flashing anti-virus ad overlaying in my browser. But now along with the other problems, I have a Windows Security Center icon in the system tray and I cannot get rid of it. It frequently pops up a balloon.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The first thing you need to do is to re-run MalwareBytes and have it fix everything that it finds!

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from MalwareBytes.
     
  8. dtx

    dtx Private E-2

    I apologize for failing to follow the MalwareBytes instructions the first time.
    Okay yesterday I reran it according to instructions. Then the C:\MGtools\GetLogs.bat program

    Attached are the logs from those.

    After I ran the MalwareBytes things appeared to have been amazingly corrected. No more Windows Security icon in the system tray, thus no more balloons, no Windows Security popup after restart and no other fake error popups. But I was going to go to this thread to thank you and the Explorer browser could not find this site, like it was not online. Other sites I had accessed okay.

    THEN..... this morning (next day), my operating system was like hell again. This time there was an 'X' icon in the system tray and it produced a box that says 'Your computer is infected. Windows has detected spyware infection.'

    I could not open a blank Explorer browser screen. It would appear for a split second then close. I tried to open a text file and it would abort with the Explorer msg asking me if I wanted to send error report. My firewall would not work. When I tried to manually start it, it would abort with some weird error msg. I tried to run MSCONFIG and nothing would appear but only the hourglass for a few seconds. I tried to rerun the MalwareBytes detection program but no menu would appear and the program would terminate in a few seconds. Also could not execute other things.

    I did not try to get online without a firewall.

    I am now on my backup operating system on the other hard drive in the same computer. The virus is not here.
    I do not know what happened with my main operating system. Yesterday eve it had appeared everything was fixed but this morning ... disaster.

    One thing weird I did notice in the main system even after the MalwareBytes repair was the time and date in the systray. The time appeared as 24 hr military time and the date format was yyyy mm dd. I could not figure out how to correct that.
    I do not know what to do next.
     

    Attached Files:

    Last edited: May 23, 2008
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem....first question...did this happen after you ran CCleaner Issues?

    Use Windows Explorer to find and delete:
    C:\WINDOWS\system32\winsy.exe

    Are the two logs from the infected system or the one you are on now?
     
  10. dtx

    dtx Private E-2

    In response to your last post....
    I believe I did rerun the CCleaner pgm prior to running MalwareBytes.
    I was in the backup system during my previous post but the logs I uploaded were created the night before that, when I was in the main infected system. So those logs are from the infected system only.
    ---------------------------------------
    At current I am back on the main system, the one that was infected. Since I was being blocked from doing much of anything yesterday, I went to Task Manager and closed several processes that I felt were not vital to the system. Then I went to Regional Options and corrected the time and date display format.
    After that Malwarebytes would run.

    I had run MalwareBytes five times yesterday.
    (I restarted the system after each run)
    1. 53 infections detected
    2. 1 infection detected with this rerun
    3. 18 infections detected with this rerun after being online.
    4. 0 infections detected after immediate rerun.
    5. 2 infections detected with this rerun after going online for a very short time.

    Why does Malwarebytes keep detecting more infections after I rerun it over and over?
    I am using McAfee firewall when going online.
    I installed MS security update KB835732.
    Is there any other security updates from MS that I need?

    During all of these mbam reruns I had noticed in the Running Processes several suspicious programs running that had numbers for names. They were stored in the c:\windows\temp folder. I also found some temp files in the temp folder under Documents and Settings. I deleted all of those temp files. Apparently CCleaner did not delete them.

    Attached with this post are the first three run logs of MalwareBytes that were run yesterday.
     

    Attached Files:

  11. dtx

    dtx Private E-2

    Attached to this post is the fifth Malwarebytes run log which shows new infections from just going online for a few minutes.

    The fourth log was clean and showed zero infections so I did not attach it.

    After I get done with this post, I am going offline and run ccleaner then Malwarebytes pgm again to see what new infections I might have just picked up.
     

    Attached Files:

  12. dtx

    dtx Private E-2

    This post is after my last post and I went offline, ran mbam, and came back online. This attachment is from that run.
    It shows two infections which had entered in Windows\temp folder while visiting this site previously.
    As you see in the log the names appear to be in hexadecimal.
    CCleaner does not erase these files.
    There were also a couple of other similar files in that folder that mbam did not detect. So I deleted everything in that folder.
    Is it normal to get these types of files in that folder, or is there some security measure I should have in place to block it?

    I also emptied my recycle bin and turned off system restore so hopefully none of this mess has been left behind in the system.
    I am going to MS site to see if it says my system needs security updates.
     

    Attached Files:
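    The pattern dtx describes in the three posts above (hex- or digit-named executables dropped into C:\Windows\temp, found again after each "clean" run) is easier to track by name and hash than by MalwareBytes' detection count. The script below is an added example written for this thread; it is not part of MalwareBytes, CCleaner or any other tool named here, and it assumes (the posts do not say) that the names are hex/digit-only stems of four or more characters and that a leading 'MZ' marks a Windows executable whatever its extension. The sample folder it builds is constructed, with 'MZ' plus padding standing in for a real PE file.

```python
"""Triage a temp folder for hex/digit-named executables and compare two runs.

Added example for this thread, not code from any tool named in it.
Assumed (not stated in the posts): suspicious names are hex/digit-only stems
of four or more characters; a leading 'MZ' marks a Windows executable."""

import hashlib
import os
import re
import tempfile
from pathlib import Path

HEX_STEM = re.compile(r"^[0-9A-Fa-f]{4,}$")        # assumption, see docstring
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file starts with the DOS 'MZ' signature, whatever its extension."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def triage(temp_dir):
    """Return suspicious files under temp_dir, newest first, with reasons and hash."""
    findings = []
    for path in Path(temp_dir).rglob("*"):
        if not path.is_file():
            continue
        hex_name = bool(HEX_STEM.match(path.stem))
        exec_ext = path.suffix.lower() in EXEC_SUFFIXES
        pe = looks_like_pe(path)
        reasons = []
        if hex_name and (exec_ext or pe):
            reasons.append("hex/digit-only name on an executable")
        if pe and not exec_ext:
            reasons.append("PE header under non-executable extension")
        if not reasons:
            continue                     # plain logs, empty .tmp files etc. are left alone
        st = path.stat()
        findings.append({"name": path.name, "size": st.st_size, "mtime": st.st_mtime,
                         "sha256": sha256_of(path), "reasons": reasons})
    findings.sort(key=lambda f: f["mtime"], reverse=True)
    return findings


def snapshot(temp_dir):
    """Map name -> sha256 of the flagged files, so two runs can be compared."""
    return {f["name"]: f["sha256"] for f in triage(temp_dir)}


def new_since(before, after):
    """Names that were absent from the earlier snapshot or whose content changed:
    the 'new infections after going online' of post 11, identified by file not by count."""
    return sorted(name for name, digest in after.items() if before.get(name) != digest)


def format_report(findings):
    return ["%-14s %5d bytes  %s  %s" % (f["name"], f["size"], f["sha256"][:16],
                                          "; ".join(f["reasons"])) for f in findings]


def build_sample():
    """Constructed sample folder (not real malware); 'MZ' plus padding stands in for a PE."""
    d = tempfile.mkdtemp(prefix="triage_")
    files = [                                    # oldest first
        ("~WRL0001.tmp", b"MZ" + b"\x90" * 32),  # PE hiding under a .tmp name
        ("deadbeef.txt", b"plain text"),         # hex name, but not an executable
        ("setup.log", b"install ok"),
        ("1a2b3c4d.exe", b"MZ" + b"\xcc" * 32),
        ("0000.tmp", b""),                       # hex name, empty file
        ("4567.exe", b"MZ" + b"\x90" * 64),
    ]
    base = 1200000000
    for i, (name, content) in enumerate(files):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        os.utime(p, (base + 60 * i, base + 60 * i))   # distinct, ordered timestamps
    return d


if __name__ == "__main__":
    sample = build_sample()
    before = snapshot(sample)
    print("\n".join(format_report(triage(sample))))
    # simulate a dropper rewriting one file after the "clean" run
    with open(os.path.join(sample, "4567.exe"), "wb") as f:
        f.write(b"MZ" + b"\xcc" * 64)
    print("changed or new since last run:", new_since(before, snapshot(sample)))
```

    Run it against C:\Windows\Temp and the per-user temp folder before and after going online; a name that comes back with a different hash is a downloader at work, not a leftover, and the hashes are what you would hand to a specialist instead of the file count from a scanner log.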

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

    CCleaner is good for a lot of things...but it does not remove all the temps.
     
  14. dtx

    dtx Private E-2

    ATF-cleaner downloaded and ran.

    Note: when running MGtools\GetLogs.Bat I get an error msg...
    ProcessDll.exe - Application Error
    X The application failed to initialize properly (0xc0000135). Click OK to terminate the application.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    As soon as we are sure you are malware free, you need to install the windows updates!
     
  16. dtx

    dtx Private E-2

    I had got tied up with other work but finally got back into this. I was running the MalwareBytes pgm to keep deleting the recurring infections.
    ---------------------------------------------
    I followed the instructions on your last post.
    I ran the avenger.exe and rebooted after it ran.
    I could not get back onto the system. I repeatedly tried to startup the computer but when it tried to get onto Windows XP it kept giving me the following message with a blue background:

    Stop: c000021a (Fatal System Error)
    Initialization terminated status 0xc0000034
    system shutdown


    I am now on my backup system on the other harddrive.
    I am able to access the main C: hard drive of the troublesome Windows system. I see the avenger.txt log. I also see other files that Avenger looks like it created.... cleanup.bat, cleanup.exe, zip.exe.
    I am attaching the 'avenger.txt' file and the 'cleanup.bat' file for you to look at. (The uploader said the cleanup.bat was invalid so I converted it to a text file then uploaded it).

    I do not know how to get back onto the main system.
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you can access it:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

    Tell me what is happening.
     
  18. dtx

    dtx Private E-2

    I had not proceeded to running C:\MGtools\GetLogs.bat because I could not get back into the main system after rebooting. I did not think it would work properly if I ran it from my backup system as it will look for logs in only in the system I am currently in.

    As I am in the backup system now, it refers to my secondary hard drive as drive 'C' and the primary as drive 'E'.

    When in the infected system the primary hard drive is letter 'C'.

    So I just ran E:\MGtools\GetLogs.bat while I am in the backup Windows system since I cannot enter the infected system. Please keep in mind the drive letter assignments while looking at MGlogs.zip. It may have pulled info from the backup system instead of the one that we are trying to disinfect.
     

    Attached Files:

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There are two services still showing in that log.....and did you allow it to run to completion?
     
