There appears to be an upgraded version of CoreGuardAntiVirus2009 in the wild; it self-identifies as CoreGuardAntiVirus2010.
This version locks up Taskmgr, Regedit and Msconfig as well as disabling SEP.
SEP could not clean the malware even when operating in Safe Mode.
I was able to partially clean the malware off the system by altering the security on the files mentioned in Symantec's Coreguardantivirus2009 removal instructions, then rebooting and running SEP. This then allowed me to run MSCONFIG and I disallowed the files from loading at boot time.
This left me mostly clean. The rest of the malware was then susceptible to Malwarebytes; log file below.
NOTE: The registry keys mentioned in Symantec's removal instructions did not exist. They apparently have been changed to the ones mentioned below.
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
2/19/2010 9:00:51 AM
mbam-log-2010-02-19 (09-00-29).txt
Scan type: Full Scan (C:\|)
Objects scanned: 762930
Time elapsed: 8 hour(s), 9 minute(s), 51 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
C:\Windows\msa.exe (Trojan.Agent) -> No action taken.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ibahihikilugoqor (Trojan.Agent.U) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\htran\AppData\Local\Temp\rigslhn.exe (Trojan.Dropper) -> No action taken.
C:\Windows\System32\pcidisk.sys (Rootkit.Agent) -> No action taken.
C:\Windows\System32\Winlogon32.exe (Trojan.FakeAlert) -> No action taken.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.
C:\Windows\msa.exe (Trojan.Agent) -> No action taken.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
C:\Users\htran\AppData\Local\tkSmsd.dll (Trojan.Agent.U) -> No action taken.
C:\Windows\System32\41.exe (Trojan.FakeAlert) -> No action taken.
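As an added example (not part of the original post, and not Malwarebytes' or Symantec's code), the following Python script parses detection lines in the format of the log above, tags each indicator with the persistence or hijack mechanism it represents (Run keys, the Winlogon Userinit value, the Image File Execution Options entry for rstrui.exe, scheduled task jobs, a kernel driver), and counts entries still marked "No action taken", which is what the log shows when the scan ran without a removal pass. The sample input is a constructed excerpt of the log lines from this post; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Detection lines copied from the Malwarebytes log in the post above and
# embedded here so the script runs offline without a scan (constructed
# sample input: a subset of the log, not a complete log file).
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\Windows\msa.exe (Trojan.Agent) -> No action taken.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ibahihikilugoqor (Trojan.Agent.U) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> No action taken.
Files Infected:
C:\Windows\System32\pcidisk.sys (Rootkit.Agent) -> No action taken.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.
C:\Windows\System32\41.exe (Trojan.FakeAlert) -> No action taken.
"""

# One detection line: "<item> (<family>) -> [Data: <data> -> ]<action>"
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)


@dataclass
class Finding:
    section: str          # log section the line appeared under
    item: str             # file path or registry path
    family: str           # detection name, e.g. Trojan.FakeAlert
    data: Optional[str]   # registry data, only for "Registry Data Items"
    action: str           # what the scanner did, e.g. "No action taken."


def parse_mbam_log(text: str) -> list:
    """Return one Finding per detection line, tagged with its log section."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(section, **m.groupdict()))
    return findings


def classify(f: Finding) -> str:
    """Map a finding to the persistence or hijack mechanism it represents."""
    key = f.item.lower()
    if "\\image file execution options\\" in key:
        # An IFEO entry for a program is consulted whenever that program
        # starts; the target here is rstrui.exe, the System Restore UI.
        return "ifeo hijack of " + key.rsplit("\\", 1)[1]
    if "\\winlogon\\userinit" in key:
        # Userinit runs at every interactive logon, before the shell.
        return "winlogon userinit replacement"
    if "\\currentversion\\run\\" in key:
        return "run key autostart"
    if "\\tasks\\" in key and key.endswith(".job"):
        return "scheduled task"
    if key.endswith(".sys"):
        return "kernel driver"
    if f.section == "Memory Processes Infected":
        return "running process"
    return "file on disk"


def triage(text: str) -> dict:
    """Group detections by mechanism and count items the scanner left untouched."""
    findings = parse_mbam_log(text)
    by_mechanism = {}
    for f in findings:
        by_mechanism.setdefault(classify(f), []).append(f.item)
    pending = sum(1 for f in findings if f.action.startswith("No action taken"))
    return {"mechanisms": by_mechanism, "pending": pending, "total": len(findings)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for mechanism, items in report["mechanisms"].items():
        print(f"[{mechanism}]")
        for item in items:
            print("   ", item)
    print(f"{report['pending']} of {report['total']} detections still need removal")
```

The mechanism grouping is what makes the log actionable: the Run values and the Userinit data explain why the malware returned after a reboot until those entries were removed, and the IFEO entry for rstrui.exe explains why System Restore was not a clean recovery path on this machine.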