Endpoint Protection

  • 1.  coreguardantivirus2010 not cleaned by SEP 11.0

    Posted Feb 19, 2010 02:07 PM
    There appears to be an upgraded version of CoreGuardAntiVirus2009 in the wild; it self-identifies as CoreGuardAntiVirus2010.

    This version locks up Taskmgr, Regedit and Msconfig as well as disabling SEP.

    SEP could not clean the malware even when operating in Safe Mode.

    I was able to partially clean the malware off the system by altering the security on the files mentioned in Symantec's Coreguardantivirus2009 removal instructions, then rebooting and running SEP. This then allowed me to run MSCONFIG and I disallowed the files from loading at boot time.

    This left me mostly clean. The rest of the malware was then susceptible to Malwarebytes, log file below.

    NOTE: The registry keys mentioned in Symantec's removal instructions did not exist. They apparently have been changed to the ones mentioned below.



    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    2/19/2010 9:00:51 AM
    mbam-log-2010-02-19 (09-00-29).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 762930
    Time elapsed: 8 hour(s), 9 minute(s), 51 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 3
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 8

    Memory Processes Infected:
    C:\Windows\msa.exe (Trojan.Agent) -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ibahihikilugoqor (Trojan.Agent.U) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\htran\AppData\Local\Temp\rigslhn.exe (Trojan.Dropper) -> No action taken.
    C:\Windows\System32\pcidisk.sys (Rootkit.Agent) -> No action taken.
    C:\Windows\System32\Winlogon32.exe (Trojan.FakeAlert) -> No action taken.
    C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> No action taken.
    C:\Windows\msa.exe (Trojan.Agent) -> No action taken.
    C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
    C:\Users\htran\AppData\Local\tkSmsd.dll (Trojan.Agent.U) -> No action taken.
    C:\Windows\System32\41.exe (Trojan.FakeAlert) -> No action taken.



  • 2.  RE: coreguardantivirus2010 not cleaned by SEP 11.0

    Posted Feb 19, 2010 02:14 PM

    Title: 'Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not'
    Document ID: 2000100610314948
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2000100610314948?Open&seg=ent


  • 3.  RE: coreguardantivirus2010 not cleaned by SEP 11.0

    Posted Feb 19, 2010 08:25 PM
    What you have is a variant of the TDSS/TDL3.2x rootkit; the rogue is using it as a launching pad for all other infections. Symantec has been useless in dealing with these so far, just do a search here.
    Download and run Hitman Pro in "Force Breach" mode as described in this thread:
    http://www.wilderssecurity.com/showthread.php?t=265202
    There's also a YouTube video on how to do it in the first post. Good luck!