Alakazam

  1. Kadah: I'm going to have the machine reformatted. Is there any risk to normal files (Word, Excel, etc.) with this type of malware that I would risk spreading to other machines if I copy these to a flash drive? Thanks for letting me know for sure what I was up against. Alakazam
  2. Overlooked posting my log file yesterday. Reposting as no reply (because I didn't post my log). Working on a removal of sysguard.exe and related agents. Machine is workable, but keeps reverting to an "infected" state. Ran Symantec endpoint yesterday, full scan, removed A0033482.exe trojan. Ran full scan of Malware Bytes after and picked up 6 additional infections which it didn't see on last scan Wednesday last week. Most disconcerting issue is that Windows safe mode does not work now - getting a blue screen when I try to work that way. Yikes. Still getting popups after running Malware Bytes. I ran defogger and I'm attaching my Attach, DDS, and ARK logs per the instructions. Any help on finishing this baby off would be appreciated. Took me a while to get to this point with this nasty thing. I have a prior log file which I can also post from earlier when this thing was really cooking.

     Malwarebytes' Anti-Malware 1.41
     Database version: 3262
     Windows 5.1.2600 Service Pack 2

     11/30/2009 10:20:54 AM
     mbam-log-2009-11-30 (10-20-54).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 158702
     Time elapsed: 48 minute(s), 9 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 2
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 2

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmjpbufq (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmjpbufq (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Documents and Settings\Administrator\Local Settings\Temp\573.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{94C1EBCA-26E8-496B-8CC5-8BB64561DDB8}\RP387\A0034521.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

     ark.txt Attach.txt DDS.txt
  3. Working on a removal of sysguard.exe and related agents. Machine is workable, but keeps reverting to an "infected" state. Ran Symantec endpoint this morning, full scan, removed A0033482.exe trojan. Ran full scan of Malware Bytes this morning, picked up 6 additional infections which it didn't see on Wednesday last week. Most disconcerting issue is that Windows safe mode does not work now - getting a blue screen when I try to work that way. Yikes. Still getting popups related to sysguard infection (registrydefender.com) as I type this up, but it is minimal compared to earlier. I ran defogger and I'm attaching my Attach, DDS, and ARK logs per the instructions. Any help on finishing this baby off would be appreciated. Jeff ark.zip Attach.zip DDS.zip
  4. First post to this forum - Great free software - saved my job today! Got handed my boss's home computer today and told to fix it, was exhibiting big time malware symptoms. Not tagging as virus. Vista machine, ran malware bytes install, and scanned. Found 20+ instances of malware, and tagged 2 items for removal on reboot. One item was program files\cc\agent.exe (may have been cc\cc agent.exe). On reboot, machine would boot, but immediately began running "control center" (cc.exe) and locked out desktop. Killed cc.exe via task manager, navigated to the malware bytes exe file via command prompt as task manager was still functional (other than that it was a blank screen to work with). Ran Malware bytes again, but it did not detect the cc.exe program as malware. I then reviewed the log file, determined where cc.exe was located, and deleted it via command prompt (C:/Program files/CC). It appears Malware found and killed the "agent.exe" but left the "cc.exe" file in the same directory alive. More info on CC agent.exe and cc.exe found posted today on the threat expert. http://www.threatexpert.com/report.aspx?md...73af7f1bbc35a68