Endpoint Protection

  • 1.  Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 09, 2010 10:42 AM
    My SEP is not picking it up.


  • 2.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 09, 2010 10:50 AM
    Check out this security article on Virus removal.

    https://www-secure.symantec.com/connect/articles/virus-removal#comment-3504921

    If possible, submit a sample to Security Response for analysis.

    http://www.symantec.com/business/security_response/submitsamples.jsp



  • 3.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 09, 2010 11:00 AM
    But I've already tried most of what the article has to offer.  I do have Symantec Endpoint installed, but the virus got past it.  I have two PCs that have this same virus; both had up-to-date protection.  I have removed the systems from the network, so at the moment I cannot submit a sample.  I will most likely have to format the hard drives on both systems because this virus will not let me run a scan using Symantec Endpoint or Malwarebytes Anti-malware.  Just to let you know, for the last two weeks Symantec Endpoint has been letting quite a few viruses through.


  • 4.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 09, 2010 11:03 AM

    Title: 'The 5 Steps of Virus Troubleshooting'
    Document ID: 2007011014341948
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007011014341948?Open&seg=ent


  • 5.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 09, 2010 11:05 AM
    Same here, and in our case, I use both Trojan Remover and MBAM and in every case, one caught something and the other did not, even MBAM and TR have missed - when one fails, I run the other.
    I also install from a thumbdrive and boot Windoze into safe mode with no networking.
    You have to be quick with the task list open, constantly ending tasks with one hand and launching MBAM from the desktop icon with the other, and eventually, you'll win - stop the "AV.EXE" app or whichever you have from the running tasks while launching MBAM or TR.
    It's like a game.......... I usually win, but sometimes I'm sweating! LOL
    I then submit the files found, and in three cases in the last couple of weeks, have ended up submitting new stuff to them.

    So I have my policy to block these things using application control  - that has helped a lot.
    These risks are so new, they are new multiple times a day and the folks putting them up buy new domains by the dozen every day!


  • 6.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 09, 2010 11:16 AM
    I had not thought of using the application control.  I've not tried Trojan Remover; maybe that'll work for me.  Thanks.


  • 7.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 09, 2010 11:19 AM
    One thing that has worked for me in the past when the rogueware does not allow exe's to run is to rename them to something random. For example change mbam.exe to rdwbfg.exe, then malwarebytes would run and clean the machine.


  • 8.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 09, 2010 11:43 AM
    Agreed - some, not all, but some do look for specific processes or EXEs and block them.
    It's sure worth a shot...... even if you have to do it from a command prompt.

    Ren mbam.exe a.exe

    then run a.exe

    I've got an article here with an attached DAT file on how I used SEP's application control to assist in preventing rogue AV and BHOs.........


  • 9.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 24, 2010 10:36 AM

    Kill the av.exe process first.
    Type the below taskkill.exe in the command window or in the run box.
    Should work with all flavors of Windows. You can re-run it every time av.exe tries to start up again.
    COMPUTERNAME = Your computer name or can be your ip address
    USERNAME & PASSWORD = administrator Username and password of the computer. I believe you can leave the password blank
    if you don't have a password assigned.

    taskkill.exe /S COMPUTERNAME /U USERNAME /P PASSWORD /IM av.exe  /F

    The below key is what executes av.exe.
    Back up each key before deleting, just in case.

    Locate this key below and change the (Default=) string to exefile
    the value (secfile) is what runs av.exe
    Should look like this

    [HKEY_CLASSES_ROOT\.exe]
    Default=exefile
    Content Type=application/x-msdownload

    Now do the following

    Delete sub key
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command

    Delete sub key
    HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command


    Delete string only
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
    "C:\\Documents and Settings\\mopereira\\Local Settings\\Application Data\\av.exe"="av"


    Delete sub key
    HKEY_CLASSES_ROOT\.exe\shell\open\command

    Delete the key including its sub keys
    HKEY_CLASSES_ROOT\secfile

    Delete sub key
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

    This has saved me plenty of times.
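
The checks from the post above, as an added example that is not part of the original post: a PowerShell audit that reads the `.exe` association and the `secfile` keys named there, and exports any that exist with `reg.exe export` before anyone deletes them. The backup folder `$BackupDir` and the function name `Get-DefaultValue` are assumptions made for this example; the script changes no registry data.

```powershell
# Added example: read-only audit of the keys named in the post above.
# $BackupDir is an assumed location; no registry key is modified or deleted.
$BackupDir = Join-Path $env:TEMP 'exe-assoc-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Keys the post says to delete once the machine is being cleaned.
$HijackKeys = @(
    'HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command',
    'HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command',
    'HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'HKEY_CLASSES_ROOT\secfile'
)

function Get-DefaultValue([string]$Key) {
    # Returns the key's (Default) value, or $null if the key or value is absent.
    $path = "Registry::$Key"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).'(default)'
}

$findings = @()

# 1. The post expects HKCR\.exe (Default) to read "exefile"; it names "secfile"
#    as the value that launches av.exe.
$assoc = Get-DefaultValue 'HKEY_CLASSES_ROOT\.exe'
if ($assoc -ne 'exefile') {
    $findings += [pscustomobject]@{
        Key = 'HKEY_CLASSES_ROOT\.exe'; Value = $assoc; Issue = 'Default is not exefile'
    }
}

# 2. Any listed key that still exists is exported to a .reg file and reported.
foreach ($key in $HijackKeys) {
    if (Test-Path -LiteralPath "Registry::$key") {
        $file = Join-Path $BackupDir (($key -replace '[\\:.]', '_') + '.reg')
        & reg.exe export $key $file /y | Out-Null
        $findings += [pscustomobject]@{
            Key = $key; Value = (Get-DefaultValue $key); Issue = "Present; backed up to $file"
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No hijacked .exe association found.' }
```

Because `HKEY_CLASSES_ROOT` is a merged view of the per-user and machine-wide `Software\Classes` hives, a per-user hijack under `HKEY_CURRENT_USER` normally shows up under both paths; running the audit again after cleanup should print the "no hijacked association" line.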



  • 10.  RE: Can someone please tell me how to remove the virus called "your pc protector"?

    Posted Feb 25, 2010 12:13 PM
    Before you format, did you try Windows system restore?