Endpoint Protection

  • 1.  WIN defrag fraud

    Posted May 22, 2011 12:36 AM

    I was wondering why Symantec Endpoint Protection will not remove the virus "WIN Defrag Fraud"? The scan finds it but cannot move it to quarantine or remove it.



  • 2.  RE: WIN defrag fraud

    Posted May 22, 2011 10:39 AM

    This spyware / malware just infected our computer on May 21. Endpoint scanned it, but claimed that access was denied in trying to quarantine and disable it. I checked the processes that were running and saw a "Vwacoc.exe" process that I had not seen before. I clicked to end the process but it would return. It uses CPUs and memory. I did a search for that process and found absolutely NOTHING on it. In my temp internet files I found a number of tmp files that I was able to delete. One file was "ewroxmnacs.tmp" which also drew a blank under a Google search.

    Any thoughts on how to remove this? We get a ton of pop-ups from both legitimate (?) websites as well as ad sites.



  • 3.  RE: WIN defrag fraud

    Posted May 22, 2011 08:44 PM

    Hi guys, I would highly recommend that you submit the sample to Symantec to add to their definitions.

    http://www.symantec.com/business/security_response/submitsamples.jsp

    Call support, get a case # and instructions on uploading to be able to download rapid release updates.



  • 4.  RE: WIN defrag fraud

    Posted May 22, 2011 11:43 PM

    Scan the system in safe mode since it is detecting the threat. If you find any other suspicious files, submit to Symantec.



  • 5.  RE: WIN defrag fraud

    Posted May 23, 2011 02:11 AM

    Hi Jim,

     

    SEP has several detections for scamware that pretends to be helpful third-party defrag tools. You may be interested in this recent blog post from Symantec Security Response:

    Trojan Feigns Failures to Increase Rogue Defragger Sales
    https://www-secure.symantec.com/connect/blogs/trojan-feigns-failures-increase-rogue-defragger-sales

     

    It sounds like you're encountering one that cannot be entirely remediated by AutoProtect? "Thumbs Up" to the advice from 22Aug and Mon. A full system scan in safe mode should take care of that, and definitely do submit any additional suspicious files you see.

     

    Please do keep this thread up-to-date with your progress!

     

    With thanks and best regards,

     

    Mick