Protection Suite Enterprise Edition

  • 1.  mspaint.exe virus

    Posted Feb 11, 2013 12:54 PM

    Hello,

    Whenever I restart the PC I receive a Symantec Tamper Protection Alert. It originates from application data\microsoft\Fhgcgh.exe

    Also, I can see 2 mspaint.exe processes running. When I try to close any one of them they restart immediately, and in most cases a detection alert pops up with file names such as 1.exe, A.exe, B1.exe, etc. However, there are cases when one of the files slips through and similarly named processes appear. Corresponding files appear in the application data folder.

    What I do next is close the svchost.exe processes under my user name and close the mspaint.exe files, which do not restart. No more alerts about threats pop up, no more strange processes start up, no more strange files.

    When I run a full system scan no issues are found anymore, but when I restart the PC everything starts from scratch.

    I have tried looking it up, but with no luck. Is this a new threat? Where can I read more about it if not? How can I solve this?

    I do not have administrator rights to this PC so the virus should not be in the system files. Is there a way of detecting the main process creating all of those sub-routines?



  • 2.  RE: mspaint.exe virus

    Posted Feb 11, 2013 12:59 PM

    You can use Process Explorer to show more detail. Also, submit the file to Security Response:

    https://submit.symantec.com/websubmit/gold.cgi
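
The parent/child view that Process Explorer gives can also be listed from PowerShell, which addresses the original question of which process is creating the others. The script below is an added example, not part of any post in this thread; the `services.exe` parent check and the System32/SysWOW64 path check are heuristics assumed here, and the function names are hypothetical.

```powershell
# Added example, not from the thread. Needs PowerShell 3.0+. Without admin rights,
# paths and owners of other accounts' processes may come back empty.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Walk ParentProcessId links upward, nearest parent first.
function Get-Ancestry($Process) {
    $chain = @(); $seen = @{}; $cur = $Process
    while ($cur) {
        $seen[[int]$cur.ProcessId] = $true
        $parent = $byPid[[int]$cur.ParentProcessId]
        if (-not $parent -or $seen.ContainsKey([int]$parent.ProcessId)) { break }
        # PIDs are reused: a "parent" created after its child is not the real parent.
        if ($cur.CreationDate -and $parent.CreationDate -gt $cur.CreationDate) { break }
        $chain += $parent; $cur = $parent
    }
    $chain
}

function Test-UnderDir($Path, $Dirs) {
    foreach ($d in $Dirs) {
        if ($Path -and $d -and $Path.StartsWith("$d\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    $false
}

$userDirs = @($env:APPDATA, $env:LOCALAPPDATA)
$sysDirs  = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))

$findings = foreach ($p in $procs) {
    $chain = @(Get-Ancestry $p); $reasons = @()
    $named = $p.Name -in @('mspaint.exe', 'svchost.exe')   # names reported in the thread
    if (Test-UnderDir $p.ExecutablePath $userDirs) { $reasons += 'image runs from Application Data' }
    if ($p.Name -eq 'mspaint.exe') { $reasons += 'mspaint.exe instance: check its parent' }
    if ($named -and $p.ExecutablePath -and -not (Test-UnderDir $p.ExecutablePath $sysDirs)) {
        $reasons += 'system binary name outside System32/SysWOW64'
    }
    if ($p.Name -eq 'svchost.exe' -and ($chain.Count -eq 0 -or $chain[0].Name -ne 'services.exe')) {
        $reasons += 'svchost.exe not started by services.exe'
    }
    if ($reasons) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath; Owner = $owner.User
            Ancestry = ($chain | ForEach-Object { "$($_.Name) ($($_.ProcessId))" }) -join ' <- '
            Reasons  = $reasons -join '; '
        }
    }
}
$findings | Format-List
```

An empty Ancestry means the parent has already exited. Run it before closing anything, because the process list is a point-in-time snapshot.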



  • 3.  RE: mspaint.exe virus

    Trusted Advisor
    Posted May 14, 2013 04:50 PM

    Hello,

    What version of SEP are you running?

    You could run the SymHelp Utility to check the suspicious file on the client machine and then Submit those to the Symantec Security Response Team:

    Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante

    Hope that helps!!



  • 4.  RE: mspaint.exe virus

    Broadcom Employee
    Posted May 22, 2013 10:21 AM

    Hi,

    You need to know the best practices for responding to active threats on a network:

    Best Practices for Troubleshooting Viruses on a Network

     
    Responding to a virus infection comprises the following five steps:

    Step 1. Identify the Threat and Attack Vectors
    Step 2. Identify the Infected Computers
    Step 3. Quarantine the Infected Computers 
    Step 4. Clean the Computers Infected

    It's always recommended to have the SEP client installed with all three features, i.e. AV/AS, PTP & NTP, with the latest definitions.

    The machine should have the latest Windows patches and service pack.

    Disable Autorun if using SEP 11 version. In SEP 12.1 auto run is disabled by default.

    Update third party software to their latest versions.

    If you think SEP is still not able to detect the threat, then you need to identify the source of these attacks and submit the suspicious files.

    Use Power Eraser to detect threats and remove them.

    http://www.symantec.com/theme.jsp?themeid=spe-user-guide

    Online scan for virus and threat

    http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&plfid=23&pkj=UQFPFIZTYMWPAZTJWUF

    Also, you can attempt to run a full scan in Safe Mode.