Video Screencast Help

mspaint.exe virus

Created: 11 Feb 2013 | 3 comments


Whenever I restart the PC I receive a Symantec Tamper Protection Alert. It origins from application data\microsoft\Fhgcgh.exe

Also, i can see 2 mspaint.exe proceses running. When I try to close any one of them they restart immediately and in most of the cases detection alert pops up with file names such as 1.exe A.exe B1.exe etc. However, there are cases when one of the files slips through and similarily name processes appeare. Coresponding files appear in application data folder.

What I do next, is close the svchost.exe processes under my user name and close the mspaint.exe files, which do not restart. No more allerts about threats pop up, no more strange processes start up, no more strange files.

When I run a full system scan no issues are found anymore, but when I restart the PC everything starts from schrach.

I have tried looking it up, but with no luck. Is this a new threat? where can I read about it more if no? How can I solve this?

I do not have administrator rights to this PC so the virus should not be in the system files. Is there a way of detecting the main process creating all of those sub-routines?

Comments 3 CommentsJump to latest comment

ᗺrian's picture

You can use process explorer to show more detail. Also submit the file to security response:

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture


What version of SEP are you running?

You could run the SymHelp Utility to check the suspicious file on the client machine and then Submit those to the Symantec Security Response Team:

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture


You need to know the best practices for responding to active threats on a network

Best Practices for Troubleshooting Viruses on a Network

Responding to a virus infection comprises the following five steps:

Step 1. Identify the Threat and Attack Vectors
Step 2. Identify the Infected Computers
Step 3. Quarantine the Infected Computers 
Step 4. Clean the Computers Infected

It's always recommended to have SEP client installed with all three features i.e. AV/AS, PTP & NTP with the latest definitions

Machine should have latest Windows patches and Service pack.

Disable Autorun if using SEP 11 version. In SEP 12.1 auto run is disabled by default.

Update third party software to their latest versions.

If you think SEP is still not able to detect the threat then need to identify the source of these attacks and submit the suspicious files.

Use Power Eraser to detect threat and remove them.

Online scan for virus and threat

Also you can atttempt to make a full scan in Safe mode.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<