Microsoft Security Essentials Alert virus. We have had two such infections over last two days. Symantec is aware of a variant of this virus:
While Symantec will not currently prevent infection, a full scan (and only a Full scan) will detect associated files after removing two files associated with the infection.
We appear to have been hit with a new version of the same animal noted in the two links. There may be a newer threat write-up (please let me know if this is so), though I was not able to find it at the time of this post.
I have submitted the two associated files (users folder\documents and settings\application data\hotfix.exe and users folder\documents and settings\desktop\mstsc.exe) to Symantec and asked for virus definitions to prevent infection.
If you are having these symptoms but the files don't match the original threat write-up, perhaps you could try what we had to do here to remove the threat:
NOTE: I've written these from an IT Staff standpoint, so for many of the steps previous IT knowledge is assumed. If you need assistance on any menu items try searching for the task/item on support.microsoft.com. Also, I will not be checking back to this post and will not be able to answer any questions:
1. Login as a user with admin privileges, other than the user that was infected.
- e.g. if your normal user login is Administrator, create a new user and add that new user to the Administrators group
2. Login as the new/other user
3. Turn off System Restore
4. Goto C:\Documents and Settings\infectedusername\Local Settings\Application Data\ & C:\Documents and Settings\infectedusername\Application Data\ (on Vista and later the equivalents are C:\Users\infectedusername\AppData\Local\ and C:\Users\infectedusername\AppData\Roaming\)
- If you see the file "hotfix.exe" in either of these folders -- delete it
5. Goto C:\Documents and Settings\infectedusername\Desktop\
- If you see the file "mstsc.exe" -- delete it
NOTE: mstsc.exe is the name of a legitimate Windows file (the Remote Desktop / Terminal Services Client, which normally lives in C:\Windows\System32); the desktop is not its proper location. Do not delete mstsc.exe from any other location.
6. Precautionary/Optional steps
- Goto c:\windows\prefetch -- delete contents (do not delete the folder, just its contents). This is where Windows keeps the .pf files that record which programs have been launched (used to speed up later starts); the malware's own launches will be listed here, so note or copy any HOTFIX/MSTSC entries first if you want a record of what ran before you clear it.
- Delete infecteduser's temp internet files and temp files from C:\Documents and Settings\infectedusername\Local Settings\Temp and C:\Documents and Settings\infectedusername\Local Settings\Temporary Internet Files (not the folders, just the content of those folders)
- Delete c:\Windows\temp\ files (again, not the folder, just the contents)
7. Run LiveUpdate on Symantec AV to get most current definitions
8. Run Full System Scan
9. Reboot and login as the infecteduser
- Pop-up should not return. If it does...well, unfortunately you're still infected and just know that you have my sympathy.
Cheers.
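The manual steps 3 to 6 above, scripted so they can be repeated on the next machine that shows the same pop-up. This is an added example and not part of the original post; it assumes PowerShell 2.0 or later, an elevated prompt on the clean admin account with the infected user logged off, the XP profile layout the post uses, and a hypothetical C:\Quarantine folder for the copies you submit to the vendor. Disable-ComputerRestore only exists on Vista and later, so on XP step 3 stays a GUI task.

```powershell
# Added example: PowerShell version of steps 3-6 of the post. Not the post's own code.
# Assumes PowerShell 2.0+, an elevated prompt, a clean admin account (infected user logged
# off) and the XP profile layout. Run with -DryRun first to see what it would touch.
param(
    [Parameter(Mandatory = $true)]
    [string]$InfectedUser,                               # profile folder name, e.g. jsmith (assumed)
    [string]$ProfileRoot = 'C:\Documents and Settings',  # XP layout from the post; C:\Users on Vista+
    [string]$Quarantine  = 'C:\Quarantine',              # assumed folder for copies to send to the AV vendor
    [switch]$DryRun                                      # report only, delete nothing
)

$profileDir = Join-Path $ProfileRoot $InfectedUser
if (-not (Test-Path $profileDir)) { throw "Profile folder not found: $profileDir" }

function Get-Sha256Hex ([string]$Path) {
    # Get-FileHash needs PowerShell 4; use .NET directly so this also works on older hosts.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

# Step 3: System Restore. The cmdlet exists on Vista+ only; on XP turn it off in the GUI.
if (-not $DryRun -and (Get-Command Disable-ComputerRestore -ErrorAction SilentlyContinue)) {
    Disable-ComputerRestore -Drive "$env:SystemDrive\"
}

# Steps 4-5: the indicator files named in the post, and only in these locations.
$indicators = @(
    (Join-Path $profileDir 'Local Settings\Application Data\hotfix.exe'),
    (Join-Path $profileDir 'Application Data\hotfix.exe'),
    (Join-Path $profileDir 'Desktop\mstsc.exe')
)
# The real Terminal Services Client, left untouched; used only to compare hashes.
$legit     = Join-Path $env:SystemRoot 'System32\mstsc.exe'
$legitHash = if (Test-Path $legit) { Get-Sha256Hex $legit } else { $null }

foreach ($path in $indicators) {
    if (-not (Test-Path $path)) { continue }
    $item = Get-Item $path -Force
    $hash = Get-Sha256Hex $path
    Write-Host ('FOUND {0}  {1} bytes  modified {2}  sha256 {3}' -f $path, $item.Length, $item.LastWriteTime, $hash)
    if ($item.Name -eq 'mstsc.exe' -and $hash -eq $legitHash) {
        Write-Host '  hash matches System32\mstsc.exe: a stray copy of the real client, not the dropper'
    }
    if ($DryRun) { continue }
    # Keep a copy for the vendor submission mentioned in the post, with a harmless extension.
    if (-not (Test-Path $Quarantine)) { New-Item -ItemType Directory -Path $Quarantine | Out-Null }
    Copy-Item $path (Join-Path $Quarantine ('{0}_{1}.bin' -f $InfectedUser, $item.Name)) -Force
    Remove-Item $path -Force
    Write-Host '  removed'
}

# Step 6: empty the temp and prefetch folders (contents only, the folders stay).
# Prefetch .pf files record which executables ran and when; list the ones matching the
# indicators before they are wiped, so that evidence is not lost.
$prefetch = Join-Path $env:SystemRoot 'Prefetch'
if (Test-Path $prefetch) {
    Get-ChildItem $prefetch -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(HOTFIX|MSTSC)' } |
        ForEach-Object { Write-Host ('prefetch: {0}  created {1}' -f $_.Name, $_.CreationTime) }
}
$cleanDirs = @(
    $prefetch,
    (Join-Path $profileDir 'Local Settings\Temp'),
    (Join-Path $profileDir 'Local Settings\Temporary Internet Files'),
    (Join-Path $env:SystemRoot 'Temp')
)
foreach ($dir in $cleanDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -WhatIf:$DryRun -ErrorAction SilentlyContinue
}
Write-Host 'Done. Now run LiveUpdate and a Full System Scan (steps 7-8).'
```

Usage: `.\clean-hotfix.ps1 -InfectedUser jsmith -DryRun` to list what is present, then without -DryRun to remove it. The hash comparison is there because a desktop mstsc.exe that is byte-identical to the System32 copy is just a misplaced copy of the real client; either way it is removed, but the copy you send to the vendor should be the one that does not match.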