Endpoint Protection

  • 1.  Another DWH Trojan Issue

    Posted Jun 01, 2010 05:58 PM
    To whom it may concern (or help me to stop throwing things at the wall):

    I recently fell victim to the DWH trojan, most likely from removing my UAC on my 64-bit Windows 7 Dell Laptop. I've tried to go into safe mode and delete the files, but there are none in the Temp folder as I believe they are all relocated to the Quarantine folder in C:\Program Data\Symantec\Symantec Endpoint Solution\Quarantine. I saw in another thread that there is a file utility that can be used to alleviate this issue, but have been unable to procure it thus far. I believe the utility is SYMDELTMPS, but am unsure given the title that it will help as I think the files are all located in the Quarantine folder.

    Someone please help. The trojan is well known and yet impossibly hard for me to eliminate.
    I'm running Symantec Endpoint Protection v:11.0.6000.550 on a Windows 7 64-bit machine.

    Sincerely,

    Jester


  • 2.  RE: Another DWH Trojan Issue

    Posted Jun 01, 2010 06:13 PM
    It sounds like SEP caught the threat and moved the suspect files to quarantine.  Could you look at the risk logs in the SEP client interface, and determine if a threat was detected, and what action was taken? 

    If you can verify the files in quarantine are malicious/unknown, you can delete them manually from quarantine if you wish. Otherwise, they will remain in quarantine up to 30 days awaiting code to attempt to repair the files, and are then automatically deleted if no remediation happens after 30 days.


  • 3.  RE: Another DWH Trojan Issue

    Posted Jun 01, 2010 07:29 PM
    Please take a look at this document, as it sounds like you are experiencing a known issue.

    Title: 'When new virus definitions are in place and the quarantine is being scanned, a DWHxxx.tmp file is created and detected by Auto-Protect'
    Document ID: 2007111911135548
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111911135548?Open&seg=ent


  • 4.  RE: Another DWH Trojan Issue

    Broadcom Employee
    Posted Jun 02, 2010 12:02 AM
    It's strange, because it has been fixed in MR4 MP2. You may open a support case as well.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548


  • 5.  RE: Another DWH Trojan Issue

    Posted Jun 02, 2010 05:52 AM
    I used to have this problem with an early version of SEP but it went away with the upgrade to MR4 MP2. However, it seems to have returned with a vengeance in v11.0.6000.550. Have tried the Safe Mode delete of the temp directory and that cures it for a few hours, but then it comes back again.

    Tennant


  • 6.  RE: Another DWH Trojan Issue

    Posted Jun 07, 2010 06:53 PM
    Judging from what I see, remove SEP and then re-install with the last version that did work - and hopefully someone at Symantec discovers the solution.

    Reminds me of an update from Apple a couple of years ago. One of their cumulative security updates killed off any application that came with the OS that can access the Internet [Safari, mail, chat]. But you could use third party Internet apps. No Firefox, but ended up using an old IE for the Mac to find the cure. Delete a couple of data files. Next cumulative update after was fine but the one after caused the same problem.


  • 7.  RE: Another DWH Trojan Issue

    Posted Jun 13, 2010 09:16 AM

    I'm also having this problem, again v11.0.6000.550.

    I did a fresh install using RU6 (i.e. no patches required) but it still has the problem.


  • 8.  RE: Another DWH Trojan Issue

    Posted Jun 13, 2010 09:47 AM
    1. Restart the system in Safe Mode and do a Full Scan.
    2. Using the SRT (Symantec Recovery Tool) try to do an Offline Full Scan which is very effective in such cases.
    3. Check if the client is not visiting a shared folder containing the Trojan so that the virus comes back from the location.


    See if these work.