
DWH trojan, Symantec can't remove it !?

Created: 25 Jul 2007 • Updated: 02 Mar 2009 | 46 comments
Oh guys I need help!

I am using Symantec AntiVirus, version 10.2.0.224 (corporate version, I think); the scan engine is 71.3.0.25, with the latest virus definition update.

Recently, when I scan my computer and the scan reaches Application Data > *my user name* > Temp,

it detects looooots of trojans named "DWH****" (**** is a random number, like 3D25, 5C68). And these files seem to duplicate themselves under different names when the virus scan touches them, so my virus scan is stuck in this folder forever, scanning up to 3k files with the same kind of name, like "DWH1D23, DWH5C71... ...blah blah blah". And it seems endless; I have to stop it manually (scans of up to 5 hours!).

When I use the antivirus function to delete all of these files, restart the computer and try scanning again, those files are still there, but with slightly different names!

So what I do is enter the computer's safe mode, manually go into the same folder (Application Data > *my username* > Temp) and delete all of the files (I can't do that in normal mode: when I delete them they immediately change name, so it shows "the file is no longer there").

Looks like my Symantec antivirus won't give a **bleep** about it. I downloaded Spybot S&D, updated it and scanned, but no luck there either.

Can someone teach me how to overcome this situation? Thanks !

don_ite's picture
Hi Melchiah,
 
Can you tell us a little more about the threat that is being detected? Is the "DWH*****" the actual threat name that we are detecting, or is it the file name of the file that we are scanning? It sounds like it may be the file name.
 
Can you tell us what the virus name that is being detected is? Is it just calling it a trojan, or is it more specific than that? Also, the build number is 10.2.0.224, so I'm assuming that this is occurring on Windows Vista?
 
Regards,
 
Don
Melchiah's picture
Yes don_ite, you're the expert one; my apologies that I forgot to mention my OS: it's Vista Ultimate, 64-bit.
 
When it detects the virus, the name it shows is "Trojan", then the file name itself. Example:

Risk      Action        Count  Filename
---------------------------------------
Trojan    Quarantined   2      DWH2C50
Trojan    Quarantined   2      DWH9B30
Trojan    Quarantined   2      DWH3H25
.         .             .      .
.         .             .      .
.         .             .      . and so on...
---------------------------------------

Thanks a lot,
 
Melchiah

Message Edited by Melchiah on 07-26-2007 05:18 PM

don_ite's picture
Hi Melchiah,
 
I spoke with our Security Response team today, and we looked through a list of detections for the trojan threat you listed above. We don't have a detection labeled just "trojan." It is usually "Trojan.xxx" with some extra naming convention to be more specific.
 
Is there more to the name than just trojan? What screen in Symantec Antivirus are you finding that information? I assume it's in the risk history page?
 
Truly, the quickest way to resolve this issue is to have you call into support and, with their assistance, submit samples of the threat to us. In this way we can determine exactly what's there and how to keep it from re-occurring.
 
Let me know the answers to the questions above, if you don't call in to Support. Please keep in mind, however, that the only solution may be to have you call our Support team.
 
Regards,
 
Don
 
kjsteuer's picture
I am getting the same scenario. I also have Vista 64-bit edition. My antivirus (10.2.0.298) will pick up the temp files and gives me the link:
 
 
Will this work with vista, the page only states through xp. Did you find a solution? The files are detected at the same time each day.
 
Sill Cinnamon's picture
Hi all, I also have the same problem. It has been like this for 2-3 weeks already. The threat doesn't seem harmful but is annoying as hell. Basically, at a random time, the anti-virus program would pick up a trojan horse threat in a file in a temp folder starting with 'DWH*'. In one sequence, the program could pick up from 2 to 200-something of these DWH files, as shown in the picture. This happened like 5-6 times a day !!! Sometimes, the anti-virus program would pick it up right from the beginning as I start Windows.
 
Please let me know if there is a solution for this.
 
 
kjsteuer's picture
Those are the same screens I continue to get. I can't figure out which process is creating them.
Melchiah's picture
My friend, I just found out how to get rid of this annoying problem! The solution is a little bit weird since we have to manually delete all of them; anyway, here is what I did:

1. Unplug your network cable, or turn off the wireless connection.
2. Restart your computer into safe mode (to do so, shut down and start up your computer; when the computer has just started, keep pressing either F2 or F8, or any other key according to your computer's setting, like mine is F1 in Vista; then in the advanced options menu, use your keyboard to select "Safe Mode", which is at the top of the menu, then press Enter and wait until the computer loads up).

3. In safe mode, the computer will look a bit weird, like Windows 98, but it's normal. Go to your folder options and make sure it shows all the hidden folders.
 
4. Go to open User > Application Files > Local > Temp (this is the path on my Windows Vista; for XP it should be "C: > User and Setting > *your name* > Application Folder > Local > Temp").

5. Now in this folder, look for those annoying files, DWH**** inside; you will see tons of them.

6. DO NOT delete them from the top. If you do so, the files will either keep duplicating themselves, which means you can't finish deleting them, or they will change their name and show you "the specified path is no longer there...".
 
7. Instead, scroll down until you see the LAST DWH**** file in the list, and highlight them from BOTTOM to TOP. Remember, from BOTTOM to TOP means you highlight them starting from the last of the DWH**** files! This is the correct way to keep them from duplicating/mimicking themselves while deleting.
 
8. Now, delete all of them. After that, empty your recycle bin immediately.
 
9. In the same folder, double check again to ensure no more DWH**** files are lurking inside.
 
10. Restart your computer and leave it alone to let it start back into normal mode (you can turn off "show hidden folders" if you want).
 
11. Connect back to the internet and run LiveUpdate.
 
It should be fine now. So far I have never gotten this problem again; hope this helps.
ryoung92's picture

Wow pure ingenious. I was wondering if there was a way that you could see all of the DWH files without them deleting themselves first. You have ended my annoyance. 

cscherrey's picture
I'm getting the same error on 3 Vista 32bit PCs.  One is Vista Ultimate and the other two are Vista Business.  All 3 are running Symantec Antivirus 10.2.0.276.  Has anyone tried the solution listed and does it work?
veritas72's picture

I am getting the same exact problem.  Will try the solution listed, and report back.  I have a feeling that these aren't actually virus/trojan files at all.  The only time my system pays any attention is when I get updated virus defs and tell it to check my quarantine to clean/repair.

Meckron's picture
I don't have this problem, but I was just wondering if this had anything to do with DWHWizrd.exe, which is installed as part of Symantec Antivirus?
adjohns6's picture

Melchiah, you rock! I have been fighting with this problem for months and I have not been able to figure it out. I have tried searching before and unfortunately I didn't find this response until now. This worked perfectly the first time and was pretty easy to fix. I'm just glad to be done with it. Thanks again!

Nel Ramos's picture

Thanks also.
I had documented this for future reference.

The best part was the way to delete replicating files.
BOTTOM - TOP...
Practical and effective.

Regards,

Nel Ramos
IT-OCC

asfinch's picture

I'm having some serious problems with a trojan and don't know what to do. At random times, or at some startup times, I get popups from my symantec autoprotect telling me that there is a malicious trojan file in my temp file that is always DWH***.tmp (e.g. DWHAB5.tmp). It shows on symantec as "Bloodhound.PDF.1" Each time, the number of temp files grows, I'm up to about 16 now at each instance of generation. For every infection, there is an infected file, and a browser cache. Also, the file name of the temp file always starts with "DWH" and then ends in another random 3 characters. Symantec's web page reports that the risk level is very low, however, I'd like to deal with the problem. I am also aware that the temp file is appearing as a "heuristic detection for reporting PDF files that contain javascript that may have been obfuscated or encrypted to conceal it from antivirus software." If anyone has any ideas, please let me know.
I tried Melchiah's idea, but I found that it only deletes the end file in the temp folder (which creates the DWH files); there is a file somewhere else creating that end file too, which causes the repeated infection.  Any suggestions would be greatly appreciated.
Thanks

Abhishek Pradhan's picture

There is a tool available from Symantec Tech Support to fix this issue. It's called SYMDELTMPS, and it needs to be executed on the computer(s) where you are facing this issue.

Call Tech Support and tell them to email you the link from where you can download and use the tool.

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Nel Ramos's picture

@Abhishek Pradhan: thanks for the tip...

@Symantec Team: Hi, could we have the link for SYMDELTMPS in this thread.
This will be a big help for us Symantec clients.
Does SAV and SEP already have a patch for this one so that we would not deal with it manually?

thanks.

Nel Ramos

Abhishek Pradhan's picture

@ Nel

Hard Luck. No Patch for this issue.

AND you really do need to open a support case to get the tool. Unless you open a support case, no one in support will send you the link to download the tool (unfortunately).

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Frez121212's picture

Yes, it's actually not a virus at all. What is happening is, when you update your antivirus, it changes some names in the temporary files.. which is normal.. but changing file names is a symptom of viruses.. so it detects it as a virus even though IT is the one that just created it.. lol 

So in other words your anti virus is making fake viruses.. But I like to compare it to a guy who just farted during sleep and woke up thinking it was someone else..

Senrats's picture

Document ID: 2007111911135548

Solution:
This problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

Please refer to the product Download page to obtain the update:
http://www.symantec.com/business/support/downloads.jsp?pid=54619

If you are unable to migrate up at this time, here are workarounds that should alleviate the issue. These are listed in order of preference.

  1. Disable rescanning of quarantine upon receipt of new virus definitions.
  2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
  3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
  4. Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.

"Trust, but verify."

tennyboy's picture

I encountered this problem starting about a month ago.  I suspected that this wasn't a virus and am glad that this suspicion has been confirmed.  My result was I was annoyed enough with this that I contacted my company's tech support.  They punted and now I'm getting a new computer with Windows 7 (even though it now appears the solution in this forum works...thanks Melchiah).  Sigh.  I might forward this along to tech support to help educate them.

Puzzled's picture

Hello I am running 11.0.6 and this issue is still not resolved. What is the resolve to this issue??

Ramji Iyyer's picture

Puzzled

Upgrade to 11.0.6a & check.

Regards...
Ramji Iyyer

Wayne1's picture

Hi

I'm on 11.0.6005.562 and have the same problem on a Win7 X64 computer.

Any suggestions?

Thx

TPJohnP's picture

I am using Windows 7, latest version of Symantec and get the same error, see below, DWHxxxx.tmp.
The first post for error is over 3 years ago and you still don't have a fix! WOW.

Here is the alarm I am getting. I have sanitized the user details:

-----------------------------------------------------------------------------------------------
Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan Horse
File: C:\Users\username\AppData\Local\Temp\DWHDBD0.tmp
Location: C:\Users\username\AppData\Local\Temp
Computer: compname
User: username
Action taken: Pending Side Effects Analysis : Access denied
Date found: Monday, August 02, 2010  9:51:22 AM
-----------------------------------------------------------------------------------------------

Thanks.
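
As an added example (not from this thread or from Symantec), the following Python triages a dump of SEP "Risk Found" alerts shaped like the one quoted above and separates the DWH*.tmp-in-Temp pattern that the thread attributes to the quarantine rescan from detections that still need a look. The file-name, folder and risk-name regexes and the sample alerts are my own assumptions constructed from what the thread reports.

```python
"""Triage SEP Auto-Protect "Risk Found" alerts for the DWH*.tmp pattern this
thread describes. Example code for this page, not Symantec's own tooling."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample alerts in the shape of the one quoted above (not real logs).
SAMPLE_EVENTS = """\
Security risk detected: Trojan Horse
File: C:\\Users\\username\\AppData\\Local\\Temp\\DWHDBD0.tmp
Location: C:\\Users\\username\\AppData\\Local\\Temp
Action taken: Pending Side Effects Analysis : Access denied
Date found: Monday, August 02, 2010  9:51:22 AM
-----
Security risk detected: Trojan.Gen
File: C:\\Users\\username\\AppData\\Local\\Temp\\DWH2C50.tmp
Location: C:\\Users\\username\\AppData\\Local\\Temp
Action taken: Quarantined
Date found: Monday, August 02, 2010  9:51:40 AM
-----
Security risk detected: Trojan.Gen
File: C:\\Users\\username\\Downloads\\invoice.pdf.exe
Location: C:\\Users\\username\\Downloads
Action taken: Quarantined
Date found: Monday, August 02, 2010  9:52:01 AM
"""

# Assumed file-name shape from the thread: DWH + 3-4 hex-like characters, usually .tmp.
DWH_NAME = re.compile(r"^DWH[0-9A-Z]{3,4}(\.tmp)?$", re.IGNORECASE)
# Temp folders named in the thread: the user's %TEMP% and C:\Windows\Temp.
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Local Settings\\Temp|Windows\\Temp)$", re.I)
# Generic risk names the thread reports for these files (a named family would not match).
GENERIC_RISK = re.compile(r"^(Trojan Horse|Trojan\.Gen|Bloodhound\..+)$", re.IGNORECASE)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split a dump of 'Key: value' alert blocks separated by dashed lines into dicts."""
    events = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def classify(event: Dict[str, str]) -> str:
    """'dwh_self_detection' when all three traits from the thread line up (generic risk
    name, DWH*.tmp file name, file inside a Temp folder); anything else is 'investigate'.
    A hit is a cue to check the KB workarounds, not proof that the file is harmless."""
    name = event.get("File", "").rsplit("\\", 1)[-1]
    in_temp = bool(TEMP_DIR.search(event.get("Location", "")))
    generic = bool(GENERIC_RISK.match(event.get("Security risk detected", "")))
    if DWH_NAME.match(name) and in_temp and generic:
        return "dwh_self_detection"
    return "investigate"


def summarize(text: str) -> Dict[str, int]:
    """Count alerts per class so a burst of DWH hits stands apart from real detections."""
    return dict(Counter(classify(e) for e in parse_events(text)))


if __name__ == "__main__":
    for e in parse_events(SAMPLE_EVENTS):
        print(f"{classify(e):20s} {e['Security risk detected']:12s} {e['File']}")
    print(summarize(SAMPLE_EVENTS))
```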

meanmiguel's picture

I'm as amazed as you TPJohn, I hope a fix is found for this "trojan.gen" soon. 

echostate's picture

Exactly the same issue! It makes my computer very slow ... Hope Symantec can come up with a solution soon. This is stupid!

XexeX's picture

It was fixed at MR5 but came back at MR6........
I think Symantec has developed a "Bug Restore" function in their product. XD

Thomas66's picture

We had this issue in SAV 10.   It popped back up for us in SEP11 RU5.  RU6 was supposed to fix it... oops, it didn't.  Now RU6-MP1 is supposed to.  

Who wants to lay odds on a fix or not?

info-123's picture

I have the same problem using SEP 12.0.101.95 (SEP Small Business Edition).

A lot of files in Quarantine!!!

 

Disgruntled's picture

This is driving me insane. I have updated the engine and I am running 10.1.2.142 and Program version 10.2.0.298.

Today alone I have already run two online scans AND Malwarebytes only to find that it's a Symantec problem. Every 20 seconds or so I am getting the "Auto-Protect has acted upon the risks" and showing me it has quarantined the next batch of so-called Trojan Horses. I am getting to the stage of deleting Symantec and installing a free virus checker!!!!!

Dana-Marie's picture

Hello,

If the steps that Melchiah posted didn't work, try scanning the machine in safe mode and ensure that System Restore is turned off.

If that still doesn't work, uninstall the Symantec agent from the client machine, then test again and see if the files still exist in the temp folder as they did when Symantec was installed. They shouldn't exist anymore; restart your machine and it should be fine. From the console, deploy the agent to the machine and the problem should be fixed.

John_Prince's picture

Whew, this is one we have been fighting for quite a few versions of SEP. I apologize to you all for this problem...

The last I have is this was fixed in RU6 MP1 (11.0.6100.x), I haven't seen this issue occur with that particular build. /Fingers Crossed.

Here's a few workarounds:

-Get Symdeltmp from Support

 

If you cannot/don't want to get this tool you can try the following:

NOTE: Please be aware this was written for Windows 7/Vista/2008. You will need to change the ProgramData folders below to C:\Documents and Settings\All Users\Application Data\Symantec\...

I apologize for the formatting; this is a copy/paste job from one of our internal KBs.

Detailed Steps:

Stop the Symantec Management Client service

• Click Start, then Run
• Type: smc -stop
• Click OK

Open the Command Prompt

• Click Start
• Click All Programs
• Click Accessories
• Right-click Command Prompt
• Click Run as administrator
• Click Yes or enter your password

Delete the contents of the User's Temporary Folder

• Log in as the user who is receiving the .tmp file detections
• From the Command Prompt, type in:
• del /F /Q %temp%

Delete the contents of the Windows Temporary Folder

• From the Command Prompt, type in:
• del /F /Q "C:\Windows\Temp"

Delete the contents of the "xfer" and "xfer_tmp" Folders

• From the Command Prompt, type in:
• del /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer"
• del /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp"

Delete the Quarantine Folder

• From the Command Prompt, type in:
• del /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
• rd /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Recreate the Quarantine Folder

• From the Command Prompt, type in:
• md "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Symantec Endpoint Protection

• Click Start, then Run
• Type: smc -start
• Click OK

 

Please be cautious with the use of these commands, any data in the folders that you delete will be lost forever.

Remote Product Specialist, Business Critical Services, Symantec

shikkapow's picture

John_prince,

I am running version 11.0.6005.562, and am experiencing the same problem.

 

windows 7 64 bit.

 

I tried downloading the utility and it didn't work, so I tried your approach with the command prompt deletion.  Hopefully this one will work, because I would get dozens of DWH alerts at a time.

it@gdsx.com's picture

We just deployed the 11.0.6_MP2 release and the problem still exists.  As late as yesterday, 2/9, I'm still seeing C:\Users\username\AppData\Local\Temp\DWH(random 4 characters).tmp detected as Trojan.Gen, failing to quarantine.

This is version 11.0.6200.754, client OS is Windows 7 64-bit.

Ivpro's picture

This "virus" reared its ugly head again starting 3/15/2011. I tried the steps provided by John_Prince and will see if it helps. I am running Win7 32-bit, version 11.0.6005.562.

Manuel Varas's picture

Has somebody resolved this problem? Because the upgrade didn't work for it@gdsx.com.

Any other idea or upgrade?

I need to resolve this; I have a client with SEP 11.0.6100.645 and this problem occurs many times.

Nasrullah's picture

Hi Manuel & All,

My system was affected with the same trojan. I have visited this blog multiple times and tried whatever solution was posted here, but no luck.

Today, finally, I got the solution. I downloaded spybotsd162.exe (Spybot Search & Destroy) and scanned my PC. It detected the problem and fixed it :).

It has been 24 hours now, and I can't see any DWH*** files being created in the c:\windows\Temp folder.

 

GOOD LUCK !!!

Nasrullah

 

Doll-I.A.'s picture

I tried to do the method you suggested that your friend helped you out with, but I forgot how to get to Safe Mode...LOL.  Yes, I'm a n00b when it comes to virus-related stuff.  The computer I was having the problem on has Windows XP 32-bit, but I tried the method as closely as possible and it actually worked too.  What I did was restart my computer, but unplugged the internet beforehand.  Then, I ran a query for "local settings" and found the "temp" folder within it, and there was that annoying DWH thing, but it stopped duplicating.  I clicked on all of them from bottom to top but waited until each file's information showed up.  Then, Symantec popped up and ran an analysis on all of them and quarantined them.  When I turned the internet back on, the files stopped reproducing and DWHwizard.exe no longer showed up in the processes.  Also, thanks for the tip.  Now my mom's computer isn't as slow and she can work on it in peace. XD

phegan's picture

This is still going on? I have the latest build on a freshly imaged computer and this is still going on. It renders my machine almost useless for what I need it to do. We need a quick, easy fix now, or we need to find someone else to handle this part of security.

mon_raralio's picture

Same in this thread:

https://www-secure.symantec.com/connect/forums/gen...

They are similar in nature. What's amusing with the other post is that it just keeps going on even if the thread starter is inactive. In fact, that is his/her only post in this site.

“Your most unhappy customers are your greatest source of learning.”

aschenone's picture

OCT 27 2011

SYMANTEC ENDPOINT PROTECTION  V 11.0.6005.562

OS WINDOWS 7 - 64 BITS

 

I have the same DWH####.temp issue.

 

I'm reading this forum, and it started in MARCH 2009; today, more than two years later, the problem remains and is not fixed by Symantec, so it has to be fixed manually, and from the reading there is no success guaranteed.

Not all the persons buying a virus protection have the same level of knowledge in hardware or software, and even if there is something straight forward for many, the same should be very difficult for others.

This particular problem should be fixed by Symantec. If not, start looking for another virus protection (there are many in the market).

 

Sancocho28's picture

We just recently upgraded our Symantec Endpoint Protection to Version 12.1.671.4971 and this issue still persists.  I followed the directions of Melchiah above, which worked great, but I followed up with Symantec Support since supposedly this was to be resolved several releases back.  Their response was that this has been an ongoing issue, that Endpoint creates the files but then thinks the files are viruses, yada, yada, yada, but that it is supposed to be fixed in the next release, and until then there is a quick workaround that everyone can do.

From Symantec Support on 10/31/11

As discussed, here is the workaround to the case:

 

1. Log in to SEPM

2. Edit the Antivirus and Antispyware or Virus and Spyware Protection policy (from Policies or from Clients page)

3. Go to Windows Settings > Quarantine > General tab, and under "When New Virus Definitions Arrive" choose "Do nothing".

4. Go to the Cleanup tab: and under "Quarantined Files" enable automatic deleting.

 

Hope this helps.  I would follow Melchiah's notes above and apply this work around.

Robert

TulsaITGuy's picture

I am new to this product.  I am trying to find the settings that are referenced by Sancocho28.  I found where to edit the Virus and Spyware policy.   However, there is not a Quarantine section in the settings under Windows Settings.  I am using Endpoint Protection for Small Business Version 12.1.671.4971.

Should I be looking elsewhere for the quarantine settings?

 

Thanks for the help

Simpson Homer's picture

Quarantine option is not there for Small Business Edition.