Message Edited by Melchiah on 07-26-200705:18 PM

I am getting the same exact problem.  Will try the solution listed, and report back.  I have a feeling that these aren't actually virus/trojan files at all.  The only time my system pays any attention is when I get updated virus defs and tell it to check my quarantine to clean/repair.

Melchiah, you rock! I have been fighting with this problem for months and I have not been able to figure it out. I have tried searching before and unfortunatley i didn't find this response until now. This worked perfectly the first time and was pretty easy to fix. I'm just glad to be done with it. Thanks again!

Thanks also.
I had documented this for future reference.

The best part was the way to delete replicating files.
BOTTOM - TOP...
Practical and effective.

Regards,

Nel Ramos
IT-OCC

I'm having some serious problems with a trojan and don't know what to do. At random times, or at some startup times, I get popups from my symantec autoprotect telling me that there is a malicious trojan file in my temp file that is always DWH***.tmp (e.g. DWHAB5.tmp). It shows on symantec as "Bloodhound.PDF.1" Each time, the number of temp files grows, I'm up to about 16 now at each instance of generation. For every infection, there is an infected file, and a browser cache. Also, the file name of the temp file always starts with "DWH" and then ends in another random 3 characters. Symantec's web page reports that the risk level is very low, however, I'd like to deal with the problem. I am also aware that the temp file is appearing as a "heuristic detection for reporting PDF files that contain javascript that may have been obfuscated or encrypted to conceal it from antivirus software." If anyone has any ideas, please let me know.
I tried Melchia's idea but I found that it only deletes the end file in the temp file (which creates the DWH files) but there is a file creating that end file also somewhere else which causes the repeated infection.  Any suggestions would be greatly appreciated.
Thanks

There is a tool available with Symantec Tech Suport to fix this issue. Its calles SYMDELTMPS, and needs to be executed on the computer(s) where you are facing this issue.

Call Tech Support and tell them to email you the link from where you can download and use the tool.

@Abhishek Pradhan: thanks for the tip...

@Symantec Team: Hi, could we have the link for SYMDELTMPS in this thread.
This will be a big help for us Symantec clients.
Does SAV and SEP already have a patch for this one so that we would not deal with it manually?

thanks.

Nel Ramos 

@ Nel

Hard Luck. No Patch for this issue.

AND you really do need to open a support case to get the tool. Unless you open a suport case, no one in support will send you the link to download the tool (unfortunately)

Yes its actually not a virus at all. What is happening is, when you update your antivirus, it changes some names in the temporary files.. which is normal.. but changing file names is a symptom of  viruses.. so it detects it as a virus even though IT is the one that just created it.. lol 

So in other words your anti virus is making fake viruses.. But i like to compair it to a guy who just farted during sleep and wokr up thinking it was someones else..

Document ID: 2007111911135548

Solution:
This problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

Please refer to the product Download page to obtain the update:
http://www.symantec.com/business/support/downloads.jsp?pid=54619

If you are unable to migrate up at this time, here are workarounds that should alleviate the issue. These are listed in order of preference.

1. Disable rescanning of quarantine upon receipt of new virus definitions.
2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
4. Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.

I encountered this problem starting about a month ago.  I suspected that this wasn't a virus and am glad that this suspicion has been confirmed.  My result was I was annoyed enough with this that I contacted my company's tech support.  They punted and now I'm getting a new computer with Windows 7 (even though it now appears the solution in this forum works...thanks Melchiah).  Sigh.  I might forward this along to tech support to help educate them.

Hello I am running 11.0.6 and this issue is still not resolved. What is the resolve to this issue??

Puzzled

Upgrade to 11.0.6a & check.

Regards...
Ramji Iyyer

Hi

I'm on 11.0.6005.562 and have the same problem on a Win7 X64 computer.

Any suggestions?

Thx

It fixed at MR5 but come again at MR6........
I think symantec has developed a "Bug Restore" function at thier product. XD

Same issue for me!

We had this issue in SAV 10.   It popped back up for us in SEP11 RU5.  RU6 was supposed to fix it... oops it didn't.  Now RU6-MP1 is supposed too.  

Who wants to lay odds on a fix or not?

I have te same problem using SEP 12.0.101.95 (SEP Small Business Edition)

a lot of files in Quarentine!!!

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548

This is driving me insane. I have updated the engine and I am running 10.1.2.142 and PRogram version 10.2.0.298.

Today alone I have already run two online scans AND Malwarebytes only to find that it's a Symantec problem. Every 20 seconds or so I am getting the "Auto-Protect has acted upon the risks" and showing me it has quarantined the next batch of so-called Trojan Horses. I am getting to the stage of deleting Symantec and installing a free virus checker!!!!!

Hello,

If the steps that Melchiah didn't work try it scanning the machine in safe mode and ensure that system restore is turned off.

If that still doesn't work uninstall the Symantec agent from on the client machine then test again and see if the files still exist in the temp folder as it did when Symantec was installed. However it shouldn't exist anymore restart your machine and it should be fine. From the console deploy the agent to the machine and the problem should be fixed.

Whew, this is one we have been fighting for quite a few versions of SEP. I apologize to you all for this problem...

The last I have is this was fixed in RU6 MP1 (11.0.6100.x), I haven't seen this issue occur with that particular build. /Fingers Crossed.

Here's a few workarounds:

-Get Symdeltmp from Support

If you cannot/don't want to get this tool you can try the following:

NOTE: Please be aware this was written for Windows 7/Vista/2008. You will need to change the ProgramData folders below to C:\Documents and Settings\All Users\Application Data\Symantec\...

I apologize for the formatting, this is a copy/paste job from one of your internal KB's.

Detailed Steps:

Stop the Symantec Management Client service

•Click Start, then Run
•Type: smc -stop
•Click OK

Open the Command Prompt

•Click Start
•Click All Programs
•Click Accessories
•Right-click Command Prompt
•Click Run as administrator
•Click Yes or enter your password

Delete the contents of the User’s Temporary Folder

•Login as the user who is receiving the .tmp file detections
•From the Command Prompt, type in:
•del /F /Q %temp%

Delete the contents of the Windows Temporary Folder

•From the Command Prompt, type in:
•del /F /Q “C:\Windows\Temp”

Delete the contents of the “xfer” and “xfer_tmp” Folders

•From the Command Prompt, type in:
•del /F /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer”
•del /F /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp”

Delete the Quarantine Folder

•From the Command Prompt, type in:
•del /F /S /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine”
•rd /S /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine”

Recreate the Quarantine Folder

•From the Command Prompt, type in:
•md “C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine”

Symantec Endpoint Protection

•Click Start, then Run
•Type: smc -start
•Click OK

Please be cautious with the use of these commands, any data in the folders that you delete will be lost forever.

John_prince,

I am running version 11.0.6005.562, and am experiencing the same problem.

windows 7 64 bit.

I tried downloading the utility and it didnt work, so I tried your attempt with the command prompt deletion.  Hopefully this one will work, because I would get dozens of DWH alerts at a time.

We just deployed the 11.0.6_MP2 release and the problem still exists.  As late as yesterday, 2/9, I'm still seeing C:\Users\username\AppData\Local\Temp\DWH(random 4 characters).tmp detected as Trojan.Gen, failing to quarantine.

This is version 11.0.6200.754, client OS is Windows 7 64-bit.

This "virus" reared it's ugly head again starting 3/15/2011. I tried the steps provided by John_Prince and will see if it helps. I am running Win7 32 bit Version 11.0.6005.562.

Somebody resolved this problem? Because the upgrade for it@gdsx.com don't work.

Any other idea or upgrade?

I need to resolve this, i have client with SEP 11.0.6100.645 and this problem occur very times.

I tried to do the method you suggested that your friend helped you out with but I forgot how to get to Safe Mode...LOL.  Yes, I'm a n00b when it comes to virus-related stuff.  The computer I was having the problem on has Windows XP 32-bit but I tried the method as close as possible and it actually worked too.  What I did was restart my computer but unplugged the internet beforehand.  Then, I ran a query for "local settings" and found the "temp" file within it and there was that annoying DWH thing but it stopped duplicating.  I clicked on all of them from bottom to top but waited until each file's information showed up.  Then, Sympantics popped up and ran an analysis on all of them and quarantined them.  When I turned the internet back on the files stopped reproducing and the DWHwizard.exe no longer showed up in the processes.  Also, thanks for the tip.  Now my mom's computer isn't as slow and she can work on it in peace. XD

this is still going on? I have the latest build on a fresh imaged computer and this is still going on. it renders my machine almost useless for what i need it to do. we need a quick easy fix now or we need to find someone else to handle this part of  security.

Same in this thread:

https://www-secure.symantec.com/connect/forums/gen...

They are similar in nature. What's amusing with the other post is that it just keeps going on even if the thread starter is inactive. In fact, that is his/her only post in this site.

OCT 27 2011

SYMANTEC ENDPOINT PROTECTION  V 11.0.6005.562

OS WINDOWS 7 - 64 BITS

I have the same DWH####.temp issue.

I’m reading this forum, and it started in MARCH 2009, today more than two years ahead the problem remains and is not fixed by symantec, so it should be manually fixed and from the reading there is no successful guaranteed.

Not all the persons buying a virus protection have the same level of knowledge in hardware or software, and even if there is something straight forward for many, the same should be very difficult for others.

This particular problem should be fixed by Symantec. If not, start looking for another virus protection (there are many in the market).

We just recently upgraded our Symantec Endpoint Protection to Version 12.1.671.4971 and this issue still persist.  I followed the directions of Melchiah above which worked great but I followed up with Symantec Support since supposedly this was to be resolved several releases back.  There response was that this has been an ungoing issue, that Endpoint creates the files but then thinks the files are viruses, yada, yada yada, but that it is suppose to be fixed in the next release but until then there is a quick work around that everyone can do.

From Symantec Support on 10/31/11

As discussed, here is the workaround to the case:

1. Log in to SEPM

2. Edit the Antivirus and Antispyware or Virus and Spyware Protection policy (from Policies or from Clients page)

3. Go to Windows Settings > Quarantine > General tab, and under "When New Virus Definitions Arrive" choose "Do nothing".

4. Go to the Cleanup tab: and under "Quarantined Files" enable automatic deleting.

Hope this helps.  I would follow Melchiah's notes above and apply this work around.

Robert

I am new to this product.  I am trying to find the settings that are referenced by Sancocho28.  I found where to edit the Virus and Spyware policy.   However there is not a Quarantine section in the settings under Windows Settings.  I am using End Point Protection for Small Buissness Version 12.1.671.4971

Should I be looking elswhere for the quarentine settings?

Thanks for the help

Quarantine option is not there for Small Business Edition.