Endpoint Protection

  • 1.  False Positive readings in the Symantec Risk History

    Posted Jun 09, 2009 12:04 PM
    Good Day to All,

    I am having a situation that I hope someone can help me with. 

    I have a client machine that popped up as having a risk detected on Tuesday, 2 Jun.  The system is running Windows XP, SP2 with Symantec Antivirus Corporate Edition, Version 10.1.8.8000, with up-to-date virus definition files.  The risk(s) that were detected were:

    SpywareProtect2009
    Bloodhound.Exploit.193

    I immediately followed the prescribed removal procedures outlined for each risk.  The system was cleaned and the scans came back clean.

    Then on Friday, 5 Jun, during the scheduled scan, the system reported again that a risk was detected.  I checked the logs and this time I saw numerous entries for a risk entitled Trojan.Fakeavalert.  The logging started at 1:44am and continued until 8:13am.  The action taken was Reboot Required - Cleaned by deletion.  The count was 6.  The file location was the user's Local Settings\Temp directory.  The filename(s) were being reported as 1677.tmp, 1678.tmp, 1679.tmp, 167B.tmp, 167C.tmp, 167D.tmp, 167E.tmp, 167F.tmp, etc.  The entries were being logged approximately every 15 minutes.

    Then starting at 8:22am on 5 Jun, there are 9 entries that were logged that report the risk was cleaned, the count was 1, and that it was recorded by the Auto-Protect Scan and that the file was repaired successfully.

    Then from 8:38am to approximately 11:11am on 5 Jun, the next set of entries logged into the Risk History log were back to showing the action as Reboot Required - Reboot Processing; the count was 5, the filename was listed as Unavailable, and the original location was listed as Unavailable.  Then starting again at 11:17, the logs were back to showing that the risk was cleaned, the count was 1, the status was cleaned, and it was logged by the Auto-Protect scan.

    To make a long story short, the Symantec Server is still logging entries in the Risk History log for this particular system.  I have run numerous full scans and each time they come back clean.  Today I went to the client's office to check some things on the system while he was still logged on.  When I looked at the Risk History log on his physical system, it only shows the original two entries that were logged on 2 Jun 09.

    I did full searches of the registry, the C:\ drive, and removed anything that was related to these risks.  A final full scan shows that the system is clean, however entries are still being logged in the Risk History log for this system as of 11:28am this morning.

    I have exported the risk history log to a spreadsheet and have attached it to this message, in hopes that someone could maybe give me a clue as to what might be going on.

    Thanks in advance for anyone who can possibly help me.

    Attachment(s): risk log.xls (127 KB)


  • 2.  RE: False Positive readings in the Symantec Risk History

    Posted Jun 10, 2009 02:38 PM
    It looks like there is an undetected downloader on your system that is downloading this spyware.
    Most probably it will be located in either Start > Run > %temp%
    or Temporary Internet Files.
    Clear out these two temp locations, then check if it resolves your issue.


  • 3.  RE: False Positive readings in the Symantec Risk History

    Posted Jun 18, 2009 04:27 PM
    Sorry if I didn't read thoroughly, but are those the full names of the temp files? I've seen some issues recently that appear to be false positives created by 'leftovers' from the DWHWizrd. See http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/6691b6f590131ab588256a220027aa73?OpenDocument
    "It is also used to re-scan files sitting in quarantine when new virus definitions are updated and installed." (and those files get extracted to temp locations and sometimes don't get put back)
    and
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/2c62c4ee0e697aae882573b000034ded?OpenDocument
    - search dwhwizard (with an "a") in that one. Although that article is about SEP, it's eerily similar to what I've been seeing in SAV on 10.1.x.
    Bottom line is make sure those temp files are gone and try cleaning the quarantine folder.
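One way to check an exported Risk History log for the pattern described in post 1 and explained in post 3 (hex-named *.tmp files in a Temp folder detected at regular short intervals, which is what repeated rescans of quarantine extracts look like, as opposed to the "Unavailable" pending-reboot records). This is an added example, not the poster's attachment or Symantec tooling; the log rows, field order and the 20-minute/3-hit thresholds are constructed assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the shape of an exported SAV Risk History log
# (time,risk,action,count,filename,location); not the poster's real attachment.
SAMPLE_LOG = """\
2009-06-05 01:44,Trojan.Fakeavalert,Reboot Required - Cleaned by deletion,6,1677.tmp,C:\\Documents and Settings\\user\\Local Settings\\Temp
2009-06-05 01:59,Trojan.Fakeavalert,Reboot Required - Cleaned by deletion,6,1678.tmp,C:\\Documents and Settings\\user\\Local Settings\\Temp
2009-06-05 02:14,Trojan.Fakeavalert,Reboot Required - Cleaned by deletion,6,1679.tmp,C:\\Documents and Settings\\user\\Local Settings\\Temp
2009-06-05 02:29,Trojan.Fakeavalert,Reboot Required - Cleaned by deletion,6,167B.tmp,C:\\Documents and Settings\\user\\Local Settings\\Temp
2009-06-05 08:38,Trojan.Fakeavalert,Reboot Required - Reboot Processing,5,Unavailable,Unavailable
2009-06-02 14:10,SpywareProtect2009,Quarantined,1,setup.exe,C:\\Documents and Settings\\user\\Desktop
"""

# Short hex names like 1677.tmp / 167B.tmp, as reported in the thread.
TEMP_NAME = re.compile(r"^[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)

def parse_log(text):
    """Parse the constructed CSV-style export into a list of dict rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, risk, action, count, fname, location = line.split(",", 5)
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "risk": risk,
                     "action": action, "count": int(count), "file": fname,
                     "location": location})
    return rows

def rescan_pattern(rows, max_gap_min=20, min_hits=3):
    """Per risk name, keep detections of hex *.tmp files inside a Temp folder and
    flag the risk when at least min_hits such rows recur with a median gap of
    max_gap_min minutes or less. Returns {risk: {"hits": n, "median_gap_min": m}}."""
    by_risk = {}
    for r in rows:
        if TEMP_NAME.match(r["file"]) and r["location"].lower().endswith("\\temp"):
            by_risk.setdefault(r["risk"], []).append(r["time"])
    result = {}
    for risk, times in by_risk.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and gaps and median(gaps) <= max_gap_min:
            result[risk] = {"hits": len(times), "median_gap_min": median(gaps)}
    return result

def unavailable_entries(rows):
    """Rows with no filename are pending-reboot records, not newly found files."""
    return [r for r in rows if r["file"] == "Unavailable"]
```

A risk flagged by `rescan_pattern` is worth comparing against the quarantine folder contents before treating the entries as new infections.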