Endpoint Protection


Generic Trojan - DWH*.tmp in Temp folder


  • 1.  Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 11, 2008 09:26 PM

    I am troubleshooting a SAV 10.2.0.276 client with scan engine 71.4.0.15 and up-to-date definitions. It appears to be the same issue described here, except that SAV successfully quarantines all of the .tmp files, so there are no files to delete when I boot into safe mode.

    Once or twice daily, Auto-Protect nags dozens of these files, all of them like this with DWH***.tmp in the Temp folder:

    Scan type:  Auto-Protect Scan
    Event:  Security Risk Found!
    Risk: Trojan Horse
    File:  C:\Users\Zeke\AppData\Local\Temp\DWH6C6.tmp
    Location:  Quarantine
    Computer:  ZEKE-E1405
    User:  SYSTEM
    Action taken:  Quarantine succeeded : Access denied
    Date found: Monday, February 11, 2008  7:06:07 PM

    The link goes to a generic Trojan Horse KB entry- nothing specific about the type of trojan. They keep on popping up once or twice daily, and I cannot figure out what is creating them, or if it really is a Trojan Horse in the first place. I suspect it is a false positive, but cannot be sure.

    Anybody know what might be creating these files, and how I can either stop the malicious software, or fix SAV to not call it out if it is a false positive?



  • 2.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 18, 2008 11:08 PM
    I'm dealing with the same issues.  I'm only a freshman, computer science major in college, but my theory is that the DWHWizard.exe that Symantec uses to update its virus definitions is creating those files when it attempts to update, and then the scan engine is mistaking them for trojans (it just seems too fishy or odd that the temp files would have the same prefix).  I'm just hoping Symantec comes up with an update as soon as possible because this auto-protect nonsense is driving me bonkers.  Also, Symantec may not be jumping to answer this because they don't know where the error in the program is occurring and, like many other large businesses, don't like to admit fault in really any situation.

    By the way, I got rid of Symantec for a few days and the situation was gone for the entire period of time. However, my school requires Symantec and when I re-downloaded, the issues came back.

    Anyways, if you hear of a fix or update before me, please send me an e-mail: michaelpieknik@yahoo.com

    Kind of funny they are using something that belongs to Norton Anti-Virus, which in my eyes is the root of all that is evil.  And yes, I realize they are the same company, but Norton is a senseless system bogger for home use and Symantec seems to be a more streamlined, hot-rod AV.


    Seems like this guy agrees with me:

    https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=2943


    Message Edited by shakakon on 02-18-2008 08:47 PM


  • 3.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Dec 11, 2008 12:32 PM

    Hello, I am having the same problem. Try this; it works for me.

    I have Windows Vista Enterprise and Symantec Endpoint Protection 11.0.780.1109

    1. Log on as a user with administrative privileges, uninstall the Symantec Antivirus and restart.

    2. Log on as a user with administrative privileges, download and run the Norton Removal Tool; you can find it at http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

    3. Log on as a user with administrative privileges, delete all temporary files in the following path: C:\Users\User Profile\AppData\Local\Temp

    4. Reinstall Symantec Antivirus.

    5. Go to the path C:\Program Files\Symantec\Symantec Endpoint Protection, find the DWHWizrd.exe file and replace it with the same file from another machine (this doesn't make much sense, but if you don't do this, it doesn't work). If you are a home user, install Symantec on another machine and copy the file to a flash drive.

    It's important that the other machine is not infected. I hope that this fix works for you.



  • 4.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 10, 2009 02:25 PM
    Same problem with DWH*.tmp files. Endpoint 11 Auto-Protect will start picking these up as soon as Internet Explorer starts. If I let it run, the generic trojan warning evolves into known trojans such as w32.apack.a. Every minute a new virus is detected and removed. I do not think this is a defect in Endpoint but a new trojan virus downloader that has compromised Internet Explorer. I have used other spyware/antivirus programs and found nothing. Another PC had similar symptoms; besides w32.apack.a it had tool.killer. That PC had XP Pro running and Endpoint finally got it. Vista 64 Ultimate, no luck yet....
    Any new info is appreciated.


  • 5.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 16, 2009 08:05 AM
    Hi

    I too have the same thing. I have taken out the HDD and hooked it up to another PC running Norton AV 2009. It too detects the DWH*.tmp files as a generic Trojan Horse. I cleared all the infected files and deleted all other files in the temp directory under the user profile as well. I installed the HDD back into the original PC and everything was fine for 2 or 3 days before the whole process started again. The PC in question also runs Vista 32-bit and Symantec Endpoint v11.

    Mansoor: Can you tell us what updates / patches for Windows are required?  Windows Update is running all the time and updating the PC every day according to its schedule.

    Any help would be very much appreciated!

    Thanks
    R


  • 6.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 17, 2009 12:14 AM
    Hi Richit,

    Try to apply the latest RR definition from the link below and scan the machine in SAFE MODE with System Restore OFF.

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    In safe mode, try to delete temp folders as well as temporary internet files.

    In case you have any such samples, please submit them to the Symantec team at https://submit.symantec.com/gold or https://submit.symantec.com/platinum


    Rgrds,
    SAM


  • 7.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 19, 2009 08:17 PM
    SAM, what the heck are these files? What is Symantec hiding? It takes up massive hard drive space?
    How do we stop it from continuing?


  • 8.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 19, 2009 08:37 PM
    These bastards often have self-surviving "features" to prevent Anti-Virus/Spyware from removing them. My guess is that it is not fully cleaned out and therefore comes alive again after a while.
    Try to find the "bad" entrypoint that starts the process (creating the file) again.

    I usually use IceSword for this kind of "removal" tasks.


  • 9.  RE: Generic Trojan - DWH*.tmp in Temp folder



  • 10.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 23, 2009 12:23 PM
    You should clear your quarantine folder. It will keep on popping up every day because after the new defs are downloaded the AV will scan the quarantine, thus creating a temp file.


  • 11.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 24, 2009 02:48 AM
    I don't think that it has anything to do with the quarantine folder which is something like C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine and not Zeke's user profile as shown by the user.

    I also want to know which application causes this. Or which vulnerability. So I can take necessary actions aside from patch and updates. I just received a report that a user got this Trojan Horse. He has 40 tmp files in the same path.



  • 12.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 24, 2009 03:59 PM
    I think this depends, I believe the user is using Vista that's why the profile path is C:\Users


  • 13.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Oct 19, 2009 09:53 AM

    Solution:
    This problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

    Please refer to the product Download page to obtain the update:
    http://www.symantec.com/business/support/downloads.jsp?pid=54619


    If you are unable to migrate up at this time, here are workarounds that should alleviate the issue. These are listed in order of preference.
    1. Disable rescanning of quarantine upon receipt of new virus definitions.
    2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
    3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
    4. Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.


  • 14.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Oct 23, 2009 10:36 AM
    Hi Senrats,

    unfortunately the patch you mention is only for Symantec Endpoint Protection. I am using Symantec Anti Virus (10.2.0.276)

    I have the same Problem as everyone here and it is very annoying for me. Booting every client in safe mode and doing the things you summarize is very much work for me!

    Can't believe that Symantec is not able to solve this issue since nearly 2(!) years...

    Do you know if there's patch also for SAV10?


  • 15.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 04, 2010 11:00 AM
    I am running SEP11 MR4 MP2 and still have this issue.


  • 16.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 10, 2010 03:23 PM
    TO ANYONE THAT HAD THIS BUG I WENT INTO THE DOS PROMPT AND DID A DEL DWH(FILES NAME).TMP ONE AT A TIME. TOOK A BIT TO GET THEM ALL, HAD 72 OF THEM. DID THIS ON THE 9TH, NONE HAVE COME BACK, SCANNED CLEAN.... ON ALL THE TEMP FILES AND THEN DEL ALL THE OTHER TEMP FILES AFTER I GOT THOSE GONE. HAD BEEN TRYING TO DEL THEM IN THE WINDOWS C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP, THIS WAS WHERE THE FILES SET THEMSELVES. COULDN'T DEL THERE, IT WOULD JUST DEL AND JUST POP BACK IN. SEEMS TO BE OK, WILL KNOW IN A FEW DAYS.

    HOPE THIS WILL HELP


  • 17.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 11, 2010 06:55 PM
    Hi Fritz.

    I am glad you got your issue resolved, and I am glad you decided to come here to the forums to let us know the route you took to get it solved. However, in the future please try not to post on threads this old (2 years old), because the product (and the specific virus) has changed so much in the time that your post is probably not relevant anymore. In the future just create a new thread.

    Great seeing you in the forums hope you come back!
    Grant


  • 18.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Apr 26, 2010 06:38 PM

    Old thread indeed. But this problem still occurs in SEP11 RU6.


  • 19.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted May 26, 2010 08:14 AM
    Confirmed, I'm seeing the same type of NUMEROUS detections of D???.TMP files (identified as 'Trojan Horse' risk). Using SEP v11.0.6005.562.


  • 20.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted May 26, 2010 01:06 PM
    Yes, it is an old thread, a very old thread, with no resolution. 

    Using SEP v11.0.6005.562, I have the same problem.



  • 21.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 09, 2010 01:29 AM
    Same here: SEP v11.0.6005.562, but I have only like 5-6 stations that started to detect "those" trojans.

    So far I see it's related to Windows 7 only and gives ~500 alerts / day / computer. It does not start after install but at a random moment, possibly coupled with other minor viruses (harakit, sality, ...) that get deleted, but then lots of these .tmp errors start to appear.

    Any solution? MR-6B?


  • 22.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 10, 2010 12:40 PM
    Same problem here....anyone find a fix?  I hate to just uninstall the client on the affected machines.


  • 23.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 10, 2010 01:27 PM
    I just started having this problem, thing is, it's on my only Windows 7 x64 box. 
    Also, the problem only started happening during an initial installation of Office 2010... 

    And now, I am flooded with this thing, 121 files claimed to be found in DW*.tmp folder... 

    And, I am using RU6a and updates are from the latest as of 12:00 pm EST ... June 10, 2010


  • 24.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 10, 2010 03:25 PM
    Just an update.  FYI this was only happening on Win7 x64.  I deleted all the files in my quarantine and my c:\users\username\app data\local\temp directory and so far in 2 hours haven't had any more notifications.  Before I couldn't even go 20 minutes.  I'll post back if something changes, but for now that seems to be doing the trick.


  • 25.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 14, 2010 02:55 PM
    BTW...No luck.  Still happens =(  Looks like we have to wait for Symantec to issue a fix.


  • 26.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 18, 2010 11:23 AM

    I see DWHx.tmp, where "x" is A, B, C, etc. Also saw a DWH1C.tmp. All are in C:\Documents and Settings\<username>\Local Settings\Temp\

    Is there an interim solution?  I have taken this computer off the network. Do we know what program is generating these files?



  • 27.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 22, 2010 02:46 AM
    Was fine before I updated to 11.0.6005.562 :(


  • 28.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 22, 2010 10:57 AM

    The DWH files are temp files that are created by our process called defwatch.exe. These files are quarantined threats that we pull out of quarantine to scan during a quick scan. This usually happens when new defs are applied. The doc stated above is public facing and offers a few different workarounds to resolve the issue. What we have seen in most cases, is the indexing service, or some other real-time scanner is touching the file and then auto-protect is re-scanning it.


  • 29.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 22, 2010 04:18 PM
    Thanks Steve. You refer to a doc, which one? Also when do you expect this to be fixed as appears to have been an issue for some years?


  • 30.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 28, 2010 06:39 AM
    We too have experienced the above issue with RU6a and have a case open presently with Symantec support.  Hopefully there will be a fix in due course.


  • 31.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 28, 2010 03:06 PM
    Same issue here on a Vista Notebook. Had another where client uninstalled Google Chrome and problem went away (supposedly) unverified.


  • 32.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jun 30, 2010 04:45 AM
    Our response is thus & aiui.

    There is code presently in the build for the next maintenance patch.  It is hoped that the fix will be released.  This is scheduled for release in four weeks' time.  Any of the above could be subject to change as necessitated by development and testing requirements.

    Our call remains open pending further updates.

    So in any case RU6 MP1 (RU6b?) is the one to watch out for.


  • 33.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jul 12, 2010 12:43 AM
    Wow, I also face the same problem here guys, wondering when is the date for the next MP / patch release for this matter?


  • 34.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jul 15, 2010 02:41 PM
    So this is a two and a half year old problem that plagues both SEP 10 and 11? Hopefully they issue a fix for this soon. I currently have about 5% of my users affected by this annoying bug. I have been successful with deleting affected user profiles. The other weird thing is that it happens on their computer every Thursday and no other day. Would be nice to have a definite answer from Symantec.


  • 35.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jul 15, 2010 02:44 PM
    If only on Thursday, you likely have a scheduled scan for Thursdays?

    Unfortunately, changing the weekly scan to another day, will result in you "shifting the problem" to another day... 


  • 36.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jul 21, 2010 12:43 PM
    Any updates on the new maintenance patch?


  • 37.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jul 26, 2010 07:40 PM
    http://www.symantec.com/business/support/downloads.jsp?pid=54619

    That is what I've got from the Symantec KB, but I can't seem to see any file posted in there?


  • 38.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jul 26, 2010 08:21 PM
    This is a known issue which is going to be fixed probably in SEP 11 RU6 MP1.

    Meanwhile, please follow the KB below to resolve this issue:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548



    Reason behind it:
    - By default, when there is anything in the quarantine folder and new definitions are downloaded to the SEP client, a scan is initiated after the download to check whether any definitions are available which can resolve the quarantined files.

    - Unfortunately, in some cases, during this process, the scan detects the tmp files which are created in the Xfer or Xfer_tmp folder during the above process.

    This issue was initially fixed in MR4 MP2; however, I have seen this issue in some cases of RU5 and RU6 as well.

    As mentioned above, hopefully, it will be resolved in RU6 MP1.


  • 39.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jul 26, 2010 08:32 PM
    thanks for your fast reply Raunak,

    hopefully this patch will be released anytime soon.


  • 40.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jul 26, 2010 10:22 PM
    I've got the same problem too....
    This happened on some clients; the infected file is in %tmp%, not in xfer or xfer_tmp.

    I'm worried that SEP has been hijacked by a virus.

    SEP is a good product, but I've spent too much time on troubleshooting.... my user experience of SEP is..... I'm using a beta product.


  • 41.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Aug 04, 2010 03:26 PM
    Generic Trojan .tmp files 2 + year old issue

     

    Caveat: Alternate Method attempted from one of the Articles listed in the thread Rename DWHWizrd.exe copy the same file from another PC, not exhibiting the problem, to the PC that is adversely affected. This Didn’t work… See below for successful solution!

    This Solution Worked Thank You Scuba Steve!!! You can safely delete those .tmp files [this note added by JLAWLESS2010] {Keep in mind you may have many pages of files to delete if this problem has been going on for some time}. Unfortunately, I (Scuba Steve) don't support the Small Business product, so I am not sure if that is the latest version. But for the Enterprise SEP, the next release will have a fix that will resolve most of the issues that can cause us to scan those files. The DWH*.tmp files are created when new definitions come down, or a quick scan is run. Dwhwizard will run, and try to scan the files that are in quarantine. To do so, it has to create the DWH*.tmp files and copy the quarantined files to those tmp files. It scans them to see if the new defs or current defs (in the case of a quick scan) can repair the files. It will then delete the files when the process is finished. If there is some other process that touches these files, then Auto-Protect will see the I/O operation and scan the files again. It can become a very large issue as this can effectively double the amount of data each time.
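
A triage sketch for the behaviour described in this post and in post 28, added here as an example and not code from Symantec or from any poster: it parses events in the layout quoted in post 1 and separates detections whose path fits the DWH*.tmp-in-Temp pattern from detections that need ordinary malware review. The sample events, the host name PC-02, the user kim and all function names are constructed for illustration.

```python
import ntpath  # Windows path rules, whatever OS runs this script
import re
from collections import Counter
from datetime import datetime

# Names reported in the thread: DWH6C6.tmp, DWHA.tmp, DWH1C.tmp, DWH + 4 digits.
DWH_NAME = re.compile(r"^DWH[0-9A-Z]+\.tmp$", re.IGNORECASE)
DATE_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"

EVENT_TEMPLATE = (
    "Scan type:  Auto-Protect Scan\n"
    "Event:  Security Risk Found!\n"
    "Risk: Trojan Horse\n"
    "File:  {path}\n"
    "Location:  Quarantine\n"
    "Computer:  {computer}\n"
    "User:  SYSTEM\n"
    "Action taken:  Quarantine succeeded : Access denied\n"
    "Date found: {when}\n"
)


def build_sample_log():
    """Constructed events in the layout quoted in post 1 (not real telemetry)."""
    rows = [
        (r"C:\Users\Zeke\AppData\Local\Temp\DWH6C6.tmp", "ZEKE-E1405",
         "Monday, February 11, 2008  7:06:07 PM"),
        (r"C:\Users\Zeke\AppData\Local\Temp\DWH6C7.tmp", "ZEKE-E1405",
         "Monday, February 11, 2008  7:06:09 PM"),
        (r"C:\Documents and Settings\owner\Local Settings\Temp\DWH1C.tmp",
         "PC-02", "Monday, February 11, 2008  9:15:00 AM"),
        (r"C:\WINDOWS\Temp\DWHA.tmp", "PC-02",
         "Tuesday, February 12, 2008  9:20:41 AM"),
        (r"C:\Users\kim\Downloads\setup.exe", "PC-02",
         "Tuesday, February 12, 2008  10:02:13 AM"),
        (r"C:\Users\kim\Documents\DWH123.tmp", "PC-02",
         "Tuesday, February 12, 2008  10:05:30 AM"),
    ]
    return "\n".join(
        EVENT_TEMPLATE.format(path=p, computer=c, when=w) for p, c, w in rows
    )


SAMPLE_LOG = build_sample_log()


def parse_events(text):
    """Split the log on blank lines and turn each block into a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only: paths and times contain colons.
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "file" in fields:
            events.append(fields)
    return events


def matches_dwh_temp_pattern(path):
    """True when the file is named DWH*.tmp and sits directly in a Temp folder.

    A match only says the path is consistent with the quarantine re-scan
    copies described in the thread. Those copies are made from quarantined
    items, so the quarantine contents still deserve their own review.
    """
    folder, name = ntpath.split(path)
    return bool(DWH_NAME.match(name)) and ntpath.basename(folder).lower() == "temp"


def triage(text):
    """Count pattern matches per (computer, day); collect everything else."""
    bursts = Counter()
    needs_review = []
    for event in parse_events(text):
        if matches_dwh_temp_pattern(event["file"]):
            stamp = " ".join(event.get("date found", "").split())
            try:
                day = datetime.strptime(stamp, DATE_FORMAT).date().isoformat()
            except ValueError:
                day = "unknown"
            bursts[(event.get("computer", "?"), day)] += 1
        else:
            needs_review.append(event)
    return {"artifact_bursts": bursts, "needs_review": needs_review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (computer, day), count in sorted(result["artifact_bursts"].items()):
        print(f"{computer} {day}: {count} DWH*.tmp detections in a Temp folder")
    for event in result["needs_review"]:
        print(f"review: {event['computer']} {event['file']} ({event['risk']})")
```

Per-day counts make it easy to line bursts up with definition downloads or scheduled scans, which is when the posts above say the copies are created.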



  • 42.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 12, 2010 04:51 AM

    This thing has caused me many sleepless nights.  I am a small business owner, with six (6) workstations.  Four (4) of the workstations have this problem.  It's September 11, 2010; I sure hope there's a fix?



  • 43.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 12, 2010 09:12 AM

    Try installing Symantec Endpoint protection latest version. The issue would be solved.



  • 44.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 12, 2010 09:20 AM

    I hope that installing it does work, I'm sick to death of this trojan.



  • 45.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 12, 2010 09:26 AM

    I think, it is not a trojan. It is more of a product issue.....



  • 46.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 12, 2010 10:08 AM

    Thank you, I think it might have worked :D



  • 47.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 15, 2010 01:08 AM

    Hi There,

    FYI.... I just did a test regarding this DWH and I found this DWH issue also occurs if the heuristics is increased to the highest level.

    Can you also check that and update us?

     



  • 48.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 15, 2010 03:07 PM

    Is there a fix for this issue yet? 



  • 49.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 16, 2010 05:26 AM

    What is the version number of SEP 11 RU6 MP1?

    I am running 11.0.6005.562 and I still have the DWH issue. Does this mean it has not been fixed or does it mean that Symantec has not updated itself to SEP 11 RU6 MP1?

    Do I have to push an install of SEP 11 RU6 MP1 on to all of my clients?



  • 50.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 16, 2010 06:47 AM

    SEP RU6 MP1 is 11.0.6100.XXXX

    You can download it  from https://fileconnect.symantec.com

     

    Just run setup.exe, and then once sepm is upgraded, add the ru6 mp1 package into groups in  SEPM. All your clients would also be upgraded.



  • 51.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 16, 2010 06:59 AM

    yes +1 to Vishal, MP1 is now working great without any problem in my domain.



  • 52.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 19, 2010 11:03 PM

    I'm using MP1, and this issue still occurs on some computers.... it only changed the location from user\temp to c:\windows\temp........



  • 53.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 21, 2010 12:39 PM

    We have had this problem on 2 of the 15 workstations we have.  Running SEPP 11.06005.562.  On a domain with Server 2008.  I will try the fix above.  However, we have the users that have been affected now getting a temp profile and it appears the user profile is corrupt.   When we login all our desktop files , settings, etc are gone.  They still show up in the C:/Docs and Settings/User etc....we are running Windows 7 pro 64 bit...  At this point anyone have any suggestions on how we can fix this OR are we just going to have to setup a new user on the domain, login, move all the files etc. 

    Any help would be appreciated. 

    I am not 100%, but at this point I am thinking that it kept doing this, thus the hard drive usage was growing and growing, and these computers were partitioned by HP for the OS and quite small, then possibly it used too much hard drive and then corrupted the OS.  Not sure, but at this point it would make sense.



  • 54.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 21, 2010 01:06 PM

    Nevermind.  I uninstalled SEPP.  Then I did a System Restore.  It brought it back.  



  • 55.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 22, 2010 05:20 AM

    Hello, it's taken me a while to read through this thread only to surmise that a definitive solution has yet to be found. Please correct me if I'm wrong.

    I'm running Windows XP SP3 and using version 11.0.6005.562 and have 142 'Still Infected' users on my domain. Am I to believe that RU6 MP1 will resolve the issue?

    Thank you



  • 56.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 26, 2010 06:17 PM

    I too have not been able to resolve this issue.

    I have tried a number of different AV software apps, and none seem to be able to clear the infection.

    My current AV "End Point Protection 11.0.6000.550" is a fresh install, I have previously tried installing the RR defs to no avail.

    Is this really an issue with a Symantec product like has been mentioned in this thread? If so, where is the fix?

    I currently have 1000+ infected files locked by quarantine, and the notifications are getting really annoying.



  • 57.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 28, 2010 10:18 AM

    Is there a solution to this problem? I am currently using Symantec(tm) Endpoint Protection version 11.0.6005.562. I'm seeing thousands of DWH(random 4 digits).tmp files from my Temp directory appearing as Trojan Horses. 



  • 58.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 29, 2010 01:31 PM

    Same boat- I had a computer consultant deal with it at some point and it stopped for about a month and now it's back.

     

    Could someone from Symantec respond and tell us when this will get fixed? This thread began a year and a half ago and the problem is still occurring.



  • 59.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 29, 2010 01:32 PM



  • 60.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Sep 30, 2010 04:06 AM

    Hello,

    This issue is Resolved with RU6 MP1 (SEP 11.0.6100).

    Check the Knowledgebase.


    DWH***.tmp files are detected in the user profile temp directory.

    http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US
     
    Release Notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x
     
    http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US
     
     


  • 61.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Oct 11, 2010 10:55 PM

    I'm having the same issues as Latvij13! I also have the same SEP edition.

    Mithun, I went to the link http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US and the download update link is dead. Where can we get the update to fix this? So does this mean we don't have the virus bloodhound.exploit.232 and they are .tmp files generated by SEP? Please clarify because I am concerned about this virus. Thank you kindly!

     
     


  • 62.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Oct 18, 2010 04:32 AM

    Hi Mithun Sanghavi,

    I had installed SEP version 11.0.6100 however still get machines detected with dwh*.tmp at user temp folder.

    These machines are not installed with previous SEP version. Any possible cause such issue?

    Please advise. Thanks.

    Regards,

    James



  • 63.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Oct 18, 2010 02:41 PM

    I was seeing this problem in 11.0.6005.  I found this page and did the update to 11.0.6100 like I was told.  I am still seeing this problem.

    We've been told that the issue has been resolved in several different versions of the release.  From RU6 to 11.0.6mp1 it was supposed to be fixed.  Some still reported the problem after the upgrade to MP1.  It was also supposed to be fixed in 6005.  Now in 6100 it is still happening.  Very frustrating.  What can be done to fix this issue once and for all?



  • 64.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Oct 19, 2010 02:01 AM

    Hi all,

    This morning there were over 1000 detections in total on 1 machine, which were categorized as Quarantined Viruses by Symantec Endpoint Protection Manager.

    They were detected in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ****.tmp"

    **** represents a combination of letters and numbers.

    Is there any better idea to solve the problem than manually clearing the quarantine folder?

    Disabling quarantine of newly detected malware might not be a good way to solve the issue.

    Please advise. Thank you.



  • 65.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Oct 27, 2010 02:40 PM

    I have a support case open about this issue. Not sure why no one from Symantec has updated this but here is the article that they sent me and what to do for the short term...

     

    http://www.symantec.com/business/support/index?page=content&id=TECH138856



  • 66.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Oct 29, 2010 12:46 PM

    Can anyone tell me whether this is an actual virus or not?



  • 67.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 03, 2010 10:09 PM

    The KB article is only based on Windows Vista, 7 or later. Unfortunately, the machines on my side are running Windows XP SP3. Any workaround for it?

    Thanks.



  • 68.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 05, 2010 04:26 AM

    Updated to 11.0.6100 and still have the problem even on XP than on Win7 workstations.

    XP:  C:\Documents and Settings\username\Local Settings\Temp\DWHxxxx.tmp

    Win7:  C:\Users\username\AppData\Local\Temp\DWHxxxx.tmp



  • 69.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 07, 2010 06:43 AM

    I'm now using the MR6MP1 and the problem has been fixed, Good job Symantec.



  • 70.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 08, 2010 01:49 PM

    These do not present a security risk to you; it's an issue with the SEP product. The only negative effect that I can see right now is that it eats hard drive space.



  • 71.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 08, 2010 01:51 PM

    To those of you still experiencing this issue, please use the following tech document:

    http://www.symantec.com/business/support/index?page=content&id=TECH138856

    I believe XP SP3 has an indexing option as well, I'm not 100% on that. Check in Control Panel and exclude the directories to if possible.

    If you are still experiencing it after following this article, then please give us a call and open a case so we can track this issue.



  • 72.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 12, 2010 03:25 PM

    I just used a combination of what i read above on my Desktop PC, w/XP Pro.

    After shutting down all of my visible programs I went into both C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine and C:\Temp, and persisted in deleting all the files I possibly could.

    There were about 5 files that refused to budge because they are being used by some program, so I left them. It helped that I used the 3-fingered salute to access the running routines and End the entity "rtvscan.exe". It comes back again after a couple of seconds, but the hard drive goes wonderfully silent...

    With all those Temp files gone and rtvscan.exe reset, I'm hoping I can get some work done. Until it starts up again. But at least it's an effort.

    HTH somebody...

    J



  • 73.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 22, 2010 01:26 PM

    We are using Symantec Endpoint Protection 11.0.6100.645, which I believe is the very latest issue out and we are still having this problem. I have put a Centralized exception for this file as DWH* and for most of our PCs this has stopped the problem.  However, even with the exception in place I have 3 PCs that have continued to have the problem and now a 4th one has joined the group.  Any further updates as to how to resolve this would be most appreciated.   2yrs seems like a long time for the same problem.



  • 74.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 22, 2010 02:36 PM

    @sfotech

    Have you cleaned quarantine on the clients that are still having the issue?



  • 75.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 22, 2010 04:53 PM

    This is starting to get really ridiculous. I walk away from my desk for an hour or so, and I come back to over 6000 DWH files alerted as js.securitytoolfraud.

     

    I'm on the latest -11.0.6005.562 - on Windows 7, fresh clean install. I excluded the temp files from indexing as suggested in the link above from the Symantec employee - didn't work - matter of fact I even stopped the indexing service and it's still rolling new alerts out.

     

    Ridiculous.



  • 76.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 22, 2010 06:42 PM

    The latest version is actually RU6 MP1. You may want to upgrade to see if that helps.



  • 77.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 23, 2010 06:35 AM

    I have the same problem with the same version.

    I fully agree with you - this is ridiculous!



  • 78.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Nov 26, 2010 11:54 PM

    Yes I concur with that. So far MR6 MP1 is stable and got no problem.



  • 79.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Dec 07, 2010 05:49 PM

    I'm having the same problem with SEP 12.0.1001.95. I'm going to try to see whether Indexing is turned on for the %temp% folder, per http://www.symantec.com/business/support/index?page=content&id=TECH138856, but I find the fact that Symantec hasn't fixed this problem completely in almost four years, extremely disturbing. I'm trying to sell the product. What do I do when a client is getting all these alerts and is frustrated? How do I continue to sell this to my customers?



  • 80.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Dec 08, 2010 04:31 AM

    RU6 MP2 is meant to completely resolve the problem AFAIK.



  • 81.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jan 15, 2011 09:18 PM

    My computer first began having this problem 8 months ago. Still trying to solve it. Know now that I'm not alone. Will call Symantec to try and solve this problem.

    IT guys, please don't stop working on ridding us of this nonsense! Getting VERY ANNOYING. Thanks.



  • 82.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jan 15, 2011 09:33 PM

    Symantec already has the money in their pocket of course they are not going to help.  The definition and the program are updated daily and the problem persists! 

    Screenshots of my daily scanned so called "viruses" are attached....



  • 83.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Jan 15, 2011 09:44 PM

    What version of SEP are you on? This was fixed in RU6 MP2.

    Did you open a case with support? Why will they not help?



  • 84.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 01, 2011 09:32 AM

    I'm running RU6 MP2 and I'm still having the issue (again) :-(

    This is pretty poor. Why can't this be solved in three years.

    Starting from SAV10 to the newest Release of SEP.

    I'm really disappointed.



  • 85.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 01, 2011 10:14 AM

    Remove SEP completely then re-install RU6 MP2



  • 86.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 01, 2011 10:22 AM

    You cannot be Serious!

    Why do I always hear this solution, when having problems.

    This Issue was fixed 3 times now and is back again.

    What happened to QA???



  • 87.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 01, 2011 06:00 PM

    It was just a suggestion. It worked for me when I had to deal with it. I uninstalled RU6a completely and installed RU6 MP2. Problem solved. As a workaround, assuming you're using a managed SEP client, you can go into the SEPM and under AV Policy >> Quarantine >> When New Definitions Arrive >> select the radio button for Do Nothing

    Otherwise, call Symantec and open a case for further assistance.

    The reason you hear upgrade or uninstall/re-install is because the majority of the time it works. If you are a user of Microsoft products, you should be more than familiar with this.

    If it still doesn't work, call Symantec so they can review. You can also ask them about their QA process if so inclined.



  • 88.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 02, 2011 04:59 AM

    Don't take it personal. I'm just p$ssed. I opened a case yesterday. I will try your workaround.



  • 89.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 14, 2011 06:28 PM

     

    USE AT YOUR OWN RISK. 
    This is a dangerous command that can cause serious harm to your computer if used incorrectly. Don't blame me or Symantec if you do it wrong. If you're not confident in using it, please don't.

    That said, here's a command that will delete your DWH####.TMP files much, much faster (in command prompt):

    del /q/f/s/a dwh*.tmp

     

    This command will delete all files that start with "DWH" and have the "TMP" extension. It does this recursively through all subfolders, so be careful about what folder you run it in.

    /q = Quiet. No confirmation on delete (once you run the command, files it finds will be removed... no second chances)
    /f = Force. The command will delete read-only files.
    /s = Subfolders. The command will search all subfolders and delete matches.
    /a = All. The command will include hidden files and, since we have the /s switch, subfolders.
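
A preview-first alternative to the `del` command in the post above, as an added example that is not part of the original post or of Symantec's tooling: it deletes only in folders named explicitly, recurses only on request, and refuses drive roots. The function name `Remove-DwhTempFile` and its parameters are hypothetical.

```powershell
# Added example: scoped, preview-first cleanup of DWH*.tmp files.
# Function name and parameters are hypothetical, not from Symantec.
function Remove-DwhTempFile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Folders to clean; each one must be named explicitly.
        [Parameter(Mandatory = $true)]
        [string[]]$Path,
        # Recurse into subfolders only when asked (del /s always does).
        [switch]$Recurse
    )

    foreach ($dir in $Path) {
        $resolved = Resolve-Path -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $resolved) { Write-Warning "Skipping missing folder: $dir"; continue }

        # Refuse drive roots so a mistyped path cannot sweep a whole volume.
        if ($resolved.ProviderPath -match '^[A-Za-z]:\\?$') {
            Write-Warning "Refusing to run against drive root: $dir"
            continue
        }

        # -Force includes hidden and system files. The Where-Object pass drops
        # files that -Filter matched only through their 8.3 short name.
        $files = @(Get-ChildItem -LiteralPath $resolved.ProviderPath -Filter 'DWH*.tmp' `
                       -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -like 'DWH*.tmp' })

        Write-Verbose ("{0}: {1} DWH*.tmp file(s)" -f $resolved.ProviderPath, $files.Count)

        foreach ($f in $files) {
            # -WhatIf stops here and only prints the file that would be deleted.
            if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
                try {
                    Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
                } catch {
                    # Files still held open by the scanner are reported, not retried.
                    Write-Warning "Locked or denied: $($f.FullName)"
                }
            }
        }
    }
}

# Preview only: lists what would be deleted in the user's temp folder, removes nothing.
Remove-DwhTempFile -Path $env:TEMP -WhatIf
```

Drop `-WhatIf` to delete; because the function declares a high confirm impact, PowerShell then prompts before deleting unless `-Confirm:$false` is passed.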



  • 90.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Feb 16, 2011 03:51 PM

     

    (re-posting this here in hopes that it gets some visibility)

    This is an interesting issue because it's so easily misunderstood. There are a lot of things that have caused the DWH*.TMP issue. I'm really surprised none of them have been outlined in this thread, yet. There's a post by ScubaSteve early on that gives a good explanation... perhaps the implications aren't fully realized.

    The first thing to understand about this issue is: It's not one, single issue. There have been many different reasons for the DWH files showing up in various locations. Ultimately, the basic reason is the same, but numerous root causes have been found over the years.

    The second thing to understand about this issue is: It doesn't continue to occur because SEP developers and support engineers don't care about this issue or just can't figure it out. The truth is, it continues to occur because, as noted in misunderstanding #1, there are a lot of things that cause the issue. To date, we have fixed various root causes for the issue. We fully understand the issue and work hard to implement solutions that don't break other things at the same time. We're sorry you have this issue and, if you look, you'll find we have solutions in place.

    The third thing to understand about this issue is: It's not always Symantec software's fault. This requires a little more explanation of what happens behind the scenes. When SEP gets new defs, it checks the files in Quarantine to see if there are any new remediation steps, false positives, etc. Files in Quarantine cannot simply be scanned while they're quarantined. They must be extracted from Quarantine first. The expected behavior is this: SEP extracts the files, scans them, moves them back to Quarantine. There have been cases (mostly earlier builds) where a bug in SEP would cause the DWH files to be mishandled. SEP abandons the process because it can no longer trust the files and, as it does with all files that are written to the disk, scans the file with Auto-Protect. Auto-Protect finds the virus code in the DWH file and acts on it (quarantining). There have been other cases, however, where other software (3rd party scanners or indexing services, for example) try to get in the way and cause the DWH files to be mishandled. This is something Symantec simply cannot always avoid. We're very sorry about it and wish it didn't have to be this way, but that's just the way it is. The proper response is to fix the offending 3rd party software.

     

    Finally, I want to address one absurd point of advice about re-installing SEP to fix the issue. In most cases, this simply isn't required... and furthermore, no real Symantec tech is going to recommend this as a first solution. The first thing to do is look for 3rd party software that may be causing SEP to stop trusting DWH files. Set up exclusions for SEP's working directories. If that doesn't do it, purge Quarantine and SEP's working directory. If you want to be more surgical, only delete DWH.tmp files in the working directories (still need to clear Quarantine). If you simply can't stand to have another DWH detection, disable the scans when new defs arrive (not Best Practice). If you want to go even further, adjust your detection settings to not use Quarantine (also, not Best Practice). Finally, if all this fails and you still get DWH detections, re-install the SEP client. But realize you're re-installing because there's something else very wrong with the software at this point... policy corruption, permission issues, etc. At this point, you should probably be contacting Support to work on a full investigation. 



  • 91.  RE: Generic Trojan - DWH*.tmp in Temp folder

    Posted Mar 16, 2011 05:19 PM

    We're running RU6 MP2 (that's what 11.0.6200.754 is, right?) and we're still seeing these detects.