
Generic Trojan - DWH*.tmp in Temp folder

Created: 11 Feb 2008 • Updated: 28 Aug 2011 | 161 comments

I am troubleshooting a SAV 10.2.0.276 client with scan engine 71.4.0.15 and up-to-date definitions. It appears to be the same issue described here, except that SAV successfully quarantines all of the .tmp files, so there are no files to delete when I boot into safe mode.

Once or twice daily, Auto-Protect nags dozens of these files, all of them like this with DWH***.tmp in the Temp folder:

Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Risk: Trojan Horse
File:  C:\Users\Zeke\AppData\Local\Temp\DWH6C6.tmp
Location:  Quarantine
Computer:  ZEKE-E1405
User:  SYSTEM
Action taken:  Quarantine succeeded : Access denied
Date found: Monday, February 11, 2008  7:06:07 PM

The link goes to a generic Trojan Horse KB entry, with nothing specific about the type of trojan. They keep on popping up once or twice daily, and I cannot figure out what is creating them, or if it really is a Trojan Horse in the first place. I suspect it is a false positive, but cannot be sure.

Anybody know what might be creating these files, and how I can either stop the malicious software, or fix SAV to not call it out if it is a false positive?


shakakon's picture

I'm dealing with the same issues.  I'm only a freshman, computer science major in college, but my theory is that the DWHWizard.exe that Symantec uses to update its virus definitions is creating those files when it attempts to update and then the scan engine is mistaking them as trojans (it just seems too fishy or odd that the temp files would have the same prefix).  I'm just hoping Symantec comes up with an update as soon as possible because this auto-protect nonsense is driving me bonkers.  Also, Symantec may not be jumping to answer this because they don't know where the error in the program is occurring and, like many other large businesses, don't like to admit fault in really any situation.

By the way, I got rid of Symantec for a few days and the situation was gone for the entire period of time. However, my school requires Symantec and when I re-downloaded it, the issues came back.

Anyways, if you hear of a fix or update before me, please send me an e-mail: michaelpieknik@yahoo.com

Kind of funny they are using something that belongs to Norton Anti-Virus, which in my eyes is the root of all that is evil.  And yes, I realize they are the same company, but Norton is a senseless system bogger for home use and Symantec seems to be a more streamlined, hot-rod AV.


Seems like this guy agrees with me:

https://forums.symantec.com/syment/board/message?b...


Message Edited by shakakon on 02-18-2008 08:47 PM

Ryan_Dasso's picture

 

(re-posting this here in hopes that it gets some visibility)

This is an interesting issue because it's so easily misunderstood. There are a lot of things that have caused the DWH*.TMP issue. I'm really surprised none of them have been outlined in this thread, yet. There's a post by ScubaSteve early on that gives a good explanation... perhaps the implications aren't fully realized.

The first thing to understand about this issue is: It's not one, single issue. There have been many different reasons for the DWH files showing up in various locations. Ultimately, the basic reason is the same, but numerous root causes have been found over the years.

The second thing to understand about this issue is: It doesn't continue to occur because SEP developers and support engineers don't care about this issue or just can't figure it out. The truth is, it continues to occur because, as noted in misunderstanding #1, there are a lot of things that cause the issue. To date, we have fixed various root causes for the issue. We fully understand the issue and work hard to implement solutions that don't break other things at the same time. We're sorry you have this issue and, if you look, you'll find we have solutions in place.

The third thing to understand about this issue is: It's not always Symantec software's fault. This requires a little more explanation of what happens behind the scenes. When SEP gets new defs, it checks the files in Quarantine to see if there are any new remediation steps, false positives, etc. Files in Quarantine cannot simply be scanned while they're quarantined. They must be extracted from Quarantine first. The expected behavior is this: SEP extracts the files, scans them, moves them back to Quarantine. There have been cases (mostly earlier builds) where a bug in SEP would cause the DWH files to be mishandled. SEP abandons the process because it can no longer trust the files and, as it does with all files that are written to the disk, scans the file with Auto-Protect. Auto-Protect finds the virus code in the DWH file and acts on it (quarantining). There have been other cases, however, where other software (3rd party scanners or indexing services, for example) try to get in the way and cause the DWH files to be mishandled. This is something Symantec simply cannot always avoid. We're very sorry about it and wish it didn't have to be this way, but that's just the way it is. The proper response is to fix the offending 3rd party software.

 

Finally, I want to address one absurd point of advice about re-installing SEP to fix the issue. In most cases, this simply isn't required... and furthermore, no real Symantec tech is going to recommend this as a first solution. The first thing to do is look for 3rd party software that may be causing SEP to stop trusting DWH files. Set up exclusions for SEP's working directories. If that doesn't do it, purge Quarantine and SEP's working directory. If you want to be more surgical, only delete DWH.tmp files in the working directories (still need to clear Quarantine). If you simply can't stand to have another DWH detection, disable the scans when new defs arrive (not Best Practice). If you want to go even further, adjust your detection settings to not use Quarantine (also, not Best Practice). Finally, if all this fails and you still get DWH detections, re-install the SEP client. But realize you're re-installing because there's something else very wrong with the software at this point... policy corruption, permission issues, etc. At this point, you should probably be contacting Support to work on a full investigation.
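As an added example (not code from the original thread, and not Symantec's), the following Python script applies the distinction Ryan describes above to Auto-Protect notification records in the layout shown in the first post: it separates detections that look like SEP re-scanning its own extracted quarantine copies from detections that still deserve an analyst's attention. The sample records are constructed; the DWH/APQ name patterns, the Temp, SRTSP\Quarantine and Xfer folders and the SYSTEM account come from reports in this thread, and treating that combination as the rescan signature is an assumption.

```python
"""Triage Symantec Auto-Protect notifications for DWH*.tmp rescan artifacts."""
import re
from collections import defaultdict

# Constructed sample notifications in the "Key:  Value" layout shown in the
# original post; records are separated by a blank line (assumption).
SAMPLE_ALERTS = r"""
Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Risk: Trojan Horse
File:  C:\Users\Zeke\AppData\Local\Temp\DWH6C6.tmp
Location:  Quarantine
Computer:  ZEKE-E1405
User:  SYSTEM
Action taken:  Quarantine succeeded : Access denied
Date found: Monday, February 11, 2008  7:06:07 PM

Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Risk: Trojan Horse
File:  C:\Windows\Temp\DWHA.tmp
Location:  Quarantine
Computer:  ZEKE-E1405
User:  SYSTEM
Action taken:  Quarantine succeeded : Access denied
Date found: Monday, February 11, 2008  7:06:09 PM

Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Risk: W32.Apack.A
File:  C:\Users\Zeke\AppData\Local\Temp\setup_update.exe
Location:  Quarantine
Computer:  ZEKE-E1405
User:  Zeke
Action taken:  Quarantine succeeded : Access denied
Date found: Monday, February 11, 2008  7:08:40 PM
"""

# "Key:  Value" line; keys contain only letters and spaces, so the colon in
# a Windows path or a timestamp never splits the key.
_KV = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

# Working-copy names the thread attributes to SEP's own quarantine rescan:
# DWH + short hex suffix (DefWatch/DWHWizard) and the APQ*.tmp names one
# poster saw in the SRTSP quarantine folder.  Treating these as the rescan
# signature is an assumption drawn from the thread, not a Symantec spec.
_ARTIFACT_NAME = re.compile(r"^(?:DWH[0-9A-F]{1,4}|APQ[0-9A-Z]{1,4})\.tmp$", re.I)
# Folders where the thread reports those working copies being written.
_ARTIFACT_DIRS = (r"\temp", r"\srtsp\quarantine", r"\xfer", r"\xfer_tmp")


def parse_alerts(text):
    """Split notification text into records; each is a dict of
    lower-cased field name -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = _KV.match(line.strip())
            if m:
                rec[m.group(1).strip().lower()] = m.group(2).strip()
        if rec:
            records.append(rec)
    return records


def is_rescan_artifact(rec):
    """True when the record looks like SEP re-detecting its own extracted
    quarantine copy: artifact-style name, expected folder, and the SYSTEM
    account the scanning service runs under (as in the first post's record)."""
    folder, _, name = rec.get("file", "").rpartition("\\")
    return (bool(_ARTIFACT_NAME.match(name))
            and folder.lower().endswith(_ARTIFACT_DIRS)
            and rec.get("user", "").upper() == "SYSTEM")


def triage(text):
    """Per computer: count artifact vs. other detections and keep the
    non-artifact records, which are the ones that still need an analyst."""
    summary = defaultdict(lambda: {"artifact": 0, "other": 0, "review": []})
    for rec in parse_alerts(text):
        host = rec.get("computer", "?")
        if is_rescan_artifact(rec):
            summary[host]["artifact"] += 1
        else:
            summary[host]["other"] += 1
            summary[host]["review"].append(rec)
    return dict(summary)


if __name__ == "__main__":
    for host, s in triage(SAMPLE_ALERTS).items():
        print(f"{host}: {s['artifact']} likely DWH rescan artifacts, "
              f"{s['other']} detection(s) to review")
        for rec in s["review"]:
            print(f"  review: {rec['risk']} in {rec['file']}")
```

A burst of artifact-class records on one host right after a definition update is the pattern the thread describes; anything left in the review list should be handled as a normal detection.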

siniestro's picture

Hello, I am having the same problem, try this... this works for me.

 

I have Windows Vista Enterprise and Symantec End Point Protection 11.0.780.1109

 

1. Log on as a user with administrative privileges, uninstall the Symantec Antivirus and restart.

 

2. Log on as a user with administrative privileges, download and run the Norton Removal Tool; you can find it at http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

 

3. Log on as a user with administrative privileges, delete all temporary files in the following path: C:\Users\User Profile\AppData\Local\Temp

 

4. Reinstall Symantec Antivirus.

 

5. Go to the path C:\Program Files\Symantec\Symantec Endpoint Protection, find the DWHWizrd.exe file and replace it with the same file from another machine (this doesn't make much sense, but if you don't do this, it doesn't work). If you are a home user, install Symantec on another machine and copy the file onto a flash drive.

 

It's important that the other machine is not infected. I hope that this fix works for you.

ed@southshorecomputers's picture

Same problem with DWH*.tmp files. Endpoint 11 Auto-Protect will start picking these up as soon as Internet Explorer starts. If I let it run, the generic trojan warning evolves into known trojans such as w32.apack.a. Every minute a new virus is detected and removed. I do not think this is a defect in Endpoint but a new trojan virus downloader that has compromised Internet Explorer. I have used other spyware/anti-virus programs, found nothing. Another PC had similar symptoms; besides w32.apack.a it had tool.killer. That PC had XP Pro running and Endpoint finally got it. Vista 64 Ultimate, no luck yet....
Any new info is appreciated.

Richit's picture

Hi

I too have the same thing. I have taken out the HDD and hooked it up to another PC running Norton AV 2009. It too detects the DWH*.tmp files as a generic Trojan Horse. I cleared all the infected files and deleted all other files in the temp directory under the user profile as well. Installed the HDD back into the original PC and everything was fine for 2 or 3 days before the whole process started again. The PC in question also runs Vista 32bit and Symantec End Point v11.

Mansoor: Can you tell us what updates / patches for Windows are required?  Windows Update is running all the time and updating the PC every day according to its schedule.

Any help would be very much appreciated!

Thanks
R

SAM_SHAIKH's picture

Hi Richit,

Try to apply the latest RR definitions from the link below and scan the machine in SAFE MODE with System Restore OFF.

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

In safe mode, try to delete the temp folders as well as temporary internet files.

In case you have any such samples, please submit them to the Symantec team at https://submit.symantec.com/gold or https://submit.symantec.com/platinum

Rgrds,
SAM

Steves396lt1's picture

SAM, what the heck are these files? What is Symantec hiding? It takes up massive hard drive space.
How do we stop it from continuing?

AngelD's picture

These bastards often have self-surviving "features" to prevent anti-virus/spyware tools from removing them. My guess is that it is not fully cleaned out and therefore comes alive again after a while.
Try to find the "bad" entry point that starts the process (creating the file) again.

I usually use IceSword for this kind of "removal" tasks.

Paul Mapacpac's picture

You should clear your quarantine folder. It will keep on popping up every day because after the new defs are downloaded the AV will scan the quarantine, thus creating a temp file.

mon_raralio's picture

I don't think that it has anything to do with the quarantine folder which is something like C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine and not Zeke's user profile as shown by the user.

I also want to know which application causes this. Or which vulnerability. So I can take necessary actions aside from patch and updates. I just received a report that a user got this Trojan Horse. He has 40 tmp files in the same path.

“Your most unhappy customers are your greatest source of learning.”

Paul Mapacpac's picture

I think this depends. I believe the user is using Vista, which is why the profile path is C:\Users.

Senrats's picture


Solution:
This problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

Please refer to the product Download page to obtain the update:
http://www.symantec.com/business/support/downloads.jsp?pid=54619

If you are unable to migrate up at this time, here are workarounds that should alleviate the issue. These are listed in order of preference.

  1. Disable rescanning of quarantine upon receipt of new virus definitions.
  2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
  3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
  4. Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.

"Trust, but verify."

gezahorvat's picture

Hi Senrats,

Unfortunately the patch you mention is only for Symantec Endpoint Protection. I am using Symantec Anti Virus (10.2.0.276).

I have the same Problem as everyone here and it is very annoying for me. Booting every client in safe mode and doing the things you summarize is very much work for me!

Can't believe that Symantec is not able to solve this issue since nearly 2(!) years...

Do you know if there's a patch for SAV10 as well?

CoreTechnologySolutions's picture

I am running SEP11 MR4 MP2 and still have this issue.

FRITZ2's picture

To anyone that had this bug: I went into the DOS prompt and did a DEL DWH(file name).TMP one at a time. Took a bit to get them all, had 72 of them. Did this on the 9th, none have come back, scanned clean.... on all the temp files, and then deleted all the other temp files after I got those gone. Had been trying to delete them in Windows in C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP, this was where the files set themselves. Couldn't delete there, it would just delete and just pop back in. Seems to be OK, will know in a few days.

Hope this will help.

Grant_Hall's picture

Hi Fritz.

I am glad you got your issue resolved, and I am glad you decided to come here to the forums to let us know the route you took to get it solved. However, in the future please try not to post on threads this old (2 years old) because the product (and the specific virus) has changed so much in that time that your post is probably not relevant anymore. In the future just create a new thread.

Great seeing you in the forums hope you come back!
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

Ryan_Dasso's picture

 

USE AT YOUR OWN RISK. 
This is a dangerous command that can cause serious harm to your computer if used incorrectly. Don't blame me or Symantec if you do it wrong. If you're not confident in using it, please don't.

That said, here's a command that will delete your DWH####.TMP files much, much faster (in command prompt):

del /q/f/s/a dwh*.tmp

 

This command will delete all files that start with "DWH" and have the "TMP" extension. It does this recursively through all subfolders, so be careful about what folder you run it in.

/q = Quiet. No confirmation on delete (once you run the command, files it finds will be removed... second chances)
/f = Force. The command will delete read-only files.
/s = Subfolders. The command will search all subfolders and delete matches.
/a = All. The command will include hidden files and, since we have the /s switch, subfolders.

ryst's picture

Old thread indeed. But this problem still occurs in SEP11 RU6.

GaurhothW's picture

Confirmed, I'm seeing the same type of NUMEROUS detections of D???.TMP files (identified as 'Trojan Horse' risk). Using SEP v11.0.6005.562.

brinkle1212's picture

Yes, it is an old thread, a very old thread, with no resolution. 

Using SEP v11.0.6005.562, I have the same problem.

IuliusAugustus's picture

Same here: SEP v11.0.6005.562, but I have only about 5-6 stations that started to detect "those" trojans.

So far I see it's related to Windows 7 only and gives ~500 alerts / day / computer. It does not start after install but at a random moment, possibly coupled with other minor viruses (harakit, sality, ...) that get deleted, but lots of these .tmp errors start to appear.

Any solution? MR-6B?

BrewNinja's picture

Same problem here....anyone find a fix?  I hate to just uninstall the client on the affected machines.

Jason1222's picture

I just started having this problem, thing is, it's on my only Windows 7 x64 box. 
Also, the problem only started happening during an initial installation of Office 2010... 

And now, I am flooded with this thing, 121 files claimed to be found in DW*.tmp folder... 

And, I am using RU6a and updates are from the latest as of 12:00 pm EST ... June 10, 2010

BrewNinja's picture

Just an update.  FYI this was only happening on Win7 X64.  I deleted all the files in my quarantine and my c:\users\username\app data\local\temp directory and so far in 2 hours haven't had any more notifications.  Before I couldn't even go 20 minutes.  I'll post back if something changes, but for now that seems to be doing the trick.

BrewNinja's picture

BTW...No luck.  Still happens =(  Looks like we have to wait for Symantec to issue a fix.

brucelangston's picture

I see DWHx.tmp, where "x" is A, B, C, etc. Also saw a DWH1C.tmp. All are in C:\Documents and Settings\<username>\Local Settings\Temp\

Is there an interim solution?  I have taken this computer off the network. Do we know what program is generating these files?

Scuba Steve's picture

The DWH files are temp files that are created by our process called defwatch.exe. These files are quarantined threats that we pull out of quarantine to scan during a quick scan. This usually happens when new defs are applied. The doc stated above is public facing and offers a few different workarounds to resolve the issue. What we have seen in most cases, is the indexing service, or some other real-time scanner is touching the file and then auto-protect is re-scanning it.

mastersm's picture

Thanks Steve. You refer to a doc, which one? Also when do you expect this to be fixed as appears to have been an issue for some years?

RF1_Neil's picture

We too have experienced the above issue with RU6a and have a case open presently with Symantec support.  Hopefully there will be a fix in due course.

Philonius's picture

Same issue here on a Vista Notebook. Had another where client uninstalled Google Chrome and problem went away (supposedly) unverified.

RF1_Neil's picture

Our response is as follows (as I understand it).

There is code presently in the build for the next maintenance patch.  It is hoped that the fix will be released.  This is scheduled for release in four weeks' time.  Any of the above could be subject to change as necessitated by development and testing requirements.

Our call remains open pending further updates.

So in any case RU6 MP1 (RU6b?) is the one to watch out for.

Symanticus's picture

Wow, I also face the same problem here, guys. Wondering when the date for the next MP / patch release for this matter is?

/* Infrastructure Support Engineer */

bobbyk's picture

So this is a two and a half year old problem that plagues both SEP 10 and 11? Hopefully they issue a fix for this soon. I currently have about 5% of my users affected by this annoying bug. I have been successful with deleting affected user profiles. The other weird thing is that it happens on their computer every Thursday and no other day. Would be nice to have a definite answer from Symantec.

Jason1222's picture

If only on Thursday, you likely have a scheduled scan for Thursdays?

Unfortunately, changing the weekly scan to another day, will result in you "shifting the problem" to another day... 

Symanticus's picture

http://www.symantec.com/business/support/downloads.jsp?pid=54619

That is what I've got from the Symantec KB, but I can't seem to see any file posted in there?

/* Infrastructure Support Engineer */

Raunak_Vaghela's picture

This is a known issue which is going to be fixed probably in SEP 11 RU6 MP1.

Meanwhile, please follow the KB below to resolve this issue:

http://service1.symantec.com/SUPPORT/ent-security....

Reason behind it:
- By default, when there is anything in the quarantine folder and new definitions are downloaded to the SEP client, a scan is initiated after the download to check if any definitions are available which can resolve the quarantined files.

- Unfortunately, in some cases, during this process, the scan detects the tmp files which are created in the Xfer or Xfer_tmp folder during the above process.

This issue was initially fixed in MR4 MP2, however, I have seen this issue in some cases of RU5 and RU6 as well.

As mentioned above, hopefully, it will resolve in RU6 MP1.

Please Mark on the solution that worked for you.

Symanticus's picture

thanks for your fast reply Raunak,

hopefully this patch will be released anytime soon.

/* Infrastructure Support Engineer */

XexeX's picture
I've got the same problem too....
This happened on some clients; the infected file is in %tmp%, not in xfer or xfer_tmp.

I'm worried that SEP has been hijacked by a virus.

SEP is a good product, but I've spent too much time on troubleshooting.... my user experience of SEP is..... I'm using a beta product.

jlawless2010's picture

Generic Trojan .tmp files 2 + year old issue

 

Caveat: Alternate method attempted from one of the articles listed in the thread: rename DWHWizrd.exe and copy the same file from another PC not exhibiting the problem to the PC that is adversely affected. This didn't work... See below for the successful solution!

This solution worked. Thank you Scuba Steve!!! You can safely delete those .tmp files [this note added by JLAWLESS2010] {Keep in mind you may have many pages of files to delete if this problem has been going on for some time}. Unfortunately, I (Scuba Steve) don't support the Small Business product, so I am not sure if that is the latest version. But for the Enterprise SEP, the next release will have a fix that will resolve most of the issues that can cause us to scan those files. The DWH*.tmp files are created when new definitions come down, or a quick scan is run. Dwhwizard will run, and try to scan the files that are in quarantine. To do so, it has to create the DWH*.tmp files and copy the quarantined files to those tmp files. It scans them to see if the new defs or current defs (in the case of a quickscan) can repair the files. It will then delete the files when the process is finished. If there is some other process that touches these files, then Auto-Protect will see the I/O operation and scan the files again. It can become a very large issue as this can effectively double the amount of data each time.

Terry at Legal-Ease's picture

This thing has caused me many sleepless nights.  I am a small business owner, with six (6) workstations.  Four (4) of the workstations have this problem.  It's September 11, 2010; I sure hope there's a fix?

VKalani's picture

Try installing Symantec Endpoint protection latest version. The issue would be solved.

-VKalani

AusRhiannon's picture

I hope that installing it does work, I'm sick to death of this trojan.

VKalani's picture

I think, it is not a trojan. It is more of a product issue.....

-VKalani

Narendran K's picture

Hi There,

FYI.... I just did a test regarding this DWH and I found this DWH issue also occurs if the heuristics are increased to the highest level.

Can you also check that and update us?

 

Thanks,
Narendran K

SteveDoughton's picture

What is the version number of SEP 11 RU6 MP1?

I am running 11.0.6005.562 and I still have the DWH issue. Does this mean it has not been fixed or does it mean that Symantec has not updated itself to SEP 11 RU6 MP1?

Do I have to push an install of SEP 11 RU6 MP1 on to all of my clients?

VKalani's picture

SEP RU6 MP1 is 11.0.6100.XXXX

You can download it  from https://fileconnect.symantec.com

 

Just run setup.exe, and then once SEPM is upgraded, add the RU6 MP1 package to the groups in SEPM. All your clients will also be upgraded.

-VKalani

Symanticus's picture

Yes, +1 to Vishal. MP1 is now working great without any problem in my domain.

/* Infrastructure Support Engineer */

XexeX's picture

I'm using MP1; this issue still occurs on some computers.... it only changed the location from user\temp to c:\windows\temp........

bjcarter's picture

We have had this problem on 2 of the 15 workstations we have.  Running SEPP 11.06005.562.  On a domain with Server 2008.  I will try the fix above.  However, the users that have been affected are now getting a temp profile and it appears the user profile is corrupt.   When we log in all our desktop files, settings, etc. are gone.  They still show up in C:/Docs and Settings/User etc.... we are running Windows 7 Pro 64 bit...  At this point does anyone have any suggestions on how we can fix this, OR are we just going to have to set up a new user on the domain, log in, move all the files, etc.?

Any help would be appreciated.

I am not 100% sure, but at this point I am thinking that it kept doing this, thus the hard drive usage was growing and growing, and these computers were partitioned by HP for the OS and quite small, then possibly it used too much hard drive and then corrupted the OS.  Not sure, but at this point it would make sense.

bjcarter's picture

Nevermind.  I uninstalled SEPP.  Then I did a System Restore.  It brought it back.  

_Steve's picture

Hello, it's taken me a while to read through this thread only to surmise that a definitive solution has yet to be found. Please correct me if I'm wrong.

I'm running Windows XP SP3 and using version 11.0.6005.562 and have 142 'Still Infected' users on my domain. Am I to believe that RU6 MP1 will resolve the issue?

Thank you

ZachFlem's picture

I too have not been able to resolve this issue.

I have tried a number of different AV software apps, and none seem to be able to clear the infection.

My current AV "End Point Protection 11.0.6000.550" is a fresh install, I have previously tried installing the RR defs to no avail.

Is this really an issue with a Symantec product like has been mentioned in this thread? If so, where is the fix?

I currently have 1000+ infected files locked by quarantine, and the notifications are getting really annoying.

Latvija13's picture

Is there a solution to this problem? I am currently using Symantec(tm) Endpoint Protection version 11.0.6005.562. I'm seeing thousands of DWH(random 4 digits).tmp files from my Temp directory appearing as Trojan Horses. 

dmward50's picture

Same boat. I had a computer consultant deal with it at some point and it stopped for about a month and now it's back.

 

Could someone from Symantec respond and tell us when this will get fixed? This thread began a year and a half ago and the problem is still occurring.

Mithun Sanghavi's picture

Hello,

This issue is Resolved with RU6 MP1 (SEP 11.0.6100).

Check the Knowledgebase.

DWH***.tmp files are detected in the user profile temp directory.

http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US
 
Release Notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x
 
http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US
 
 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Beann's picture

Hi Mithun Sanghavi,

I had installed SEP version 11.0.6100 but still get machines detected with dwh*.tmp in the user temp folder.

These machines were not installed with a previous SEP version. Any possible cause for such an issue?

Please advise. Thanks.

Regards,

James

Regards,

Beann

Aloha12345's picture

I'm having the same issues as Latvija13! I also have the same SEP edition.

Mithun, I went to the link http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US and the download update link is dead. Where can we get the update to fix this? So does this mean we don't have the virus bloodhound.exploit.232 and they are .tmp files generated by SEP? Please clarify because I am concerned about this virus. Thank you kindly!

 
 
BobJohnson's picture

I was seeing this problem in 11.0.6005.  I found this page and did the update to 11.0.6100 like I was told.  I am still seeing this problem.

We've been told that the issue has been resolved in several different versions of the release.  From RU6 to 11.0.6 MP1 it was supposed to be fixed.  Some still reported the problem after the upgrade to MP1.  It was also supposed to be fixed in 6005.  Now in 6100 it is still happening.  Very frustrating.  What can be done to fix this issue once and for all?

Beann's picture

Hi all,

This morning there were over 1000 detections in total on 1 machine, which were categorized as Quarantined Viruses by Symantec Endpoint Protection Manager.

They were detected in "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ****.tmp"

**** represents a combination of letters and numbers.

Any better idea to solve the problem instead of manually clearing the quarantine folder?

Disabling quarantining of newly detected malware might not be a good way to solve the issue.

Please advise. Thank you.

Regards,

Beann

zeroping's picture

I have a support case open about this issue. Not sure why no one from Symantec has updated this but here is the article that they sent me and what to do for the short term...

 

http://www.symantec.com/business/support/index?pag...

Beann's picture

The KB article is only based on Windows Vista, 7 or later. Unfortunately, my machines are using a Windows XP SP3 environment. Any workaround for it?

Thanks.

Regards,

Beann

prodigy06's picture

Can anyone tell me whether this is an actual virus or not?

John_Prince's picture

These do not present a security risk to you; it's an issue with the SEP product. The only negative effect that I can see right now is that it eats hard drive space.

Remote Product Specialist, Business Critical Services, Symantec

STVA's picture

Updated to 11.0.6100 and still have the problem, on XP as well as on Win7 workstations.

XP:  C:\Documents and Settings\username\Local Settings\Temp\DWHxxxx.tmp

Win7:  C:\Users\username\AppData\Local\Temp\DWHxxxx.tmp

Symanticus's picture

I'm now using the MR6MP1 and the problem has been fixed, Good job Symantec.

/* Infrastructure Support Engineer */

John_Prince's picture

To those of you still experiencing this issue, please use the following tech document:

http://www.symantec.com/business/support/index?page=content&id=TECH138856

I believe XP SP3 has an indexing option as well, I'm not 100% sure on that. Check in Control Panel and exclude the directories too if possible.

If you are still experiencing it after following this article, then please give us a call and open a case so we can track this issue.

Remote Product Specialist, Business Critical Services, Symantec

bimjimmy's picture

I just used a combination of what I read above on my desktop PC, w/XP Pro.

After shutting down all of my visible programs I went into both C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine and C:\Temp, and persisted in deleting all the files I possibly could.

There were about 5 files that refused to budge because they are being used by some program, so I left them. It helped that I used the 3-fingered salute to access the running routines and end the entity "rtvscan.exe". It comes back again after a couple of seconds, but the hard drive goes wonderfully silent...

With all those Temp files gone and rtvscan.exe reset, I'm hoping I can get some work done. Until it starts up again. But at least it's an effort.

HTH somebody...

J

sfotech's picture

We are using Symantec Endpoint Protection 11.0.6100.645, which I believe is the very latest release out, and we are still having this problem. I have put a Centralized Exception in place for this file as DWH*, and for most of our PCs this has stopped the problem.  However, even with the exception in place I have 3 PCs that have continued to have the problem and now a 4th one has joined the group.  Any further updates as to how to resolve this would be most appreciated.   2 years seems like a long time for the same problem.

postechgeek's picture

@sfotech

Have you cleaned the quarantine on the clients that are still having the issue?

jimheem's picture

This is starting to get really ridiculous. I walk away from my desk for an hour or so, and I come back to over 6000 DWH files alerted as js.securitytoolfraud.

 

I'm on the latest - 11.0.6005.562 - on Windows 7, fresh clean install. I excluded the temp files from indexing as suggested in the link above from the Symantec employee - didn't work - matter of fact I even stopped the indexing service and it's still rolling new alerts out.

 

Ridiculous.

samiandsusu's picture

I have the same problem with the same version.

I fully agree with you - this is ridiculous!

_Brian's picture

The latest version is actually RU6 MP1. You may want to upgrade to see if that helps.

James Winslow's picture

Yes, I concur with that. So far MR6 MP1 is stable and has no problems.

Pawel Lakomski's picture

RU6 MP2 is meant to completely resolve the problem AFAIK.

--

Cheers,

Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator

 

bartman's picture

I'm running RU6 MP2 and I'm still having the issue (again) :-(

This is pretty poor. Why can't this be solved in three years?

Starting from SAV10 to the newest release of SEP.

I'm really disappointed.

_Brian's picture

Remove SEP completely then re-install RU6 MP2

bartman's picture

You cannot be serious!

Why do I always hear this solution when having problems?

This issue was fixed 3 times now and is back again.

What happened to QA???

_Brian's picture

It was just a suggestion. It worked for me when I had to deal with it. I uninstalled RU6a completely and installed RU6 MP2. Problem solved. As a workaround, assuming you're using a managed SEP client, you can go into the SEPM and under AV Policy >> Quarantine >> When New Definitions Arrive >> select the radio button for Do Nothing.

Otherwise, call Symantec and open a case for further assistance.

The reason you hear upgrade or uninstall/re-install is because the majority of the time it works. If you are a user of Microsoft products, you should be more than familiar with this.

If it still doesn't work, call Symantec so they can review. You can also ask them about their QA process if so inclined.

bartman's picture

Don't take it personally. I'm just p$ssed. I opened a case yesterday. I will try your workaround.

David Spigelman's picture

I'm having the same problem with SEP 12.0.1001.95. I'm going to try to see whether indexing is turned on for the %temp% folder, per http://www.symantec.com/business/support/index?page=content&id=TECH138856, but I find the fact that Symantec hasn't fixed this problem completely in almost four years extremely disturbing. I'm trying to sell the product. What do I do when a client is getting all these alerts and is frustrated? How do I continue to sell this to my customers?

rickt8's picture

My computer first began having this problem 8 months ago. Still trying to solve it. Know now that I'm not alone. Will call Symantec to try and solve this problem.

IT guys, please don't stop working on ridding us of this nonsense! Getting VERY ANNOYING. Thanks.

dahman22's picture

Symantec already has the money in their pocket, of course they are not going to help.  The definitions and the program are updated daily and the problem persists!

Screenshots of my daily scanned so-called "viruses" are attached (virus tmp.jpg).

_Brian's picture

What version of SEP are you on? This was fixed in RU6 MP2.

Did you open a case with support? Why will they not help?

MitchNussbaum's picture

We're running RU6 MP2 (that's what 11.0.6200.754 is, right?) and we're still seeing these detects.