
Generic Trojan - DWH*.tmp in Temp folder

Created: 11 Feb 2008 • Updated: 28 Aug 2011 | 161 comments

I am troubleshooting a SAV 10.2.0.276 client with scan engine 71.4.0.15 and up-to-date definitions. It appears to be the same issue described here, except that SAV successfully quarantines all of the .tmp files, so there are no files to delete when I boot into safe mode.

Once or twice daily, Auto-Protect flags dozens of these files, all of them like this with DWH***.tmp in the Temp folder:

Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Risk: Trojan Horse
File:  C:\Users\Zeke\AppData\Local\Temp\DWH6C6.tmp
Location:  Quarantine
Computer:  ZEKE-E1405
User:  SYSTEM
Action taken:  Quarantine succeeded : Access denied
Date found: Monday, February 11, 2008  7:06:07 PM

The link goes to a generic Trojan Horse KB entry, nothing specific about the type of trojan. They keep on popping up once or twice daily, and I cannot figure out what is creating them, or if it really is a Trojan Horse in the first place. I suspect it is a false positive, but cannot be sure.

Anybody know what might be creating these files, and how I can either stop the malicious software, or fix SAV to not call it out if it is a false positive?


fixerr wrote:

Yes, the version you have is RU6 MP2.

Upgrade to 11.0.6300 (RU6 MP3) and your issue will be fixed. This is a product bug.

Don't forget to mark your thread as "SOLVED" with the answer that helped you!

hbien wrote:

According to their technical document, I was able to solve the same problem as reported (multiple hits on "DWH???.tmp" files) on Windows 7 x64 with SEP 11.0.6005.562 by:

1) Disable "Symantec Endpoint Protection", then

2) Open up the SEP client and DELETE all files in Quarantine, then

3) Re-enable "Symantec Endpoint Protection"


This worked well for me. I have no other indexing programs running. Hope this helps others.

Rodney323 wrote:

hbien, I tried something similar to your suggestion. Not so much to delete the DWH**** tmp files in quarantine, but to do a full scan of my computer without incurring the DWH****tmp files. No such luck. There is a file in the Endpoint Protection program entitled DWH Wizard that generates the DWH****tmp files. You may be able to delete the quarantine files, but the problem will still be there, and you will acquire more/additional DWH***tmp quarantine files. hbien, please take a look at my thread entitled "DWH Trojan Horse problems". Hopefully, you will be able to provide some insight about this problem that so many of us are having with this "DWH***tmp file thing".

I tried disabling "Symantec Endpoint Protection" and scanned my computer with another anti-virus program. But as soon as the scanning reached the Endpoint Protection program directory, the automatic protection of Endpoint popped up to begin capturing the DWH****tmp files. I did disable the Endpoint Protection program. Perhaps some aspect of the Endpoint Protection program (the automatic protection part) was still active in memory.

jhay6600@yahoo.com wrote:

Hi guys,

Can you download Process Explorer? Simply search on the web and download it. Then kindly screenshot the whole process list. I think there's an application running in the Task Manager; try to terminate that application and proceed to deletion of the file.

I also found a link regarding this problem. Hope it works.

http://djakaprasetja.blogspot.com/2009/11/generic-trojan-dwhtmp-in-temp-folder.html

hbien wrote:

That's how I actually found what was going on. I used Process Explorer, filtered by "DWH*" files and found that the only processes that were accessing them were DWHWIZ.EXE and RTVscan.exe - both SEP programs. Even indexing programs usually only run at periodic intervals (usually not continuously). As much as this "bug" was a problem (I had the quarantine messages for so long) I prefer this type of "false positive" hits to a false negative where someone may package a virus/trojan/malware and make it appear to be a "virus definition" file to escape detection.

ejhonda wrote:

That link you posted is simply a regurgitated post from earlier in this thread - better to read it here than visit that dicey-looking blog page.

AzureX120 wrote:

1) First, disable Symantec Auto-Protect.

2) Then in the Task Manager end the smc.exe process, the SmcGui process and the dwhwiz.exe process.

3) Finally, delete all the files in C:\Users\*username*\AppData\Local\Temp.

Then re-enable Symantec.

Works on every computer I've tried (Vista + 7).

Caveat: I've only run this as an administrator.

It's not a real virus like the commenters said, just the definition wizard tricking the real-time virus scan.

PeroB wrote:

For all those suggesting reinstalling, disabling SEP, terminating associated processes, excluding certain folders and what-not:

You gotta be joking, seriously. What you are suggesting is to literally drop your pants down and hope for the best. And that is all you are left with for the time all your defences are down. You don't buy not-at-all-cheap enterprise-class software just because of some cash burning holes in your pockets; you buy it to keep you protected.

@ John_Prince and his comment:

"These do not present a security risk to you, its an issue with the SEP product. The only negative affect that I can see right now is that it eats hard drive space."

Some malware, among other things, does exactly that, so following your logic SEP would fall into that category. Coming from a Symantec employee it can hardly be considered a recommendation for their own product. Kudos though for the acknowledgement of a faulty product.

@ others saying it was fixed in RUxx and/or MPxx: apparently it wasn't, and it seems Symantec is yet to find a solution for it.

Hundreds of clients in our environment have been free of this annoyance ever since that last TMP flood about a year ago. Nothing that could be accredited to our uber-admin skills, just got lucky I guess.

A bit off-topic, but it illustrates another bug which comes up from time to time on some of our clients:

SYMANTEC TAMPER PROTECTION ALERT
Target:  Symantec.SyKnAppS.SingleAccess
Event Info:  Create Internal Mutex
ActionTaken:  Blocked
Actor Process:  C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe (PID 3628)
Time:  Sunday, January 23, 2011  9:41:24 PM

Kramer vs Kramer kind of scenario, eh? If memory serves me right I first saw these on MR2 clients and it's still around.


Thomas66 wrote:

We have 20,000 devices in the database; 0.5%-1.5% of the machines have the issue at any given time.

We can fix individual machines and do it constantly, but it's very difficult to track down every machine that has this issue.

This has been an ongoing problem for well over 3 years, and every release and patch (both SAV and SEP) is 'supposed' to be the final fix for this.

Very frustrating.

nemsabes wrote:

Dear Friends,

I've got the same problem as you. My version is 11.0.6005.562, I have a computer that every single day alerts about this FALSE virus.

I'll try  to perform the suggestion of AzureX120 and let you know.

But in case of another discoveries, please let us know.


Thanks all

fixerr wrote:

Fix for Generic Trojan - DWH*.tmp in Temp folder

Hi all,

You will be getting DWH*.tmp in the temp folder, where Symantec will be detecting it as a threat. The fix for this issue is to upgrade your SEP to 11.0.6300 (MP3).

If you have RU6 (11.0.6000.550) or above you can go ahead and directly install RU6 MP3 (11.0.6300.803), which was released in March 2011.

If you have a version below RU6 (11.0.6000.550) you need to upgrade to RU6 (11.0.6000.550) first, and then you can go directly to RU6 MP3 (11.0.6300.803).

Links

Migration to RU6 MP3

http://www.symantec.com/docs/TECH155655

Don't forget to mark your thread as "SOLVED" with the answer that helped you!

Ryan_Dasso wrote:

This is an interesting issue because it's so easily misunderstood. There are a lot of things that have caused the DWH*.TMP issue. I'm really surprised none of them have been outlined in this thread yet. There's a post by ScubaSteve early on that gives a good explanation... perhaps the implications aren't fully realized.

The first thing to understand about this issue is: it's not one, single issue. There have been many different reasons for the DWH files showing up in various locations. Ultimately, the basic reason is the same, but numerous root causes have been found over the years.

The second thing to understand about this issue is: it doesn't continue to occur because SEP developers and support engineers don't care about this issue or just can't figure it out. The truth is, it continues to occur because, as noted in misunderstanding #1, there are a lot of things that cause the issue. To date, we have fixed various root causes for the issue. We fully understand the issue and work hard to implement solutions that don't break other things at the same time. We're sorry you have this issue and, if you look, you'll find we have solutions in place.

The third thing to understand about this issue is: it's not always Symantec software's fault. This requires a little more explanation of what happens behind the scenes. When SEP gets new defs, it checks the files in Quarantine to see if there are any new remediation steps, false positives, etc. Files in Quarantine cannot simply be scanned while they're quarantined. They must be extracted from Quarantine first. The expected behavior is this: SEP extracts the files, scans them, moves them back to Quarantine. There have been cases (mostly earlier builds) where a bug in SEP would cause the DWH files to be mishandled. SEP abandons the process because it can no longer trust the files and, as it does with all files that are written to the disk, scans the file with Auto-Protect. Auto-Protect finds the virus code in the DWH file and acts on it (quarantining). There have been other cases, however, where other software (3rd party scanners or indexing services, for example) try to get in the way and cause the DWH files to be mishandled. This is something Symantec simply cannot always avoid. We're very sorry about it and wish it didn't have to be this way, but that's just the way it is. The proper response is to fix the offending 3rd party software.

Finally, I want to address one absurd point of advice about re-installing SEP to fix the issue. In most cases, this simply isn't required... and furthermore, no real Symantec tech is going to recommend this as a first solution. The first thing to do is look for 3rd party software that may be causing SEP to stop trusting DWH files. Set up exclusions for SEP's working directories. If that doesn't do it, purge Quarantine and SEP's working directory. If you want to be more surgical, only delete DWH*.tmp files in the working directories (still need to clear Quarantine). If you simply can't stand to have another DWH detection, disable the scans when new defs arrive (not Best Practice). If you want to go even further, adjust your detection settings to not use Quarantine (also, not Best Practice). Finally, if all this fails and you still get DWH detections, re-install the SEP client. But realize you're re-installing because there's something else very wrong with the software at this point... policy corruption, permission issues, etc. At this point, you should probably be contacting Support to work on a full investigation.
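Added example, not from any post in this thread and not Symantec code: the Auto-Protect event text pasted in the opening post parsed into objects, with each event classified by the pattern Ryan describes above (a DWH<hex>.tmp in a Temp folder, reported for SYSTEM, already in Quarantine). Events that miss any part of that pattern are listed for ordinary triage instead of being waved through. The second sample event, its file name and its user are constructed for the example; the check itself is a heuristic derived from the thread, not Symantec's logic.

```powershell
# Added example (not from the thread): sort SEP Auto-Protect events into
# "DWH quarantine-rescan artifact" and "needs real triage".

function ConvertFrom-SepEvent {
    param([Parameter(Mandatory = $true)][string]$Text)
    # Each event is a block of "Key:  Value" lines; blank lines separate events.
    $events = @()
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        if ($block.Trim() -eq '') { continue }
        $ev = @{}
        foreach ($line in ($block -split '\r?\n')) {
            # Split on the first colon only: values such as "C:\Users\..." and
            # "Quarantine succeeded : Access denied" contain colons themselves.
            if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
                $ev[$Matches[1]] = $Matches[2]
            }
        }
        if ($ev.Count -gt 0) { $events += New-Object PSObject -Property $ev }
    }
    return ,$events
}

function Test-DwhArtifact {
    param([Parameter(Mandatory = $true)]$Evt)
    # The pattern from the thread: DWH<hex>.tmp in a Temp folder, reported for the
    # SYSTEM account (RTVScan/DWHWIZ run as SYSTEM), already in Quarantine.
    # Anything that misses one of these conditions gets normal triage.
    if (-not $Evt.File) { return $false }
    $leaf = [System.IO.Path]::GetFileName($Evt.File)
    $dir  = [System.IO.Path]::GetDirectoryName($Evt.File)
    return (($leaf -match '^DWH[0-9A-F]{1,4}\.tmp$') -and
            ($dir  -match '\\Temp$') -and
            ($Evt.User -eq 'SYSTEM') -and
            ($Evt.Location -eq 'Quarantine'))
}

function Get-DwhSummary {
    param([Parameter(Mandatory = $true)][string]$Text)
    $events = ConvertFrom-SepEvent $Text
    $dwh    = @($events | Where-Object { Test-DwhArtifact $_ })
    $other  = @($events | Where-Object { -not (Test-DwhArtifact $_) })
    New-Object PSObject -Property @{
        Total         = $events.Count
        DwhArtifacts  = $dwh.Count
        AffectedHosts = @($dwh | ForEach-Object { $_.Computer } | Sort-Object -Unique)
        NeedsTriage   = @($other | ForEach-Object { '{0} ({1}, user {2})' -f $_.File, $_.Risk, $_.User })
    }
}

# Constructed sample: the first event is the one from the opening post; the
# second is a made-up detection that must not be dismissed as a DWH artifact.
$sample = @'
Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Risk: Trojan Horse
File:  C:\Users\Zeke\AppData\Local\Temp\DWH6C6.tmp
Location:  Quarantine
Computer:  ZEKE-E1405
User:  SYSTEM
Action taken:  Quarantine succeeded : Access denied
Date found: Monday, February 11, 2008  7:06:07 PM

Scan type:  Auto-Protect Scan
Event:  Security Risk Found!
Risk: Trojan Horse
File:  C:\Users\Zeke\Downloads\setup_update.exe
Location:  Quarantine
Computer:  ZEKE-E1405
User:  Zeke
Action taken:  Quarantine succeeded
Date found: Monday, February 11, 2008  7:10:12 PM
'@

Get-DwhSummary $sample | Format-List
```

Paste a day's worth of Auto-Protect notifications (or the risk log export from the SEP Manager, after converting it to this key/value layout) into $sample and the summary separates the rescan noise from detections that still need a look; the AffectedHosts list is the set of clients that need the quarantine clean-up rather than an incident response.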

reza akhlaghy wrote:

Dear Ryan,

Thanks for the very long reply. I don't know why this error occurs technically or who is responsible for creating this situation, but here's what I found out in my experience:

  • This error only occurs if there is something in the client's quarantine
  • This error is caused by SEP rescanning the quarantine on each update in the hope of fixing any of the quarantined files
  • While you have something in quarantine and your client keeps getting updates you'll face this issue continuously.

And this is the reason uninstalling and reinstalling will work: the uninstall removes the quarantine folder.

If you disable rescanning of quarantine when new definitions arrive it will reduce the number of events; also try reducing the number of days you keep files in the quarantine folder. As soon as you get rid of those files the problem will go away in most cases.

Regards,

Mithun Sanghavi wrote:

Hello,

Here is the solution for the same.

If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

Stop the Symantec Endpoint Protection service

  • Click Start, then Run
  • Type: smc -stop
  • Click OK

Deleting the files

NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions delete the files in the targeted directories, not the directories themselves. Do not remove the directories, only their contents.

Open the Command Prompt

  • Click Start, then Run
  • Type: cmd
  • Click OK

1. Deleting files from the user Temp folder. Type the following command in the Command Prompt. (The string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the Windows user whose temp folder you wish to empty:

   • Windows 2000/XP/2003
     DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
   • Windows Vista/7/2008
     DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

2. Deleting the contents of the temp folder at the root of C:\. Type the following command in the Command Prompt:

     DEL /F /Q C:\temp

3. Deleting the contents of the Windows Temp folder. Type the following command in the Command Prompt:

     DEL /F /Q C:\WINDOWS\Temp

4. Deleting the contents of the xfer and xfer_tmp directories. Type the following commands in the Command Prompt:

   • Windows 2000/XP/2003
     DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
     DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
   • Windows Vista/7/2008
     DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
     DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

The Quarantine folder

NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer hangs due to the large number of files that can reside there.

Delete the Quarantine folder. Type the following commands in the Command Prompt:

   • Windows 2000/XP/2003
     DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
     RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
   • Windows Vista/7/2008
     DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
     RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Recreate the Quarantine folder. Type the following command in the Command Prompt:

   • Windows 2000/XP/2003
     MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
   • Windows Vista/7/2008
     MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Start the Symantec service

  • Click Start, then Run
  • Type: smc -start
  • Click OK

If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder, follow these steps from the SEP Manager:
  - Edit the Antivirus and Antispyware policy of affected clients.
  - In the policy editor click "Quarantine" on the left-hand menu.
  - On the General tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
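The clean-up above as one PowerShell function, added here as an example (not Symantec's code and not from the KB text): it runs smc -stop, empties the Temp folders and SEP's xfer and xfer_tmp directories, removes and recreates Quarantine, and runs smc -start, the same steps as the DEL/RD/MD commands. It assumes a SEP 11 client under Program Files or Program Files (x86), reads the profile root from the ProfileList registry key so that both the "Documents and Settings" and the "Users" layouts are covered, and must run elevated. Passing -Surgical $true deletes only DWH*.tmp files (the more targeted variant Ryan mentioned) instead of every file in Temp; the ten-second pause after smc -stop is an assumption. The client is unprotected for the duration, and if the client policy requires a password to stop SEP, smc -stop will prompt and the script will wait. Try -WhatIf first.

```powershell
# Added example (not Symantec's code): the manual DWH clean-up as one function
# that can be run locally or pushed to many clients over WinRM.
function Invoke-DwhCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # $true: delete only DWH*.tmp files; $false: empty the Temp folders as the KB steps do.
        [Parameter(Position = 0)][bool]$Surgical = $false
    )

    # SEP 11 client binary; 64-bit Windows keeps it under Program Files (x86).
    $smc = @("$env:ProgramFiles\Symantec\Symantec Endpoint Protection\smc.exe",
             "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe") |
           Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $smc) { throw 'smc.exe not found; is Symantec Endpoint Protection installed?' }

    # C:\ProgramData on Vista/7/2008, "...\All Users\Application Data" on XP/2003.
    $dataDir    = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Symantec\Symantec Endpoint Protection'
    $quarantine = Join-Path $dataDir 'Quarantine'

    # Every local profile's Temp folder (both layouts), C:\temp, the system Temp
    # and SEP's transfer directories: the same set the KB steps empty.
    $profileList  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $profilesRoot = [Environment]::ExpandEnvironmentVariables($profileList.ProfilesDirectory)
    $tempDirs = @()
    foreach ($p in (Get-ChildItem -LiteralPath $profilesRoot | Where-Object { $_.PSIsContainer })) {
        $tempDirs += Join-Path $p.FullName 'AppData\Local\Temp'
        $tempDirs += Join-Path $p.FullName 'Local Settings\Temp'
    }
    $tempDirs += Join-Path $env:SystemDrive 'temp'
    $tempDirs += Join-Path $env:windir 'Temp'
    $tempDirs += Join-Path $dataDir 'xfer'
    $tempDirs += Join-Path $dataDir 'xfer_tmp'
    $tempDirs = $tempDirs | Where-Object { Test-Path -LiteralPath $_ }

    & $smc -stop
    Start-Sleep -Seconds 10   # assumption: give the client time to release its files

    # Files only, not subdirectories, exactly like DEL /F /Q on a folder.
    $filter = if ($Surgical) { 'DWH*.tmp' } else { '*' }
    foreach ($dir in $tempDirs) {
        Get-ChildItem -LiteralPath $dir -Filter $filter -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete')) {
                    Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
                }
            }
    }

    # Quarantine is removed and recreated, as the DEL /S, RD /S and MD steps do;
    # doing it here avoids Explorer choking on thousands of entries.
    if ($PSCmdlet.ShouldProcess($quarantine, 'Purge and recreate')) {
        if (Test-Path -LiteralPath $quarantine) {
            Remove-Item -LiteralPath $quarantine -Recurse -Force
        }
        New-Item -ItemType Directory -Path $quarantine | Out-Null
    }

    & $smc -start
}

# Local dry run, then the real thing:
# Invoke-DwhCleanup -Surgical $true -WhatIf
# Invoke-DwhCleanup -Surgical $true
#
# Fleet use (WinRM enabled on the clients): push the function body to each host.
# Invoke-Command -ComputerName (Get-Content .\dwh-hosts.txt) `
#     -ScriptBlock ${function:Invoke-DwhCleanup} -ArgumentList $true
```

The Invoke-Command line at the end runs the per-machine fix on every host in a list over WinRM instead of by RDP, which is the fleet-scale version people ask for further down. It does not replace removing the cause (exclusions for SEP's working directories, the indexing conflict, or the MP3 upgrade), so on a client where the cause remains the DWH files will come back and the script will need re-running.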

Thomas66 wrote:

This only fixes it until it happens again.

This is just a laughable solution! A machine once fixed will get the issue again at a later date!

Fix your software no matter how many root causes there are!!

You found the same basic reason for many root causes! So is that the root of the many root causes? ... lol!!

From my console screen:

Of the 400,000 still infected, over 99% are either DWH files or Mac false positives from ~1% of our 20,000 managed devices.

This throws most reporting out the window when trying to proactively fight this stuff.

Fix it please!

Bob in AC wrote:

There are a lot of steps involved with this remedy. What recommendations would you have for an enterprise situation?

I commonly hear from support engineers where they want you to RDP to a client computer and try one thing or another, but when there are several hundred devices with the same problem the per-unit solution is a non-viable one.

From appearances this is an end-client issue where the scanning engine is causing a false-positive response.

.Brian wrote:

Ideally, a removal tool should be built for this.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

William9758 wrote:

I use Symantec, AVG and Malwarebytes' Anti-Malware. The first time I found out my computer had a virus was when Symantec popped up, then came AVG Resident Shield. They both say it's the same file(s):

C:\Users\<Users' Name>\AppData\Local\Temp\DWH*****.tmp

AVG had the following extra info:

Infection(s):

Trojan horse PSW.Generic8.ASGU, Trojan horse BackDoor.Bifrose.DLH,

Trojan horse Dropper.Generic3.KGK, Trojan horse PSW.Generic8.AQDL (There are more files than this, but these are the only types of infections)

Process name: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe

Process ID: 756 (All of them are the same)

I've tried to remove these viruses from my computer, but all that did was make Symantec stop; AVG's still going crazy:

Going to the file location (C:\Users\<Users' Name>\AppData\Local\Temp) I found the DWH*****.tmp files (they are blank files which take around 80 to 120KB) and I've tried deleting them from bottom to top (from what I've read, it seems to be the right way to do it if you don't want the files to continuously remake/duplicate themselves).

This stopped Symantec from having many notifications, but did not stop AVG. Is this "virus" a big threat? If it is, is there any way to get rid of it?

William9758 wrote:

Sorry, but for some reason, it won't delete the problem I have with AVG. The problem with Symantec is gone (the pop-ups and stuff) but AVG just came up again. It says the "virus" was detected on open. I've talked to my friend about this as well and he says since both my Malwarebytes and Symantec can't find the files anymore, it might be a problem with AVG; he said I might want to consider re-installing AVG. Problem is, there are files, I can see them in my folder. I also told him this and he told me to start my computer up in safe mode and then scan my computer (since safe mode only runs the files necessary for Windows to start up and function, etc.). I don't know what's really going on. Symantec and Malwarebytes don't find anything wrong anymore but AVG is spamming me with threat detections. And another thing, just now, I looked in my folder and there were two DWH*****.TMP files that appeared. But then almost right away, they disappeared. Any ideas? Do I have to re-install Windows?

.Brian wrote:

You shouldn't run two different antivirus products on the same machine. Either go with SEP/Malwarebytes or AVG/Malwarebytes. Malwarebytes is OK because it is simply a second-opinion scanner.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

William9758 wrote:

Well, it seems that the problem might be fixed, but then again, I'm not so sure. (Btw, thanks for the tip, I'll keep that in mind.) The files seem to go on and off. One second AVG could find the file, then when I get to the file folder, the virus isn't there anymore... I have no clue what's going on right now...

William9758 wrote:

OK, well now both Symantec and AVG are finding the virus again...

Mithun Sanghavi wrote:

Hello,

Forget everything... if we are working towards a solution.

Try the following:

Please work on the following steps.

Stop the Symantec Endpoint Protection service

  • Click Start, then Run
  • Type: smc -stop
  • Click OK

Deleting the files

NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions delete the files in the targeted directories, not the directories themselves. Do not remove the directories, only their contents.

Open the Command Prompt

  • Click Start, then Run
  • Type: cmd
  • Click OK

1. Deleting files from the user Temp folder. Type the following command in the Command Prompt. (The string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the Windows user whose temp folder you wish to empty:

   • Windows 2000/XP/2003
     DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
   • Windows Vista/7/2008
     DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

2. Deleting the contents of the temp folder at the root of C:\. Type the following command in the Command Prompt:

     DEL /F /Q C:\temp

3. Deleting the contents of the Windows Temp folder. Type the following command in the Command Prompt:

     DEL /F /Q C:\WINDOWS\Temp

4. Deleting the contents of the xfer and xfer_tmp directories. Type the following commands in the Command Prompt:

   • Windows 2000/XP/2003
     DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
     DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
   • Windows Vista/7/2008
     DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
     DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

The Quarantine folder

NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer hangs due to the large number of files that can reside there.

Delete the Quarantine folder. Type the following commands in the Command Prompt:

   • Windows 2000/XP/2003
     DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
     RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
   • Windows Vista/7/2008
     DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
     RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Recreate the Quarantine folder. Type the following command in the Command Prompt:

   • Windows 2000/XP/2003
     MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
   • Windows Vista/7/2008
     MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Start the Symantec service

  • Click Start, then Run
  • Type: smc -start
  • Click OK

NO LAUGHABLE SOLUTION...it works REALLY...

If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder, follow these steps to disable re-scanning of quarantined files.

From the SEP Manager:
  - Edit the Antivirus and Antispyware policy of affected clients.
  - In the policy editor click "Quarantine" on the left-hand menu.
  - On the General tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Thomas66 wrote:

NO LAUGHABLE SOLUTION...it works REALLY...

It is laughable because you have to physically touch every affected machine. If you have a centrally managed solution, why do we need to visit each and every machine to fix them?

I guess this attitude is why the problem is not being addressed!

Edit: Oh, and editing the policy is OK if you only have a few different ones... We have over 100 different policies depending on support group. Not a small task editing each of them.

fnordgren wrote:

Unless this "solution" gets integrated in the product, and the SEP client thus made self-healing (at least in this respect), or the SEPM gets a "Fix FUBAR clients" option, this "solution" is no solution at all.

jontyler2k wrote:

I tried these steps and they did not work for me. The SEP Quarantine log continued to be filled with DWH*.tmp files. :-(

GeoGeo wrote:

Did you disable Indexing Options from the Control Panel?

When SEP is taking the items out of quarantine to rescan them, the indexing option may be re-scanning them prior to SEP, and then SEP is re-quarantining them as trojans.

Please review the ideas and vote; there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

HunterFighter wrote:

Disabling the indexing service is not a good idea; if we have a few thousand clients, it is impossible for us to disable it one by one just because it is installed with Symantec.

Can we say that Symantec can't work well with the Windows OS?

Car_Bed wrote:

Symantec "supposedly" fixed this in the original RU6 release; however, that's incorrect.

Indexing is hit or miss.

It's some file access contention issue that they can't seem to pinpoint.

Hey, maybe version 12/Amber will be the magic number.

There is always the Windows firewall you can manage via GP :0

tksuoran wrote:

I encountered this issue and was getting hundreds of hits in just a few minutes. I have SEP 11.0.6005.562.

I changed SEP Antivirus and Antispyware Protection Settings / Actions to DELETE instead of Quarantine. This could prevent the problem in the first place. Note that the delete action will cause false positives to get deleted.

At first I was not able to delete files in Quarantine. Later, after changing those settings, and also changing the quarantine purge options to 1 day / 1 MB, deleting the quarantine succeeded.

I think SEP should in the future auto-detect this condition and automatically prompt/recommend the user to purge the quarantine and/or switch to the delete action instead of quarantine. I think my issue was initially caused by a single false positive.

nwavesystems wrote:

We fixed all of our issues here in regards to the DWH.tmp. We uninstalled all SEP clients and managers and installed Comodo Endpoint. We also found a bunch of infected files Symantec left over. SEP technology is 3 years behind their home-based Norton product and they could care less about their business customers. Bye Symantec!

.Brian wrote:

3 years behind!?! That's a baseless assumption.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

nwavesystems wrote:

SONAR 2, which came with Norton 2010 (released in 2009), is by far better than TruScan, and the beta version of SEP realized that and has ditched TruScan. What has changed in SEP since 10.2.4 in 2007? Symantec's stance on the beta situation is also geared towards the home user: the Norton 2012 beta is out for download; where is the SEP beta? They can't even give us a date for the public release. As a side note, 2012 NIS is actually a great program; maybe the Norton team can educate the business software side of the company on how things should work!

Gersh wrote:

DWHxxxx.tmp files are scanned and deleted immediately after being processed, from RU6 MP2 onwards.

I agree that a reinstall cannot be the solution every time, but the migration path from older versions should be as per the advice in the migration documentation.

Migration path:
RU5 and lower versions to RU6 MP2/MP3 should be RU5 > RU6/6a and then to MP2/MP3
Note: Migration from a lower version directly to RU6 MP2/MP3 will not fix the below issue

DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan
Fix ID: 1925607
Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.
Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.

Please don't forget to mark your thread solved with whatever answer helped you :)
Cheers
Gersh


        derasachse's picture

            This DWH***.TMP issue has been haunting Symantec users for many years and has only come to place Symantec, Nortons etc., in the light of complete incompetence.  There is NO resolution forthcoming from the R & D teams with Symantec, nor do they seem to care at all since this DWH***.TMP is no real threat but only a nuisance.  I have been reading constant explanations and remedies for years and some have worked, for a time, but nothing really fixes the problem to where it doesn't start up again.

             For a good while I and others heaped praise and recommendation for Symantec (Nortons) as the best choice in security and protection to the success of the product and its company.  To be sure, this praise has now sunk to warning and calls for avoiding this as the best choice for any and all requesting such advice and support.  This trend shall grow and expand in the same manner as the aforementioned praise until either the Symantec R & D team awakes to a solution, or one of its competitors takes the place as the best and only for the cause.

             This is written as not only a warning to Symantec and its client users but also, for those who are seriously seeking an end to this, a call to sanity and to give assurance that despite the mindless blather of possible solutions, you're not infected with anything other than the product you've installed to protect you from such irritations.  Other than having to repeatedly close warnings of infections throughout your days as nothing other than a sort of insidious reminder that Symantec (Nortons, Endpoint, etc.,) is actively on the job, you are safe and can enjoy this object of job security as you have an endless supply of logs giving ample evidence of catching the 'bad guy' files.  For you home users, well did you think that getting the best protection would only cost around $39 a year per computer?

        mon_raralio's picture

        This has already been fixed as recently explained by Gersh with links to the release notes and as he pasted into his reply.

        Have you tried upgrading to the latest version and still encounter this problem?

        I did see this in one of my MP1 clients and when I checked on their profiles, the DWH files were already gone. No manual intervention was made. I just reduced time to store to quarantine to a shorter period. I don't think that clients would be needing the quarantined files anyway.

        “Your most unhappy customers are your greatest source of learning.”

        alphastream's picture

        We are still getting this pop-up notification about Trojan.Gen.2 in a Temp\*.tmp file.

        I've applied the suggested workaround but no success!

        I'd really appreciate a solution for this issue!

        derasachse's picture

            I see where shortening the time for Quarantine would reduce visibility of the problem, but unless you can shorten it to 0, then it isn't really gone.

            To 'alphastream' I say, don't hold your breath.  Although Symantec is top rated in security, it is useless in excluding its own executable file, "DWHWizrd.exe" from causing an event from announcing it as an infestation.  I would be happy to hear that someone has found a way that DEFINITELY cures this for everyone, but as I said, hold not your breath.  Perhaps it is time for McAfee to reclaim the title as first in security.  I doubt it though.  That is like expecting the Democratic party in the USA to actually write laws that would undo everything Dick Cheney caused.  McAfee has proven to be very user unfriendly in comparison.  So it is like having the choice between Sarah Palin or Michele Bachmann for President.  The only votes would be for self-destruction, either at the hand of the winner or as the alternative.  Unless you opt for a third party software then suffer you must with the incompetence of a Paul Ryan bill in an effort to do away with Gay abortion.

             If you think I am off track, then consider the insanity of more than 5 years of being told that the only solution to stopping Symantec Antivirus from detecting itself as a threat is to cause it to quickly throw away all evidence of it doing so.

        mon_raralio's picture

        Too much has been posted in this thread. We're currently using RU6 MP1 and still waiting for the hardware to arrive to be able to upgrade to the latest version. Because, I'd rather stay with this version than upgrade without backups and risk losing more than a year's worth of data if the machine decided to obey Murphy's Law.

        I have a feeling that this dwh*.tmp would start rearing its ugly head in my network. They're being detected as VBS.Runauto and it's found in the users "local settings\temp" folder and gets Quarantined.

        Someone please reply the link to the best workaround for this. Thanks. :D

        “Your most unhappy customers are your greatest source of learning.”

        .Brian's picture

        In the AV policy under Quarantine on the General tab, select Do Nothing for When New Virus Definitions Arrive.

        Fixed it for me.

        Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

        Decent's picture

        I have also found DWH files in the Temp folder, but the surprising thing I noted is that when it gets downloaded to the temp folder SEP is unable to detect it; however, once I access that folder and, say, select these files, then it is able to detect this as a trojan, or if I run a scan on this folder, in that case it is able to detect this trojan.

        The best way I found is to directly shift-delete this file, or I run a batch file created with the commands below for cleaning this thing once we browse through the suspicious web pages.

        rem Change to this user's Temp folder (8.3 short path on Windows XP); /d also switches drive if needed
        cd /d C:\DOCUME~1\mauliky\LOCALS~1\Temp
        rem Delete every file there without prompting; files still in use are skipped with an error
        del /Q *.*

        Albert Culleton's picture

        Under the management console in version 12 there is no option for a policy on quarantine?

        Can this be done somewhere else on the console in version 12 so I can turn off scanning of quarantined items?

        This is to avoid the occurrence of the same problem where Symantec is continually detecting this file as a RISK:

        c:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\4cebf025.tmp

        Found more than 10 risks. Actual number of risks found was 247 in 1 minutes.

        See attached report.jpg for more examples.

        mon_raralio's picture

        Hi, not sure if this option is available in the SEPM console, but could you check if there is an option to not scan items in the quarantine when new definitions have arrived?

        And the logs show that the found threats were cleaned by deletion. Could you export the logs? Sort them by computer, then by file and then by date to see if they are indeed treated by SEP, and if they return.

        I'm presently testing only 1 client as unmanaged and its quarantine is empty at the moment to be able to check.

        “Your most unhappy customers are your greatest source of learning.”
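An added example of the log triage described in the post above (it is not code from the thread or from Symantec): it parses an exported risk log, separates DWH*.tmp hits in Temp folders from every other detection, and groups the DWH hits by computer so an admin can see whether the same machine is being hit in bursts (the quarantine re-scan pattern the thread is about) rather than chase each pop-up as a new infection. The CSV column names, the sample rows and the burst threshold are all constructed for this example; a real SEPM export will need its columns mapped to these names.

```python
"""Triage a SEP risk-log export for the DWH*.tmp re-detection pattern.

Added example, not Symantec's code. The column layout below is an assumption
made for the example, not the real SEPM export format; map your columns to it.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real log data); columns are assumed.
SAMPLE_EXPORT = """\
Date found,Computer,User,File,Risk,Action taken
2011-10-23 07:06:07,ZEKE-E1405,SYSTEM,C:\\Users\\Zeke\\AppData\\Local\\Temp\\DWH6C6.tmp,Trojan Horse,Quarantine succeeded
2011-10-23 09:12:40,ZEKE-E1405,SYSTEM,C:\\Users\\Zeke\\AppData\\Local\\Temp\\DWH6C6.tmp,Trojan Horse,Quarantine succeeded
2011-10-24 07:05:55,ZEKE-E1405,SYSTEM,C:\\Users\\Zeke\\AppData\\Local\\Temp\\DWH6C6.tmp,Trojan Horse,Quarantine succeeded
2011-10-24 07:06:10,ZEKE-E1405,SYSTEM,C:\\Users\\Zeke\\AppData\\Local\\Temp\\DWH7A1.tmp,Trojan.Gen.2,Quarantine succeeded
2011-10-24 11:30:02,WS-042,jdoe,C:\\Users\\jdoe\\Downloads\\invoice.exe,Trojan.Gen.2,Cleaned by deletion
"""


def is_dwh_temp(path):
    """True for a DWH*.tmp (or DWH*.js, as one poster saw) inside a Temp directory.

    These are the files SEP extracts from its own quarantine for re-scanning;
    anything else in the log is treated as a normal detection.
    """
    parts = path.replace("/", "\\").split("\\")
    name = parts[-1].lower()
    in_temp = any(p.lower() == "temp" for p in parts[:-1])
    return in_temp and name.startswith("dwh") and name.endswith((".tmp", ".js"))


def parse_export(text):
    """Read the CSV export and attach a parsed datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["Date found"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def triage(rows, burst_threshold=3):
    """Split rows into a per-computer DWH summary and a list of other detections.

    burst_threshold is an assumed cut-off: a computer with at least that many
    DWH hits is flagged as showing the re-scan loop rather than isolated events.
    """
    dwh = defaultdict(list)
    others = []
    for row in rows:
        (dwh[row["Computer"]] if is_dwh_temp(row["File"]) else others).append(row)

    summary = {}
    for computer, hits in dwh.items():
        hits.sort(key=lambda r: r["when"])  # sort by date, as the post suggests
        summary[computer] = {
            "hits": len(hits),
            "distinct_files": len({r["File"].lower() for r in hits}),
            "first": hits[0]["when"],
            "last": hits[-1]["when"],
            "burst": len(hits) >= burst_threshold,
        }
    return summary, others


if __name__ == "__main__":
    summary, others = triage(parse_export(SAMPLE_EXPORT))
    for computer, s in sorted(summary.items()):
        flag = "RE-SCAN LOOP" if s["burst"] else "isolated"
        print(f"{computer}: {s['hits']} DWH hits on {s['distinct_files']} file(s), "
              f"{s['first']} .. {s['last']} [{flag}]")
    print(f"{len(others)} non-DWH detection(s) still need normal handling:")
    for row in others:
        print(f"  {row['Computer']} {row['File']} {row['Risk']} ({row['Action taken']})")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the non-DWH list is the part that deserves attention, while a computer flagged as a re-scan loop is a candidate for the upgrade or the quarantine-rescan setting discussed elsewhere in the thread.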

        .Brian's picture

        yes, this option is available and it works

        Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

        nwranich's picture

        Where is this option located?  I'd be interested in testing this on some machines in our environment.

        Rodney323's picture

        Like many of you, I am also plagued with a variety and enormous amount of DWH temp files.  Using the Endpoint Protection version 11.03001.2224.  When I scan my computer, Endpoint Protection automatic protection will pop up and start capturing DWH temp files and identify them as Trojan Horses.  Within the mass of files that are being captured and identified as Trojan Horses, a few of them are identified as "Trojan.Gen.2".  I am by no means a computer techie; in an effort to navigate through my computer's directory system to submit to Symantec one of the captured DWH temp files, I can't seem to locate the temp files.  I have not yet been able to find and submit a DWH**** tmp file.  However, in my frustrated effort, I discovered a file within the Endpoint Protection program that seems to generate the DWH files that the auto protection part of Endpoint Protection is tagging as a Trojan Horse.  The file within the Endpoint Protection program is titled "DWH Wizard."  I submitted the DWH Wizard files to an automated scanning area of Symantec Security.  After several submissions and scanning results, the file (DWH Wizard) was declared by the Symantec automated scanning as not a threat.  I have not yet found a way to contact Endpoint Protection (Symantec) to determine whether or not the DWH Wizard file is a legitimate file used in the Endpoint Protection program.  I do know that the DWH Wizard file is generating the DWH**** tmp files that are being tagged as Trojan Horses.  It seems that another user of Endpoint Protection who goes by the log-in name of Bruce 12345 is experiencing the same problem with the DWH**** tmp files, and cites that Symantec has been aware of the problem for some time.  But nothing, so it appears, is being done about it or even being addressed.  I have scanned my computer with other anti-virus programs and whenever the scan reaches the Endpoint Protection directory all hell breaks loose with the DWH****tmp files.  On occasion, I have encountered in excess of 200 of those damn files.  As far as I can tell, no one has mentioned anything about the DWH Wizard file. I have not been able to again find Bruce12345's discussion thread about this problem.  It would be great if someone could start a fire under Symantec's ass about this problem.

        IuliusAugustus's picture

        The solution is simple if there are few systems, and Mithun Sanghavi mentioned it.

        Basically it is:

        1 - in the station menu, go to quarantine and delete all

        2 - use a bat file with these commands

        rem Switch to the C: drive, then to the parent of this user's Temp folder
        c:
        cd %temp%
        cd ..
        rem Remove the Temp folder and IE's cache folder with all contents, without prompting
        rd Temp /q /s
        rd "Temporary Internet Files" /q /s

        3 - it needs 3-5 repetitions to really work, something like: today I get an alert, start with 1-2; tomorrow I get a new alert, again 1-2; after a maximum of 5 repetitions of steps 1-2, in 99% of encounters the dwh error disappears
        Gersh's picture

        Release Update 6 Maintenance Patch 3 (RU6 MP3) has the FIX.

        http://www.symantec.com/business/support/index?page=content&id=TECH103087&key=54619
         

        DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan
        Fix ID: 1925607
        Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.
        Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.
         

        Please don't forget to mark your thread solved with whatever answer helped you :)
        Cheers
        Gersh

        ThaveshinP's picture

        This is definitely still an issue with RU6MP3 and Symantec's answer is RU7....how much longer?? Again, it may still be in SEP 12.1 as well...

         

        fixerr's picture

        Hi all ,

        You will be getting DWH*.tmp in the temp folder, where Symantec will be detecting it as a threat.  The fix for this issue is to upgrade your SEP to 11.0.6300 (MP3).

        If you have RU6 (11.0.6000.550) and above you can go ahead and directly install RU6 MP3 (11.0.6300.803), which was released in March 2011.

        If you have a version below RU6 (11.0.6000.550) you need to upgrade to RU6 (11.0.6000.550) and then you can go directly to RU6 MP3 (11.0.6300.803).

        links

        migration to RU6 MP3

        http://www.symantec.com/docs/TECH155655

        Don't forget to mark your thread as "SOLVED" with the answer that helped you!!!!!!!

        ThaveshinP's picture

        We're running RU6 MP3 and we still have the same issue. Even tested with the SEP 12.1 beta and it still doesn't resolve.

        cseng's picture

        me too, facing the same problem... even with the latest version of the SEP application.

        fixerr's picture

        hey, this is the product bug, call support and they will guide you

        Don't forget to mark your thread as "SOLVED" with the answer that helped you!!!!!!!

        ThaveshinP's picture

        Spoke to Business Critical support - no light at end of tunnel - product bug or not, Symantec is not willing to make steps to resolve this issue within SEP.

        ScreamingPotato's picture

        Having this problem on 12.1, DWH**.tmp and dwh**.js files in Temp folder.

        fixerr's picture

        Have you upgraded your product

        Don't forget to mark your thread as "SOLVED" with the answer that helped you!!!!!!!

        cashpoint's picture

        i also have this problem with 12.1....a dog chasing after his own tail

        also windows 7 security center says it is reporting in a no longer supported way

        that is also an old problem which was fixed in 11 ages ago

        it is so full of new bugs...it is the WORST software I have EVER seen

        I exclude a known risk..it is found again by bloodhound as unknown risk

        I exclude the file and path..it is still found!!

        It wants to reboot because it thinks it could not quarantine a file (but the file is gone)

        i restore the file..it still wants to reboot...I say remind me again in 2 hours...it pops back up every 5 minutes

        I press disable all virus and spyware protection..the double excluded file is still found

        I press disable proactive threat protection...the button does not even change to enable...and it still deletes my file..which is a commercial remote application which I have excluded in every way that i can think of

        NOTHING AT ALL works in this crap

        it is completely unusable

        symantec has 18 thousand employees...seems not one could be bothered to test this s...

        .Brian's picture

        Did you call support and open a case to get assistance?

        Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

        la_ripper's picture

        This issue recurs in RU6 MP3 as well.

        This issue is fixed in RU7 and in 12.1.

        Don't forget to mark your thread as 'solved' or vote with the answer that best helped you!
         

        ScreamingPotato's picture

        Issue is not fixed in 12.1, I'm running 12.1 and one of my servers goes ape **** daily on these DWH files.

        ThaveshinP's picture

        I second that. We have tried RU7 and SEP 12.1 and still the same DWH files, temp files...

        swatpup102's picture

        I'm running an October 23, 2011 definition file, R5. Don't know how to specifically check what version numbers and such, this is on my personal client machine.

        I was getting the SEP popup every day saying DWH*.tmp file trojan, of which I would say delete, and then the next day it would be back again. Today when starting up, I was getting the pop up every 2 minutes with a new DWH temp file. After doing some searches and hitting this post, I tried a combo of some methods, and it seems to have fixed my issue, we'll see if it continues.

        My steps:

        Open the Symantec Endpoint Protection program

        Disable all protections

        Open task manager

        Sort by description

        End all processes with the description of Symantec

        Go to the Endpoint Protection program, and look under the view quarantine tab

        Wait for the entire list to populate

        Delete all entries. You might get errors in this process, just keep doing it over and over again

        Open the temp folder, C:\Users\(*user being used)\AppData\Local\Temp

        Any file that is called DWH*.tmp, delete it.

        Keep doing the process of deleting the local temp files until they are all gone, and checking the quarantine files until they don't populate any more. It took me probably 4 or 5 times of hitting delete until they were gone completely from both folders and not showing up again.

        Restart the computer

        Enable all Endpoint Protection programs

        Should be good to go!

        This really is a pain and something Symantec should fix; hopefully someone out there that is seeing this issue will find this process helpful. I'm hoping that it doesn't return, but am not expecting this to be a permanent fix. I don't like the idea of disabling the scan of quarantined files on new definitions, as it may start missing things. Good luck, and hopefully there is a script or easier way to do this process for full enterprise solutions.

        shakirullah's picture

        Hi everyone

        I am using Symantec Endpoint Protection, server based.

        I found a trojan on clients' computers in the temp folder, something like DWHB008.tmp & DWHF77A.tmp etc. I scanned and deleted them but they still appear after some time, so could someone tell me how to delete it permanently?

        Thank you

        PrimeInc's picture

        I'm running 11.0.7000 and have the issue.  I can't go to 12.x because it conflicts with my Checkpoint Firewall GUIs.   

         

        Have you tried clearing out your quarantine like previously discussed?   Does the problem go away when you have no viruses in quarantine?

        NRaj's picture

        Did you try not scanning the quarantined files with the DefWatch scan? That helped quite a few.

        Robocop's picture

        This issue is fixed in SEP 11 RU7 MP2. Due in April