
Infection of W32.Toal.A@mm

Created: 14 Oct 2012 | 8 comments

Dear All,

We have found the below worms on one of the systems. We have gone through the below infection path and could not find any file like (DWHEA2F.tmp), but in the Risk log these appear again and again.

Can you please tell me how I can fix it?

W32.Toal.A@mm  C:\Users\abc\AppData\Local\Temp\DWHEA2F.tmp
W32.Toal.A@mm  C:\Users\abc\abc\AppData\Local\Temp\DWH5FFA.tmp
W32.Toal.A@mm  C:\Users\abc\AppData\Local\Temp\DWHA039.tmp
 


Ashish-Sharma

W32.Toal.A@mm

http://www.symantec.com/security_response/writeup.jsp?docid=2001-102316-5116-99&tabid=2

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/business/support/index?page=content&id=TECH102953&locale=en_US

Deleting files from User Temp folder
Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:

Windows 2000/XP/2003:
DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"

Windows Vista/7/2008:
DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

Deleting the contents of the temp folder at the root of C:\

Type the following command in Command Prompt:
DEL /F /Q C:\temp

Deleting the contents of the Windows Temp folder

Type the following command in Command Prompt:
DEL /F /Q C:\WINDOWS\Temp

Deleting the contents of the xfer and/or xfer_temp directories
Type the following command in Command Prompt:

Windows 2000/XP/2003:
SEP 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

SEP 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"

Windows Vista/7/2008:
SEP 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

SEP 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"

The Quarantine Folder
Note: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

Delete the Quarantine Folder
Type the following commands in the Command Prompt:

Windows 2000/XP/2003:
SEP 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

SEP 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

Windows Vista/7/2008:
SEP 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"

SEP 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

Recreate the Quarantine Folder
Type the following commands in the Command Prompt:

Windows 2000/XP/2003:
SEP 11.x
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

SEP 12.1
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

Windows Vista/7/2008:
SEP 11.x
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"

SEP 12.1
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

Start the Symantec Endpoint Protection

1. Click Start, then Run
2. Type: smc -start
3. Click OK

NOTE: It is important to recognize that there are applications, such as Windows Indexing Service, that routinely attempt to touch each file.
Other known applications are backup applications. In these cases, if that application can make an exclusion for *.DWH, it is strongly advised to implement that exclusion.

Thanks In Advance

Ashish Sharma

Mick2009

Hi Nagesh,

"Thumbs up" to the above. These are not current infections, but files already in your quarantine. It is a SEP product issue, largely overcome by updating to the latest release of SEP.

Please do delete your quarantined files, upgrade your SEP clients, and ensure that your computers are well defended against any malicious code currently in circulation!  These links will help. 

DWH***.tmp files are detected in the user profile temp directory.
Article URL http://www.symantec.com/docs/TECH92399

http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0 
 

With thanks and best regards,

Mick

Nagesh Singh

Dear Mick2009,

But my infection path is not a Quarantine path. I have mentioned the path below.

C:\Users\abc\AppData\Local\Temp\DWHEA2F.tmp

Thanks & Regards,

Nagesh Singh

Mick2009

Thanks for the update. Yes, this product issue is for the Temp directory. Detections of files with names that begin with DWH in that Temp location are the symptom for this issue.

With thanks and best regards,

Mick
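The symptom Mick describes (DWH<hex>.tmp files flagged inside a Temp directory) can be separated from detections that still need a look by parsing the risk-log lines the poster pasted. The following is an added triage helper, not code from the thread or from Symantec; the 1-4 hex-digit suffix and the two-space "threat  path" layout are assumptions based on the lines shown above.

```python
import re
from pathlib import PureWindowsPath

# Symptom from the thread: Auto-Protect flags DWH<hex>.tmp files that SEP itself
# writes to a Temp directory while rescanning the Quarantine after a definition update.
# Assumption: the hex suffix is 1-4 digits, as the Windows temp-file naming scheme produces.
DWH_NAME = re.compile(r"^DWH[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)

# A risk-log line as pasted in the thread: "<threat>  <drive:\path>" separated by whitespace.
LOG_LINE = re.compile(r"^(?P<threat>\S+)\s+(?P<path>[A-Za-z]:\\.+?)\s*$")


def parse_line(line):
    """Return (threat, path) for a risk-log line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return (m.group("threat"), m.group("path")) if m else None


def is_dwh_artifact(path):
    """True if the path matches the quarantine-rescan temp file pattern from TECH102953/TECH92399."""
    p = PureWindowsPath(path)
    in_temp = p.parent.name.lower() == "temp"      # user-profile Temp or C:\WINDOWS\Temp
    return in_temp and DWH_NAME.match(p.name) is not None


def triage(lines):
    """Bucket risk-log lines into the known DWH artifact, entries to review, and unparsable lines."""
    result = {"dwh_artifact": [], "review": [], "unparsed": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            result["unparsed"].append(line)
            continue
        threat, path = parsed
        bucket = "dwh_artifact" if is_dwh_artifact(path) else "review"
        result[bucket].append((threat, path))
    return result


# Sample input: the three lines from the thread plus two constructed lines,
# one that is not the DWH pattern (stays in "review") and one that does not parse.
SAMPLE_LOG = [
    r"W32.Toal.A@mm  C:\Users\abc\AppData\Local\Temp\DWHEA2F.tmp",
    r"W32.Toal.A@mm  C:\Users\abc\abc\AppData\Local\Temp\DWH5FFA.tmp",
    r"W32.Toal.A@mm  C:\Users\abc\AppData\Local\Temp\DWHA039.tmp",
    r"W32.Toal.A@mm  C:\Users\abc\Downloads\example.exe",   # constructed
    "line with no path",                                     # constructed
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(bucket, len(entries))
```

Entries in the "review" bucket are the ones to treat as real detections; the "dwh_artifact" bucket is the known SEP issue, which the upgrade and quarantine cleanup in this thread address.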

Nagesh Singh

Thanks Mick2009,

My client version is 11.0.6200.754 and my SEPM server version is SEP RU7.

So please let us know how I can fix this issue.

Thanks & Regards,

Nagesh Singh

Mick2009

Hi Nagesh,

I recommend upgrading both SEPM and SEP clients to SEP 11 RU7 MP2.  Treat these DWH "detections" as a "known issue" until your upgrade is complete. 

Many thanks once again!

With thanks and best regards,

Mick

Mithun Sanghavi

Hello,

I agree with the above comments.

Check this Article:

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Sumit G

Latest Symantec Endpoint Protection Releases - SEP 12.1 RU1 MP1 and SEP 11.0. RU7 MP2

https://www-secure.symantec.com/connect/articles/l...

This link helps to find the latest fixes available in SEP 11.0 RU7 MP2.

Regards

Sumit G.