
Temp file trojan

Created: 16 Dec 2010 • Updated: 27 Dec 2010 | 23 comments

Hi Experts,

I am having a problem on my computer. A lot of temp files are being created and put into the quarantine list as a trojan. How do I trace the culprit of those temp files? I want to know which program created them, and whether they are really trojans. I couldn't delete them from the Endpoint console. FYI, I am using VMware Workstation. Is it possible those files were created by VMware? Below is a screenshot.


pete_4u2002

Hi,

What is the SEP version? This issue has been fixed in RU6 MP1; however, RU6 MP2 is out. Install the current version. That should fix the issue.

Information on issue

http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US

P_K_

As mentioned above, upgrading is the first solution.

DWH***.tmp files are detected in the user profile temp directory.

http://www.symantec.com/docs/TECH92399

Large numbers of .tmp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats.

http://www.symantec.com/business/support/index?page=content&id=TECH93590&locale=en_US

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

browserman

Are you familiar with CCleaner? It is a simple utility program that erases temp files. Run a scan and copy the temp file in the search box.

jpj1980

I ran into this also.

What is happening is that Symantec will rescan the files in Quarantine when it downloads new definition files. When it does this, it places those files in the Temp folder as a file named DWH***.tmp. Unfortunately, it then detects those files as Trojan.Gen and quarantines them.

What I did to fix it was:

  1. Clear out the temp folder.  You can either do this from the GUI or from a command prompt.
  2. Clear out the quarantine folder.  You can do this from the SEP GUI.

Once those are both cleaned out it should stop happening.  

I also wrote a batch script that clears out all the Temp folders for all users, and the Recycler.

You may need to modify it to not include C:\Temp. Some of our clients were re-pointed to C:\Temp for their temp locations; if yours are not, just remove that line.

This also only works in XP right now. I'm working on modifying it to run in Win7.

Attachment: Temp Files.zip (381 bytes)

Pawel Lakomski

Which version do you run? It should be fully resolved if you upgrade to RU6 MP2 (current version).

--

Cheers,

Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator

 

jpj1980

Just realized I uploaded the wrong version of the zip. The one I uploaded would only remove the files and not the folders in the Temp directories. Sorry.

Here is the right one.

Attachment: Temp Files.zip (381 bytes)

aungaung84

Hi

I have installed and upgraded to Symantec_Endpoint_Protection_11.0.6_MP2_Xplat_EN_DVD as was suggested in this forum. Since that upgrade I am running into some problems.

I can't make any reports in the SEP console, and the monitor page shows nothing for any summary. It seems the update has a problem. How could I remove it, or is there any better solution?

Rgds

 

P_K_

Are the reports blank, or does the page not appear at all?


aungaung84

Yes, it's totally blank. I have attached a screenshot. Apparently I cannot log out as well. Even after I have logged out, the console is still active and the buttons are still alive.

Attachment: report.jpg

aungaung84

Actually, I just want to remove that update already, since I am still getting temp file trojan alerts. Can anyone please guide me to remove the update (Symantec_Endpoint_Protection_11.0.6_MP2_Xplat_EN_DVD) or replace it with the correct one?

I am not sure about compatibility as well. I am using Windows 2008 (Standard) for the SEP server.

Pawel Lakomski

I don't think there is a way to downgrade the console. What you can do is perform disaster recovery with your previous version and DB backup.

Preparing for and Recovering from Disaster with Symantec Endpoint Protection
http://www.symantec.com/docs/TECH105658

Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH102333


aungaung84

OMG, that will be a lot of things, bro. Do I need to do the whole process? I just want the reporting function to get back to normal.

Pawel Lakomski

I don't see why the reporting component should not work... I would start with troubleshooting the reporting component and not with disaster recovery, which is the very last option :-)


aungaung84

Hihi

Then where do I start troubleshooting the reporting component?

Thanks a lot

Pawel Lakomski

What happens when you put in the address http://YOU_SEPM_ADDRESS:8014/reporting ?

I saw the screenshot you put a few posts above - do you run the console via Citrix?


aungaung84

Hi

It seems fine on remote login; the page is as in the attached file.

http://YOU_SEPM_ADDRESS:8014/reporting

But I don't know why I can't find that info on the server admin page.

No, I am not using Citrix. SEPM is running on Windows Server 2008.

There is another Sybase database software running on that server also.

Attachment: sep.jpg

Pawel Lakomski

Ok, to sum up: when you go through the web browser, the report charts are there, but if you open the SEPM console (locally), they are blank, on exactly the same page, right?


Pawel Lakomski

Don't you log in to this server via Remote Desktop, BTW?


aungaung84

Usually I  use VNC viewer for remote administration.

aungaung84

Hi

Thanks for helping me along the way.

I am still unable to put the tmp files into the exception list.

I keep getting the below error:

Scan type: Auto-Protect Scan

Event: Risk Found!
Security risk detected: Trojan Horse
File: C:\Users\thet\AppData\Local\Temp\DWHCA05.tmp
Location: C:\Users\thet\AppData\Local\Temp
Computer: HP
User: thet
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, December 29, 2010  10:43:31 AM
 
And I have another problem:

Whenever I log in to the SEP management server to change some policy settings, I am not able to log out. Meaning the session seems to still be alive even though I have logged out. I can still go into the policies page, since I installed the update.
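The DWH*.tmp detections in the thread are explained by jpj1980's description above: SEP writes quarantined items back to the user's Temp folder as DWH*.tmp while rescanning them with new definitions, then re-detects them (TECH92399). The following triage script is an added example, not code from the thread or from Symantec. It parses the "Risk Found" notification text in the format shown above and separates detections that match that quarantine-rescan pattern (DWH plus four hex digits, as in DWHCA05.tmp, under a Temp directory; the four-hex-digit assumption is taken from that single example) from detections that need genuine investigation. The sample events are constructed; the second event is invented to show a non-matching detection.

```python
import re

# Constructed sample in the thread's "Risk Found" notification format. The first event
# copies the DWHCA05.tmp detection quoted above; the second is constructed to show a
# detection that the quarantine-rescan explanation does NOT cover.
SAMPLE_EVENTS = """\
Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan Horse
File: C:\\Users\\thet\\AppData\\Local\\Temp\\DWHCA05.tmp
Location: C:\\Users\\thet\\AppData\\Local\\Temp
Computer: HP
User: thet
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, December 29, 2010  10:43:31 AM

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan Horse
File: C:\\Users\\thet\\Downloads\\invoice.exe
Location: C:\\Users\\thet\\Downloads
Computer: HP
User: thet
Action taken: Quarantined
Date found: Wednesday, December 29, 2010  10:45:02 AM
"""

# DWH + four hex digits + .tmp directly inside a ...\Temp folder (assumption: the
# four-digit suffix follows the DWHCA05.tmp example; adjust if your logs differ).
DWH_RE = re.compile(r"^(?:.*\\)?temp\\dwh[0-9a-f]{4}\.tmp$", re.IGNORECASE)


def parse_events(text):
    """Split notification text into one {field: value} dict per blank-line-separated event."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def triage(text):
    """Return (likely_rescan_artifacts, needs_investigation) lists of detected file paths."""
    artifacts, suspicious = [], []
    for ev in parse_events(text):
        path = ev.get("File", "")
        (artifacts if DWH_RE.search(path) else suspicious).append(path)
    return artifacts, suspicious
```

Paths in the "artifacts" list are the ones to clear from Temp and Quarantine as jpj1980 describes (after upgrading SEP); anything in the second list should be treated as a real detection.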
pete_4u2002

Did you try manually scanning the system in safe mode? If not, it is worth giving it a try. It's RU6 MP2, right?

pete_4u2002

It is needed in case of a disaster in the upgrade etc. Else the client will not communicate with SEPM and you have to manually update the SEP clients with sylink.