Video Screencast Help
Search Video Help Close Back
to help

Temp folder has an infected tmp file

Created: 09 Jan 2013 | 4 comments
icanfly's picture
icanfly
0 0 Votes
Login to vote

Whenever i start or log in to my computer, the Symantec Endpoint Protection pops a box mentioning the name of an infected file (Trojan).  From the day this started appearing, Windows Explorer restarts at least once almost every day after I start my computer. Whenever Windows Explorer restarts, the symantec pops the same message again. Not sure if the file is run when explorer runs.

This is a tmp file of called 46c9d0b_0.tmp. I am not able to delete or clean this file through symantec - I am not sure if it gets deleted when I clean my temporary files. There are several instances of this under View Quarentiane - each one has a different File Create Date (not all the days from when it started showing up first - there are no files on some dates in between (mostly one day in between dates are missing).

I do not see any such file when go into the folder where this file is supposed to be (users\svs\appdata\local\temp) located.

Can someone let me know if there is a way to get rid of this file?

Discussion Filed Under:
, , , , , ,

Comments 4 CommentsJump to latest comment

Brian81's picture
Brian81 Trusted Advisor
Temp folder has an infected tmp file - Comment:09 Jan 2013 : Link

What version of SEP are you on and is this a managed or unmanaged client?

This may be a known issue:

DWH***.tmp files are detected in the user profile temp directory.

Article:TECH92399  |  Created: 2009-01-16  |  Updated: 2012-04-27  |  Article URL http://www.symantec.com/docs/TECH92399

 

SEP Knowledge Base

Endpoint SWAT

0
Login to vote
Ashish-Sharma's picture
Ashish-Sharma
Temp folder has an infected tmp file - Comment:09 Jan 2013 : Link

HI,

What sep version are you using ?

Is your system infected? Symantec tools to help clear an infection

https://www-secure.symantec.com/connect/forums/you...

 

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents  

 

0
Login to vote
pete_4u2002's picture
pete_4u2002 Symantec Employee
Temp folder has an infected tmp file - Comment:09 Jan 2013 : Link

try deleting the files in safe mode and see if it helps?

Cheers!
Pete

Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619

0
Login to vote
Mithun Sanghavi's picture
Mithun Sanghavi Symantec Employee Technical Support Accredited
Temp folder has an infected tmp file - Comment:09 Jan 2013 : Link

Hello,

What version of SEP 11.x are you running??

Check this Article:

tmp file (DWH*****.tmp) detected as  Trojan.Gen or Trojan.Gen.2 by Corp products 

http://www.symantec.com/business/support/index?page=content&id=TECH102953

and 

Check the Security Forum Thread - 

Generic Trojan - DWH*.tmp in Temp folder

https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

Here is the Solution for the same.

 

If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

Stop the Symantec service

  • Symantec Endpoint Protection

    • Click Start, then Run
    • Type: smc -stop
    • Click OK

 

Deleting the files

NOTE: The following instructions are to be done from the Command Prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

 

Open the Command Prompt

Deleting files from User Temp folder

  • Click Start, then Run
  • Type: cmd
  • Click OK
  1. Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:
      • Windows 2000/XP/2003 
        DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
      • Windows Vista/7/2008
        DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
  2. Deleting the contents of the temp folder at the root of C:\
      • Type the following command in Command Prompt:

        DEL /F /Q C:\temp

  3. Deleting the contents of the Windows Temp folder
      • Type the following command in Command Prompt:

        DEL /F /Q C:\WINDOWS\Temp

  4. Deleting the contents of the xfer and/or xfer_temp directories

     

    • Type the following command in Command Prompt:
        • Windows 2000/XP/2003 
          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

        • Windows Vista/7/2008
          DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

          DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

 

The Quarantine Folder

NOTE: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

 

    Delete the Quarantine Folder

    Type the following commands in the Command Prompt:
     

      • Windows 2000/XP/2003 
        DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

        RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

      • Windows Vista/7/2008
        DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

        RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

      Recreate the Quarantine Folder
       

      Type the following command in Command Prompt:
       

        • Windows 2000/XP/2003 
          MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
        • Windows Vista/7/2008
          MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

      Start the Symantec service
       

      • Click Start, then Run
      • Type: smc -start
      • Click OK

         

        If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:

        • From the SEP-Manager:
          - Edit the Antivirus and Antispyware policy of affected clients.
          - In the policy editor click "Quarantine" on the left-hand menu.
          - On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

        Hope that helps!!

        Mithun Sanghavi
        Symantec Technical Support Engineer, SEP
        MIM | MCSA | MCTS | STS | ITIL v3

        Twitter: @mithun_sanghavi

        Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<&a

        0
        Login to vote