Endpoint Protection

  • 1.  Temp folder has an infected tmp file

    Posted Jan 09, 2013 12:39 PM

    Whenever I start or log in to my computer, the Symantec Endpoint Protection pops a box mentioning the name of an infected file (Trojan). From the day this started appearing, Windows Explorer restarts at least once almost every day after I start my computer. Whenever Windows Explorer restarts, Symantec pops the same message again. Not sure if the file is run when Explorer runs.

    This is a tmp file called 46c9d0b_0.tmp. I am not able to delete or clean this file through Symantec - I am not sure if it gets deleted when I clean my temporary files. There are several instances of this under View Quarantine - each one has a different File Create Date (not all the days from when it started showing up first - there are no files on some dates in between; mostly one day in between dates is missing).

    I do not see any such file when I go into the folder where this file is supposed to be located (users\svs\appdata\local\temp).

    Can someone let me know if there is a way to get rid of this file?



  • 2.  RE: Temp folder has an infected tmp file

    Posted Jan 09, 2013 12:41 PM

    What version of SEP are you on and is this a managed or unmanaged client?

    This may be a known issue:

    DWH***.tmp files are detected in the user profile temp directory.

    Article:TECH92399  |  Created: 2009-01-16  |  Updated: 2012-04-27  |  Article URL http://www.symantec.com/docs/TECH92399



  • 3.  RE: Temp folder has an infected tmp file

    Posted Jan 09, 2013 12:44 PM

    Hi,

    What SEP version are you using?

    Is your system infected? Symantec tools to help clear an infection

    https://www-secure.symantec.com/connect/forums/you...



  • 4.  RE: Temp folder has an infected tmp file

    Broadcom Employee
    Posted Jan 09, 2013 12:48 PM
    Try deleting the files in safe mode and see if it helps.


  • 5.  RE: Temp folder has an infected tmp file

    Trusted Advisor
    Posted Jan 09, 2013 01:02 PM

    Hello,

    What version of SEP 11.x are you running?

    Check this article:

    tmp file (DWH*****.tmp) detected as Trojan.Gen or Trojan.Gen.2 by Corp products

    http://www.symantec.com/business/support/index?page=content&id=TECH102953

    and

    Check the Security Forum thread:

    Generic Trojan - DWH*.tmp in Temp folder

    https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

    Here is the solution for the same.

    If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

    Stop the Symantec service

    • Symantec Endpoint Protection
      • Click Start, then Run
      • Type: smc -stop
      • Click OK

    Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

    Open the Command Prompt

    • Click Start, then Run
    • Type: cmd
    • Click OK

    Deleting files from User Temp folder

    1. Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:
        • Windows 2000/XP/2003
          DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
        • Windows Vista/7/2008
          DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
    2. Deleting the contents of the temp folder at the root of C:\
        • Type the following command in Command Prompt:
          DEL /F /Q C:\temp
    3. Deleting the contents of the Windows Temp folder
        • Type the following command in Command Prompt:
          DEL /F /Q C:\WINDOWS\Temp
    4. Deleting the contents of the xfer and/or xfer_tmp directories
        • Type the following commands in Command Prompt:
          • Windows 2000/XP/2003
            DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
            DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
          • Windows Vista/7/2008
            DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
            DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

    The Quarantine Folder

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large number of files that can reside there.

    Delete the Quarantine Folder

    Type the following commands in the Command Prompt:

    • Windows 2000/XP/2003
      DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
      RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    • Windows Vista/7/2008
      DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
      RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    Recreate the Quarantine Folder

    Type the following command in Command Prompt:

    • Windows 2000/XP/2003
      MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    • Windows Vista/7/2008
      MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    Start the Symantec service

    • Click Start, then Run
    • Type: smc -start
    • Click OK

    If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder, please follow these steps:

    • From the SEP Manager:
      - Edit the Antivirus and Antispyware policy of affected clients.
      - In the policy editor click "Quarantine" on the left-hand menu.
      - On the General tab click "Do nothing" under the heading "When new Virus Definitions Arrive".

    Hope that helps!!
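The stop-service / clean temp and xfer directories / recreate Quarantine / start-service steps in the reply above form one procedure. The PowerShell script below is an added example, not code from the thread, the KB articles or Symantec: it runs that procedure end to end on the Vista/7/2008 paths quoted above, but touches only the `DWH*.tmp` files the thread is about rather than emptying the directories wholesale, and it reports what it found before removing anything. It assumes `smc.exe` is on the PATH (as the `smc -stop` step does), that it is run from an elevated prompt, and that the SEP data directory is the `C:\ProgramData\Symantec\Symantec Endpoint Protection` path quoted in the reply; the `-SepData`, `-TempDirs` and `-RecreateQuarantine` parameters are this example's own.

```powershell
# Added example (not from the thread or from Symantec). Consolidates the
# DWH*.tmp cleanup procedure quoted above. Assumed paths match the
# Vista/7/2008 commands in the reply; adjust -SepData for other layouts.
# Run elevated. With -WhatIf nothing is deleted; matches are only listed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SepData = 'C:\ProgramData\Symantec\Symantec Endpoint Protection',
    [string[]]$TempDirs = @("$env:LOCALAPPDATA\Temp", 'C:\temp', "$env:windir\Temp"),
    [switch]$RecreateQuarantine   # also empty and recreate the Quarantine folder
)

$xferDirs   = @("$SepData\xfer_tmp", "$SepData\xfer")
$quarantine = "$SepData\Quarantine"

# 1. Stop the SEP client service ("smc -stop" in the reply) so it does not
#    re-scan and re-quarantine the files while they are being removed.
& smc -stop
Start-Sleep -Seconds 5

# 2. Report, then remove, DWH*.tmp files in the temp and xfer directories.
#    Only that pattern is matched, which is narrower than the KB article's
#    DEL /F /Q of each whole directory.
$total = 0
foreach ($dir in ($TempDirs + $xferDirs)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $files = @(Get-ChildItem -LiteralPath $dir -Filter 'DWH*.tmp' -File -Force -ErrorAction SilentlyContinue)
    Write-Host ("{0,5} DWH*.tmp file(s) in {1}" -f $files.Count, $dir)
    $total += $files.Count
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
Write-Host "Total DWH*.tmp files found: $total"

# 3. Optionally empty and recreate the Quarantine folder (the DEL / RD / MD
#    steps in the reply). The folder is recreated so SEP can still quarantine.
if ($RecreateQuarantine -and (Test-Path -LiteralPath $quarantine)) {
    $count = @(Get-ChildItem -LiteralPath $quarantine -Recurse -File -Force -ErrorAction SilentlyContinue).Count
    if ($PSCmdlet.ShouldProcess($quarantine, "Remove and recreate ($count file(s))")) {
        Remove-Item -LiteralPath $quarantine -Recurse -Force
        New-Item -ItemType Directory -Path $quarantine | Out-Null
    }
}

# 4. Start the SEP client service again ("smc -start" in the reply).
& smc -start
```

Run it first as `.\Clean-DwhTmp.ps1 -WhatIf` to see the per-directory counts without deleting anything; a steadily growing count across runs is the "frequent recurrences" case the reply addresses with the quarantine re-scan policy change, which is a SEP Manager setting and not something this script alters.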