
Trojan detected but Symantec failed

Created: 10 Aug 2012 | 16 comments

Hi

 

Symantec detected a trojan but has failed to delete it.

 

Computer in use:

OS: Windows 7 Enterprise

Symantec Endpoint version: 11.0.6100.645

Virus name: Trojan.Gen.2
File names: start with DWH****.tmp

 

I write **** because it always deletes the name and makes a new name.

 

It could not delete it. Please help, as I have no idea what this is doing to my computer.

 


Fabiano.Pessoa's picture

Hi NG Han Wei,

So, dear friend, you have to put your Windows into safe mode and try to run the antivirus inside it. If you run it in normal mode, the virus will continue self-installing or renaming folders. In safe mode it cannot, because of all the services that run on your desktop.

Also use this page here

http://www.symantec.com/security_response/detected_writeup.jsp?name=Trojan.Gen.2

will help you a lot in this case.

If this gives you the solution, mark it as the solution under my name.

Big hug.


Fabiano Pessoa

Systems Analyst - Forensic Expert

Fabiano.Pessoa's picture

Hi NG Han Wei,

Just some information you should know about this trojan.

It is fake security software that spreads primarily through P2P channels or by browsing untrusted sites. Symptoms that a PC has been the victim of Trojan.Gen.2 are:

system slowed

changed the browser settings

Continuous opening pop-ups while browsing

in some cases impossible, to connect to the Internet

If you cannot get rid of it at all, let me know and I will teach you how to remove it manually.

hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

Fabiano.Pessoa's picture

Hi NG Han Wei,

I'll teach you how to try sweeping this trojan manually, in case I'm no longer here to address your question.

Do the following:

First note the name and path of the Trojan, and do the following: Start > Run > regedit > click the + next to the HKEY_LOCAL_MACHINE key, look for the subkey Software and do the same, then Microsoft, then Current Version, and then the RUN folder; on the right side there must be something written like Win32.Trojan-Gen.{Other}, so delete it.

hugs


Fabiano Pessoa

Systems Analyst - Forensic Expert

ng han wei's picture

Hi all

 

Thanks to Fabiano.Pessoa for the replies, I will try the steps mentioned :).

ng han wei's picture

How do I run in safe mode? I checked online for a guide. They say to press F8 while the system is booting up, but it only makes a button-press sound and nothing else.

Fabiano.Pessoa's picture

Hi NG

When it is booting, press F8 until it shows a black screen with options to choose from, and there will be SAFE MODE. Enter it without choosing the one that says connect to the network. Your PC will look a little weird, with a large-format screen; do not be alarmed, this is just how Windows safe mode is. With that, turn on your security and it will be able to run successfully. You can also use the link I put at the top, from Symantec solutions, which are good and I think will give a result.

Any questions, I am available.

hugs

Fabiano Pessoa

Systems Analyst - Forensic Expert

W007's picture

Please follow the steps in these articles:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

How to block known virus executables that run from %UserProfile% using Application and Device Control

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

greg12's picture

You don't have a virus.

It's a well known problem that can emerge when SEP tries to re-check the quarantine with newly downloaded virus signatures.

Here are some documents about it:

DWH***.tmp files are detected in the user profile temp directory

http://www.symantec.com/docs/TECH92399

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

Interesting reading why it's difficult to solve this issue:

https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder#comment-5191661

 

You can do the following:

  1. Activate Antivirus and Antispyware policy > Quarantine > General > "When New Virus Definitions Arrive" > "Do nothing"
  2. Upgrade to the latest SEP version (SEP 11.0.7200 or SEP 12.1.1101), where the issue should be mitigated.

HTH!
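A small triage helper, added here as an example and not part of any post in this thread: it parses SEP risk-log records in the "key: value" layout quoted later in the thread and flags hits on DWH*.tmp files inside a Temp folder as the TECH92399 quarantine-rescan artifact greg12 describes, so they can be separated from detections that need a real look. The log sample, user name and paths are constructed, and the DWH suffix pattern is an assumption.

```python
import re

# Constructed sample in the "key:  value" layout of a SEP risk-log record.
SAMPLE_LOG = """\
Event:  Risk Found!
Trojan.Gen.2
File:  C:\\Users\\alice\\AppData\\Local\\Temp\\DWH4A2F.tmp
Location:  C:\\Users\\alice\\AppData\\Local\\Temp

Event:  Risk Found!
Trojan.ADH
File:  C:\\Users\\alice\\Downloads\\keygen\\keygen.exe
Location:  C:\\Users\\alice\\Downloads\\keygen
"""

# Assumption: the characters after "DWH" are a short alphanumeric tag.
DWH_TEMP_RE = re.compile(r"^DWH[0-9A-Za-z]+\.tmp$", re.IGNORECASE)

def parse_records(text):
    """Split blank-line-separated records into dicts; the bare risk-name
    line (the one without a colon) is stored under 'Risk'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = re.match(r"^([A-Za-z ]+):\s+(.*)$", line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
            elif line.strip():
                rec["Risk"] = line.strip()
        records.append(rec)
    return records

def is_quarantine_rescan_artifact(rec):
    """True for the TECH92399 pattern: a DWH*.tmp file inside a Temp folder,
    which SEP 11 creates while rescanning quarantine after new definitions."""
    path = rec.get("File", "")
    name = path.rsplit("\\", 1)[-1]
    in_temp = "\\temp" in rec.get("Location", path).lower()
    return bool(DWH_TEMP_RE.match(name)) and in_temp

def triage(text):
    """Return (risk name, file, verdict) for each record in the log."""
    out = []
    for rec in parse_records(text):
        verdict = ("rescan-artifact" if is_quarantine_rescan_artifact(rec)
                   else "investigate")
        out.append((rec.get("Risk"), rec.get("File"), verdict))
    return out
```

A DWH*.tmp hit outside a Temp directory is deliberately left as "investigate", since only the temp-folder case is covered by the known issue.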

.Brian's picture

Known issue. See this thread, particularly at the end:

https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

jujubee's picture

I got this error. What do I do?

 

 

Scan type:  Scheduled Scan
Event:  Risk Found!
Trojan.ADH
File:  >>...>>...>>...>>keygen\keygen.exe
Location:  >>...>>...>>...>>keygen
Computer:  ANJU-PC
User:  SYSTEM
Action taken:  Clean failed : Delete failed
Date found: Tuesday, December 11, 2012  9:04:40 PM
 
Ajit Jha's picture

Use Symantec Endpoint Recovery Tool. To Obtain it and use please visit the link below:

http://www.symantec.com/business/support/index?pag...

Regards

Ajit Jha

Technical Consultant

ASC & STS

jujubee's picture

It is asking me for a serial number, but I don't know how to get that. Thanks

pete_4u2002's picture

Scan in safe mode. If the file is not required, delete the file.

Ferrarium_2's picture

As a last resort you could boot from another OS and delete the file manually. Hope that helps!