
Trojan Horse found every few seconds

Created: 18 Mar 2013 | 13 comments

Endpoint Version 12.1.1000.157 RU1

Windows 7, Home Premium

I am looking at the "Symantec Endpoint Protection Detection Results" screen.  Every 10-15 seconds a file pops up:

 APQ***.tmp - (the last 3 are always different), the action is Pending Analysis and the location is in the Symantec Quarantine folder.

This is always followed within one to four files saying Quarantined.    Some of those follow-on files begin with APQ and are in the Symantec Quarantine folder.  Most begin with DWH and are located in a users\app data\local\temp folder.  All of these files are labeled as Trojan Horses.

Each of these files appears within seconds of the others on the "Symantec Endpoint Protection Detection Results" screen.  What puzzles me is that while these files are constantly appearing on this screen, I also have the Symantec Endpoint Protection Status screen open, which only says "Your computer is protected.  No problems detected."  Meanwhile, every few seconds another line appears with a Trojan Horse on the detection results screen.

MEANWHILE - Microsoft Security Essentials is continually finding Trojan:Win32/Medfos.A every 10 minutes.  It is immediately removed and then comes back in about 10 minutes.

A couple of weeks ago the same thing was happening.  I ran the Symantec NFE tool but no luck.  A little research led me to malwaretips.com.  I followed their instructions and ran a process involving multiple downloads and files and finally got it to stop.  But now it is back and I have no idea why.

I don't have a clue on which way to turn and would appreciate any help.  Thanks in advance for reading this and I hope you can help.



.Brian:

This is likely a known bug. See this thread and the workaround by Mithun for clearing out the Quarantine folder:

https://www-secure.symantec.com/connect/forums/tro...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Bob58:

Brian,

Am I in the right forum? I am a home user with a free home-use Endpoint version provided by my employer - US Air Force. I'm looking hard but can't seem to figure out how to upgrade to the RU6 MP1 referenced in the link you provided.

.Brian:

This is the right forum.

Upgrading to the latest version is always recommended. With this particular issue, it has been improved in each new version, although not completely "fixed".

The latest version of SEP 11.x is RU7 MP3.

This can be downloaded from https://fileconnect.symantec.com using a serial number.

Since it has been provided by your employer, you will likely need to contact them for the new version.

Do you know what version you currently have? If you go to Help >> About in the top right corner it should show the version.


Ambesh_444:

Hi,


Trojan Horse is just a family of malware. It is too generic to provide a specific removal procedure.

There are three possible scenarios:
1) SEP already detects this Trojan Horse. Then open the risk logs, take the exact name of the virus and search for it on our website. There you will find the proper removal procedure. In most situations it is enough to disable System Restore and run a full scan in safe mode. This is the best removal tool.
2) You know that your machine is infected (for example thanks to another AV product) but SEP does not detect and remove it. In this case you have to submit the malware sample to Symantec so that the proper definitions can be released.
3) The malware is detected but not properly removed. Open a case with Technical Support or submit a sample to improve the quality of the detection and the removal of some malware variants.

Please check this link:

Trojan removal tool:

http://www.symantec.com/security_response/writeup....


Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Bob58:

Thanks for all your help.

I currently have SEP Version 12.1.1000.157 RU1.

The USAF download site has SEP Version 12.1 RU2.

The DOD download site has the above and also has SEP 11.0 RU7 MP3

Any advice on which I should download and use?  (Also, should I remove what I currently have BEFORE installing a new version or will that be automatically done when I start installation?)


Rafeeq:

You can run 12.1 RU2 on top of your existing installation.

Bob58:

Thanks.  Will install when I get home tonight and cross my fingers that the problem is solved.

Bob58:

No luck. Installed the new version of SEP and still have the same problem, though slightly different.

SEP is now detecting a Risk of "Trojan Horse" every 5-6 seconds. All with a filename beginning with DWH. All located in C:\PROGRAMDATA\Symantec\Defwatch.DWH\ both for original location and current location. All showing an action of "Pending Analysis" with nothing quarantined.

Meanwhile, Microsoft Security Essentials is detecting and removing "Trojan:Win32/Medfos.A" every 10 minutes just like it was doing before.

I'm about to totally remove SEP and see what happens but will wait awhile to see if anyone can possibly provide any more tips. Thanks in advance for reading this.

Bob58:

I have been reading Symantec support site info and Googling and reading a lot of other sites detailing similar problems.  My latest problem does not seem to be identified.  Most fixes seem to deal with files being quarantined.  On my system these DWH files are NOT being quarantined anymore.  All DWH files stay in a Pending Analysis status.  No files are being put in the Quarantine folder.  They all stay in the Defwatch.DWH folder.
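A check worth running at this point, added here as an example and not taken from any post in this thread: list the DWH*/APQ* .tmp files the detections name, record where each one lives and its SHA-256, and see whether the same content keeps reappearing. The paths are assumptions based on the folders quoted in the posts: Defwatch.DWH and the SEP Quarantine folder are searched for under %ProgramData%\Symantec rather than a hard-coded version path, and the user temp folder is taken to be %LOCALAPPDATA%\Temp. Hashing goes through .NET directly so the script also runs on the PowerShell 2.0 that ships with Windows 7 (Get-FileHash only exists from PowerShell 4.0).

```powershell
# Added example, not code from any post in this thread or from Symantec.
# Enumerates DWH*/APQ* .tmp files written in the last hour under the folders the
# posts mention and groups them by folder and content hash.
#
# Assumptions (not from the thread):
#  - Defwatch.DWH and the SEP Quarantine folder sit under %ProgramData%\Symantec.
#  - The user temp folder is %LOCALAPPDATA%\Temp.
# Run from an elevated prompt. Files SEP holds open are reported as 'unreadable'
# instead of aborting the run.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '')
    } finally {
        $stream.Close()
    }
}

function Get-DefWatchTempFiles {
    param([int]$MinutesBack = 60)
    $since = (Get-Date).AddMinutes(-$MinutesBack)
    $roots = @(
        (Join-Path $env:ProgramData 'Symantec'),   # assumed parent of Defwatch.DWH and Quarantine
        (Join-Path $env:LOCALAPPDATA 'Temp')        # assumed user temp folder from the first post
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.Name -match '^(DWH|APQ).*\.tmp$' -and
                $_.LastWriteTime -ge $since
            } |
            ForEach-Object {
                $hash = 'unreadable'
                try { $hash = Get-Sha256Hex -Path $_.FullName } catch { }
                New-Object PSObject -Property @{
                    Written = $_.LastWriteTime
                    Folder  = $_.DirectoryName
                    Name    = $_.Name
                    Bytes   = $_.Length
                    SHA256  = $hash
                }
            }
    }
}

$files = @(Get-DefWatchTempFiles -MinutesBack 60)
$files | Sort-Object Written | Format-Table Written, Folder, Name, Bytes, SHA256 -AutoSize

# The same hash turning up again and again inside the Symantec tree matches
# DefWatch rescanning its own quarantine contents; fresh hashes landing in the
# user Temp folder point at something still dropping files on the machine,
# which the quarantine-cleanup workaround will not address.
Write-Host ''
Write-Host 'Distinct contents per folder (Count = how often that content reappeared):'
$files | Group-Object Folder, SHA256 | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Folder'; e = { $_.Group[0].Folder } },
        @{ n = 'SHA256'; e = { $_.Group[0].SHA256 } } |
    Format-Table -AutoSize
```

Read the second table before deciding what to do: if every row sits under the Symantec folders and a handful of hashes account for all the hits, the detections are SEP re-examining its own quarantine contents, and the Quarantine/Defwatch.DWH cleanup from the linked thread is the right fix. Rows in the user Temp folder with new hashes each run mean a live infection that has to be dealt with separately, whatever SEP is doing with its temp files.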

.Brian:

You may just want to do a complete uninstall/reinstall.


Sachin Sawant:

Install MS patch KB958644 and scan the machine.

Bob58:

Did all of the above to no avail. I have now removed it completely and won't be reinstalling. Hey, it was free from my employer who also offers McAfee for free so I will try that one and, if needed, will simply purchase something.

W007:

Hello,

You can check these public KBs:

tmp file (DWH*****.tmp) detected as Trojan.Gen or Trojan.Gen.2 by Corp products

http://www.symantec.com/business/support/index?page=content&id=TECH102953

You can also get help from Symantec Support with this issue.

You can create a Case with Symantec Technical Support Team.

How to create a new case in MySymantec (formerly MySupport)

http://www.symantec.com/docs/TECH58873

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)

Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)

United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Check this thread, where the problem was not fixed:

https://www-secure.symantec.com/connect/forums/sta...

Look at this discussion:

https://www-secure.symantec.com/connect/forums/sudden-increase-quarantined-viruses-and-trojans


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.