Unable to delete Trojan.Gen.2

Created: 18 Nov 2013 | 28 comments

Hello,

I am running 32-bit Windows 7 and Symantec Endpoint Protection version 12.1.3001.165.

Recently I ran a virus scan that found four particular trojans and said that it quarantined or deleted them. However, every 10 minutes or so, a new detection results window pops up and tells me that it found the same four trojans again.

They always show up like this:

Filename Risk Action
80000000.@ Trojan.Zeroaccess.C Cleaned by deletion
00000004.@ Trojan.Gen.2 Quarantined
000000cb.@ Trojan.Zeroaccess.C Cleaned by deletion
80000032.@ Trojan.Gen.2 Quarantined

And are all found in C:\Users\[username]\AppData\Local

I found this technical solution that seems to address a similar problem: http://www.symantec.com/business/support/index?page=content&id=TECH102953

But that doesn't work for me because it seems I don't have Symantec Endpoint Protection Manager (?) and all of my options are different. The only program I have is Symantec Endpoint Protection (without the manager), and I don't know if that is different or not but it appears to be. For example, my Virus and Spyware Policy is called Virus and Spyware Protection, and there is no option for Windows Settings, only Change Settings. I couldn't find the options that are presented in that solution.

I got this antivirus through a university where I am a student and I am rather unfamiliar with it, so I apologize if this is a silly mistake, but at the very least the constant intrusion is very annoying and at the most I really hope this isn't an active threat. 

If you could please let me know what to do to fix this that would be great!

Thank you!

.Brian:

Download and run this tool:

http://www.symantec.com/security_response/writeup....

You may need to do some manual work, however, like restoring drivers. The above link also provides details on how to do this.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

AKS3:

Thank you very much for the prompt response! 

I downloaded and ran the file, it restarted my computer, but upon restart the fix tool message said No infections were found. Shortly thereafter Symantec detected the same four trojans. Any other ideas?

.Brian:

Then, if it is truly the dwhxxx.tmp issue, this is essentially a false positive/bug within SEP. You can manually delete your quarantine by following the steps in the article you linked. Unfortunately, this is a known issue in SEP and continues in newer versions. There is no true fix yet. I would suggest deleting your quarantine. The article you linked should "fix" it for now.

AKS3:

Thank you. Do you mean this?

Delete the Quarantine Folder
Type the following commands in the Command Prompt. Replace silo with the appropriate build number:

Windows 2000/XP/2003:

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\silo\Data\Quarantine\"

I tried in the command prompt but it said that it could not find the path specified. I probably made a typo? Also, just to make sure, I replace silo with the numbers 12.1.3001.165?

Thanks for all the help!

.Brian:

Yep, just add the version number you're on to replace "silo".

AKS3:

I don't know, no matter how many times I try to type it, the command prompt says "the system cannot find the path specified."

My command prompt starts in the directory C:\Users\[Username]> - do I need to get out of that?

Also, I went to Windows Explorer to try to find it and I too couldn't trace the path - I can't find the ProgramData folder that the quarantine is supposed to reside in. Is there a way I can find where the quarantine is and delete it without using the command prompt?

.Brian:

Yes, in the cmd prompt type "cd c:\" to get to root, then type out the command.

AKS3:

Thank you again... I am so close! (I think)

Now it says "The process cannot access the file because it is being used by another process. Access is denied."

What would fix that? I will close all programs and try again, but will I have to disable Symantec for a bit as it seems to be constantly checking?

Thank you again!

.Brian:

Yea, you need to stop the SEP service.

AKS3:

Sorry for being such a bother... 

I turned off everything, and went through SEP and disabled all virus and spyware protection, access was still denied but the message was slightly different. Is there something else I should do to fully disable Symantec while I try to clear out the quarantine? 

Thank you!

.Brian:

Did you type "smc -stop" in the cmd prompt to stop the service? The icon will disappear from the task tray.

AKS3:

"smc -stop is not recognized as an internal or external command, operable program, or batch file."

I also disabled the whole thing from the taskbar too and no luck.

.Brian:

Just do a Start >> Run and type "smc -stop" in the Run prompt instead.

Beppe:

Did you start your system in safe mode as explained by that same article?

Regards,

Giuseppe

AKS3:

Yes, just did now in safe mode, the deletion worked with no errors, but it did not solve the problem - the trojans came back.

.Brian:

Is the location still showing as the quarantine folder?

Beppe:

Please verify that the location of the detection is still the quarantine folder by reviewing the AV/risk logs.

Regards,

Giuseppe

GeoGeo:

Ah, the old DWH***.tmp issue.

One of the other workarounds for this is to go into your local client and delete everything that is in the quarantine folder. Every time your SEP client downloads a new definition file, the first thing it does is re-scan everything in the quarantine folder to see if there is a fix for an item in there. During this scan process, if anything else modifies or scans the file, it causes SEP to make a duplicate DWH***.tmp file and quarantine this new file, doubling up. There is no full fix for this issue atm; Symantec is still investigating.

Please review ideas and vote there could be something useful :)

https://www-secure.symantec.com/connect/security/ideas

AKS3:

So just go to the 'View quarantine' and delete everything that is in there? 

If I am doing what you suggest correctly, I have been doing that all along so I went back and just since this morning I deleted another 12 instances of these files, so this doesn't seem to help. Bummer, but thanks for the suggestion!

GeoGeo:

Hi AKS3,

Yes, the only thing we can do to reduce the impact is delete the existing quarantine; it may not stop it fully but will reduce the impact. This has been a known issue since SEP 11 RU4, and in every update Symantec has released a fix for it that slowly reduces the impact. Other things you may do to reduce the impact are to turn off things like Windows indexing, anything that would scan the file as it's created, to prevent SEP duplicating and quarantining it, as while it's being scanned by another product SEP can't quarantine the original file.

Beppe:

Not exactly... the article you linked explains how to remove the files in the quarantine folders in case of this problem; doing it from "View Quarantine" is not the same.

Regards,

Giuseppe

AKS3:

Yes, you are correct, I do not know how to manually remove quarantine files outside of the Symantec program. I am currently trying on the command prompt with little success.

Beppe:

If the detections are only those tmp files in the Symantec folder, nothing more, and the tool does not show any infection, I believe it is safe enough to simply reinstall SEP.

Regards,

Giuseppe

AKS3:

How do I know if the detections are only those tmp files? I am wary about uninstalling it because the university configured and installed Symantec after I had a new hard drive put in, so it was from their network and I don't know if I have the capability to re-install it myself.

I will try this! ...After class, unfortunately. Maybe I will take it to their tech support. Thank you though and I will let you know.

Beppe:

In SEP, you can check the risk logs to see what is detected and where.

Yes, you may need to go to your university tech support for such things, however bring them the articles and suggestions you found here!

Just remember to flag the best answer you got here...

Regards,

Giuseppe
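A small triage helper for the check suggested above (review the risk log for where each detection lives before deciding the quarantine-deletion workaround applies), added here as an example and not code from the thread or from Symantec. It assumes the Windows 7 quarantine path is the thread's XP path with ProgramData in place of "Documents and Settings\All Users\Application Data" and the poster's build number in place of "silo"; the sample rows are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# SEP 12.1 quarantine folder on Windows 7: the thread's XP path with ProgramData in place
# of "Documents and Settings\All Users\Application Data", and the poster's stated build
# number in place of "silo" (assumed layout).
QUARANTINE_ROOT = r"C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165\Data\Quarantine"
# Temp files SEP writes while re-scanning its own quarantine (the dwhxxx.tmp pattern).
DWH_TMP = re.compile(r"^DWH[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)

# Constructed risk-log rows: (full path, risk name, action). The first two are the known
# rescan loop; the last four copy the names and folder from the original post.
SAMPLE_ROWS = [
    (QUARANTINE_ROOT + r"\DWH1A2B.tmp", "Trojan.Gen.2", "Quarantined"),
    (QUARANTINE_ROOT + r"\DWH3C4D.tmp", "Trojan.Zeroaccess.C", "Cleaned by deletion"),
    (r"C:\Users\student\AppData\Local\80000000.@", "Trojan.Zeroaccess.C", "Cleaned by deletion"),
    (r"C:\Users\student\AppData\Local\00000004.@", "Trojan.Gen.2", "Quarantined"),
    (r"C:\Users\student\AppData\Local\000000cb.@", "Trojan.Zeroaccess.C", "Cleaned by deletion"),
    (r"C:\Users\student\AppData\Local\80000032.@", "Trojan.Gen.2", "Quarantined"),
]

def classify(path_str):
    """Bucket one detection by where the file lives:
    quarantine-rescan  = DWH*.tmp inside the quarantine folder (SEP re-scanning itself)
    quarantine-other   = anything else inside the quarantine folder
    outside-quarantine = a file elsewhere on disk, which needs real investigation"""
    path = PureWindowsPath(path_str)
    if str(path.parent).lower() != QUARANTINE_ROOT.lower():
        return "outside-quarantine"
    return "quarantine-rescan" if DWH_TMP.match(path.name) else "quarantine-other"

def triage(rows):
    """Group (path, risk, action) rows by bucket, keeping only the file name per row."""
    buckets = defaultdict(list)
    for path, risk, action in rows:
        buckets[classify(path)].append((PureWindowsPath(path).name, risk, action))
    return dict(buckets)

def looks_like_known_loop(rows):
    """True only when every detection is a DWH*.tmp in quarantine; anything outside
    that folder means deleting the quarantine is not the whole answer."""
    return bool(rows) and all(classify(p) == "quarantine-rescan" for p, _, _ in rows)
```

Run against the poster's own rows, `looks_like_known_loop` returns False because the four `.@` files sit in AppData\Local rather than the quarantine folder, which is exactly the distinction the risk-log check is meant to surface.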

AKS3:

Okay, I will as soon as it is fixed; I will flag the one that turns out to be the solution.

deepaknk:

Hi AKS3,

Open the Symantec client interface, go to Change Settings, then click on Client Management, open Configuration Settings, go to Tamper Protection, disable Tamper Protection, stop the Symantec services and try to delete the quarantine.

[Attached screenshots: Deleting Quarantine.png, deleting Quarantine1.png]

elemes:

Hello,

What if I get a similar notification, but not for a temp/DWH... file, and with some differences:
- it is in a programdata/windows manager folder.
- there is a registry entry mentioned in the notification.
- that registry entry is locked (cannot be changed or removed).
- a mysterious "microsoft.com" item is present among the startup programs.
- this item also refers to the same locked registry entry.
- that startup item cannot be disabled, although owned by me (user) and not the system.

Sounds paranoid, doesn't it.

Attempted norton power removal tool that did not find anything. Still I'm concerned.

Thanks.

BR

Laszlo

[Attached screenshots: risk.details.png, startup.png]