Video Screencast Help

Unable to fully remove Trojan.Gen.2 with SEP

Created: 14 Dec 2011 • Updated: 18 Jan 2012 | 3 comments
This issue has been solved. See solution.

Hi, I about a week and a half ago my computer caught what I am assuming to be Trojan.Gen.2. At that time it coopted my computer screen with a fake antivirus program and removed all icons from my homescreen; I restarted the computer in Safe mode and was able to go to a previous system restore point and do a full scan with both symantec endpoint protection and Ad-Aware.

Since then, intermittently symantec pops up telling me it has identified and quarantined Trojan.Gen.2, all of the files are said to be in my AppData/local/temp folder and begin with DWH####.tmp. I've read about how dangerous this virus can be and wish to get rid of it but everywhere I've looked for solutions online has been archaic, to me, at best. If someone could walk me through the steps to remove this I'd greatly appreciate it.

Comments 3 CommentsJump to latest comment

Mithun Sanghavi's picture


This is a known issue with the older versions of Symantec Endpoint Protection version 11.x

Incase, if you are carrying an older version of SEP, it would be adviced to install the Latest version of SEP 11.0.7101 OR Migrate to the SEP 12.1.1000

Check this:

DWH***.tmp files are detected in the user profile temp directory

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect


Create a policy as suggested below:

  1. Open Symantec Endpoint Protection Manager (SEPM)
  2. Select Policies
  3. Select Antivirus and Antispyware Policy
  4. Select Quarantine
  5. Click on the Cleanup Tab
  6. Under Quarantined Files check mark "Delete oldest file to limit folder Size at ( X ) MB (Instead of X mentioned the Size of Quarantine Folder normally selected.)
  • If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:
  • Disable re-scanning of quarantine files.

    From the SEP-Manager:
    - Edit the Antivirus and Antispyware policy of affected clients.
    - In the policy editor click "Quarantine" on the left-hand menu.
    - On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

    Also, to remove the DWxxxxxx.tmp, follow the steps as provided in the Article below:

    Hope that helps!!

    Mithun Sanghavi
    Associate Security Architect

    MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

    Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

    Mohankumar's picture

    If you are facing problem in your machine due to trojan virus

    1.Check wether your SEP client is get update sith latest update are not

    2.Scan your system with thired part tools like NSS, stinger ,combofix,trojen remover...etc

    3.even your facing same problem after you scan your system also take sampel of that virus and send to compressed file and send to Symantec

    4.Go to browser and type this link

    5. fill your personeal details and add that zip file.