
DWHxxxx .tmp files problem in SAV 10.2.0.276


  • 1.  DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Feb 23, 2010 10:41 PM

    I'm running a 32-bit Vista on a PC.  For the past two weeks, my SAV has been picking up multiple "trojans", a couple hundred per day.  The auto-protect lists the risk as JS.SecurityToolFraud.C, and lists the file as a DWHxxxx.tmp file (all files are of the same file name format).  The files are put in the quarantine folder each time.  I do not have the SecurityTool malware, I have scanned and checked multiple times.  I also do not have the ability to change the setting of my SAV since it is run through the hospital and school I attend.  This problem sounds ridiculously similar to a problem with older versions of Endpoint about one or two years ago.  It turned out in that case that the SEP program itself was creating the files and labeling them as trojans.  A patch was made for SEP.  However, to my knowledge, there is no patch for SAV.  Does anyone know a way to cease the creation of these files, or will Symantec be putting out a patch for SAV at least?

    Note: I had originally tried deleting the files in Safe Mode, which worked, except when I restarted my computer, it wouldn't.  Blue screens, black screens, the works.  Eventually the computer did a self-consistency check, fixed whatever got messed up and everything restarted fine again.  And the auto-protect still picked up DWH.tmp files again.  So don't try deleting the things.

    Double note: Forgive me if this is posted in the wrong place, I don't know where to post for Client Security or AntiVirus problems, the drop-down list is not clear.



  • 2.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276



  • 3.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Feb 24, 2010 05:22 PM

    Thanks for the reply, but I have read that thread before and I am under the impression that the particular patch you indicated does not work for SAV, only SEP.  I do not own Symantec Endpoint, and therefore I believe that those particular patches will not work.  Is this true?  If not, let me know and I'll download the patches.  But if I'm correct, is there a patch for Symantec AntiVirus, not Symantec Endpoint?



  • 4.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Feb 24, 2010 05:32 PM
    Update the definitions and run a full scan in safe mode. If you have any other 3rd party Antivirus/Antispyware installed, remove it.
    It can also be due to corrupt virus definitions.


  • 5.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Feb 25, 2010 11:31 AM
    Thanks for your reply.  The definitions are updated to the most current version.  I uninstalled my Spybot S&D now as per your request, although it was never running automatic scans, I only used it when Symantec wouldn't pick up any problems that Spybot could.  I have never been able to run Symantec in Safe Mode, because there is always a startup error that occurs whenever I try and open the program (I forget the error name, it ended in .2000000x I believe, let me know if you really need that error name to help me), preventing me from running scans.  However, as I stated in my original message, this really sounds like the problem that was happening in EndPoint, which was a problem with the Symantec software itself, not a virus, so I'm not sure that scanning in safe mode would fix the problem.  What should I do now?


  • 6.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Feb 25, 2010 11:33 AM
    Just to make sure it's not a virus or something, can you run a scan with Malwarebytes once?

    Is this the error?

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121210520948


  • 7.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Feb 26, 2010 05:27 PM
    Thanks again for your reply.  No, the error has a basic dialog box, usually it just says Error: (whatever the error is) and something along the lines of "startup error, symantec cannot start".  It opens fine, it just doesn't scan in safe mode.  It has always been this way, so this is not something associated with my current problem.  Because I'm using SAV as a client under the hospital I work at, I think that I might need to be connected to the internet with a recognized IP address for SAV to work in safe mode, but who knows.

    Anyway, I ran Malwarebytes a few times prior to posting here, and other than one or two minor problems that it found and corrected, it never picked up on any of the DWHxxxx.tmp files like Symantec does.  Which is all the more reason why I feel that this is a Symantec problem and not a trojan-related problem.

    Is there anything else I can try?


  • 8.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Feb 26, 2010 05:36 PM
    Yes, I would agree that DWHxxxx.tmp is Symantec's problem, but I was trying to find out the cause, which can be a corrupt definition, 3rd party AV, infection or something else.
    Well, the next thing I could recommend is 10.2.4.xx

    and
    1. Disable rescanning of quarantine upon receipt of new virus definitions.
    2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
    3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
    4. Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.


  • 9.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Feb 27, 2010 12:48 PM
    Thanks for your reply.  I cannot disable rescanning of the quarantine folder because I do not have access to the administrative controls of the software.  Basically, at the institution I'm at, my computer must have the SAV software that the institution purchased, or else the computer will not work on the network.  The institution restricts any of its users from changing any of the settings of the software.  For this reason, I cannot upgrade to 10.2.4.xxx I believe, as well.

    I might try and delete all the files in the temp folder again in safe mode, but as I noted in my first response, my computer ceased functioning for a few hours after trying that.  And I am sure that I had only deleted DWHxxxx.tmp files in safe mode.  The automatic consistency check that the computer runs and the system restore function brought it back to life after a few tries, but I just want to forewarn anyone else who may read this that the first time I deleted the files directly, I encountered some resistance.

    But, I will try it again to see if I can't get the problems off of my computer.


  • 10.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Mar 02, 2010 11:49 PM
    I still need help please!


  • 11.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276



  • 12.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Posted Mar 05, 2010 06:44 AM

    Hi, I have the same problem on all the Vista PCs. This is an example from my Symantec log:
    28020508361C,5,1,2,NB0025,Lorenzo,Trojan Horse,C:\Users\USERNAME\AppData\Local\Temp\DWHA9FA.tmp,5,1,1,256,37769284,"",1267775537,,0,201 4 3 0 0 5 1 6 0 0 0,369885216,25464,0,1,0,0,0,0,,0,2,4,0,SRVSYMANTEC,{C7E6A5C5-27BF-497A-AD1E-4B35C372A568},,(IP)-10.1.10.2,,DOMAIN,00:13:E8:9B:F0:E3,10.2.0.276,,,,,,,,,,,,,,,,0,,,0,

    Thanks
    Lorenzo
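
Added example, not part of any post in this thread: a triage script for log entries like the one quoted above. It separates detections on DWHxxxx.tmp files in a Temp folder, which this thread ties to quarantine rescanning, from detections elsewhere. The field positions are inferred from that single sample entry, the time decoding (six hex bytes: years since 1970, zero-based month, day, hour, minute, second) is an assumption, and the sample lines are constructed.

```python
import csv
import ntpath
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (hosts, users and paths are made up), shortened to
# the leading fields of the entry quoted in the thread.
SAMPLE_LOG = r"""28020508361C,5,1,2,HOST-A,alice,Trojan Horse,C:\Users\alice\AppData\Local\Temp\DWHA9FA.tmp,5,1,1,256
28020508361D,5,1,2,HOST-A,alice,Trojan Horse,C:\Users\alice\AppData\Local\Temp\DWH1B2C.tmp,5,1,1,256
2802050A0000,5,1,2,HOST-B,bob,Trojan Horse,C:\Users\bob\Downloads\setup.exe,5,1,1,256
"""

# File name pattern DWHxxxx.tmp, as described in the thread.
DWH_TEMP = re.compile(r"^DWH[0-9A-Z]+\.tmp$", re.IGNORECASE)

def decode_time(hex_ts):
    """Assumed encoding: six hex bytes = years since 1970, zero-based month,
    day, hour, minute, second (client local time)."""
    year, month, day, hour, minute, second = bytes.fromhex(hex_ts)
    return datetime(1970 + year, month + 1, day, hour, minute, second)

def parse_line(fields):
    """Map the leading fields; positions are inferred from the sample entry."""
    if len(fields) < 8:
        return None
    return {"time": decode_time(fields[0]), "host": fields[4],
            "user": fields[5], "risk": fields[6], "file": fields[7]}

def triage(log_text):
    """Return (per-host count of DWH temp detections, all other detections)."""
    dwh_by_host, other = Counter(), []
    for fields in csv.reader(log_text.splitlines()):
        event = parse_line(fields)
        if event is None:
            continue
        folder, name = ntpath.split(event["file"])
        if DWH_TEMP.match(name) and ntpath.basename(folder).lower() == "temp":
            dwh_by_host[event["host"]] += 1
        else:
            other.append(event)
    return dwh_by_host, other

if __name__ == "__main__":
    dwh, rest = triage(SAMPLE_LOG)
    print("DWH temp-file detections per host:", dict(dwh))
    for e in rest:
        print("needs review:", e["time"], e["host"], e["file"])
```

A DWH match only tells you where the detection occurred; entries in the second list are the ones that point at files outside the rescan pattern.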



  • 13.  RE: DWHxxxx .tmp files problem in SAV 10.2.0.276

    Broadcom Employee
    Posted Mar 05, 2010 06:46 AM
    You need to disable the quarantine folder from being scanned after new definitions are installed on that machine.