Endpoint Protection


Keep getting a TMP Trojan Horse?

Migration User, Nov 10, 2010 03:51 AM

  • 1.  Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:04 AM

    Hey guys,

     

    I got a Trojan Horse after I downloaded the Free2Play game Blackshot, but Norton deleted it successfully.

    But now, every time I start my machine up, it finds a trojan horse called "DWH81C1.tmp" in "C:\Users\accountname\AppData\Local\Temp".

    Norton says they clean/delete it just fine, but next time I reboot, the file is there again. It is a tmp (temporary) file that keeps coming, but I don't understand why? And from where? And why can't Norton prevent it from coming back? Norton should be able to find the source?



  • 2.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:06 AM

    Uninstall the free2play game software; check if that creates the temp file.



  • 3.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:08 AM

    Delete all the files in \Users\accountname\AppData\Local\Temp and try...



  • 4.  RE: Keep getting a TMP Trojan Horse?

    Broadcom Employee
    Posted Nov 10, 2010 03:10 AM

    delete the temp files, disable the system restore and scan the system in safe mode.



  • 5.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:12 AM

    Wow, that was a lot of answers so quick!

    I deleted the game a long time ago, and removed all files that should be linked to it, but it still generates the .tmp file.

    I am not quite sure how to disable system restore? I am running Vista.



  • 6.  RE: Keep getting a TMP Trojan Horse?

    Broadcom Employee
    Posted Nov 10, 2010 03:22 AM

    It's ok, Vista does not have system restore. Scanning in safe mode would be the first step (with the latest definitions applied on the machine).



  • 7.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:29 AM

    I can't run Symantec Endpoint Protection in Safe Mode. It says "Failed to start the Symantec Management Client Service. Error Code returned: 0x8007043c"



  • 8.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:32 AM

    Ah, I found another thread to know how to open it in safe mode...

    But if I can't find any files in my scan, what should I do next? Windows keeps deleting the generated .tmp file every time it starts, but after a reboot the Trojan Horse comes back on track according to Norton.



  • 9.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:42 AM

    Hi,

    You can run Process Explorer and check for any suspicious process that's running (normally without signature/company name).

    Link: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

     

    Kill the process and then submit the zipped source file to Symantec/Virus Total for analysis.

    Symantec Gold: https://submit.symantec.com/websubmit/gold.cgi

    Virus Total: https://www.virustotal.com/index.html

     

    I suspect your installed AV doesn't have a signature yet for this threat.

     

    regards



  • 10.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:51 AM

    Atm I can't see any suspicious process running?



  • 11.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 03:56 AM

    Hi,

    See if this helps :

    1) Logon with administrative rights.

    2) Install Unlocker (Google will help you find the download link for the same.)

    3) Stop the Symantec Services.

    4) Browse to the following locations and delete the files:

         a) C:\Users\accountname\AppData\Local\Temp

         b) C:\Documents and Settings\All users\Application Data\Symantec\SRTSP\Quarantine

    NOTE: *If you are on Vista Platform the location will change to C:\Program data\App Data\Symantec\SRTSP\Quarantine

         c) C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer

    NOTE: *If you are on Vista Platform the location will change to C:\Program data\App Data\Symantec\Symantec Endpoint Protection\xfer

    5) Start the Symantec services.

    6) Clear prefetch.

    7) Restart your machine.

    8) Run a Full Scan on your system.



  • 12.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 04:08 AM

    I downloaded and installed Unlocker, but can't get it to work. It says right click on the folder and select "Unlocker". But I don't have that function...



  • 13.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 04:12 AM

    Ok got it to work.. But how to clear prefetch in Norton Endpoint?



  • 14.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 04:22 AM

    Enable risk tracer, we will see the source.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007092711352448



  • 15.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 04:26 AM

    Hi,

     

    You may want to try Malwarebytes AM to do a quick/full scan of your PC.

    http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

    AV may have some issue with fake AV, or some trojan executer may be clever enough to hide in your system.

    Btw did you check the SEP risk log? Where was this threat tracked from?

     

    regards



  • 16.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 04:53 AM

    I am referring to the system's prefetch. So, this is what you need to do to clear prefetch. Go to Start > Run, type prefetch and hit OK. You now have a window popped up. Select all the files and delete them. Reboot your machine and run a full scan. Let me know if this works.


  • 17.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 04:58 AM

    Hi Mike,

    This is most likely a known issue that can be solved by upgrading to the latest release of SEP 11.  Check out the following forum threads and see if this is the same behavior as you are having:

    https://www-secure.symantec.com/connect/forums/dwhtmp-files-being-quarantined-viruses

    https://www-secure.symantec.com/connect/forums/dwhtmp

    https://www-secure.symantec.com/connect/forums/dwh-files

    https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

    Also see:

    Defwatch temp files are re-detected in temp folder (http://www.symantec.com/docs/TECH138856)

    Please let the forum community know if upgrading to RU6 MP1 resolves this behavior for you, or if there is anything further that can be done to assist!

    Thanks and best regards,

    Mick
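
An added example (not from any post in this thread, and not Symantec's tooling) that inventories the three locations listed in reply 11 and the DWH*.tmp files in them, so you can see whether the DefWatch re-detection pattern from TECH138856 fits before deleting anything. It assumes the default SEP 11 folder layout; the Vista/7 paths under ProgramData and the XP paths under "All Users\Application Data" are my assumptions, not quoted from the thread.

```powershell
# Added example: inventory DefWatch DWH*.tmp files and the SEP quarantine/xfer folders.
# Run in an elevated PowerShell session. Nothing is deleted; this is a read-only check.

# Assumption: Vista/7 keep machine-wide app data under $env:ProgramData,
# XP under "<ALLUSERSPROFILE>\Application Data". SEP subfolders as named in reply 11.
$appData = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }

$locations = @(
    (Join-Path $env:LOCALAPPDATA 'Temp'),                               # a) where DWH81C1.tmp is being detected
    (Join-Path $appData 'Symantec\SRTSP\Quarantine'),                   # b) quarantine store DefWatch rescans
    (Join-Path $appData 'Symantec\Symantec Endpoint Protection\xfer')   # c) files waiting for submission
)

foreach ($dir in $locations) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Host "$dir : not present"
        continue
    }
    $files = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    Write-Host ("{0} : {1} file(s)" -f $dir, $files.Count)

    # DWH*.tmp entries, newest first: timestamps that cluster right after boot or a
    # definition update point at the quarantine rescan rather than a fresh infection.
    $files | Where-Object { $_.Name -like 'DWH*.tmp' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, CreationTime, LastWriteTime |
        Format-Table -AutoSize
}

# Which Symantec services are present and running (reply 11 stops these before cleaning).
Get-Service | Where-Object { $_.DisplayName -like 'Symantec*' } |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize
```

If the quarantine folder is non-empty and the DWH*.tmp files only reappear after a reboot or definition update, that matches the DefWatch behaviour Mick links to, and the fix is the SEP update rather than repeatedly clearing Temp.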



  • 18.  RE: Keep getting a TMP Trojan Horse?

    Posted Nov 10, 2010 05:05 AM

    Some of them are a little bit similar to mine, but none of them actually helps my situation... I am doing a full scan after deleting the tmp folder with Unlocker, and after that we must see what happens... Would a format C:\ and reinstall Windows be the solution?