Endpoint Protection

  • 1.  Trojan.Gen.2

    Posted Nov 30, 2010 09:48 PM

    I am having problems getting rid of this trojan. I am using Symantec Endpoint Protection ver. 11.0.6000.550.

    I keep on getting notices that Symantec has quarantined a bunch of DWH****.tmp files.

    I found this page http://securityresponse.symantec.com/security_response/detected_writeup.jsp?name=Trojan.Gen.2 on the Symantec website and have tried it without success.



  • 2.  RE: Trojan.Gen.2

    Broadcom Employee
    Posted Nov 30, 2010 10:44 PM

    The issue is fixed in RU6 MP1. Upgrade the client to RU6 MP1 and let us know if it solves your problem.

    DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan

    Fix ID: 1925607

    Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.

    Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.

    http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US 



  • 3.  RE: Trojan.Gen.2

    Posted Dec 01, 2010 12:30 AM

    Look for Fix ID 1925607. This issue is fixed in RU6.



  • 4.  RE: Trojan.Gen.2

    Trusted Advisor
    Posted Dec 01, 2010 06:43 AM

    RU6 MP1 will fix some of the clients getting this issue but there are instances of people getting this issue even after upgrading to RU6 MP1.

    Check your system for programs that auto-index new items, like Windows indexing (Control Panel > Indexing Options), and turn off indexing for them.

    These temp files are created by SEP when it rescans the quarantined files after a definition update. The indexing service scans them at the same time, causing SEP to identify the temp file it created as a new Trojan and re-quarantine it, creating duplicates.



  • 5.  RE: Trojan.Gen.2

    Posted Dec 01, 2010 09:53 PM

    Thank you for your help. I installed the upgrade and have not seen it pop up in the last few hours. Thank you all for your help.



  • 6.  RE: Trojan.Gen.2

    Posted Jan 04, 2011 01:29 PM

    Hi, my OS is XP SP2 and my Symantec AntiVirus is 10.1.8.8000. Recently, my machine keeps popping up SAV notifications telling me that a risk was found and a file named APQ*.tmp has been quarantined successfully. Please help me stop the notification from popping up.

    Thank you very much for any help,



  • 7.  RE: Trojan.Gen.2

    Posted Jan 07, 2011 09:17 AM

    I have NIS 2008 installed and, despite following the instructions, I get a message that NIS cannot remove this virus. Is there a fix in NIS 2008, or is an upgrade to 2010/2011 my only option? Thanks



  • 8.  RE: Trojan.Gen.2

    Posted Jan 07, 2011 09:49 AM

    @ Smittywitty,

    Have you tried scanning in Safe Mode?

    Also try the Norton Power Eraser tool to remove these pesky bugs.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    In the future you should post NIS issues in the Norton Community. This forum is for Enterprise Product support.

    http://community.norton.com/norton/

    Best,

    Thomas



  • 9.  RE: Trojan.Gen.2

    Posted Jan 07, 2011 01:52 PM

    Sorry for the wrong forum post. A search on Google dropped me right here. No, I have not tried a safe-mode scan. Will do that tonight. If that doesn't work I will then try the link to Power Eraser you provided. Thanks for your help.



  • 10.  RE: Trojan.Gen.2

    Posted Feb 28, 2011 11:30 PM

    Hello, I'm still having this trojan gen2 virus warning even after upgrading to the latest version. The computer has been rebooted since the upgrade was applied using SEPM. I can see the latest version is installed in both the SEPM console and the installed programs list in Windows.

    Someone also suggested Windows indexing could be causing the problem. Indexing is turned off for the AppData directory (which is where the user temp directory is located).

    Any other ideas?



  • 11.  RE: Trojan.Gen.2

    Posted Mar 01, 2011 01:58 PM

    @ StAlphonzo, Did you try running the SERT utility to remove this threat?

    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

    SERT Video - https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert



  • 12.  RE: Trojan.Gen.2
    Best Answer

    Trusted Advisor
    Posted Mar 01, 2011 02:32 PM

    Hello,

    Have a look at the Security Featured Thread

    Generic Trojan - DWH*.tmp in Temp folder

    https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

    If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

    Stop the Symantec service

    • Symantec Endpoint Protection

      • Click Start, then Run
      • Type: smc -stop
      • Click OK

    Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

    Open the Command Prompt

    Deleting files from User Temp folder

      • Click Start, then Run
      • Type: cmd
      • Click OK

      1. Type the following command in Command Prompt. (The path will vary depending on the user name.) Replace <NAMEOFUSER> with the username of the Windows user whose temp folder you wish to empty:

        • Windows 2000/XP/2003
          DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
        • Windows Vista/7/2008
          DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
      2. Deleting the contents of the temp folder at the root of C:\
        • Type the following command in Command Prompt:

          DEL /F /Q C:\temp
      3. Deleting the contents of the Windows Temp folder
        • Type the following command in Command Prompt:

          DEL /F /Q C:\WINDOWS\Temp
      4. Deleting the contents of the xfer and/or xfer_tmp directories
        • Type the following commands in Command Prompt:
            • Windows 2000/XP/2003
              DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

              DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
            • Windows Vista/7/2008
              DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

              DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"


    The Quarantine Folder


    NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer hangs due to the large number of files that can reside there.


      Delete the Quarantine Folder

      Type the following commands in the Command Prompt:

        • Windows 2000/XP/2003
          DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

          RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
        • Windows Vista/7/2008
          DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

          RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

        Recreate the Quarantine Folder

        Type the following command in Command Prompt:

          • Windows 2000/XP/2003
            MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
          • Windows Vista/7/2008
            MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

        Start the Symantec service

        • Click Start, then Run
        • Type: smc -start
        • Click OK

        • If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder, follow these steps:

        • Disable re-scanning of quarantine files.

          From the SEP Manager:
          - Edit the Antivirus and Antispyware policy of the affected clients.
          - In the policy editor, click "Quarantine" in the left-hand menu.
          - On the General tab, click "Do nothing" under the heading "When New Virus Definitions Arrive".
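        The manual procedure above (stop the client, empty the temp folders, wipe and recreate the Quarantine folder, restart the client) as a single PowerShell script, added here as an example; it is not code from the original post or from Symantec. It assumes smc.exe is on PATH or at the default install path under Program Files, that the SEP data directory is the default one the KB commands use, and that you accept losing every quarantined item when the Quarantine folder is removed. The `-WhatIf` switch previews the deletions without changing anything.

```powershell
<#
  Added example, not code from the original post or from Symantec: the manual
  cleanup above (stop the client, empty the temp folders, wipe and recreate the
  Quarantine folder, restart the client) as one script, so it can be run the
  same way on every client that keeps re-detecting DWH*.tmp files.

  Assumptions made here, not stated in the original post:
    - smc.exe is on PATH or at the default install path under Program Files.
    - The SEP data directory is the default one the KB commands use.
    - Wiping Quarantine permanently discards every quarantined item; review the
      Quarantine in the client UI first if anything there might need restoring.
  Run with -WhatIf to preview every deletion without changing anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Windows account whose per-user Temp folder is emptied (defaults to the caller)
    [string]$UserName = $env:USERNAME,
    # How long to wait for smc.exe to exit after "smc -stop"
    [int]$StopTimeoutSeconds = 60
)

$ErrorActionPreference = 'Stop'

# smc -stop and the machine-wide SEP folders require an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

# Locate smc.exe: PATH first, then the assumed default install directory.
$smc = Get-Command smc.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path
if (-not $smc) { $smc = Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection\smc.exe' }
if (-not (Test-Path -LiteralPath $smc)) { throw "smc.exe not found at $smc" }

# Vista/7/2008 keep machine-wide data under %ProgramData% and user temp under
# AppData\Local\Temp; 2000/XP/2003 use "All Users\Application Data" and
# "Local Settings\Temp". %ProgramData% only exists on the newer layout.
if ($env:ProgramData) {
    $allUsersData = $env:ProgramData
    $userTempRel  = 'AppData\Local\Temp'
} else {
    $allUsersData = Join-Path $env:ALLUSERSPROFILE 'Application Data'
    $userTempRel  = 'Local Settings\Temp'
}
$sepData  = Join-Path $allUsersData 'Symantec\Symantec Endpoint Protection'
$userTemp = Join-Path (Join-Path (Split-Path -Parent $env:USERPROFILE) $UserName) $userTempRel

function Clear-FolderContents {
    # Deletes only what is inside $Path, never the folder itself, as the KB
    # instructions require. Files locked by a running process are reported
    # and skipped instead of aborting the whole run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Verbose "Skipping missing folder: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -Force |
        Remove-Item -Recurse -Force -ErrorAction Continue
}

# 1. Stop the client so it cannot re-scan the files while they are removed.
if ($PSCmdlet.ShouldProcess('Symantec Management Client', 'smc -stop')) {
    & $smc -stop   # prompts for a password if the client policy requires one
    $deadline = (Get-Date).AddSeconds($StopTimeoutSeconds)
    while ((Get-Process -Name smc -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 2
    }
    if (Get-Process -Name smc -ErrorAction SilentlyContinue) {
        throw 'smc.exe is still running; not touching the Quarantine folder while the client is up.'
    }
}

# 2. Empty (but keep) the temp folders the KB lists, including SEP's xfer folders.
foreach ($folder in @(
        $userTemp,
        (Join-Path $env:SystemDrive 'temp'),
        (Join-Path $env:windir 'Temp'),
        (Join-Path $sepData 'xfer_tmp'),
        (Join-Path $sepData 'xfer'))) {
    Write-Host "Emptying $folder"
    Clear-FolderContents -Path $folder
}

# 3. Remove the Quarantine folder entirely and recreate it empty.
$quarantine = Join-Path $sepData 'Quarantine'
if (Test-Path -LiteralPath $quarantine) {
    Write-Host "Removing $quarantine (all quarantined items are discarded)"
    Remove-Item -LiteralPath $quarantine -Recurse -Force
}
New-Item -ItemType Directory -Path $quarantine | Out-Null

# 4. Start the client again.
if ($PSCmdlet.ShouldProcess('Symantec Management Client', 'smc -start')) {
    & $smc -start
}
Write-Host 'Done. Watch for new DWH*.tmp detections after the next definition update.'
```

        Run it once as `.\Clean-SepQuarantine.ps1 -WhatIf -Verbose` (file name assumed) to see which folders it would touch, then again without `-WhatIf`. Deleting the Quarantine folder is irreversible, so do that step only after the items in it have been reviewed. Note also that the policy change at the end of the post, "Do nothing" when new definitions arrive, stops SEP from re-evaluating genuinely quarantined items with newer definitions; it is a workaround for the duplicate-detection loop, not a general hardening step.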

      • 13.  RE: Trojan.Gen.2

        Posted Mar 03, 2011 12:37 PM

        Your solution solved the problem for us. Thanks a ton.



      • 14.  RE: Trojan.Gen.2

        Posted Apr 29, 2011 07:47 PM

        This Trojan.Gen.2 infected a file named scanquery.dll,
        which is located in c:\program files\scanquery\scanquery.dll

        Isn't that part of a Norton file? After a restart it is still not resolved.
        Any suggestion?



      • 15.  RE: Trojan.Gen.2

        Trusted Advisor
        Posted May 02, 2011 06:08 AM

        Hello,

        c:\program files\scanquery\scanquery.dll is not a part of Norton.

        This sounds like a threat itself.

        Please follow the Steps provided in the Article provided to check if there are any more threats on your machine :

         

        Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.


      • 16.  RE: Trojan.Gen.2

        Posted May 02, 2011 10:49 AM

        The only thing I would suggest is also deleting the Java cache folders.



      • 17.  RE: Trojan.Gen.2

        Posted May 02, 2011 11:00 AM

        @ AndersonAng, Threat Expert reports scanquery.dll as a threat.

        http://www.threatexpert.com/reports.aspx?find=scanquery.dll&x=0&y=0

        Try downloading the latest rapid release definitions and run a full scan in safe-mode. Let us know if the threat gets detected and cleaned. As Mithun stated, submit the file(s) to Symantec for analysis ASAP.



      • 18.  RE: Trojan.Gen.2

        Posted Oct 07, 2011 08:28 AM

        I am using Symantec Endpoint Protection 12.1. One of my systems is showing a Trojan.Gen.2 infection in

        C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine\APQ1893.tmp

        Kindly help.

        Anil Kumar