Solved

Temp Folder keeps creating random files that are appearing as Trojan

Posted on 2010-08-24
9
4,026 Views
Last Modified: 2013-12-09
Trojan.Gen

C:\Users\John\AppData\Local\Temp

I am looking at this directory right now which is creating heaps of .tmp files (DWH9974.tmp) which my antivirus (Symantec Endpoint) is auto quarantining them as malicious, saying they are Trojans. This is constantly occuring on my system.

Do you think these are ligitimate viruses or just False Positives?
What is this directory usually used for?
0
Comment
Question by:CiaranDe
9 Comments
 
LVL 5

Expert Comment

by:DanMar
ID: 33509286
It is the location for temporary files.  You can see a user's temporary directory by browsing %temp%.
Viruses may create files here as they unpack and be picked up by AV software.  If this does not stop you will need to scan the PC with Antispyware software e.g. Lavasoft Adaware to remove the malware.
You can also run msconfig.exe and check the startup folder.  Some viruses may attempt to installations upon reboot.
0
 

Expert Comment

by:capodie
ID: 33511396
Try using Malwarebytes and spybot. They seem to catch additional malware apps that AVs miss.
0
 
LVL 22

Expert Comment

by:optoma
ID: 33514926
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 33519932
First, run a temp file cleaner, TFC (Temp File Cleaner) or any temp cleaner you prefer, CCleaner, ATF Cleaner etc.
http://oldtimer.geekstogo.com/TFC.exe 

Then run the suggested tools like MalwareBytes, TDSSKiller or ComboFix etc and show us the logs.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 33526691

Please download SuperAntiSpyware Free & Download Hijackthis

http://downloads.superantispyware.com/downloads/SUPERAntiSpyware.exe
www.hijackthis.de

Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
Run Hijackthis, install it and run then post your log here please.
0
 

Author Comment

by:CiaranDe
ID: 33527758
You have all given me some great solutions. I appreciate this.

Now can someone please explain to me more about the trojan. How do they keep appearing in temp folder? there being installed from another location?
0
 
LVL 5

Expert Comment

by:DanMar
ID: 33530122
The temp (%temp%) folder is usually where applications unpack whilst installing.  If you see access denied messages when attempting to clean this folder out it is due to the virus or application locking the file.  Ideally you need to remove the malware so it stops trying to repeatadly reinstall.  Apart from the Endpoint application you should also run other applications e.g. Lavasoft Ad-Aware, Avast Antivirus, Spybot Seach & Destroy, Malwarebytes Antimalware are some that are free.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 33537004
I believe usually Malware in general likes to use the System restore folder which is hidden in C & D drive and protected from use deletion command.

This is why most of the manual removal instructions would recommend users to disable system restore to delete everything saved within these folders esp malware that keeps generating such files. However it's dangerous to disable system restore since you might need to roll back action in case of failure in any of processes you are applying to get rid of the infection.

Still yet there's another program that does save restore points that runs with Cobmofix.
0
 
LVL 12

Accepted Solution

by:
jmlamb earned 500 total points
ID: 33633402
What version of SEP is installed? This is a known issue and resolved in version RU6MP1.

DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan
Fix ID: 1925607
Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.
Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.

There is an initial infection on the system, which SEP is detecting. The scan and redetection of the TMP file created is the defect. And is further exacerbated when a new TMP file is created for the redetection triggering a loop.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
OVERVIEW This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM). AUDIENCE Information Technology personnel responsible for suppo…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now