My laptop was infected by a virus recently. My Java installation was out of date (so much for auto-update!) and I browsed to a page containing malicious advertisements which downloaded a virus. I immediately stopped what I was working on and cleaned off the computer. After spending a couple hours on it, I was reasonably certain the virus was gone.
Unfortunately, I started getting messages from Symantec Auto-Protect telling me that it had found an infected file in my temporary directory. Since that was where the infection started, I began to worry that I hadn’t completely eliminated the virus. So I rebooted into safe mode, re-scanned, etc. Nothing found!
This was puzzling, but I figured I would just continue to work like normal. Unfortunately, today the popups from Auto-Protect started again. Originally I thought that one of the sites I was visiting was infected: however, when I closed the site in question, the alerts continued. Finally, I Googled, hoping to find a solution. All I knew was that the filename was random-ish (DWH*.tmp) and that Norton was describing the virus as Trojan.gen (Norton’s generic term for “a trojan horse of some kind”).
Luckily, I ended up stumbling upon my answer. It was written by a Symantec employee in response to a topic about the issue:
The DWH files are temp files that are created by our process called defwatch.exe. These files are quarantined threats that we pull out of quarantine to scan during a quick scan. This usually happens when new defs are applied…What we have seen in most cases, is the indexing service, or some other real-time scanner is touching the file and then auto-protect is re-scanning it.
So, mystery solved! The files I was seeing where actually quarantined versions of the viruses I had eliminated earlier. A couple clicks to empty my quarantine and I wasn’t getting any more alerts. Very satisfying.