
saboking

join:2003-06-24
Singapore

SymLCSV1.exe

BOCLEAN and TDS-3 identify this file as Trojan.win32.dodgy. The file is SYMLCSV1.EXE from the following directory.

c:/programfiles/common files/symantec shared/ccpd-1c\

I believe the above two programs can remove it. I wonder whether I should use Ghost to reclone the hard disk back to its original state. Any advice? Thank you.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable

If you are using a Symantec product the USUAL file is located here:
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Note: The file you noted is 'similar' to the one above...
Could you navigate to the directory C:\Program Files\Common Files\Symantec Shared\CCPD-LC\ and list any exe files you have in that directory?


saboking

join:2003-06-24
Singapore
The file is Symlcsvc. I used TDS-3 to do a scan and it says trojan file (embedded).

Now my Norton AntiVirus is down.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable


said by saboking:

The file is Symlcsvc. I used TDS-3 to do a scan and it says trojan file (embedded).

Now my Norton AntiVirus is down.

If "Symlcsvc.exe" is damaged your Norton will not run properly.

Would you submit that file for analysis here & post what it finds or does not find?
Jotti's online analysis:
»virusscan.jotti.org/

From Symantec: [How to fix]
»service1.symantec.com/SUPPORT/sh···_sch_nam
About the 'real' Symlcsvc.exe

To check your program's activation file
1. On the keyboard, press Ctrl+Alt+Delete.
2. In Windows XP only, click Task Manager.
3. In the Windows Task Manager dialog box, on the Processes tab, do one of the following:
   - If you find the file Symlcsvc.exe, then the program's activation is working. Go to "Section 6: Check drive space."
   - If you do not find the file Symlcsvc.exe, then the program's activation is not working. Go to step 4 to download and use the Symantec tool.
4. Exit all running programs.
5. Download SymKBFix3.exe to the Windows desktop.
6. When the download completes, if the dialog box does not close, then click Close.
7. Continue with "To replace your program's activation file."

To replace your program's activation file
1. On the desktop, double-click the SymKBFix3.exe icon to start the application.
2. Click Install.
3. Click Next for all additional dialog boxes.
4. Click Finish.
5. Click Yes to restart the computer.
You must restart the computer before continuing to the next step, or the fix will not be successful.
--------------


saboking

join:2003-06-24
Singapore
I will try to submit the files to the website but I guess I better reformat the HDD to be on the safe side.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable

said by saboking:

I will try to submit the files to the website but I guess I better reformat the HDD to be on the safe side.

Before you reformat let's at least try to get this file analyzed and sent over to Symantec as well....:)


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25


reply to saboking
said by saboking:

BOCLEAN and TDS-3 identify this file as Trojan.win32.dodgy. The file is SYMLCSV1.EXE from the following directory.

c:/programfiles/common files/symantec shared/ccpd-1c\

I believe the above two programs can remove it. I wonder whether I should use Ghost to reclone the hard disk back to its original state. Any advice? Thank you.

In Windows Explorer, do a file properties on SYMLCSV1.EXE. Is it digitally signed by Verisign? That's your best proof that it is not tampered/fake. It should be C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (shared core component with recent Symantec consumer products [I think 2004 and up]). Note the location and spelling (assuming Windows is in English and using defaults).

If not digitally signed by Verisign, it's fake/bad!
--
Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check almost daily)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25


reply to amysheehan
said by amysheehan:

said by saboking:

I will try to submit the files to the website but I guess I better reformat the HDD to be on the safe side.

Before you reformat let's at least try to get this file analyzed and sent over to Symantec as well....:)

Agreed. Format is too harsh. Use it as the last resort when all options have run out. Oh, and thanks for the thumb up rating in my last reply.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
reply to saboking
According to »castlecops.com/t117097-Cant_fing···_is.html ... it is a harmful file.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable

reply to antdude
said by antdude:

said by amysheehan:

said by saboking:

I will try to submit the files to the website but I guess I better reformat the HDD to be on the safe side.

Before you reformat let's at least try to get this file analyzed and sent over to Symantec as well....:)

Agreed. Format is too harsh. Use it as the last resort when all options have run out. Oh, and thanks for the thumb up rating in my last reply.

Could you navigate to
C:\Program Files\TDS3\Logs\May
and copy the logfile for the date that this was found by TDS-3 and post it here for us?
That would really be helpful as well...:)

saboking

join:2003-06-24
Singapore
Sorry, I already started using clone to reclone the hard disk. The reason is the TDS-3 lock-up on reboot. So in order to stop further damage to my other anti-trojan program, I went ahead and recloned it back to its original state.

saboking

join:2003-06-24
Singapore
After recloning the HDD, the trojan is still around. I will try to reformat the HDD and see how it goes.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable


reply to saboking
said by saboking:

Sorry, I already started using clone to reclone the hard disk. The reason is the TDS-3 lock-up on reboot. So in order to stop further damage to my other anti-trojan program, I went ahead and recloned it back to its original state.

BEFORE YOU REFORMAT--
Could you try and locate the file and have it scanned online?
This trojan, based on limited info, is quite difficult to get rid of and I'm sure Symantec would like to know more about it as it was found in their core components directory.

saboking

join:2003-06-24
Singapore
I don't think I can submit the file to Symantec.

I read through their website; it said that in order to submit a sample file, they need it to be taken from the quarantine area.

But my Norton AntiVirus program is down.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable

How to add to quarantine: [see screenshot]

saboking

join:2003-06-24
Singapore
Thank you, that is clear. A picture is certainly worth a thousand words.

saboking

join:2003-06-24
Singapore
reply to amysheehan
Ah, even the quarantine doesn't work. Now using TDS-3 in safe mode to detect the trojan and see what other files are infected.


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable

said by saboking:

Ah, even the quarantine doesn't work. Now using TDS-3 in safe mode to detect the trojan and see what other files are infected.

Don't forget to post the TDS-3 log when you've finished...:)

Gavin_TH

join:2003-04-03
Australia

reply to saboking
Hi,

I can confirm this is a false alarm. The REAL symlcsvc.exe has many other files embedded within it, and this is one of them. Not sure why, but it does look like it's used for updating! If you have removed this file, you can reinstall or get the file from someone else.

symlcsvc.exe MD5 94D3C8257776019A7A96AF69F62BA509

Please note there could be other versions of this file around, depending on the products users have installed. This is the only checksum for both the files I have.

TDS-3 no longer detects this, the update was issued early today. Apologies for any inconvenience, enjoy the weekend!
--
Gavin Coe
DiamondCS Analyst
»www.diamondcs.com.au
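
The three checks raised in this thread (exact location and spelling, digital signature, checksum) can be run together from PowerShell. This is an added example, not part of any post above; the expected path and MD5 are the values quoted in the thread, while the function name `Test-FlaggedFile` and its output field names are hypothetical.

```powershell
# Added example. Expected path and MD5 are the values posted in this thread;
# Test-FlaggedFile and its output field names are hypothetical.
function Test-FlaggedFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedPath = 'C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe',
        [string] $PostedMd5    = '94D3C8257776019A7A96AF69F62BA509'
    )

    # A missing file is a result, not an error: report it and stop.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # 1. Location and spelling. A near-miss name or folder (for example a digit
    #    where the real name has a letter) fails this exact comparison.
    $pathMatches = [string]::Equals($full, $ExpectedPath, [StringComparison]::OrdinalIgnoreCase)

    # 2. Authenticode signature. 'Valid' means the file is unmodified since it
    #    was signed and the certificate chains to a trusted root. Signer and
    #    issuer are returned so a person can confirm who actually signed it.
    $sig  = Get-AuthenticodeSignature -LiteralPath $full
    $cert = $sig.SignerCertificate

    # 3. Checksums. The MD5 is compared with the single value posted in the
    #    thread; another build of the same product will not match it. MD5 is
    #    not collision-resistant, so SHA-256 is recorded as well.
    $md5    = (Get-FileHash -LiteralPath $full -Algorithm MD5).Hash
    $sha256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path             = $full
        Exists           = $true
        PathMatches      = $pathMatches
        SignatureStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer           = if ($cert) { $cert.Subject } else { $null }
        Issuer           = if ($cert) { $cert.Issuer }  else { $null }
        Md5              = $md5
        Md5MatchesPosted = ($md5 -eq $PostedMd5)
        Sha256           = $sha256
    }
}

# Check the file at the location given in the thread.
Test-FlaggedFile -Path 'C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe'
```

A `Valid` signature with the expected signer is the stronger result; an MD5 mismatch alone only shows that the file is not the one build whose checksum was posted.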


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
·RoadRunner Cable


said by Gavin_TH:

Hi,

I can confirm this is a false alarm. The REAL symlcsvc.exe has many other files embedded within it, and this is one of them. Not sure why, but it does look like it's used for updating! If you have removed this file, you can reinstall or get the file from someone else.

symlcsvc.exe MD5 94D3C8257776019A7A96AF69F62BA509

Please note there could be other versions of this file around, depending on the products users have installed. This is the only checksum for both the files I have.

TDS-3 no longer detects this, the update was issued early today. Apologies for any inconvenience, enjoy the weekend!

Thanks Gavin for that info. I luckily haven't seen this happen using TDS-3 and Symantec products. Thanks for getting it fixed as well.

The Symantec link I posted earlier has instructions for fixing a missing symclsv....
Scroll down this page:
»service1.symantec.com/SUPPORT/sh···_sch_nam

To the section:
To check your program's activation file
follow thru to end of that section....
To the section:
To replace your program's activation file
-amy-