Trojan found in Symantec shared files, Symantec core component...?


WickedGirl,

 

I see that you submitted the file to us earlier today. Your tracking number is '9893668'. You'll receive another email from us once the file has been analysed.

 

Thanks

- DesiT

Hello! After seeing a suspicious file in both Task Manager and my Local\Temp file, I decided to upload the file to Jotti's online virus scan service to check it out. The file came back as a possible Trojan called Trojan.Downloader.Small.ciz. The file is actually found in C:\Program Files (x86)\Common Files\Symantec Shared\CCPD-LC and is the symlcsvc.exe file that shows as Symantec's core component. What got my attention with this file is that it also showed up in my Local\Temp file renamed symlcsvc1.exe. Is this a trojan? If so, how did it get past Norton into Norton's own file area?

 

I am running Vista 64-bit OS with Norton Internet Security 2008. All updates, both Windows and Symantec, are in place and the program is running with all options enabled and Windows Defender and Firewall turned off so as not to cause a conflict.

 

Thank you in advance.

WickedGirl,

 

The file you submitted had an MD5 hash value of 438fafe708c93b2236fc26b6f2bd5fd0 and was the original file from Symantec. This file is digitally signed by us. This file is not malicious.

 

Please go ahead and submit the file 'symlcsvc1.exe' that you found in the Local\Temp folder. Once done, post the 'Tracking' number here.

 

Regards,

- DesiT

I noticed something like this today on my older system with Windows XP Home. In Task Manager, it will have one copy of symlcsvc.exe running, then for a second or so a second one called symlcsv1.exe will come up, and then just one again. I checked to make sure it's digitally signed and it was, but I could not find the other one called symlcsv1.exe on the system. I looked on my system for symlcsv1.exe but it's gone. But there is a symlcsv1.exe in my C:\WINDOWS\Prefetch\symlcsv1.exe1A268432.pf, so I have no clue if that was digitally signed because it's gone.

 

WickedGirl, what folder did you find symlcsv1.exe in? Because if I search I can't find a copy.

 

Scanning in safe mode right now. Not sure, does symlcsvc update at times?

Message Edited by jarrycanada on 09-02-2008 04:15 PM

I think I just answered my own question, but I would sleep better tonight if a nice person at Symantec would please verify.

 

WickedGirl, please look in C:\Program Files\Common Files\Symantec Shared\CCPD-LC

 

In there, there should be an htm folder called ez_log.htm or html. Open it and read something along the lines of this:

08.05.2008 14:50:01:671 2496 NT based operating system detected.
08.05.2008 14:50:01:671 2496 Installation initiated.
08.05.2008 14:50:01:671 2496 Deleting file C:\WINDOWS\system32\symlctnk.dll
08.05.2008 14:50:01:671 2496 Deleting file C:\WINDOWS\system32\symlcnet.dll
08.05.2008 14:50:01:671 2496 Deleting file C:\WINDOWS\system32\symlcsvc.exe
08.05.2008 14:50:01:671 2496 Deleting file C:\DOCUME~1\YOUR NAME HERE\LOCALS~1\Temp\\symlcsv1.exe
08.05.2008 14:50:02:843 2496 Installation successful.
08.05.2008 14:50:04:828 2492 Service started.

 

But there should just be one good old version of this, and it should be in the same folder as this little log I just posted part of.

Message Edited by jarrycanada on 09-02-2008 03:43 PM

WickedGirl,

 

jarrycanada is right. This file is a core component of the Norton software installation and is run as a service called 'Symantec Core LC'.

 

These files should have been digitally signed by Symantec. Can you confirm if this is indeed the case?

 

Regards,

- DesiT
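
Added example, not part of the original thread and not Symantec's own tooling: one way to confirm the two points raised above (the digital signature and the MD5 quoted by staff) from PowerShell. The function name `Test-VendorBinary`, the `*Symantec*` signer pattern and the `$env:TEMP` location for the temporary copy are assumptions; the install path, file names and MD5 value are the ones quoted in the posts.

```powershell
# Added example: report Authenticode status, signer and MD5 for each file.
# Test-VendorBinary is a hypothetical helper name, not a built-in cmdlet.
function Test-VendorBinary {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $ExpectedMd5,                    # hash quoted by staff, if any
        [string] $SignerPattern = '*Symantec*'    # assumption: vendor name in cert subject
    )
    foreach ($p in $Path) {
        # The temp copy is short-lived (the installer log shows it being deleted),
        # so a missing file is reported rather than treated as an error.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Verdict = 'missing'; SignatureStatus = $null
                               Signer = $null; MD5 = $null; Md5Match = $null }
            continue
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $md5    = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash

        # 'Valid' means the signature verifies and chains to a trusted root;
        # the subject match only checks that the signer is the expected vendor.
        $signedOk = ($sig.Status -eq 'Valid') -and ($signer -like $SignerPattern)
        $md5Match = if ($ExpectedMd5) { $md5 -eq $ExpectedMd5 } else { $null }

        [pscustomobject]@{
            Path            = $p
            Verdict         = if ($signedOk) { 'signed-by-expected-vendor' } else { 'investigate' }
            SignatureStatus = $sig.Status
            Signer          = $signer
            MD5             = $md5
            Md5Match        = $md5Match   # informational: only the original was hashed by staff
        }
    }
}

# Paths and hash as quoted in the thread; the Temp location is an assumption.
$files = @(
    'C:\Program Files (x86)\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe',
    (Join-Path $env:TEMP 'symlcsvc1.exe')
)
Test-VendorBinary -Path $files -ExpectedMd5 '438fafe708c93b2236fc26b6f2bd5fd0' |
    Format-List
```

A temporary copy that is unsigned, or whose signature status is anything other than `Valid`, is the one worth submitting for analysis; a differing MD5 on the temporary copy alone is not conclusive, since staff only hashed the original.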

The weird part is, and maybe you should point this out to the big boys upstairs, why is it popping up in Task Manager? It seemed to do with autoupdate, I guess.

 

WickedGirl, did that file show and then disappear in your Task Manager? What virus scanner did you scan it with? I would recommend you try scanning with virustotal.com; it will let you just scan it with every virus scanner known to man.

 

Mine came back clean.

Message Edited by jarrycanada on 09-03-2008 03:30 PM

Hello.

 

Please submit this file to Symantec Security Response: http://www.symantec.com/business/security_response/submitsamples.jsp

 

I would suggest that you run LiveUpdate, boot into Safe Mode and do a Full System Scan.