PG and Norton Systemworks Question

Discussion in 'ProcessGuard' started by richrf, Oct 5, 2004.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi guys,

    I am still trying to figure out whether I have a little nasty on my computer. Funny little things keep happening. Maybe it is nothing .. but maybe it is something. I'm doing all kinds of scans but I have a question concerning PG and Systemworks.

    At startup, a program called symlcsv1.exe is requesting permission to execute from \document and settings\user name\local\temp\symlcsv1.exe. If I don't give permission, it goes into a loop that I cannot get out of. If I give permission, which I do on a one-time basis, a program called symlcsv.exe asks for permission to execute.

    Does this sound legit? It seems a bit odd to me.

    Thanks for any advice.

    Rich
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe "
    is related to Norton, but "symlcsv1.exe" seems to be a mimic, possibly spyware.

    If you deny it from launching "always", do your Norton products still work?

    regards,

    gkweb.
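
An added example, not part of the original thread or any poster's code: a small Python check for the situation gkweb describes, flagging a process image whose file name resembles a known binary but which sits outside the expected directory. The only allowlist entry is the path quoted above; `KNOWN_GOOD`, the distance threshold and the function names are assumptions, and a "review" verdict means the file needs verifying, not that it is malicious.

```python
import ntpath

# Known-good image paths. The single entry is the path quoted in the thread;
# a real allowlist would come from your own software inventory (assumption).
KNOWN_GOOD = [
    r"C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe",
]

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_temp_path(path):
    """True if any directory component of a Windows path is temp or tmp."""
    parts = ntpath.normcase(ntpath.normpath(path)).split("\\")
    return any(p in ("temp", "tmp") for p in parts[:-1])

def classify(path, known_good=KNOWN_GOOD, max_distance=2):
    """Return (verdict, reasons) for one process image path."""
    norm = ntpath.normcase(ntpath.normpath(path))
    name = ntpath.basename(norm)
    reasons = []
    for good in known_good:
        good_norm = ntpath.normcase(ntpath.normpath(good))
        good_name = ntpath.basename(good_norm)
        if norm == good_norm:
            return "expected", []
        if name == good_name:
            reasons.append(f"name matches {good_name} but directory differs")
        elif edit_distance(name, good_name) <= max_distance:
            reasons.append(f"name resembles {good_name}")
    if is_temp_path(norm):
        reasons.append("image runs from a Temp directory")
    return ("review" if reasons else "unknown"), reasons

if __name__ == "__main__":
    # First path is as written in the opening post; the second is constructed.
    for p in (r"\document and settings\user name\local\temp\symlcsv1.exe",
              r"C:\Windows\System32\notepad.exe"):
        print(p, "->", classify(p))
```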
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi gkweb,

    No. PG goes into a loop until I give it one-time permission.

    I noticed that symlcsvs.exe (the core engine) was recently modified, which seemed strange since it was not modified recently on my other machine. I have completely uninstalled NAV as well as cleaned up any residual folders in Program Files\Symantec and Program Files\Common\Symantec. I have now re-installed and the request for the symlcsv1 seems to have disappeared for now. I will see what happens.

    If you have any other ideas, I would very much appreciate it.

    Rich
     
  4. LuckMan212

    LuckMan212 Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    252
    Sounds like a trojan. Do you still have "symlcsv1.exe"? If you do, you should email a copy of it to DCS for further analysis. Do you have TDS-3? Have you scanned?
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Richf, yes, this is worrying. I think it would also be prudent to post a HiJackThis log.
    You can find the download here:
    http://www.thespykiller.co.uk/
    Please run HJT from its own folder and paste a copy of the log in your next post. We will then ask the experts to take a look.

    Pilli
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Sorry. While I was going through my process, I did not think to save it somewhere. In fact, all I was thinking about was getting rid of it. However, since it just happened, I may be able to recover it from my disk. If you have a procedure, I can try to recover it.

    Regards,
    Rich
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    richf, look in your deleted items folder as it may be in there. Whilst in the deleted items folder, right-click it and send to compressed file; this will create a .zip file, which you should then email to support@diamondcs.com.au
    You could also do a search using desktop explorer by entering the file name and searching "My computer" for any other copies.

    Don't forget to do an HJT log. :)

    Thanks. Pilli
     
  8. Did anyone ever figure this one out? I have that same file appearing from time to time now, and Regrun shutdown monitoring always finds a delayed delete request during shutdown (for the file in the temp folder).
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK