
W32.Licum Virus

Created: 23 Jul 2009 • Updated: 21 May 2010 | 18 comments

I have been hammered by this virus for the last week or so. I have a bunch of installation files, from Office to drivers etc., which I have stored on another drive, but when I go to access them SEP says it has cleaned the files and the exe's become useless.
I also have a lot of these files backed up to a flash drive which has been scanned as OK, so I deleted all the files off the backup drive and copied them again, did a scan and it was OK, but a couple of days later the W32.Licum virus comes back. How do I pinpoint where it's coming from? Nothing on C:\ is infected, only D:\ where all the setup programs are stored.
Thanks

18 Comments

P_K_

W32.Licum - Removal
http://www.symantec.com/security_response/writeup.jsp?docid=2005-071316-2523-99&tabid=3

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Grant_Hall

Let's start off by asking: are you sure nothing on the C:\ drive is infected? Also, how are you scanning these files? Just a right-click and scan type of deal? If it were me, this is the approach I would take. I would disconnect my D:\ drive and thumb drives completely from the computer. Next I would start my OS in safe mode and run a full scan with System Restore off (the virus can hide in System Restore and "restore" itself). If my system was determined as clean I would load up all of those programs off of my backup thumb drive and not the D: drive. Also I would take care to make sure I only installed programs that were legit (not saying that anyone would have suspicious files, but you know what I mean). Also I would make sure autorun is disabled on my machine before connecting any thumb drives or USB storage devices. I would let this go for a few days and see if the virus reappears. If it doesn't, then go ahead and reconnect the D: drive. Scan it again and see what happens after a few days of it being connected.

Most important though is just the fact that you do the full system scan with System Restore off in safe mode. This is outlined very well in the article posted above. Also very critical is disabling autorun. Let us know how this all goes.

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )
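The thread's underlying question is which files on D:\ are being altered while the flash-drive copy stays clean. An added example, not from this thread or from Symantec: a PowerShell script (PowerShell 4 or later, for Get-FileHash) that hashes every executable under a known-clean backup root and under the suspect root, then reports files whose contents differ or that exist on only one side. The paths E:\SetupBackup and D:\Setup are assumptions; run it with the suspect drive attached after autorun has been disabled, as the post above recommends.

```powershell
# Added example (not from the thread). Compares executables on a clean backup
# against the working copy and lists every file that differs.
# Paths are assumptions: adjust $CleanRoot and $SuspectRoot to your own drives.
param(
    [string]$CleanRoot   = 'E:\SetupBackup',   # flash drive copy that scanned clean
    [string]$SuspectRoot = 'D:\Setup'          # drive where SEP keeps flagging files
)

# Build a table of relative path -> (SHA256 hash, size) for executable content under a root.
function Get-ExecutableTable {
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            $table[$rel] = [pscustomobject]@{
                Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Length = $_.Length
            }
        }
    return $table
}

$clean   = Get-ExecutableTable -Root $CleanRoot
$suspect = Get-ExecutableTable -Root $SuspectRoot

# Walk the union of both file sets and classify each entry.
$allPaths = @($clean.Keys) + @($suspect.Keys) | Sort-Object -Unique
$report = foreach ($rel in $allPaths) {
    $status = if (-not $clean.ContainsKey($rel))                 { 'ONLY_ON_SUSPECT' }
              elseif (-not $suspect.ContainsKey($rel))           { 'MISSING_ON_SUSPECT' }
              elseif ($clean[$rel].Hash -ne $suspect[$rel].Hash) { 'MODIFIED' }
              else                                               { 'OK' }
    [pscustomobject]@{
        Path        = $rel
        Status      = $status
        CleanSize   = if ($clean.ContainsKey($rel))   { $clean[$rel].Length }   else { $null }
        SuspectSize = if ($suspect.ContainsKey($rel)) { $suspect[$rel].Length } else { $null }
    }
}

# Only the differences matter; a file infector that appends itself shows up as MODIFIED with a larger size.
$report | Where-Object { $_.Status -ne 'OK' } | Sort-Object Status, Path | Format-Table -AutoSize
```

The MODIFIED rows, together with their timestamps, are what to line up against the SEP risk log to see which file was touched first; ONLY_ON_SUSPECT rows are files that never came from the backup at all.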

Paul Mapacpac

Please post your Risk Log (client side): open SEP, go to Logs, then View Risk Logs. Let's inspect when the first infection was.

Update your virus defs and run a full scan in safe mode.

Claytonb

I did post my message and risk log in the above post but it is showing as empty.

Grant_Hall

Give it a try again; I can delete the empty post if it doesn't work. Also, you can edit your first post and supply the log as a link that way. At least I am fairly sure you can; my UI is a little different from yours, so I am not positive.

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

Claytonb

How do I supply the log as a link? I have a txt file on my computer.

Vikram Kumar-SAV to SEP

You can upload your log using megaupload or something like that. I have seen many people on this forum using megaupload to upload big log files.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

ben_cSEPticons_secured

Doing what Mr. Grant_Hall said should be enough to remove the Licum virus infections, but don't forget to update your definitions to the latest before starting to full-scan your system.

Claytonb

I can't even start the scan in safe mode.

Vikram Kumar-SAV to SEP

What error are you getting when scanning in safe mode?

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Claytonb

First of all, I am running Windows 7 x64, and when I start SEP in safe mode it says "It appears that the Symantec Management Client service is not running. You will not be able to manage network protection settings blah blah", so I click No, not to start the service, because if I click Yes it will say failed to start service. When I click No, the main SEP window opens, and clicking on full scan nothing happens. I try to create a new scan but don't have any drives to select.

Grant_Hall

Hi Claytonb

Well, technically Windows 7 isn't officially supported yet. The official support date will be 1 month after Windows 7 is released, but I also have Windows 7 running on my home computer with SEP. I will check when I get home tomorrow (out of town now) if I can start SEP in safe mode. I will have a better idea of why that isn't working and maybe a fix to get it to start in Windows 7. Sorry I can't be more helpful now.

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

Grant_Hall

Hmm, I got home and was able to successfully start SEP in safe mode on Windows 7. However, I am using Windows 7 x86, so maybe that is the difference? One thing to consider is making a boot CD that can "scan" your drive without even having to boot to any particular hard drive. I can provide you the steps and software to do so, but I have to warn you that it is not officially supported and it is somewhat of a process to do so. Symantec is in development on making an easy-to-use downloadable ISO to do this sort of thing, but for now you have to make it yourself. There is also one piece of the software that I think you have to call in to obtain, so again it is somewhat of a hassle. If you want to attempt this route you can PM me or post and I will provide the necessary steps.

Cheers
Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

Claytonb

I have managed to get it scanning in safe mode on x64: I removed and reinstalled SEP.
So all is clean now. I still have no idea where the virus is coming from, as I have scanned all my drives and computers including flash drives, so if it comes back I'll let you know.
The boot CD option is a good idea; I've been looking for a way to do that for years, as I repair computers and the most common problems are infections.
So if you can share with me the boot CD feature, that would be good.

Claytonb

That's OK, no hurry. Also, I would very much like Symantec to add right-click scan for x64 versions; I don't know why it is still not done yet.
Is this also why the Network Protection module does not get installed on the main SEP screen? It seems to install OK on Windows 7 x86.

Vikram Kumar-SAV to SEP

Do you have any programs installed on the D drive, or is it just for backup?
Disable autoplay:
Start > Run > gpedit.msc > User Configuration > Administrative Templates > System > Turn off Autoplay > Enabled for all drives.
The re-infection starts from autoplay.
Clear all temp files. Check what add-ins are loaded in your IE (I guess 8).
Disable or remove all unknown/unwanted add-ins from IE.
Empty your temp folders: Start > Run > %temp% and C:\Windows\Temp.

This should help.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.
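The gpedit.msc path in the post above writes the NoDriveTypeAutoRun policy value to the registry; the script below is the scripted equivalent of that step plus the temp-folder cleanup, added here as an example and not taken from the thread or from Symantec. It assumes an elevated PowerShell prompt; 0xFF is the bitmask that turns AutoRun off for every drive type (the "all drives" option). The HKLM key is the machine-wide counterpart of the per-user key the User Configuration policy sets.

```powershell
# Added example (not from the thread). Disables AutoRun/AutoPlay on all drive
# types for the machine and the current user, verifies the values, then
# empties %temp% and C:\Windows\Temp. Run from an elevated prompt.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # Computer Configuration policy location
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # User Configuration policy location (what the gpedit step sets)
)

# Write NoDriveTypeAutoRun = 0xFF (all drive types) under each policy key.
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# Verify: each key should now report 0xFF (decimal 255).
foreach ($key in $policyKeys) {
    $value = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
    '{0}: NoDriveTypeAutoRun = 0x{1:X2}' -f $key, $value
}

# Empty the temp folders the post names. Files currently locked by a running
# process are skipped rather than aborting the whole cleanup.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
foreach ($dir in $tempDirs) {
    $before = (Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object).Count
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    $after = (Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object).Count
    '{0}: {1} items before, {2} remaining (locked files are left in place)' -f $dir, $before, $after
}
```

The registry change takes effect for newly attached drives without a reboot, but a drive already mounted should be removed and reattached for the policy to apply to it; the verification loop is there so the value can be confirmed before any flash drive goes back in.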

Claytonb

I only have WinRAR installed on D: actually, and the first infection in the risk log was from D:\WinRAR, but I have this folder on my flash drive also and have scanned the drive for viruses and it came up clean. I did manage to run an online scan of C:\ in safe mode and it was all clean.
It did find something on C:\ when it started repairing 100's of exe files on D:\, which was:

24/07/2009 9:00:25 a.m. W32.Licum Quarantined 4A670CF5.TMP File C:\programdata\Symantec\symantec endpoint protection\xfer\ SERVER Clayton Infected Quarantine Clean security risk Quarantine Auto-Protect scan The file was quarantined successfully.

Peterpan

Have you cleaned your temp folder?

:-)