
Topic: Help With This Log File

  1. #11
    antonbijl
    Guest

    Re: Help With This Log File

    Peter

    I specifically posted it here because I thought it might help in solving the OP's original problem (since I'm having the exact same problem and have not found anything else anywhere on the Internet referring to it). You will notice that I did not ask anyone to look at my problem or my log file, I merely posted as additional information on the OP's problem.

    Surely if a new unknown problem pops up it helps to have a few samples to look at so that you can identify common denominators!

    Apologies for any inconvenience.

    Cheers

    Anton

  2. #12
    Frequent poster
    Registered since
    23.10.2004
    Posts
    344

    Re: Help With This Log File

    I agree that multiple information on the same sort of problem is appreciated; just posting two logs in the same thread can be very confusing, especially to me.

    If you don't require any assistance in removing this dog icon problem then that's fine as well.

    Please feel free to comment on the problem but allow some time to investigate the problem.

  3. #13
    antonbijl
    Guest

    Re: Help With This Log File

    The file does belong to Trend Micro. See this thread: http://forums.majorgeeks.com/archive/index.php/t-43052

    It is a copy of the file C:\Program Files\Trend Micro\OfficeScan Client\Ofcdog.exe

    According to the above thread, the random file naming is done intentionally by Trend Micro to make it more difficult for would-be attackers to find and kill this process.

    HTH

    Anton

  4. #14
    Frequent poster
    Registered since
    23.10.2004
    Posts
    344

    Re: Help With This Log File

    Antonbijl

    That's good to know.
    Could you post a processlist.txt for this application running to see if it can be easily identified?
    This will assist us in identifying this as a safe item.

    To get a processlist.txt, run Hijackthis.exe and press config->misc tools->open process manager and press the disc icon/save button.

  5. #15
    antonbijl
    Guest

    Re: Help With This Log File

    Below is my processlist.txt

    You'll notice the file is now called JV190C

    My previous observation that the file is in format AANNAA where A = Alpha characters and N = Numeric characters seems to be incorrect. It looks like it is actually 6 completely random alphanumeric characters.

    Code:
    Process list saved on 06:16:30 PM, on 2004/10/29
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    
    [full path to filename]		[file version]	[company name]
    C:\WINDOWS\System32\smss.exe		5.1.2600.1106	Microsoft Corporation
    C:\WINDOWS\system32\winlogon.exe		5.1.2600.1106	Microsoft Corporation
    C:\WINDOWS\system32\services.exe		5.1.2600.0	Microsoft Corporation
    C:\WINDOWS\system32\lsass.exe		5.1.2600.1106	Microsoft Corporation
    C:\WINDOWS\system32\svchost.exe		5.1.2600.0	Microsoft Corporation
    C:\WINDOWS\System32\svchost.exe		5.1.2600.0	Microsoft Corporation
    C:\WINDOWS\system32\spoolsv.exe		5.1.2600.0	Microsoft Corporation
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe		7.10.3077.0	Microsoft Corporation
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe		6.5.0.1030	Trend Micro Inc.
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe		6.5.0.1030	Trend Micro Inc.
    C:\WINDOWS\System32\tcpsvcs.exe		5.1.2600.0	Microsoft Corporation
    C:\WINDOWS\System32\snmp.exe		5.1.2600.1106	Microsoft Corporation
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe		6.5.0.1030	Trend Micro Inc.
    C:\WINDOWS\TEMP\JV190C.EXE			
    C:\WINDOWS\Explorer.EXE		6.0.2800.1221	Microsoft Corporation
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe		6.5.0.1030	Trend Micro Inc.
    C:\Program Files\Messenger\msmsgs.exe		4.7.0.2009	Microsoft Corporation
    C:\WINDOWS\System32\ctfmon.exe		5.1.2600.1106	Microsoft Corporation
    C:\WINDOWS\System32\brss01a.exe		1.0.0.4	brother Industries Ltd
    C:\Documents and Settings\Antonb\My Documents\My Downloads\hijackthis_198\HijackThis.exe		1.98.0.2	Soeperman Enterprises Ltd.

  6. #16
    antonbijl
    Guest

    Re: Help With This Log File

    Having posted that, I notice that none of the file properties are present. I guess this is part of Trend Micro's whole philosophy with trying to hide this file from potentially malicious programs. Unfortunately, that also makes it much more difficult for friendly programs (like HJT) to identify it as safe.

  7. #17
    Frequent poster
    Registered since
    23.10.2004
    Posts
    344

    Re: Help With This Log File

    Hmm, gonna be difficult to recognize this as safe.

    Are you able to turn this function off under Office Scan temporarily?

  8. #18
    antonbijl
    Guest

    Re: Help With This Log File

    We have a corporate or enterprise edition of Trend Micro. The setting that causes the random file name for the 'Officescan Watchdog' is accessed through the web-based admin console on the server under the global client settings and is called 'Enable Anti-hijack' or something of the sort.

    When disabled, the process still starts on boot-up, but with the original .exe name 0FCD0G.exe in the process list below. Still no properties, but the filename is consistent (note that the file name has zeros instead of O's).

    As you say, it will be difficult to identify it as safe, since they've intentionally made it hard to identify...

    Code:
    Process list saved on 11:50:08 AM, on 2004/10/30
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    
    [full path to filename]		[file version]	[company name]
    C:\WINDOWS\System32\smss.exe		5.1.2600.1106	Microsoft Corporation
    C:\WINDOWS\system32\winlogon.exe		5.1.2600.1106	Microsoft Corporation
    C:\WINDOWS\system32\services.exe		5.1.2600.0	Microsoft Corporation
    C:\WINDOWS\system32\lsass.exe		5.1.2600.1106	Microsoft Corporation
    C:\WINDOWS\system32\svchost.exe		5.1.2600.0	Microsoft Corporation
    C:\WINDOWS\System32\svchost.exe		5.1.2600.0	Microsoft Corporation
    C:\WINDOWS\system32\spoolsv.exe		5.1.2600.0	Microsoft Corporation
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe		7.10.3077.0	Microsoft Corporation
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe		6.5.0.1030	Trend Micro Inc.
    C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe		6.5.0.1030	Trend Micro Inc.
    C:\WINDOWS\System32\tcpsvcs.exe		5.1.2600.0	Microsoft Corporation
    C:\WINDOWS\System32\snmp.exe		5.1.2600.1106	Microsoft Corporation
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe		6.5.0.1030	Trend Micro Inc.
    C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\0FCD0G.EXE			
    C:\WINDOWS\Explorer.EXE		6.0.2800.1221	Microsoft Corporation
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe		6.5.0.1030	Trend Micro Inc.
    C:\WINDOWS\System32\ctfmon.exe		5.1.2600.1106	Microsoft Corporation
    C:\Documents and Settings\Antonb\My Documents\My Downloads\hijackthis_198\HijackThis.exe		1.98.0.2	Soeperman Enterprises Ltd.

  9. #19
    Frequent poster
    Registered since
    23.10.2004
    Posts
    344

    Re: Help With This Log File

    Does TrendMicro install a service which then runs the ofcdog.exe?
    It seems to reinstall itself when shutdown or deleted.

    Note I can't find any reference with zeros but rather with the letter O

  10. #20
    Frequent poster
    Registered since
    23.10.2004
    Posts
    344

    Re: Help With This Log File

    Hmm just had another thought

    antonbijl
    Can you run hijackthis and select config->Misc tools->select MD5 Checksum
    and generate checksum and see what you get?

    Thinking I might identify it by MD5 checksum
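
Added example (not part of the original thread, and not HijackThis or Trend Micro code): a Python triage of the processlist.txt layout posted above, flagging rows with no version/company information, executables running from a TEMP directory, and digit-for-letter look-alikes of the watchdog name. It assumes tab-separated columns; `parse_process_list`, `triage` and `KNOWN_NAME` are hypothetical names, and the sample rows are constructed from the two lists in the thread.

```python
import ntpath
import re

# Constructed sample in the processlist.txt layout shown in this thread
# (assumption: tab-separated columns; rows copied from the two posted lists).
SAMPLE = "\n".join([
    "Process list saved on 06:16:30 PM, on 2004/10/29",
    "Platform: Windows XP SP1 (WinNT 5.01.2600)",
    "",
    "[full path to filename]\t\t[file version]\t[company name]",
    "C:\\WINDOWS\\system32\\lsass.exe\t\t5.1.2600.1106\tMicrosoft Corporation",
    "C:\\Program Files\\Trend Micro\\OfficeScan Client\\tmlisten.exe\t\t6.5.0.1030\tTrend Micro Inc.",
    "C:\\WINDOWS\\TEMP\\JV190C.EXE\t\t\t",
    "C:\\PROGRAM FILES\\TREND MICRO\\OFFICESCAN CLIENT\\0FCD0G.EXE\t\t\t",
])

KNOWN_NAME = "OFCDOG"  # watchdog executable named in the thread (Ofcdog.exe)

def parse_process_list(text):
    """Return [(path, version, company)] for every process row."""
    rows = []
    for line in text.splitlines():
        line = line.strip(" ")
        if not re.match(r"[A-Za-z]:\\", line):
            continue  # header, platform line or blank line
        cols = line.split("\t")          # path, "", version, company
        cols += [""] * (4 - len(cols))   # tolerate stripped trailing tabs
        rows.append((cols[0].strip(), cols[2].strip(), cols[3].strip()))
    return rows

def triage(rows):
    """Map each path that needs manual verification to the reasons why."""
    findings = {}
    for path, version, company in rows:
        reasons = []
        folder = ntpath.dirname(path).upper()
        stem = ntpath.splitext(ntpath.basename(path))[0].upper()
        if not version and not company:
            reasons.append("no version/company resource")
        if "\\TEMP\\" in folder + "\\":
            reasons.append("runs from a TEMP directory")
            if re.fullmatch(r"[A-Z0-9]{6}", stem):
                reasons.append("six-character alphanumeric name")
        if stem != KNOWN_NAME and stem.replace("0", "O") == KNOWN_NAME:
            reasons.append("digit look-alike of " + KNOWN_NAME)
        if reasons:
            findings[path] = reasons
    return findings
```

A flagged row is a prompt for verification, for instance comparing its checksum with the installed Ofcdog.exe as suggested in post #20.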
