Help With This Log File

antonbijl · 29.10.2004, 07:16

Peter

I specifically posted it here because I thought it might help in solving the OP's original problem (since I'm having the exact same problem and have not found anything else anywhere on the Internet referring to it). You will notice that I did not ask anyone to look at my problem or my log file, I merely posted as additional information on the OP's problem.

Surely if a new unknown problem pops up it helps to have a few samples to look at so that you can identify common denominators!

Apologies for any inconvenience.

Cheers

Anton

**peterg70** · 29.10.2004, 07:43

I agree that multiple information on the same sort of problem is appreciated just posting two logs in the same thread can be very confusing especially to me.

If you don't require any assistance in removing this dog icon problem then thats fine as well.

Please feel free to comment on the problem but allow some time to investigate the problem.

antonbijl · 29.10.2004, 07:49

The file does belong to Trend Micro. See this thread: http://forums.majorgeeks.com/archive/index.php/t-43052

It is a copy of the file file C:\Program Files\Trend Micro\OfficeScan Client\Ofcdog.exe

According to the above thread, the random file naming is done intentionally by Trend Micro to make it more difficult for would-be attackers to find and kill this process.

HTH

Anton

**peterg70** · 29.10.2004, 09:37

Antonbijl

Thats good to know.
Could you post a processlist.txt for this application running to see if it can be easily identified.
This will assist us in identifying this as a safe item.

To get a processlist.txt Run Hijackthis.exe and press config->misc tools->open process manager and press the disc icon/save button.

antonbijl · 29.10.2004, 17:20

Below is my processlist.txt

You'll notice the file is now called JV190C

My previous observation that the file is in format AANNAA where A = Alpha characters and N = Numeric characters seems to be incorrect. It looks like it is actually 6 completely random alphanumeric characters.

Code:

Process list saved on 06:16:30 PM, on 2004/10/29
Platform: Windows XP SP1 (WinNT 5.01.2600)

[full path to filename]		[file version]	[company name]
C:\WINDOWS\System32\smss.exe		5.1.2600.1106	Microsoft Corporation
C:\WINDOWS\system32\winlogon.exe		5.1.2600.1106	Microsoft Corporation
C:\WINDOWS\system32\services.exe		5.1.2600.0	Microsoft Corporation
C:\WINDOWS\system32\lsass.exe		5.1.2600.1106	Microsoft Corporation
C:\WINDOWS\system32\svchost.exe		5.1.2600.0	Microsoft Corporation
C:\WINDOWS\System32\svchost.exe		5.1.2600.0	Microsoft Corporation
C:\WINDOWS\system32\spoolsv.exe		5.1.2600.0	Microsoft Corporation
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe		7.10.3077.0	Microsoft Corporation
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe		6.5.0.1030	Trend Micro Inc.
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe		6.5.0.1030	Trend Micro Inc.
C:\WINDOWS\System32\tcpsvcs.exe		5.1.2600.0	Microsoft Corporation
C:\WINDOWS\System32\snmp.exe		5.1.2600.1106	Microsoft Corporation
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe		6.5.0.1030	Trend Micro Inc.
C:\WINDOWS\TEMP\JV190C.EXE			
C:\WINDOWS\Explorer.EXE		6.0.2800.1221	Microsoft Corporation
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe		6.5.0.1030	Trend Micro Inc.
C:\Program Files\Messenger\msmsgs.exe		4.7.0.2009	Microsoft Corporation
C:\WINDOWS\System32\ctfmon.exe		5.1.2600.1106	Microsoft Corporation
C:\WINDOWS\System32\brss01a.exe		1.0.0.4	brother Industries Ltd
C:\Documents and Settings\Antonb\My Documents\My Downloads\hijackthis_198\HijackThis.exe		1.98.0.2	Soeperman Enterprises Ltd.

antonbijl · 29.10.2004, 17:27

Having posted that I notice that none of the file properties are present, I guess this is part of Trend Micro's whole philosophy with trying to hide this file from potentially malicious programs. Unfortunately, that also makes it much more difficult for friendly programs (like HJT) to identify it as safe.

**peterg70** · 30.10.2004, 04:39

hmm gonna be difficult to reconize this as safe.

Are you able to turn this function off under Office Scan temporary?

antonbijl · 30.10.2004, 10:56

We have a corporate or enterprise edition of Trend Micro. The setting that causes the random file name for the 'Officescan Watchdog' is accessed through the web-based admin console on the server under the global client settings and is called 'Enable Anti-hijack' or something of the sort.

When disabled, the process still starts on boot-up, but with the original .exe name 0FCD0G.exe in the process list below. Still no properties, but the filename is consistent (note that the file name has zero's instead of O's)

As you say, it will be difficult to identify it as safe, since they've intentionally made it hard to identify...

Code:

Process list saved on 11:50:08 AM, on 2004/10/30
Platform: Windows XP SP1 (WinNT 5.01.2600)

[full path to filename]		[file version]	[company name]
C:\WINDOWS\System32\smss.exe		5.1.2600.1106	Microsoft Corporation
C:\WINDOWS\system32\winlogon.exe		5.1.2600.1106	Microsoft Corporation
C:\WINDOWS\system32\services.exe		5.1.2600.0	Microsoft Corporation
C:\WINDOWS\system32\lsass.exe		5.1.2600.1106	Microsoft Corporation
C:\WINDOWS\system32\svchost.exe		5.1.2600.0	Microsoft Corporation
C:\WINDOWS\System32\svchost.exe		5.1.2600.0	Microsoft Corporation
C:\WINDOWS\system32\spoolsv.exe		5.1.2600.0	Microsoft Corporation
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe		7.10.3077.0	Microsoft Corporation
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe		6.5.0.1030	Trend Micro Inc.
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe		6.5.0.1030	Trend Micro Inc.
C:\WINDOWS\System32\tcpsvcs.exe		5.1.2600.0	Microsoft Corporation
C:\WINDOWS\System32\snmp.exe		5.1.2600.1106	Microsoft Corporation
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe		6.5.0.1030	Trend Micro Inc.
C:\PROGRAM FILES\TREND MICRO\OFFICESCAN CLIENT\0FCD0G.EXE			
C:\WINDOWS\Explorer.EXE		6.0.2800.1221	Microsoft Corporation
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe		6.5.0.1030	Trend Micro Inc.
C:\WINDOWS\System32\ctfmon.exe		5.1.2600.1106	Microsoft Corporation
C:\Documents and Settings\Antonb\My Documents\My Downloads\hijackthis_198\HijackThis.exe		1.98.0.2	Soeperman Enterprises Ltd.

**peterg70** · 30.10.2004, 11:14

Does TrendMicro install a service which then runs the ofcdog.exe
It seems to reinstall itself when shutdown or deleted.

Note I can't find any reference with zeros but rather with the letter O

**peterg70** · 30.10.2004, 11:49

Hmm just had another thought

antonbijl
Can you run hijackthis and select config->Misc tools->select MD5 Checksum
and generate checksum and see what you get.

Thinking I might identify it by MD5 checksum

Thema: Help With This Log File

Themen-Optionen

AW: Help With This Log File

Re: Help With This Log File

AW: Help With This Log File

Re: Help With This Log File

AW: Help With This Log File

AW: Help With This Log File

Re: Help With This Log File

AW: Help With This Log File

Re: Help With This Log File

Re: Help With This Log File

Aktive Benutzer

Aktive Benutzer

Ähnliche Themen

Computer runs slow IE doesn't launch of links...

Boese Sache eingefangen

Probleme mit Hotoffers und Co.

trusted IP range

Homesearch, D3iq32.exe

Berechtigungen