Trend Micro OfficeScan Event

Created: 04 Apr 2012 | 3 comments

Now on two separate computers, the first yesterday afternoon, and the second this morning, I am intermittently getting blocked urls.

The symbols "" (UTF-8 stuff) show up on the page.

Parts of it are as follows: (I replaced the actual url with x's).

Trend Micro OfficeScan Event

URL Blocked

The URL that you are attempting to access is a potential security risk. Trend Micro OfficeScan has blocked this URL in keeping with network security policy.

URL: http://www.xxxxx.cfm

Risk Level: High

Details: For more information about this URL or to report it to Trend Micro for reclassification,visit http://reclassify.wrs.trendmicro.com.

Trend Micro OfficeScan 10

Thing is, I have not installed any Trend Micro products on either of these two systems. Following TrendMicro's steps to uninstall, I cannot find TrendMicro in my Startup area, in Program Files (x86), or in HKLM\Software. DLLs that are supposed to exist in System32 are not there. It is also not listed in Programs and Features.

My virus definitions are up to date. I have run scans using Microsoft Essentials, Microsoft Security Scan, Malwarebytes freeware, and Symantec and all are clean.

I am suspicious because:

  1. I have never installed Trend Micro on my machines (that I know of).
  2. Trend Micro does not appear to be in the appropriate places if it was properly installed.
  3. The site blocking is intermittent.

I have surfed for some info on this and at least as of the moment, I do not see any reports of this product being made available by my ISP and it does not appear to be installed on my system.

If this is a real TrendMicro product, I do not appreciate them installing it on my machines
a) without my permission, and
b) in a way that cannot be un-installed.

Giving TrendMicro the benefit of the doubt, this has got to be an infection - but why has no one else complained about this yet?

I would appreciate any clarification available.

Thanks,
Bob.

BobH2's picture

I have just spoken with a Trend Micro support person who has confirmed that Trend Micro does not surreptitiously install their products, and that indeed, if it was installed on systems, it would require an explicit install, and would show up under HKLM\Software and in Program Files (x86), etc.

He also confirmed that it is not supplied by ISPs and is not installed on websites to protect against bad pages. He suspects this may be an infection.

I have given him this link and they will apparently investigate.

Bob.

Thomas K's picture

I suggest running some additional scans. Start with the Power Eraser and let's see if anything gets picked up.

If you have Symantec Endpoint installed, you are entitled to the SERT utility. This tool is a bootable CD that can scan and remove malware.

BobH2's picture

Thomas,

Trend Micro had me run their Case Diagnostic Tool which confirmed I do not have any Trend Micro product installed.

They also did a webex to confirm that there were no entries in HKLM, Program Files (x86), etc. and saw the blocking screens. Although they are apparently quite similar to their product, they are not identical. The UTF-8 characters are apparently not characteristic of the real OfficeScan product.

In addition, when I tried to look at an email he sent in Outlook 2007, the email titles started to disappear and some text displayed in the email bodies about blocked by trend micro but it was too quick and I closed Outlook immediately.

I am running Power Eraser now.

Thanks,
Bob.