SYSTEM process running in the Windows/Temp directory?

[Crazy Horse]

1 At every startup a system process is running in the Windows/Tem dir.
2 It has a favicon showing a green running dog, but the filename is
different every time.
3 The filename always consists of 6 upper case chars and digits + .EXE
(NA54GR.EXE)
4 The filesize is normally app. 2720 bytes, but is occasionally smaller.
5. When the process is stopped manually, the file is deleted automatically.

No spyware/trojan/virus scanner report attack.

Anyone seen it before?

 

[Chris]

Do you have Trendmicro OfficeScan? It changes its name every startup so it
cannot be hijacked.

Chris

 

[Robinb]

if you do not have the tremdmirco office scan, download superantispyware and
run it and see if it finds anything

robin

 

[Engel]

Hello CH,

If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any
BHO's that you don't recºgnize.
<http://inetexplorer.mvps.org/data/addons.htm>

You can also use the System Explorers to look at BHO's and block them--it
also shows known and unknown fºr BHO's..
<http://www.microsoft.com/windowsxp/using/web/sp2_addonmanager.mspx> .

I hope this post is helpful.

Let us know how it works ºut.
- -- --


PRAISE
Praise undeserved is satire in disguise. -----Pope

 

[Crazy Horse]

Thanks, Chris.

Yes, I have Trend Micro Client/Server Security Agent running. I'll look into
it and post back as soon as I can verify if this is the case.

CH

 

[Crazy Horse]

Reply from Trend Micro:
......
Yes, it is very likely the watchdog program that is taking care the realtime
scan is not stopped by a malware.

The name of the original file is:
C:\%path to location of Trend Micro OfficeScan Client folder%\OfcDog.exe

.....

Case closed.

Thanks, all.

CH