I have some weird stuff going on with a couple of W2K machines at work... both pointing at the same kind of infection. I noticed the first after OfficeScan Corp Ed found the spyw_firstlook.a virus/spyware. This was cleaned up no problem, but since I removed some of the files manually, I lost the network connection on the PC due to a damaged LSP stack (used LSPfix to repair).

After this, all was well, but I noticed a process running in Task Manager which I know shouldn't be there. I don't still have the filename, but it was a random 6 character name, both numbers & letters. (others on second PC are NJ7793.exe, CB9E7F, FVE3EB, YX23D0, ZT6255......) I couldn't terminate the process, and couldn't delete the file from C:\winnt\temp. If I rebooted to safe mode, neither instances exist. If I reboot normally, it will come back with a different name. In all cases, the file is 1,928k in size. The source file in the Temp dir, with the same name as the running process is always 169Kb.

I've been through all the 'fix' processes - online scans, HJT, etc. (I'm very confident with HJT and know what should and shouldn't be there!) and I've also manually checked the HKLM/Software/Microsoft/Windows/Current Version/Run and similar keys. None of these showed up anything.

The whole affair is very similar to CoolWebSearch or HomeShopping or whatever, but I can't find the companion DLL's as was the case with those. Ans as said, using all the named tools in both safe and normal mode come up with nothing.

Any ideas folks?

Forgot to add - the dates for all of the files are 06/07/2004 21:07 for all of them, in case that rings a bell with anyone. (UK date format)

Thanks guys!

I still haven't got anywhere with this - the programs are still running in the background, but one user is complaining that his PC is starting to run badly. I really need some help with this one guys!!

Okay after reading the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File > (http://forums.majorgeeks.com/showthread.php?t=38752)

Post your HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

DO NOT run Hijack This from the Desktop, a temp folder or choose to run from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

Please only one problem PC per thread too. If the problems are exactly the same you can just follow the same steps.

I have the same thing happening on my machine at work. I've looked at the .EXE with a hex editor and it seems to belong to Trend Office Scan, which is installed here. Are you running Trend?

I have the same thing happening on my machine at work. I've looked at the .EXE with a hex editor and it seems to belong to Trend Office Scan, which is installed here. Are you running Trend?

Which EXE file are you talking about? Richuu mention a bunch of files. Also valid applications would not rename their file everytime you delete it.

The randomly-named .exe found in \WINNT\temp (it's also running as an unkillable process).

The text embedded in the .exe binary references "ofcdog" and TrendMicro in several places. I'm trying to get our workstation techs to get an answer from Trend if this .exe is, in fact, spawned by OfficeScan at boot time.

I guess a case could be made that a randomly-named antivirus executable would make it harder for a malicious program to detect/disable.

I just heard from our Trend guru - it is, in fact, part of OfficeScan. The random naming of the file is an option, with the intent being as I suspected: to make it difficult for a malicious program to disable the scanner.

This is good info to know.. thank you.