We're doing some vulnerability remediation and grpconv.exe keeps coming up. The file is located in c:\windows\system32\. I am aware that grpconv.exe is used to convert legacy start menu items to a newer format. This is a Windows Server 2003 SP2 system, and so grpconv.exe is not needed on the server.
If I delete or rename c:\windows\system32\grpconv.exe, the file reappears after a few seconds. That's a clear warning sign. However, neither a Trend Micro manual scan or HijackThis reports anything odd on this system.