A problem after a crash

JD

Hi Experts :)

I have a computer that I set up about a year ago
and it has a C: drive with a strange folder
Windows. Just below it is another folder WINNT -
for the installed Win2K. The Windows folder has a
few files e.g. bnwork.exe, conmser.exe, gjgx.vbe,
gjht.vbe, my2.ini, winnetest.exe, and a few more.
This drive is NTFS.

A few days ago my computer crashed - first time in
about 9 months - and since then I keep getting
warnings about the gjht.vbe. "The system cannot
find the file specified." This .vbe is still there
but has only 294 bytes and was probably hit by the
crash. The other .vbe has 2.31kB.

In this Windows folder there is also a System32
folder with subfolders: chrome, components,
cookie, greprefs, ipc, plugins, res and, finally,
Update. I can't even remember how this Windows
folder got there.

Can anyone recognize this situation? I have
several NTFS drives on the machine and one FAT32,
but the C: drive is on an NTFS.

Help appreciated
 
Paul

JD said:
Hi Experts :)

I have a computer that I set up about a year ago and it has a C: drive
with a strange folder Windows. Just below it is another folder WINNT -
for the installed Win2K. The Windows folder has a few files e.g.
bnwork.exe, conmser.exe, gjgx.vbe, gjht.vbe, my2.ini, winnetest.exe, and
a few more. This drive is NTFS.

A few days ago my computer crashed - first time in about 9 months - and
since then I keep getting warnings about the gjht.vbe. "The system
cannot find the file specified." This .vbe is still there but has only
294 bytes and was probably hit by the crash. The other .vbe has 2.31kB.

In this Windows folder there is also a System32 folder with subfolders:
chrome, components, cookie, greprefs, ipc, plugins, res and, finally,
Update. I can't even remember how this Windows folder got there.

Can anyone recognize this situation? I have several NTFS drives on the
machine and one FAT32, but the C: drive is on an NTFS.

Help appreciated

microsoft.public.windowsxp.general
microsoft.public.win2000.general

Perhaps groups like that, would have more people who would recognize those
files. I tried a search on one of them, and didn't get any substantial hits.
Due to the lack of hits in a search engine, I'm going to have to guess
"malware" for those "few files".

My WinXP partition looks like

C:
  Windows
    Driver Cache
    System
    System32
    Temp
  Program Files

My Win2K partition has

C:
  Windows
    Driver Cache
    System
    System32
    Temp
  Program Files

Those are very quick snapshots of the structure, without listing all the
directories of interest. I'm currently searching for a WINNT somewhere, but
not finding it. There are plenty of references to WINNT in driver downloads,
but that is about it.

My installs are on separate disks, which could account for the differences.
Maybe other weirdness happens, if they're on the same partition (upgrade
install). Someone in a Microsoft.* group would likely know.

Things like chrome, components, and plugins, smell like a browser you installed
at some point. I have a "greprefs" in a Firefox install, but a number of browsers
share that kind of stuff.

Paul
 
JD

Paul said:
microsoft.public.windowsxp.general
microsoft.public.win2000.general

Perhaps groups like that, would have more people who would recognize those
files. I tried a search on one of them, and didn't get any substantial hits.
Due to the lack of hits in a search engine, I'm going to have to guess
"malware" for those "few files".

My WinXP partition looks like

C:
  Windows
    Driver Cache
    System
    System32
    Temp
  Program Files

My Win2K partition has

C:
  Windows
    Driver Cache
    System
    System32
    Temp
  Program Files

Those are very quick snapshots of the structure, without listing all the
directories of interest. I'm currently searching for a WINNT somewhere, but
not finding it. There are plenty of references to WINNT in driver downloads,
but that is about it.

My installs are on separate disks, which could account for the differences.
Maybe other weirdness happens, if they're on the same partition (upgrade
install). Someone in a Microsoft.* group would likely know.

Things like chrome, components, and plugins, smell like a browser you installed
at some point. I have a "greprefs" in a Firefox install, but a number of browsers
share that kind of stuff.

Paul

Thanks again Paul.

I renamed that Window to WindowC and there is some squawking
from my firewall and a few other sources. Will keep monitoring.
 
JD

JD said:
Thanks again Paul.

I renamed that Window to WindowC and there is some squawking
from my firewall and a few other sources. Will keep monitoring.

I just had a thought. Microshaft regularly "updates" my Win2K and
IE. They might have added that oddball Windows material.
 
JD

kony said:
Doubtful, they look like malware.

Check the file creation dates and do a file search for other
files created around the same time, there may be other
suspicious ones you need to remove.

Run a malware and antivirus scanner, but it is often easier
to pull the whole drive out and scan it on another system so
there isn't any malware running at the time which often
tries to protect and reproduce itself.

Thank you Kony for your usual enlightening response. I did some more
exploring.

The files I last looked through were in the Windows folder on the C: drive
and there were 5 .exes there. The last one was winnetest.exe. Below
that there is a System32 folder with some more interesting things.
I looked through the files again and just below System32 is a
Browser folder with many .dll files but also, to my surprise, with
the FFox symbol and with oke.exe immediately to the right of it.

Apparently this whole thing was a "plant" of FFox, without my permission.
What liberties FF takes! I also noticed that every time I set a blank
startup page, FFox overrides it with its big red symbol and a search box.

In any case, the program in question is dormant. It's doing nothing as far
as I can tell. No whining since I changed the name Windows.

Comments please :)

Thanks!
 
Paul

JD said:
Thank you Kony for your usual enlightening response. I did some more
exploring.

The files I last looked through were in the Windows folder on the C: drive
and there were 5 .exes there. The last one was winnetest.exe. Below
that there is a System32 folder with some more interesting things.
I looked through the files again and just below System32 is a
Browser folder with many .dll files but also, to my surprise, with
the FFox symbol and with oke.exe immediately to the right of it.

Apparently this whole thing was a "plant" of FFox, without my permission.
What liberties FF takes! I also noticed that every time I set a blank
startup page, FFox overrides it with its big red symbol and a search box.

In any case, the program in question is dormant. It's doing nothing as far
as I can tell. No whining since I changed the name Windows.

Comments please :)

Thanks!

Upload the files to virustotal.com and have them scanned.

Paul
 
JD

Paul said:
Upload the files to virustotal.com and have them scanned.

Paul

Thanks Paul.

There are too many files to be scanned, scanning is slow, and I have
to upload them one by one.
 
Paul

JD said:
Thanks Paul.

There are too many files to be scanned, scanning is slow, and I have
to upload them one by one.

bnwork.exe, conmser.exe, gjgx.vbe, gjht.vbe, winnetest.exe ???

I would at least scan the three .exe files, purely out of curiosity.

Paul
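
kony's suggestion earlier in the thread (look for other files created around the same time as the suspicious ones) and the VirusTotal check Paul recommends can be done in one pass over the drive once it is attached to a clean machine. The following is an added example, not part of the original thread; the function names and the E:\ mount point are assumptions, and each SHA-256 it prints can be searched on virustotal.com instead of uploading the files one by one.

```python
import hashlib
import os
from datetime import datetime

def created(st):
    """Creation time: st_birthtime where the platform has it, else st_ctime
    (creation time on Windows, but inode-change time on Unix)."""
    return getattr(st, "st_birthtime", st.st_ctime)

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def files_near(root, suspects, window_hours=24, stamp=created):
    """Return (path, timestamp, sha256) for every file under root whose
    timestamp lies within window_hours of any file named in suspects."""
    wanted = {name.lower() for name in suspects}
    entries = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, stamp(os.stat(path))))
            except OSError:
                continue  # unreadable or vanished file: skip, keep walking
    anchors = [t for p, t in entries if os.path.basename(p).lower() in wanted]
    span = window_hours * 3600
    hits = []
    for path, t in sorted(entries, key=lambda e: e[1]):
        if any(abs(t - a) <= span for a in anchors):
            try:
                digest = sha256_of(path)
            except OSError:
                digest = "unreadable"
            hits.append((path, t, digest))
    return hits

if __name__ == "__main__":
    # E:\ is an assumed mount point for the suspect drive on the clean machine.
    # The file names are the ones listed in the thread.
    names = ["bnwork.exe", "conmser.exe", "gjgx.vbe", "gjht.vbe", "winnetest.exe"]
    for path, t, digest in files_near("E:\\", names):
        print(datetime.fromtimestamp(t).isoformat(" ", "seconds"), digest, path)
```

A hash search only finds files that someone has already submitted to the service, so a miss means "unknown", not "clean".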
 
