wowexec.exe & _minst.exe
My system is still acting weird as outlined in my Trojanwin32.dialer.exe thread. Today I opened my task manager and found three processes I don't quite think should be there.
wowexec.exe (found in my windows\system32 folder)
_minst.exe (Search found only a file named FDMINST.exe-2c8478e1.fp in C:\windows\prefetch)
ntvdm.exe found in each of the above folders
What are these files. wowexec.exe seems particularily suspicious
re: Ntvdm.exe and Wowexec.exe
WOW Environment Remains in Memory After Quitting 16-Bit Program
http://support.microsoft.com/default...b;en-us;181333
Also:SUMMARY
When you start a 16-bit program on a computer running Windows NT, the Ntvdm.exe and Wowexec.exe processes start. After you quit the 16-bit program, the Ntvdm.exe and Wowexec.exe processes remain in memory.
Windows NT Subsystems and Associated Files
http://support.microsoft.com/default...b;en-us;105992
Window on Windows (WOW)
WOWEXEC.EXE - Handles the loading of 16-bit Windows-based applications.
WOW32.DLL - Dynamic Link Library of the WOW application environment.
NTVDM.EXE - VDM Component.
NTVDM.DLL - VDM Component.
NTIO.SYS - VDM Component.
REDIR.EXE - VDM Component.
VDMREDIR.DLL - Redirector for WOW environment.
KRNL386.EXE - Used by WOW on x86 based systems.
KRNL286.EXE - Used by WOW on non x86 based systems.
GDI.EXE - Modified version of Windows 3.10 GDI.EXE.
USER.EXE - Modified version of Windows 3.10 USER.EXE.
Last edited by md usa spybot fan; 2005-12-08 at 05:26.
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz IntelŪ PentiumŪ 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
Thanks
Good thing I didn't do anything dumb like removing the files. I have been experimenting with WinQuake and JFduke and I believe at least one of them opened the 16 bit application mentioned above. Thanks for the info.
Posting Permissions
Reply With Quote