First post, by xjas
So I have this Win7 machine that I only use for playing Windows games (Steam, Epic & Gog front ends all installed), occasionally streaming (OBS & Datapath capture utils installed), light browsing (e.g. looking up walkthroughs & cheat codes for said games like it's 2005), and running some demoscene prods.
I booted it up an hour ago and went off to do other things. When I got back there was a window reporting that "pidgen.exe" had crashed. I had no idea what this was, so I opened the task manager and killed two instances of it. A quick HDD search found it was being launched by "Pidgen.vbe" which was in the start menu/startup folder.
Here's Pidgen.vbe:
Set objShell = CreateObject("Shell.Application")
objShell.ShellExecute "C:\Users\jay\AppData\Roaming\Pidgen\Pidgen." & "exe", "", "", "", 1
/Users/jay/AppData/Roaming/Pidgen/Pidgen.exe exists but I won't upload it here for obvious reasons. It shows the icon for the chat client Pidgin (note: two 'i's and no 'e') and even reports itself to be copyright the Pidgin dev team in the exe properties, but it's misspelled and I certainly never installed that client. It also doesn't show up in add/remove programs.
It looks like the exe/vbe combo was created back in January which is more-or-less when I first set this Windows install up. I also found it in the same location in the archive of the previous machine that this one replaced.
Windows Defender scan with updated defs finds nothing. There is a legit Windows component called PidGen, but I seriously doubt it would be run from a VBE script in the start menu & this whole thing looks super shonky. Searching the HDD for "pidgen*.*" yields said exe, the vbe launch script, a few references to the Windows service (pidgenx.dll), and a whole bunch of crash reports & dumps for Pidgen.exe.
Searching Google or DuckDuckGo for "pidgen.vbe" yielded no results. Well, now they'll probably find this thread.
This machine has a legit Windows install; I don't torrent or p2p or anything like that and I haven't installed any really dodgy cracks or whatever. I only run Firefox for a browser on it with some pretty hefty ad-block & countermeasures, including a Hosts file that I update every so often. That said, it's not a mission-critical machine so I'm not super careful about vetting shareware/freeware stuff. It's entirely possible it was slipped in with something I installed and I just didn't notice, or it was even added as a legit part of some program installer. Removing it from the startup applications doesn't seem to have broken anything.
So what is it? Like I said, Windows Defender didn't find anything. I'm leaning more towards "crapware" than "malware" (i.e. it got bundled in with something), but do I need to go nuclear on the system? Anyone know where it came from?
twitch.tv/oldskooljay - playing the obscure, forgotten & weird - most Tuesdays & Thursdays @ 6:30 PM PDT. Bonus streams elsewhen!
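Added here as a worked example, not code from the post or from any tool xjas mentions: a Python triage script that walks the Windows Startup folders for script launchers (.vbs/.vbe/.js/...), reassembles a launch target that was split across concatenated string literals the way the quoted Pidgen.vbe does, and flags targets living under a user-writable profile directory. It assumes the standard per-user and all-users Startup folder paths and that the launcher is plain-text VBScript as quoted (a script-encoded .vbe would need decoding first); the sample is constructed from the post.

```python
import os
import re

# Constructed sample: the launcher quoted in the post, as found in the Startup folder.
SAMPLE_VBE = r'''Set objShell = CreateObject("Shell.Application")
objShell.ShellExecute "C:\Users\jay\AppData\Roaming\Pidgen\Pidgen." & "exe", "", "", "", 1
'''

# Assumed per-user and all-users Startup folders that Windows runs at logon.
STARTUP_DIRS = [
    os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"),
]
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}

# A Shell.Application / WScript.Shell launch call plus the rest of its line.
CALL_RE = re.compile(r"\.(ShellExecute|Run|Exec)\s*\(?\s*(.*)", re.IGNORECASE)
# A string literal ("" is an escaped quote) or an argument-separating comma.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|(,)')


def first_argument(arg_text):
    """Join the literals making up the first argument: '"a." & "b"' -> 'a.b'."""
    parts = []
    for m in TOKEN_RE.finditer(arg_text):
        if m.group(2):  # first comma outside quotes ends the argument
            break
        parts.append(m.group(1).replace('""', '"'))
    return "".join(parts), len(parts) > 1


def analyse_launcher(source):
    """Return one finding per launch call, with the reasons it looks suspicious."""
    findings = []
    for m in CALL_RE.finditer(source):
        target, concatenated = first_argument(m.group(2))
        reasons = []
        if concatenated:
            reasons.append("target built by string concatenation")
        if "\\appdata\\" in target.lower() or "\\temp\\" in target.lower():
            reasons.append("target under a user-writable profile directory")
        findings.append({"call": m.group(1), "target": target, "reasons": reasons})
    return findings


def scan_startup_folders(dirs=STARTUP_DIRS):
    """Analyse every script launcher in the Startup folders; {} when none exist."""
    report = {}
    for d in filter(os.path.isdir, dirs):
        for name in os.listdir(d):
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                path = os.path.join(d, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = analyse_launcher(fh.read())
    return report
```

Run `analyse_launcher(SAMPLE_VBE)` to see the quoted launcher flagged on both counts; `scan_startup_folders()` does the same for whatever is actually in the Startup folders.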