
What Is "ieyhe4eeao"?


  • This topic is locked
6 replies to this topic

#1 ESR


Posted 14 October 2007 - 01:49 PM

Hi
When I run AUTORUNS - I come across this service called: ieyhe4eeao.
It seems to attach itself to different \windows\system32\files.

Each time I delete this service (attached to some file under sys32) - it reappears on the next reboot associated with some other sys32 file.

How do I find what file is creating this service (ieyhe4eeao)?

BTW - when I run virus scans, the scanners all claim that my laptop is clean....

Thanks in advance
ESR



#2 quietman7


Posted 14 October 2007 - 02:08 PM

Can you give an example of the file name it attaches itself to?
Is there any description or publisher information provided in Autoruns?

Anytime you come across a suspicious file or one you cannot find any information on, submit the file to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
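
Added example (not part of any post in this thread): a read-only PowerShell inventory that answers the questions asked above for every registered service at once: which file the entry points to, what publisher the file claims, whether its signature validates, and the SHA-256 to look up on a multi-engine scanner. It assumes PowerShell 4.0 or later; `Resolve-ImagePath` is a helper name made up for this example.

```powershell
# Added example: lists service/driver entries whose image file does not carry
# a valid Authenticode signature. Read-only: nothing is deleted or changed.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # Hypothetical helper: turn a raw ImagePath value into a plain file path.
    param([string]$Raw)
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim()
    $p = $p -replace '^\\\?\?\\', ''                                  # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', "${env:SystemRoot}\"          # \SystemRoot\...
    $p = $p -replace '^system32\\', "${env:SystemRoot}\System32\"     # relative driver path
    if ($p -match '^"([^"]+)"') { return $Matches[1] }                # quoted path + arguments
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { return $Matches[1] } # unquoted path + arguments
    return $p
}

Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { return }          # key has no binary attached

    $file = Resolve-ImagePath $props.ImagePath
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { return }

    $sig  = Get-AuthenticodeSignature -LiteralPath $file
    $info = (Get-Item -LiteralPath $file).VersionInfo

    [pscustomobject]@{
        Service   = $_.PSChildName                 # registry key name of the service
        File      = $file
        Publisher = $info.CompanyName              # self-declared, not proof of origin
        Signature = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        SHA256    = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    }
} |
    Where-Object { $_.Signature -ne 'Valid' } |    # keep only entries worth a closer look
    Sort-Object File |
    Format-Table -AutoSize -Wrap
```

A row in the output is a lead to check, not a verdict; run it from an elevated prompt so that all service keys and files are readable.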


#3 ESR


Posted 14 October 2007 - 02:49 PM

Sure - right now it is attached to: C:\Windows\System32\cy.exe

Is cy.exe part of windows XP Pro distribution?
....I don't see it in the system32 directories of my 'other' xp pro machines.....

#4 quietman7


Posted 14 October 2007 - 02:53 PM

Submit it to jotti and post back the results. I suspect it's related to TrojanDropper.Win32.Delf.

#5 ESR


Posted 14 October 2007 - 06:16 PM

Being a new guy - I don't know what Jotti is?
How do I post to it??

#6 buddy215


Posted 14 October 2007 - 06:33 PM

If you click on the link Quietman7 provided for Jotti you will see you have two options. One is to provide the full file path (C:\Windows\System32\cy.exe) or you can "browse" to the file and submit it.
Jotti provides a free automated service for scanning files with multiple antimalware programs. Beats the heck out of downloading and installing different scanning programs. Both sites that Quietman7 linked to are busy at times. That is why he listed both. They also use different scanning engines.



#7 TMacK


Posted 14 October 2007 - 11:00 PM

I see you have an HJT log posted in the HijackThis Logs and Malware Removal forum.
Here is the link: http://www.bleepingcomputer.com/forums/t/112231/aim-virus-cant-remove/
You shouldn't make any changes to your system, while your HJT log is posted, as that could change the results of the posted log, making it difficult to properly clean your system.
At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

This Topic is closed.



