
What is the file YEDIEx.exe


Original Message
Name: zyxio
Date: August 13, 2003 at 13:18:19 Pacific
Subject: What is the file YEDIEx.exe
OS: WinXP
CPU/Ram: 1.9Ghz P4 512mb
Comment:

I have discovered a service running in my Services and Applications which I don't quite know the meaning of. The location is C:\WINDOWS\system32\YEDIEx.exe and there is no information on this service when I do a Google search. I cannot seem to get a definite answer on this. Anyone know what the file YEDIEx.exe does exactly? Thanks.





Response Number 1
Name: R.C.
Date: August 13, 2003 at 13:46:24 Pacific
Reply:

I couldn't find anything on it either. Try exploring your program files and see if you can match it up to what program installed it. If not, delete it and see what happens...... just don't empty your trash so that it can be restored if need be. It really sounds like an adware that may be new to the market, and any scans miss it because they search for KNOWN items mostly.

good luck though




Response Number 2
Name: BillCherryAtl
Date: August 13, 2003 at 14:02:06 Pacific
Reply:

I too searched the known universe and could not find a thing. Nothing! The name "YEDIE" makes me believe you have a nasty, but I've got no clue what.

Please post back if you find out.



Response Number 3
Name: Setter
Date: August 13, 2003 at 14:41:09 Pacific
Reply:

Hi zyxio,

Go to http://www.tomcoyote.org/hjt/ and download HijackThis. After starting HijackThis, click the scan button which will change into a save log button. Save the logfile and also copy and paste the results back here in this thread. Most items reported by HijackThis are valid, so don’t fix anything yet.



Response Number 4
Name: JLoewner
Date: August 15, 2003 at 13:52:43 Pacific
Reply:

Hi folks!
Just found YEDIEx.exe on my Win XP Pro too and searched for it on the internet.

The only place I found anything on it was here!

Is there something new?
Should I worry about it?

So far I simply stopped the service and set it to start manual (which it keeps after a restart).

Haven't seen anything working without it.
(1 hr experience)



Response Number 5
Name: Setter
Date: August 15, 2003 at 14:02:29 Pacific
Reply:

Like I said earlier, post your HijackThis logfile. Why not? We may be able to help.

There is spyware/malware software that does generate random 6-letter strings.

Mark





Response Number 6
Name: JLoewner
Date: August 15, 2003 at 14:49:30 Pacific
Reply:

Hi Mark!

What also concerns me is:
There is no version info.
If you browse it with a hex-tool there is no link to a thinkable source of this software!

This is the HijackThis.log (any idea what YEDIEx.exe is?):

Logfile of HijackThis v1.96.0
Scan saved at 23:44:21, on 15.08.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\ComputerAssociates\ARCserve\msgeng.exe
C:\Programme\ComputerAssociates\ARCserve\casmrtbk.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\LogWatNT.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SCARDS32.EXE
C:\Programme\ComputerAssociates\ARCserveITDS\asdscsvc.exe
C:\Programme\ComputerAssociates\ARCserveITDS\Liccheck.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PowerDesk8\PDeskNet.exe
C:\Programme\CHIPDRIVE\WinLogon\WLAdmin.exe
C:\Programme\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\WINDOWS\System\Inst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\MSMSGS.EXE
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\YEDIEx.exe
N:\DownLoads\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=ftpproxy.muenster.de:3128;gopher=wwwproxy.muenster.de:3128;http=wwwproxy.muenster.de:3128;https=wwwproxy.muenster.de:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Programme\WS_FTP Pro\wsbho2k0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\System32\PowerDesk8\PowerDesk.exe /silent
O4 - HKLM\..\Run: [WinLogon] C:\Programme\CHIPDRIVE\WinLogon\WLAdmin.exe x
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (pixaco IE Drop-Upload) - http://217.17.197.101/scripts/iedropupload.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37778.1402893519
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B112E2E-93E2-478B-900D-1342EA49E0FE}: NameServer = 192.168.100.9




Response Number 7
Name: Setter
Date: August 15, 2003 at 20:04:23 Pacific
Reply:

JLoewner,

Unfortunately there is no additional information to relate on YEDIEx.exe.

--------------------
There are a couple of logfile entries that need identification.

O4 - HKLM\..\Run: [WinLogon] C:\Programme\CHIPDRIVE\WinLogon\WLAdmin.exe x
Was not able to definitively tie "WLAdmin.exe" and the program? "Chipdrive" together.

O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
This entry Inst.exe may be the Worm W32/Deloder.worm - See http://us.mcafee.com/root/genericVIL.asp?genericURL=/VirusInfo/VIL/dispVirus.asp&virus_k=100127


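One way to triage a log like the one posted in Response 6, along the lines Response 7 walks through it (an added example, not part of any post in this thread and not HijackThis's own code): it lists running executables in the Windows system directories that are off a baseline and reports whether an O4 Run entry accounts for them. The `BASELINE` set, the function names and the shortened sample log are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the HijackThis v1.96 layout, built from lines of the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System\Inst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\YEDIEx.exe

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Inst] C:\WINDOWS\System\Inst.exe install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumption: a tiny baseline of stock XP binaries; a real one is taken from a clean install.
BASELINE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse(log):
    """Return (running process paths, O4 Run-key entries) from a HijackThis log."""
    procs, runs, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := O4_RE.match(line)):
            runs.append(m.groupdict())
    return procs, runs

def triage(log):
    """Flag off-baseline processes in system directories and how (if at all) they autostart."""
    procs, runs = parse(log)
    run_cmds = " ".join(r["cmd"].lower() for r in runs)
    findings = []
    for p in procs:
        path = PureWindowsPath(p)
        if str(path.parent).lower() in SYSTEM_DIRS and path.name.lower() not in BASELINE:
            how = "Run key" if p.lower() in run_cmds else "no Run key (check Services)"
            findings.append((p, how))
    # Run entries without a directory resolve through the search path; confirm which file runs.
    bare = [r["name"] for r in runs if "\\" not in r["cmd"].split()[0]]
    return findings, bare
```

On the sample, `triage(SAMPLE_LOG)` flags `Inst.exe` as started from a Run key and `YEDIEx.exe` as having no Run key, which is consistent with the original poster finding it under Services.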

Response Number 8
Name: JLoewner
Date: August 16, 2003 at 01:05:14 Pacific
Reply:

Mark,
WLAdmin seems to be OK (has a matching version info, ...) and fits into the right directory.
Inst.exe does not match the W32/Deloder worm description on the internet.
It also has a version info (Description: KC Setup XP MFC Application).

I still have no idea what YEDIEx.exe is good for.







