Re: What are authentic microsoft files?

From: Malke (
Date: 03/31/05

Date: Thu, 31 Mar 2005 05:42:07 -0800

Johnnie Peterson wrote:

> My security alert asks me to allow yetenyve.exe to connect to a DNS
> server. Why would I?
> Other than it's located in C:\WINNT\system32\, I have no way of
> knowing if this is a microsoft file thatshould be running or not.
> Is there a list somewhere of what microsoft has (and what it does)?
> This should be easy to provide and it would be sooooo helpful.
> Until then I'll deny requests I guess.

There are hundreds, if not thousands, of legitimate files on a Windows
system. There are two easy ways to determine the legitimacy and
provenance of a file. The first is to right-click the file and look at
its properties. Legitimate files will usually have a Version with the
mftr.'s name. MS 32-bit files always say "Microsoft Corporation". The
second way is to simply Google the name of the file. When Google
returns no links - as is the case with "yetenyve.exe" - there is a high
probability that the file is malware.

It is quite common for malware file names to be random and odd, like
yours is. You should scan for and remove malware. Here are general
removal steps. It is crucial that you do all work with updated tools in
Safe Mode.

First delete all Temporary and Temporary Internet Files. Then:

1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.

Before you remove malware, get LSPFix or WinSockFix for XP - see links

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods: - Spybot Search & Destroy - Ad-aware - HijackThis - SilentRunners - Repair Winsock 2 settings after
removing spyware - WinsockXPFix.exe

HijackThis: - HijackThis tutorial by Jim
Eshelman - forums - Spyware Warrior HijackThis

General: - look under "Security" for various forums - The Parasite Fight


MS MVP - Windows Shell/User
In Memoriam - MVP Alex Nichol
The world is diminished without him.