
[SOLVED] [04316563] Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Tue, 05 Apr 2016, 14:48
by Canon_Man
There is limited information on the Web about EJY.EXE, an executable that appears to be hiding in C:\ProgramData.

I found it running on my PC this morning after a bout with two malicious files last night as outlined below.

I have both Windows Defender and Panda running, and while downloading a video clip from a known Torrent site both virus software programs found and neutralized files.

Panda found and neutralized an 'UNKNOWN.EXE' program threat, and placed it in quarantine.

Windows Defender identified another file as a named TROJAN (don't know the name now) and placed it in quarantine. The file had also disabled Windows Defender until I re-booted.

On re-boot I deleted both files from their quarantine locations.

After doing this I ran another virus scan with both programs and they came up empty.

However, although EJY.EXE was not mentioned by either virus scan program, EJY.EXE was running when the PC booted this morning.

After doing a Web search for EJY.EXE and finding limited, questionable explanations for what it was, I ended it in Task Manager, found it in Startup and disabled it. It appears to be stored in C:\ProgramData, but is not visible.

Registry Editor appears to be running, did stop and restarted once and has now been running for over 20 minutes doing a search for EJY.EXE.

I'm guessing that EJY.EXE is in fact a malicious file and has hidden itself in Registry and elsewhere.

Going to run another Virus Scan using MalwareBytes to see if it finds anything.

Thoughts anyone?

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Tue, 05 Apr 2016, 15:24
by VirusBuster
If you suspect the file could be malware, please have a look at this thread:
How to report malware issues

Run also an additional scan with Panda Cloud Cleaner

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Tue, 05 Apr 2016, 16:35
by Canon_Man
In the last two weeks I have tried to run a successful Panda Cloud scan, but toward the end it generally aborts with a message that is recorded in the system Event Log. Thinking it might be a resource issue with access rights for read/write I tried giving the proc additional security authorization, but that did not solve the problem.

It has only run successfully twice; each time it did run was immediately after uninstalling and reinstalling Panda.

As for reporting the file, I will follow the instructions in the link provided.

Thanks.

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Tue, 05 Apr 2016, 16:47
by Canon_Man
After viewing the link, I'm not sure that this is a virus issue not found by Panda, or if a file may contain a virus.

I am reasonably certain that the EJY.EXE proc was not there until yesterday.

It was stored as a system hidden file, but changing the view allowed me to find the folder and the .EXE.

What I don't know is whether it should be in the ProgramData directory or not.

The EJY folder is currently moved to another directory, the startup menu item has been disabled, and according to the 'startup impact' summary in Task Manager, being in this state poses no immediate harm to the PC.

I'm going to check our other PCs to see if this file exists.

If not, I will simply leave it disabled where it is (actually stored it in the Panda Security sub Directory for now).

BTW, MalwareBytes found nothing.
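
A read-only triage sketch for the situation described in the posts above (an executable stored hidden under ProgramData and queued in Startup), added here as an example and not part of any forum post. It uses only built-in Windows PowerShell cmdlets; the report's property names are this example's own.

```powershell
# Added example: lists hidden executables under ProgramData with signature,
# hash and startup status. Read-only: nothing is executed, moved or deleted.
$root = $env:ProgramData   # normally C:\ProgramData

# Startup entries as Windows reports them (Run keys and Startup folders).
$startup = Get-CimInstance -ClassName Win32_StartupCommand
$hidden  = [IO.FileAttributes]::Hidden

# -Force makes Get-ChildItem return hidden and system items as well.
Get-ChildItem -LiteralPath $root -Filter *.exe -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        # Keep files that are hidden themselves or sit in a hidden folder.
        ($_.Attributes -band $hidden) -or ($_.Directory.Attributes -band $hidden)
    } |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        # Match the file name literally against each startup command line.
        $hits = $startup | Where-Object { $_.Command -match [regex]::Escape($file.Name) }
        [pscustomobject]@{
            Path        = $file.FullName
            SizeMB      = [math]::Round($file.Length / 1MB, 1)
            Created     = $file.CreationTime
            Attributes  = $file.Attributes
            Signature   = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject   # empty when unsigned
            SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            InStartup   = [bool]$hits
            StartupFrom = ($hits.Location -join '; ')
        }
    } | Format-List
```

An unsigned, recently created, hidden executable that also appears in a startup location is worth submitting for analysis; the SHA256 value identifies the exact sample in a report.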

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Tue, 05 Apr 2016, 17:50
by VirusBuster
With this information I would say that at least it's a suspicious file, so please rename it to ejy.exe_ so that you can't unintentionally execute it, password-compress it and send it to our laboratory as instructed.

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Tue, 05 Apr 2016, 17:57
by Canon_Man
Thanks for the reply.

Turned 'hidden system files' ON, - EJY.EXE does not exist on 2 other Windows 10 PCs we have.

Will follow the link and try to compress the folder/file, but it is 168Mb in size.

Just one question: How do you compress the file?

Seems to me it will still be too big to go through.

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Tue, 05 Apr 2016, 23:56
by Canon_Man
I managed to compress it by 66% to 68.4 Mb, but this is way too big to travel through email.

I am beginning to believe that the size of the file indicates that the contents are not all executable, that the virus is craftily embedded in a video file. The target download size of the original video was 209 Mb, about right for a 40 minute video clip from TV.

When I opened the video last night it was a video, just not what I had downloaded. When I went back to the torrent site last night 20 minutes later, the file had been flagged as fake and could not be found using the normal search. I used the original link in my browser to find it and that is how I discovered it had been flagged.

When I was pulling it down I noticed that there were about 60 or 70 leeches and 30 or more seeds, so my guess is at least a couple hundred people got a bad file with some cleanup work to do before the file was taken down.

The site, and the user who posted the file are both well known and have been trusted in the past. Guess not anymore.

Since the file is way too big to send anywhere I may move it to thumb drive and label the drive accordingly for now.

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Wed, 06 Apr 2016, 09:34
by VirusBuster
You can use our FTP Uploader to send us the file

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Wed, 06 Apr 2016, 12:37
by Canon_Man
Good morning.

File has been uploaded.

Approximately 168 Mb, - Contents: - two folders, and one executable called EJY.EXE

EJY.EXE was queued in Startup originally and hidden in ProgramData.

Second folder - UNKNOWN, was also hidden in ProgramData but the contents were quarantined by Panda when the video was viewed.

Re: Is EJY.EXE a threat, or an actual MicroSoft Program?

Posted: Wed, 06 Apr 2016, 17:27
by VirusBuster
Sorry, but the uploaded file has a size of 0KB, so nothing was uploaded.
Can you upload it to any online storage server such as MediaFire, MEGA, WeTransfer... and provide us the download link?