Spyware Blocking SAS in General Questions Posted August 27, 2009 Quick followup to my last post. I am not out of the woods yet. I discovered that while SAS is running and scanning, the SAS executable file is 'modified'. The initial scan completes because the SAS process is in memory but any attempts to run it again will result in : "Windows cannot access the specified device". There are two workarounds to this: 1) uninstall SAS, manually remove the infected SAS executable left behind and reinstall (although this will allow for only one scan before the infection happens again) -or- 2) After installing SAS, copy the executable to another directory or drive. After the file is modified by the infection during the scan, rename it and then copy the good version into the C:\Program Files\SUPERAntiSpyware directory to perform additional scans. I am assuming the infection corrupts the SAS file vs changing its attributes - if anyone knows more about this please pass it on. Unfortunately the last successful complete scan of SAS did not detect any new infected files even though the executable was modified during execution so I have not eliminated all the sources of the infection. A couple of other things I discovered about this Trojan: 1) Adobe Reader versions before 7.0 are subject to infection. I uninstalled AR 6 and Adobe Audition 1.5 (the Audition executable was flagged as possibily infected when running Sophos, probably because it had no owner after being modified) 2) I'm guessing McAfee scanning fails to run because the scanner executable 'mcods.exe' was modified /corrupted the same way the SAS executable was. I will have to reinstall McAfee. mcods.exe turns up as a suspect file in my Sophos scan.