Jump to content
Sign in to follow this  


Recommended Posts


one of the spyware programs I use (PCTools Spyware doctor) in addition to SAS detected infections by a file called nircmd. Is this a program that is used by the SAS engine?

If not is it ok to delete it?


Share this post

Link to post
Share on other sites

Nircmd is not a SAS or SAS PRO file.

NirCmd is a command-line utility that allows writing to and deletion of values and keys in the registry. BOClean targets nircmd.exe while CF is unpacking, and while it's trying to run. Panda, Sophos and others target NirSoft tools as well.

Certain files that are part of the combofix tool such as nircmd.exe may at times be detected by some anti-virus as a "RiskTool", "Hacking tool, "Potentially unwanted tool" or even "Spyware-Adware". Anti-virus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user or even remove them.

Such programs may have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Potentially unwanted does not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others.

I recommend that you let SAS quarantine it. Keep it in quarantine for a week or so to make sure that you do not encounter a legitimate program on your system that uses this utility.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this