Jump to content
Eric H.

Weird .exe running, is SAS compromised?

By Eric H., in General Questions

Recommended Posts

Eric H.   

Eric H.
Posted

Whenever I start SAS, I see a weird.exe in the Task Manager, the name looks like

xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx.exe

where the 'x' are all hex digits.

I can't remember seeing this before. Is this normal, or has my machine been compromised?

version 4.53

thanks,

eric

Share this post

Link to post
Share on other sites

Seth   

Seth
Posted

Hi Eric.

Make sure SAS is fully updated and run a complete scan. If the file remains, post its name in this thread. You can also run a search for the file and submit it to VirusTotal:

http://www.virustotal.com/

Share this post

Link to post
Share on other sites

Eric H.   

Eric H.
Posted

If the file remains, post its name in this thread.

It's a different set of hex digits each time, which is what makes me think

the machine is toasted.

Share this post

Link to post
Share on other sites

Seth   

Seth
Posted

It's a different set of hex digits each time

That's not sounding good.

If it remains after the SAS update and complete scan. Then download HijackThis and choose "Do a system scan and save the log file". Post that log in your next reply.

http://free.antivirus.com/hijackthis/

Share this post

Link to post
Share on other sites

Eric H.   

Eric H.
Posted

That's not sounding good.

If it remains after the SAS update and complete scan. Then download HijackThis and choose "Do a system scan and save the log file". Post that log in your next reply.

http://free.antivirus.com/hijackthis/

Current one running is c29a40c0-b556-43d0-9e3e-667c1d383454.exe

and that .exe file (along with a few other similiarly named .exe) is actually

just sitting in c:\Program Files\SUPERAntiSpyware.

Maybe it is SAS doing something to stealth itself against the bad

guys trying to find it and kill it?

(OK, that's a stretch, but one can hope, right?)

Share this post

Link to post
Share on other sites

Eric H.   

Eric H.
Posted

Current one running is c29a40c0-b556-43d0-9e3e-667c1d383454.exe

the scan is running now, and that exe is taking up all the cpu, so maybe it is just a cloaked SAS program?

Share this post

Link to post
Share on other sites

Seth   

Seth
Posted

the scan is running now, and that exe is taking up all the cpu, so maybe it is just a cloaked SAS program?

To the best of my knowledge, that's not part of SAS. Nor do any of my computers have those type of files in the SAS folder. Confirmed that in Task Manager while running scans as well.

If needed, use SAS's Threat Check:

https://www.superantispyware.com/superantispyware_threatcheck.html

Share this post

Link to post
Share on other sites

Eric H.   

Eric H.
Posted

To the best of my knowledge, that's not part of SAS. Nor do any of my computers have those type of files in the SAS folder. Confirmed that in Task Manager while running scans as well.

If needed, use SAS's Threat Check:

https://www.superantispyware.com/superantispyware_threatcheck.html

Submitted a check.

Also tried uninstalling and reinstalling SAS.

Still get the same weird hex .exe files showing up in Task Manager, and in Program File\SUPERAntiSpyware.

Where would I submit one of those .exes for someone to look at?

Share this post

Link to post
Share on other sites

bohemianroxie   

bohemianroxie
Posted

124368a9-24cf-459e-ba19-a5bcb6c1ad76.com MS-DOS application does run in my task manager (although the string is not completely visible there).

I finally found it in my SAS program files folder.

Everything comes up clean on my computer from sas, avast, malwarebytes..and even a few other scans... and I'm having no issues.

But this might be similar.

Share this post

Link to post
Share on other sites

SAS Customer Service   

SAS Customer Service
Posted

124368a9-24cf-459e-ba19-a5bcb6c1ad76.com MS-DOS application does run in my task manager (although the string is not completely visible there).

I finally found it in my SAS program files folder.

Everything comes up clean on my computer from sas, avast, malwarebytes..and even a few other scans... and I'm having no issues.

But this might be similar.

It would seem that you are runnin the alternate start of SUPERAntiSpyware as it will rename superantispyware.exe to a random file name so that malware has less of a chance of blocking the application.

Share this post

Link to post
Share on other sites

bohemianroxie   

bohemianroxie
Posted

It would seem that you are runnin the alternate start of SUPERAntiSpyware as it will rename superantispyware.exe to a random file name so that malware has less of a chance of blocking the application.

Yeah, I didn't do that intentionally...but I think I like it. Makes sense to me.

I've looked high and low and never seen it mentioned anywhere.

Incognito.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Topic Listing
×
×
  • Create New...