Windows XP Home SP3. Avast! 4.8 Home build 4.8.1356. SAS 4.26.0.1004. Zone Alarm Free firewall.
During start-up system process, 5894a498-c48f-41ce-a891-b776c4c1212a.exe, runs and consumes up to 95% of CPU memory. Search engines have not idetified this process though I suspect it may an Avast! routine - most likely the rootkit scan.
Could anyone please confirm what this process really is. Virus and spyware scans indicate the system is clean.
Thank you.
That looks dodgy. As you say, Google searches (for all or part of the process name) lead only to this thread.
I doubt it’s the rootkit scan. That runs (IIRC) 8 minutes after start, and I’ve never known it to consume any significant resources at all.
Try a computer search (include hidden and system files) see if you can find it.
It most certainly has nothing to do with avast and as Tarq57 said, it looks dodgy.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should product a log file).
Check the Task Manager and see if this is a running process, if so End Task.
It might be worth checking the startup items in MSConfig (windows key+R and type msconfig), startup tab and see if there is an entry there for it if so disable it.
Thanks for the pointers which helped me to find the answer. The ‘culprit’ is a start up file for SuperAntiSpyware and is entirely legitimate.
Sorry for wasting your time. I really should have checked hidden folders before contacting the forum. 10/10 for Avast! support.
Very good. Surprising the Google search didn’t turn it up, unless the file name is designed to morph randomly. (DrWeb’s cureit did that, to prevent malware ID-ing and disabling it.)
Had I not uninstalled SAS a couple of months ago, I may have found it (or similar) on my own computer. (Yes, I did search it.)
Now the question: Would you be so kind as to provide the path (and purpose, if known,) of this file?
C:\Program Files\SUPERAntiSpyware\5894a498-c48f-41ce-a891-b776c4c1212a.exe.
If I click on this file it brings up the SuperAntiSpyware Control Panel or an extraordinarily clever facsimile.
A scan with MBAM found nothing and an online scan using Jotti gave 19 clean results, VBA32 found ‘Win32 Shadow Service Install’. Jotti also reported:
File size: 1830128 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: c811c7d177634b3a69136d1aa2911512
SHA1: 7f1cf8d87f1b81a3e74951950028e0814ed78627
John.
Strange I have no such file in my SAS folder, see image, and I have SAS Pro which runs on startup.
Nor is there such a file in my free SAS installation. ???
I’ve now posted this poser to the SuperAntiSpyware forum. Here’s the thread.
I’ll feedback anything of interest.
John
Thanks for the update, hopefully they will get to the bottom of it quickly.
Very odd. I’ve four additional .exe files sitting in C:\Program Files\SUPERAntiSpyware. Here’s a screenshot.
http://www.mediafire.com/imgbnc.php/a4ef95f4fddc83cd459b3971a27185812g.jpg
Edited for clarity to demonstrate there were four unexplained/unexpected files in the folder.
There are 5 installed here.
BootSafe.exe
RUNSAS.EXE
SASINST.EXE
SASUpdate.exe
SUPERANTISPYWARE.EXE
plus the associated .dll files.
would be interesting to know what that is…hope you get some feedback on their forums…
ps: I think you should isolate those files until you learn more about them…and may be see if new ones are generated, isolating them being just a measure of safety for the rest of your system, just in case. You can do that manually if you have a HIPS on board.
I took a look in my own SAS folder, and I have a bunch of them. I think these are created when you run
the “Superantispyware - Alternate start” link.
See the 2 at the bottom, both 1952KB. Now, why the product doesn’t delete the old versions is
another question.
YES, just tried and got a bunch of new alerts for the file from CIS Def +; nice one 
what is this alternate link for ???
The reason to run it under an alternate name is that certain malware recognize the SAS process
by it’s executable name and stop it from running…
Now that you mention that I’m pretty sure I’ve had this with another security software long ago…but I can’t remember which one, also running an executable with different name each time to avoid termination attacks…may be it was AVG antispy, not sure…
SuperAntispyware - Alternate start calls RUNSAS.EXE, and your assumptions are correct. See http://www.superantispyware.com/supportfaqdisplay.html?faq=71.
Unless something on the machine is targetting SuperAntispyware and preventing it from running, there is no need to run RUNSAS.EXE. Of course a munged install could possibly create the same effect.
You are right. I experienced this once with the DrWebCureIt program about two weeks ago. After a customary program update before use, noticed the usual executable was replaced with a strange alphanumeric. It did perform without any untoward incident, though.
Remembered reading advice here in the forums to manually rename the .exe file but, in this case, it appeared to have changed clothes on its own.