Topic: Unrecognised start-up process.

Offline Beefheart

  • Newbie
  • *
  • Posts: 10
Unrecognised start-up process.
« on: October 22, 2009, 10:07:56 PM »
Windows XP Home SP3. Avast! 4.8 Home build 4.8.1356. SAS 4.26.0.1004. Zone Alarm Free firewall.

During start-up a system process, 5894a498-c48f-41ce-a891-b776c4c1212a.exe, runs and consumes up to 95% of CPU memory. Search engines have not identified this process, though I suspect it may be an Avast! routine - most likely the rootkit scan.

Could anyone please confirm what this process really is. Virus and spyware scans indicate the system is clean.

Thank you.
 

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Unrecognised start-up process.
« Reply #1 on: October 22, 2009, 11:07:00 PM »
That looks dodgy. As you say, Google searches (for all or part of the process name) lead only to this thread.

I doubt it's the rootkit scan. That runs (IIRC) 8 minutes after start, and I've never known it to consume any significant resources at all.

Try a computer search (include hidden and system files) see if you can find it.
WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82057
  • No support PMs thanks
Re: Unrecognised start-up process.
« Reply #2 on: October 22, 2009, 11:43:27 PM »
It most certainly has nothing to do with avast and as Tarq57 said, it looks dodgy.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Check the Task Manager and see if this is a running process, if so End Task.

It might be worth checking the startup items in MSConfig (windows key+R and type msconfig), startup tab and see if there is an entry there for it if so disable it.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4793.541) UI-1.0.415/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline Beefheart

  • Newbie
  • *
  • Posts: 10
Re: Unrecognised start-up process.
« Reply #3 on: October 23, 2009, 10:50:34 AM »
Thanks for the pointers which helped me to find the answer. The 'culprit' is a start up file for SuperAntiSpyware and is entirely legitimate.

Sorry for wasting your time. I really should have checked hidden folders before contacting the forum. 10/10 for Avast! support.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Unrecognised start-up process.
« Reply #4 on: October 23, 2009, 11:05:28 AM »
Very good. Surprising the Google search didn't turn it up, unless the file name is designed to morph randomly. (DrWeb's cureit did that, to prevent malware ID-ing and disabling it.)
Had I not uninstalled SAS a couple of months ago, I may have found it (or similar) on my own computer. (Yes, I did search it.)

Now the question: Would you be so kind as to provide the path (and purpose, if known,) of this file?

Offline Beefheart

  • Newbie
  • *
  • Posts: 10
Re: Unrecognised start-up process.
« Reply #5 on: October 23, 2009, 11:59:52 AM »
Now the question: Would you be so kind as to provide the path (and purpose, if known,) of this file?

C:\Program Files\SUPERAntiSpyware\5894a498-c48f-41ce-a891-b776c4c1212a.exe.

If I click on this file it brings up the SuperAntiSpyware Control Panel or an extraordinarily clever facsimile.

A scan with MBAM found nothing and an online scan using Jotti gave 19 clean results, VBA32 found 'Win32 Shadow Service Install'. Jotti also reported:

File size:     1830128 bytes
Filetype:     PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:            c811c7d177634b3a69136d1aa2911512
SHA1:    7f1cf8d87f1b81a3e74951950028e0814ed78627

John.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82057
  • No support PMs thanks
Re: Unrecognised start-up process.
« Reply #6 on: October 23, 2009, 03:09:06 PM »
Strange I have no such file in my SAS folder, see image, and I have SAS Pro which runs on startup.

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2094
Re: Unrecognised start-up process.
« Reply #7 on: October 23, 2009, 05:48:52 PM »
Nor is there such a file in my free SAS installation. ???
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner

Offline Beefheart

  • Newbie
  • *
  • Posts: 10
Re: Unrecognised start-up process.
« Reply #8 on: October 23, 2009, 06:34:57 PM »
I've now posted this poser to the SuperAntiSpyware forum. Here's the thread.

I'll feedback anything of interest.

John

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82057
  • No support PMs thanks
Re: Unrecognised start-up process.
« Reply #9 on: October 23, 2009, 07:13:14 PM »
Thanks for the update, hopefully they will get to the bottom of it quickly.

Offline Beefheart

  • Newbie
  • *
  • Posts: 10
Re: Unrecognised start-up process.
« Reply #10 on: October 23, 2009, 08:19:00 PM »
Strange I have no such file in my SAS folder, see image, and I have SAS Pro which runs on startup.

Very odd. I've four additional .exe files sitting in C:\Program Files\SUPERAntiSpyware. Here's a screenshot.




Edited for clarity to demonstrate there were four unexplained/unexpected files in the folder.
« Last Edit: October 23, 2009, 09:02:44 PM by Beefheart »

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2094
Re: Unrecognised start-up process.
« Reply #11 on: October 23, 2009, 08:47:24 PM »
Strange I have no such file in my SAS folder, see image, and I have SAS Pro which runs on startup.

Very odd. I've four .exe files sitting in C:\Program Files\SUPERAntiSpyware. Here's a screenshot.


There are 5 installed here.
BootSafe.exe
RUNSAS.EXE
SASINST.EXE
SASUpdate.exe
SUPERANTISPYWARE.EXE

plus the associated .dll files.
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner
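
A folder triage along the lines this thread follows, as an added example that is not part of any post: it lists executables outside the five named in reply #11, flags GUID-style names, computes the MD5/SHA1 pair that Jotti reports, and notes whether a file is byte-identical to a known executable. Using the reply #11 list as a baseline is an assumption, and the folder contents and the second GUID-style name are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Executables reply #11 lists for a stock install (assumed baseline, lower-cased).
BASELINE = {"bootsafe.exe", "runsas.exe", "sasinst.exe",
            "sasupdate.exe", "superantispyware.exe"}
# GUID-style file name, e.g. 5894a498-c48f-41ce-a891-b776c4c1212a.exe
GUID_EXE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe$", re.I)

def file_hashes(path):
    """Return (md5, sha1) hex digests, the two values the Jotti report shows."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

def triage_folder(folder, baseline=BASELINE):
    """List .exe files outside the baseline; same_as names an identical baseline file."""
    exes = [p for p in sorted(Path(folder).iterdir())
            if p.is_file() and p.suffix.lower() == ".exe"]
    hashed = {p: file_hashes(p) for p in exes}
    known = {hashed[p][1]: p.name for p in exes if p.name.lower() in baseline}
    findings = []
    for p in exes:
        if p.name.lower() in baseline:
            continue
        md5, sha1 = hashed[p]
        findings.append({"name": p.name, "guid_named": bool(GUID_EXE.match(p.name)),
                         "md5": md5, "sha1": sha1, "same_as": known.get(sha1)})
    return findings

def demo():
    """Run the triage over a constructed folder (dummy contents, not real binaries)."""
    with tempfile.TemporaryDirectory() as d:
        files = {"SUPERANTISPYWARE.EXE": b"constructed main binary",
                 "RUNSAS.EXE": b"constructed launcher",
                 "5894a498-c48f-41ce-a891-b776c4c1212a.exe": b"constructed main binary",
                 "0f0e0d0c-1111-2222-3333-444455556666.exe": b"constructed unknown",
                 "helper.dll": b"constructed library"}
        for name, data in files.items():
            (Path(d) / name).write_bytes(data)
        return triage_folder(d)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A file whose `same_as` is empty matches nothing in the baseline and is the one to isolate and submit for scanning first.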

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: Unrecognised start-up process.
« Reply #12 on: October 23, 2009, 09:18:31 PM »
would be interesting to know what that is...hope you get some feedback on their forums...

ps: I think you should isolate those files until you learn more about them...and maybe see if new ones are generated, isolating them being just a measure of safety for the rest of your system, just in case. You can do that manually if you have a HIPS on board.

« Last Edit: October 23, 2009, 09:32:32 PM by Logos »
w7 - ais7

Offline davexnet

  • Poster
  • *
  • Posts: 527
Re: Unrecognised start-up process.
« Reply #13 on: October 23, 2009, 09:56:20 PM »
I took a look in my own SAS folder, and I have a bunch of them.  I *think* these are created when you run
the "Superantispyware - Alternate start" link.

See the 2 at the bottom, both 1952KB.  Now, why the product doesn't delete the old versions is
another question.

http://img514.imageshack.us/img514/3198/saspk.jpg
AMD FX-4300 4GB DDR3
avast free 2279 (Windows XP), MBAM free

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: Unrecognised start-up process.
« Reply #14 on: October 23, 2009, 10:01:39 PM »
I took a look in my own SAS folder, and I have a bunch of them.  I *think* these are created when you run
the "Superantispyware - Alternate start" link.

See the 2 at the bottom, both 1952KB.  Now, why the product doesn't delete the old versions is
another question.

http://img514.imageshack.us/img514/3198/saspk.jpg

YES, just tried and got a bunch of new alerts for the file from CIS Def +; nice one  ;)
what is this alternate link for ???
« Last Edit: October 23, 2009, 11:05:49 PM by Logos »