What is sualofw.exe used for?

New Here, Nov 05, 2014

I believe this was installed when I was updating flash player.  It is a constantly running process.  Says it's under Google Chrome, but the file location is under Adobe.  I think I accidentally left a couple of those check box options checked during the install, so I quickly canceled, unchecked and started install again.

I did de-install flash player and re-install, but executable still there and still running.  I am not using Google Chrome - only use it sparingly.  Have de-installed and re-installed it too.

Am I going to need to de-install Adobe Reader too?

LEGEND, Nov 05, 2014

What is your operating system?

How exactly did you update Flash Player?

And where exactly is that file located?  "under Adobe" sounds suspicious!

Curious: why did you post your question in the rather obscure Acrobat.com Developers forum?

[topic moved to Flash Player forum]

New Here, Nov 06, 2014

Windows 7

I was prompted to update Flash Player so I responded to the update.  I clicked install then noticed it had a couple of check boxes checked, so I stopped it, unchecked them (set Google as main browser and something else), then started it again.  Thought that maybe something halfway installed or something.  When I found this file/process running a lot and saw that it was under Adobe, I tried to think what could have happened and remembered this situation.  The date on the file is about when I did this.

Yes it does sound strange which is why I am asking.  It has been a running process on my computer for a couple of days.  Now it's not, but the file is still there.

C:\users\<my name>\AppData\LocalLow\Adobe\ppyrzfzevlgy\uphqqlhshmzg\sualofw.exe

Forum: None of the options seemed like the right one so I just picked a "developer" thinking they could help the most.

Thank you for replying back and helping.

Adobe Employee, Nov 06, 2014

If you right-click on that file and choose Properties, is there a Digital Signatures tab?  If so, can you choose the item and hit details and provide a screenshot?

New Here, Nov 07, 2014

Jeromie,

Thank you.  See below.  Does it look OK?

    

Pat,

See Digital Signatures above.  Do you think maybe those directories were temporary and since I canceled and restarted they didn't delete? 

I obviously can't go back and look, but the way I remember it was a typical upgrade alert from Adobe (reader or flash player).  I do have my settings set for it to ask me first.

Any suggestions about how to and if I should get rid of any of those directories?

What started all of this was some suspicious printing.  Saw this funny process running and looked it up.  Led us to Adobe as it's in that directory.  Looked at date and saw it was close to when I did the install, cancel and install.  We did full computer scans on all 3 computers on network.  We use Norton.  It did ask us to reboot to finish "security" stuff.  The good news is the process (the .exe) isn't running any more, but it concerns me that it's still there if it shouldn't be.

Thank you again !!!!

Adobe Employee, Nov 07, 2014

I have to be honest, I work on Flash Player and not the bundled software that gets included by our distribution team.  This stuff gets added downstream, so I don't know a lot about it personally.

I don't see any activity on C:\users\<user>\AppData\LocalLow\Adobe\ when doing the installation from http://get.adobe.com/flashplayer using Internet Explorer on Win7, when installing the optional Chrome Toolbar and Browser, and it's fairly common for malware (even when it has nothing to do with Flash) to stash files under Adobe directories, because they're almost universally present and it makes the exploit files look more legitimate.

If the file is malicious, it's highly unlikely that it came from our installer.  Our distribution mechanisms are tightly controlled, as are Google's.  The fact that the binary appears to have a valid Google signature issued by VeriSign is comforting, but I'd like to see the data in the Details and Certification Path tabs, just to make sure nothing is out of the ordinary.  If there's a root CA from Pakistan or something in the approval chain, that would be a good reason to dig deeply into this.

Just to be on the safe side, I'd highly recommend uploading the executable to virustotal.com.  It scans the file against a whole bunch of virus scanning engines, and they provide intelligence on new exploits back to the industry when new variants are discovered.  Please let me know what you find out.
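
Added example (not part of the original thread, and not Adobe's or Google's code): a PowerShell sketch that collects what the reply above asks for, namely the Authenticode status, the signer, every certificate in the certification path, and the SHA-256 hash to search on virustotal.com. It assumes PowerShell 4.0 or later (for `Get-FileHash`) and uses the path posted in the thread with the user name taken from `$env:USERPROFILE`; the function name `Get-SignatureTriage` is hypothetical.

```powershell
# Added example: gather signature, certificate chain and hash for a suspect file.
function Get-SignatureTriage {
    param([Parameter(Mandatory = $true)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop   # fail early if the file is gone
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Walk the certification path (what Explorer shows on the "Certification Path" tab).
    $elements = @()
    $problems = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.SignerCertificate)
        $elements = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
                NotAfter   = $_.Certificate.NotAfter
            }
        })
        # Any entries here (untrusted root, revoked, expired, ...) deserve a closer look.
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }

    [pscustomobject]@{
        File          = $file.FullName
        Created       = $file.CreationTime
        Status        = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage = $sig.StatusMessage
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        Chain         = $elements
        ChainProblems = $problems
        # The hash can be searched on virustotal.com without uploading the file itself.
        Sha256        = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Path as posted in the thread; the profile directory is resolved from the environment.
$suspect = Join-Path $env:USERPROFILE 'AppData\LocalLow\Adobe\ppyrzfzevlgy\uphqqlhshmzg\sualofw.exe'
$result  = Get-SignatureTriage -Path $suspect
$result | Format-List File, Created, Status, StatusMessage, Signer, ChainProblems, Sha256
$result.Chain | Format-Table -AutoSize -Wrap
```

A `Valid` status means the file matches its signature and the chain ends at a root this machine trusts; it says nothing about how the file arrived in that directory, which is why the hash lookup is still worth doing.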

New Here, Nov 07, 2014

Thank you.  Do you think this is something I should pursue with Google?  I'll take a look at VirusTotal.  Thanks again.

Adobe Employee, Nov 07, 2014

Can you just post the cert?  (Just hit CopyToFile on that certificate page).

Everything looks reasonably legit.  I'd just send it to VirusTotal to be safe.  If it matches any known signature, you'll get a hit.

LEGEND, Nov 06, 2014

RDawson wrote:

C:\users\<my name>\AppData\LocalLow\Adobe\ppyrzfzevlgy\uphqqlhshmzg\sualofw.exe

That is definitely not a place where any Adobe software would place anything, let alone an executable.

You may have been tricked by a website (or local malware) into what appeared to be a Flash Player update, but in fact installed malware on your system.
