8 Replies Latest reply on Nov 7, 2014 12:56 PM by jeromiec83223024

    What is sualofw.exe used for?


      I believe this was installed when I was updating flash player.  It is a constantly running process.  Says it's under Google Chrome, but the file location is under Adobe.  I think I accidentally left a couple of those check box options checked during the install, so I quickly canceled, unchecked and started install again.


      I did de-install flash player and re-install, but executable still there and still running.  I am not using Google Chrome - only use it sparingly.  Have de-installed and re-installed it too.


      Am I going to need to de-install Adobe Reader too?

        • 1. Re: What is sualofw.exe used for?
          pwillener Level 8

          What is your operating system?


          How exactly did you update Flash Player?


          And where exactly is that file located?  "under Adobe" sounds suspicious!


          Curious: why did you post your question in the rather obscure Acrobat.com Developers forum?


          [topic moved to Flash Player forum]

          • 2. Re: What is sualofw.exe used for?
            RDawson Level 1

            Windows 7

            I was prompted to update Flash Player so I responded to the update.  I clicked install then noticed it had a couple of check boxes checked, so I stopped it, unchecked them (set Google as main browser and something else), then started it again.  Thought that maybe something halfway installed or something.  When I found this file/process running a lot and saw that it was under Adobe, I tried to think what could have happened and remembered this situation.  The date on the file is about when I did this.


            Yes it does sound strange which is why I am asking.  It has been a running process on my computer for a couple of days.  Now it's not, but the file is still there.


            C:\users\<my name>\AppData\LocalLow\Adobe\ppyrzfzevlgy\uphqqlhshmzg\sualofw.exe


            Forum: None of the options seemed like the right one so I just picked a "developer" thinking they could help the most.


            Thank you for replying back and helping.

            • 3. Re: What is sualofw.exe used for?
              jeromiec83223024 Adobe Employee

              If you right-click on that file and choose Properties, is there a Digital Signatures tab?  If so, can you choose the item and hit Details and provide a screenshot?

              • 4. Re: What is sualofw.exe used for?
                pwillener Level 8

                RDawson wrote:


                C:\users\<my name>\AppData\LocalLow\Adobe\ppyrzfzevlgy\uphqqlhshmzg\sualofw.exe

                That is definitely not a place where any Adobe software would place anything, let alone an executable.


                You may have been tricked by a website (or local malware) into what appeared to be a Flash Player update, but in fact installed malware on your system.

                • 5. Re: What is sualofw.exe used for?
                  RDawson Level 1


                  Thank you.  See below.  Does it look OK?



                  See Digital Signatures above.  Do you think maybe those directories were temporary and since I canceled and restarted they didn't delete? 

                  I obviously can't go back and look, but the way I remember it was a typical upgrade alert from Adobe (reader or flash player).  I do have my settings set for it to ask me first.

                  Any suggestions about how to and if I should get rid of any of those directories?


                  What started all of this was some suspicious printing.  Saw this funny process running and looked it up.  Led us to Adobe as it's in that directory.  Looked at date and saw it was close to when I did the install, cancel and install.  We did full computer scans on all 3 computers on network.  We use Norton.  It did ask us to reboot to finish "security" stuff.  The good news is the process (the .exe) isn't running any more, but it concerns me that it's still there if it shouldn't be. 


                  Thank you again !!!!

                  • 6. Re: What is sualofw.exe used for?
                    jeromiec83223024 Adobe Employee

                    I have to be honest, I work on Flash Player and not the bundled software that gets included by our distribution team.  This stuff gets added downstream, so I don't know a lot about it personally.


                    I don't see any activity on C:\users\<user>\AppData\LocalLow\Adobe\ when doing the installation from http://get.adobe.com/flashplayer using Internet Explorer on Win7, when installing the optional Chrome Toolbar and Browser, and it's fairly common for malware (even when it has nothing to do with Flash) to stash files under Adobe directories, because they're almost universally present and it makes the exploit files look more legitimate.


                    If the file is malicious, it's highly unlikely that it came from our installer.  Our distribution mechanisms are tightly controlled, as are Google's.  The fact that the binary appears to have a valid Google signature issued by VeriSign is comforting, but I'd like to see the data in the Details and Certification Path tabs, just to make sure nothing is out of the ordinary.  If there's a root CA from Pakistan or something in the approval chain, that would be a good reason to dig deeply into this.


                    Just to be on the safe side, I'd highly recommend uploading the executable to virustotal.com.  It scans the file against a whole bunch of virus scanning engines, and they provide intelligence on new exploits back to the industry when new variants are discovered.  Please let me know what you find out.

                    • 7. Re: What is sualofw.exe used for?
                      RDawson Level 1


                      Thank you.  Do you think this is something I should pursue with Google?  I'll take a look at VirusTotal.  Thanks again.

                      • 8. Re: What is sualofw.exe used for?
                        jeromiec83223024 Adobe Employee

                        Can you just post the cert?  (Just hit CopyToFile on that certificate page).


                        Everything looks reasonably legit.  I'd just send it to VirusTotal to be safe.  If it matches any known signature, you'll get a hit.
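
The checks suggested in replies 3, 6 and 8 (Digital Signatures tab, Certification Path, a hash for VirusTotal) can be collected in one pass from PowerShell. This is an added example, not part of the original thread and not Adobe's tooling; the function name `Get-ExecutableTrustReport` is made up for illustration, and it assumes Windows PowerShell 4.0 or later (for `Get-FileHash`).

```powershell
# Added example: report signature, certification path and SHA-256 for every
# executable under a folder. The default folder is the one named in the thread.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'AppData\LocalLow\Adobe')
)

function Get-ExecutableTrustReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $cert = $sig.SignerCertificate

            # Rebuild the certification path (leaf first, root last), i.e. what the
            # "Certification Path" tab of the certificate dialog shows.
            $chainOk = $false
            $chainSubjects = @()
            if ($cert) {
                $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chainOk = $chain.Build($cert)
                $chainSubjects = $chain.ChainElements |
                    ForEach-Object { $_.Certificate.Subject }
            }

            [pscustomobject]@{
                File       = $file.FullName
                Created    = $file.CreationTime
                SigStatus  = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer     = if ($cert) { $cert.Subject } else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                ChainValid = $chainOk
                Chain      = $chainSubjects -join '  ->  '
                SHA256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
}

Get-ExecutableTrustReport -Root $Path | Format-List
```

A `SigStatus` other than `Valid`, or a chain that ends in an unexpected root, is the "out of the ordinary" case reply 6 describes. The `SHA256` value can be searched on virustotal.com before deciding whether to upload the file itself.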