

postupdate.exe


6 replies to this topic

#1 OFFLINE   mikeb

    Advanced Member

  • Members
  • 79 posts

Posted 21 September 2007 - 04:05 AM

Attached File  shockwaveupdater_icon.bmp   13.14K   5 downloads

So this thing (^ see pic) appeared in my menu bar when I turned my computer on today seeking to get on the internet. Um, basically I searched to see what it was. Some say it's spyware, some say it's legit. Found a program called PrevX that was recommended to remove it but didn't, so I uninstalled Shockwave 10 and the little bugger is still in the folder.

Can you guys check if you have it? C:\WINDOWS\system32\Macromed\Shockwave 10

It's actually called "PostUpdate.exe". In the tray, when you hover over it, it says "shockwave updater". Left or right clicking does nothing, maybe because I stopped it using ZoneAlarm.

Suggestions?

Thanks

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 September 2007 - 06:32 AM

Hi Mike,

It's likely just an updating component from Shockwave, but I don't have it installed to confirm it. Try using Task Manager to end the process (right-click the taskbar and choose Task Manager), then have it scanned at VirusTotal if you're suspicious about it.

http://www.virustotal.com

Assuming it's clean then it should be easy enough to delete once it's stopped running, and then maybe reinstall Shockwave if it's something you need and see if it's included in the install.

Andy

#3 OFFLINE   mikeb


Posted 21 September 2007 - 09:55 PM

AndyManchesta, on Sep 20 2007, 11:32 PM, said:

Hi Mike,

It's likely just an updating component from Shockwave, but I don't have it installed to confirm it. Try using Task Manager to end the process (right-click the taskbar and choose Task Manager), then have it scanned at VirusTotal if you're suspicious about it.

http://www.virustotal.com

Assuming it's clean then it should be easy enough to delete once it's stopped running, and then maybe reinstall Shockwave if it's something you need and see if it's included in the install.

Andy

Ok I had it checked and it came out clean, but I'm still not sure of its authenticity. If I just delete the postupdate.exe after ending its process won't the parts that have it come up in the tray at start up be left over?

#4 OFFLINE   AndyManchesta


Posted 21 September 2007 - 10:06 PM

I doubt it if you have removed Shockwave, as that should have removed any related registry entries. I'll install Shockwave myself a bit later and let you know.

Andy

#5 OFFLINE   AndyManchesta


Posted 23 September 2007 - 08:43 AM

Hi Mike,

I installed Shockwave earlier but it didn't add the postupdate file, but it may have been added by an older version of Shockwave or may come as part of an additional plugin that you installed. There's really nothing to suggest the file isn't legit, and if it was running on your system it would only have a RunOnce value like this:

O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020

So when it runs after the next reboot the reg entry removes itself. If it was malicious in any way then it would use other areas to start up so it runs every time Windows starts rather than just the once, so maybe it was running when you attempted to remove Shockwave and it wasn't able to delete that file as it was in use.

There's also a topic here that shows it was detected by some AVs at one stage but was a false detection:

http://www.wildersse...ad.php?t=158975


Cheers

Andy
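The RunOnce-versus-Run distinction described in the post above, as an added example that is not part of the original thread: a small parser for HijackThis-style O4 registry lines that marks each autostart entry as one-shot or recurring. The first sample line is the one quoted in the post; the `ExampleAgent` and `ExampleTemp` entries and the Startup line are constructed. It classifies the autostart mechanism only and says nothing about whether the file itself is trustworthy.

```python
import re

# Registry autostart entry as HijackThis prints it:
#   O4 - <hive>\..\<key>: [<value name>] <command line>
# Only HKLM/HKCU registry lines are handled; other O4 forms are skipped.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+): '
    r'\[(?P<name>[^\]]*)\] (?P<command>.+)$'
)

def image_path(command):
    """Executable path from a command line (unquoted paths with spaces are ambiguous)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(' ', 1)[0]

def parse_o4(line):
    """Parse one O4 registry line into a dict, or return None if it is not one."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    # Windows deletes RunOnce-style values when it processes them, so they
    # fire once; Run-style values launch at every logon until removed.
    entry['one_shot'] = 'once' in entry['key'].lower()
    entry['image'] = image_path(entry['command'])
    return entry

def triage(log_text):
    """Parsed O4 registry entries, in log order."""
    parsed = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None]

# First line is the entry quoted in the post; the rest are constructed samples.
SAMPLE_LOG = r'''
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020
O4 - HKLM\..\Run: [ExampleAgent] "C:\Program Files\Example\agent.exe" /background
O4 - HKCU\..\Run: [ExampleTemp] C:\Temp\example.exe
O4 - Startup: Example.lnk = C:\Example\app.exe
'''

if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        kind = 'one-shot' if e['one_shot'] else 'every logon'
        print(f"{e['hive']} {e['key']:8} {kind:12} {e['name']}: {e['image']}")
```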

#6 OFFLINE   mikeb


Posted 25 September 2007 - 03:46 AM

AndyManchesta, on Sep 23 2007, 01:43 AM, said:

So when it runs after the next reboot the reg entry removes itself. If it was malicious in any way then it would use other areas to start up so it runs every time Windows starts rather than just the once, so maybe it was running when you attempted to remove Shockwave and it wasn't able to delete that file as it was in use.

Thank you for the clarification. I ended up renaming it, rebooting, it didn't come back up so I 'shredded' it. I never considered that it may have been left over since it was running when I removed shockwave. But hey, all in all, better safe than sorry.

Thanks so much Andy!

#7 OFFLINE   AndyManchesta


Posted 25 September 2007 - 02:42 PM

You're welcome :)

I agree it's better to be safe than sorry and I'm glad you managed to eventually get it removed.

Cheers