Full Version: postupdate.exe
mikeb

So this thing (^ see pic) appeared in my menu bar when I turned my computer on today seeking to get on the internet. Um, basically I searched to see what it was. Some say it's spyware, some say it's legit. Found a program called PrevX that was recommended to remove it but didn't, so I uninstalled Shockwave 10 and the little bugger is still in the folder.

Can you guys check if you have it? C:\WINDOWS\system32\Macromed\Shockwave 10

It's actually called "PostUpdate.exe"; in the tray, when you hover over it, it says "shockwave updater". Left or right clicking does nothing, maybe because I stopped it using ZoneAlarm.

Suggestions?

Thanks
AndyManchesta
Hi Mike,

It's likely just an updating component from Shockwave, but I don't have it installed to confirm it. Try using Task Manager to end the process (right-click the taskbar and choose Task Manager), then have it scanned at VirusTotal if you're suspicious about it.

http://www.virustotal.com

Assuming it's clean, then it should be easy enough to delete once it's stopped running, and then maybe reinstall Shockwave if it's something you need and see if it's included in the install.

Andy
mikeb
QUOTE(AndyManchesta @ Sep 20 2007, 11:32 PM)
Hi Mike,

It's likely just an updating component from Shockwave, but I don't have it installed to confirm it. Try using Task Manager to end the process (right-click the taskbar and choose Task Manager), then have it scanned at VirusTotal if you're suspicious about it.

http://www.virustotal.com

Assuming it's clean, then it should be easy enough to delete once it's stopped running, and then maybe reinstall Shockwave if it's something you need and see if it's included in the install.

Andy


OK, I had it checked and it came out clean, but I'm still not sure of its authenticity. If I just delete the postupdate.exe after ending its process, won't the parts that have it come up in the tray at startup be left over?
AndyManchesta

I doubt it if you have removed Shockwave, as that should have removed any related registry entries. I'll install Shockwave myself a bit later and let you know.

Andy
AndyManchesta
Hi Mike,

I installed Shockwave earlier but it didn't add the postupdate file, but it may have been added by an older version of Shockwave or may come as part of an additional plugin that you installed. There's really nothing to suggest the file isn't legit, and if it was running on your system it would only have a RunOnce value like this:

O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020

So when it runs after the next reboot the reg entry removes itself. If it was malicious in any way then it would use other areas to start up so it runs every time Windows starts rather than just the once, so maybe it was running when you attempted to remove Shockwave and it wasn't able to delete that file as it was in use.

There's also a topic here that shows it was detected by some AVs at one stage but was a false detection:

http://www.wilderssecurity.com/showthread.php?t=158975


Cheers

Andy
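The RunOnce-versus-every-boot distinction in the post above, as an added example that is not part of the original thread: a small Python parser that reads HijackThis-style O4 lines and separates one-shot entries from persistent ones. The function names are hypothetical, and every sample line except the SWHelper entry quoted in the post is constructed.

```python
import re

# Registry form: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_REG = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Startup-folder form: "O4 - Startup: ..." or "O4 - Global Startup: ..."
O4_FOLDER = re.compile(r"^O4 - (?P<scope>(?:Global )?Startup): (?P<cmd>.+)$")

# Keys whose values are removed once they have been executed.
ONE_SHOT_KEYS = {"runonce", "runservicesonce"}


def classify_o4(line):
    """Describe one O4 line; return None for anything this parser does not cover."""
    line = line.strip()
    m = O4_REG.match(line)
    if m:
        key = m.group("key")
        lifetime = "one-shot" if key.lower() in ONE_SHOT_KEYS else "persistent"
        return {"location": f"{m.group('hive')}\\{key}", "name": m.group("name"),
                "command": m.group("cmd"), "lifetime": lifetime}
    m = O4_FOLDER.match(line)
    if m:
        return {"location": m.group("scope"), "name": None,
                "command": m.group("cmd"), "lifetime": "persistent"}
    return None


def persistent_entries(log_text):
    """Entries that start at every boot or logon: the ones to review first."""
    parsed = (classify_o4(l) for l in log_text.splitlines())
    return [e for e in parsed if e and e["lifetime"] == "persistent"]


# First line is the entry quoted in the post; the rest are constructed samples.
SAMPLE_LOG = r'''
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1014020
O4 - HKLM\..\Run: [ExampleAgent] "C:\Program Files\Example\agent.exe" /tray
O4 - Global Startup: Example Tool.lnk = C:\Program Files\Example\tool.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
'''

if __name__ == "__main__":
    for entry_line in SAMPLE_LOG.strip().splitlines():
        print(classify_o4(entry_line))
```

A one-shot result only describes how the entry is launched; it says nothing about whether the file it points to is trustworthy.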
mikeb
QUOTE(AndyManchesta @ Sep 23 2007, 01:43 AM)
So when it runs after the next reboot the reg entry removes itself. If it was malicious in any way then it would use other areas to start up so it runs every time Windows starts rather than just the once, so maybe it was running when you attempted to remove Shockwave and it wasn't able to delete that file as it was in use.


Thank you for the clarification. I ended up renaming it, rebooting, it didn't come back up so I 'shredded' it. I never considered that it may have been left over since it was running when I removed shockwave. But hey, all in all, better safe than sorry.

Thanks so much Andy!
AndyManchesta

You're welcome

I agree it's better to be safe than sorry and I'm glad you managed to eventually get it removed

Cheers