shockwave flash shocker


gbhall

I suddenly found a new icon in the running applications toolbar calling itself Shockwave Updater. I find the active program is PostUpdate.exe. If I click or right-click on it, nothing happens.

It is obviously something installed without the decency to ask me first, to do with Adobe Shockwave Flash, and I hate anyone assuming they know what is best for me!!!

I do a search for shockwave, and find I have mentions of Shockwave Flash all over the place for versions 8, 9 and 10. I run three browsers and all mention a Shockwave helper in the add-ons, mostly version 9, but I am intensely annoyed that I am not able to remove something I don't want.

I appreciate Shockwave is a must for certain silly websites that insist on wasting my precious bandwidth, but I want to at least get rid of the old rubbish and decide for myself what I allow to run!!

Can anyone point to a utility that actually lets me control this nonsense?
 
postupdate.exe is malware.

http://www.file.net/process/postupdate.exe.html
Description: PostUpdate.exe is located in a subfolder of C:\Windows\System32. Known file sizes on Windows XP are 49152 bytes (30% of all occurrences), 13824 bytes, 13312 bytes, 19968 bytes.
PostUpdate.exe is a file without information about the maker of this file. PostUpdate.exe is not a Windows core file. The program is not visible. It is located in the Windows folder, but it is not a Windows core file. PostUpdate.exe is able to manipulate other programs. Therefore the technical security rating is 64% dangerous.
 
Your system is infected with malware.

I have therefore moved this thread to our S&W forum.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

This thread is for the use of gbhall only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Working on it!

Howard, your anti-this-and-that posts are awesome, and I am certainly going to work my way through it. On a dial-up line, this is going to take hours, and I will not be finished for some days.

At this time, I would say I am not at all sure I am actually infected, because:

I always run with ZoneAlarm on.
I always run with AVG 7.5 on.
I always install the latest MS security patches.
I always update AVG before starting any browser.
The symptom of finding PostUpdate.exe running followed (if memory serves me right) a visit to a BBC local radio site, where some of the content specifically stated it required Macromedia Flash, and I would not let it start updating my current version.
Following this, I found C:\windows\system32\macromed\shockwave 10 was empty except for this PostUpdate.exe.
I deleted that and did a system restore to before the above event, whereupon shockwave 10 re-filled with DLLs etc.
I often run, and also in the last 2-3 days have run, CCleaner and Spybot Search & Destroy, with negative results.
I just ran the Panda rootkit deep scan with zero results.
Trend HouseCall is running as I write, and so far only mentions a vulnerability in the WordPerfect converter.

I will update as results continue.

Some problems were caused by the fact that your post about how to remove things is now a little outdated, and things mentioned are no longer there, but I have done my best with the latest versions (for example, Ad-Aware is now Ad-Aware 2007, HijackThis is v2.0.2, and so on).

It turns out I had Norton 2003 still running with script blocker and so on, despite not having updated it for years (the remaining features still being so useful; for example, all the utilities are regularly used).

The three tools were a puzzle until I realised I long ago updated my system to use command.com instead of cmd.exe for its DOS interpreter, chiefly because command.com works in many, many areas where cmd.exe does not.
None of the tools work properly under command.com, and one of the things you got me to use has now actually put it back to cmd.exe!!

AVG Anti-Spyware was disappointing in that there is no control over which drives it should test, and I was forced to cancel it after several hours when it was well into drives that have nothing to do with Windows, and I needed to get some sleep....

All in all, nothing seems to have been found of any significance; Spybot S&D actually congratulated me on not having any infections, but we'll see. Attached logs, excluding AVG Anti-Spyware, which did not offer a save button, since I had to cancel it as reported above. At that point it mentioned nothing at all except the usual tracking cookies from reputable websites, all of which I know about, such as New Scientist.
 
gbhall said:
At this time, I would say I am not at all sure I am actually infected, because......

The only way to never become infected is to never connect to the net.

gbhall said:
The symptom of finding PostUpdate.exe running followed (if memory serves me right) a visit to a BBC local radio site, where some of the content specifically stated it required Macromedia Flash, and I would not let it start updating my current version.

Even the Microsoft website has been hacked.
Sometimes the hacker(s) do it just to show they can.
But sometimes they do it to add malicious content to infect users.

News and radio sites are a popular target for this as they have a lot of traffic.
 
As Evilfantasy quite rightly said, postupdate.exe is malware.

Therefore your system is infected.

Whether you have any other infections will only become clear, once we have your log files.

Regards Howard :)

 
Not only, but also...

evilfantasy said:
The only way to never become infected is to never connect to the net.

Even the Microsoft Website has been hacked.

News and radio sites are a popular target for this as they have a lot of traffic.


Just as you say, EvilFantasy (and I am emphatically not taking a pot shot at you here), my version of your post would have been 'Even the Microsoft website - being hosted on Windows servers of course - has been hacked'.

This is what we are up against. Hopefully, the more enlightened websites are hosted on Linux, or even better, Unix servers. Let us all pray that this common sense can get home enough to break the hopeless situation we are in today, where far too much of everyone's time and effort has to be devoted to protecting one's computer.
 
Why did you decide to attach your log files to an old post, instead of your last one? I nearly missed them.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the green light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Please let us know if you`re still having problems.

Regards Howard :)

 
New AV logs

Sorry Howard, I did append my logs to my last post, but should have realised it would be better to add a new post. Here are my latest log files following your test request.


As to whether I still have problems, the answer is 'maybe not'. The original weird active program PostUpdate.exe I just deleted, then went back to a previous system restore. It has not reappeared. Nothing has been found by all the tests you required that makes sense to me, and nothing is odd except that at startup, two applications start, run for a couple of minutes and then stop. I am aware they all could be viruses.....

wuaudt.exe wmiprvse.exe

wuaudt.exe starts and continues to run as a service.

Following the installation of the latest AV checks, there are of course also a number of avg...exe services that were not there before, plus aawservice.

I am full of admiration and gratitude for your efforts to help, and am all agog to learn if there ever was, or still is, any infection.

many thanks Howard.

regards
 
wuaudt.exe and wmiprvse.exe are both legit files and are safe.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programs in your control panel and uninstall anything to do with the following (if there).

SearchWin

Close control panel.

Run HJT with no other programs open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/archivepix.html

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or folders (if there).

C:\Program Files\SearchWin

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard :)

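The HijackThis fix list above is worth understanding rather than just ticking: the three O2 entries are BHO registrations whose DLL is gone ("(no file)"), which is dead weight rather than an active infection, while the original PostUpdate.exe sat in a subfolder of System32, exactly the location file.net flagged earlier in this thread. The script below is an added example (not part of this thread and not a HijackThis or TechSpot tool) that triages HJT-style log lines with those two rules plus a start-page notice. The sample log is constructed: the R0 and O2 lines are the ones Howard listed, the PostUpdate O4 line is an assumption of what its autorun entry could have looked like, and the remaining CLSID and paths are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (raw string so the single backslashes survive).
# The O4 PostUpdate line and the last two entries are assumptions, not
# lines taken from the user's real log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/archivepix.html
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Placeholder Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Placeholder\helper.dll
O4 - HKLM\..\Run: [PostUpdate] C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O2" or "O4"
    severity: str  # "info", "low" or "high"
    reason: str
    line: str


_ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
_BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
_RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# First ".exe" token, with or without surrounding quotes; arguments follow.
_EXE_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def _exe_path(command: str) -> Optional[str]:
    """Pull the executable path out of an autorun command line."""
    m = _EXE_RE.match(command.strip())
    return m.group(1) if m else None


def _suspicious_location(path: str) -> Optional[str]:
    """Heuristic: autorun binaries in a *subfolder* of System32 or in a temp
    directory are unusual; files directly in System32 are common and ignored."""
    p = path.lower().replace("/", "\\")
    marker = "\\windows\\system32\\"
    if marker in p and "\\" in p.split(marker, 1)[1]:
        return "autorun executable in a subfolder of System32"
    for d in ("\\temp\\", "\\temporary internet files\\"):
        if d in p:
            return "autorun executable in a temporary directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify HJT-style lines: R0/R1 pages (info), orphaned BHOs (low),
    autoruns from odd locations (high). Unknown sections are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1"):
            findings.append(Finding(section, "info",
                "browser start/search page is set; confirm the user chose it", line))
        elif section == "O2":
            b = _BHO_RE.match(body)
            if b and b.group(3).strip().lower() == "(no file)":
                findings.append(Finding(section, "low",
                    f"orphaned BHO registration '{b.group(1)}' (no file on disk); safe to fix", line))
        elif section == "O4":
            r = _RUN_RE.match(body)
            if not r:
                continue
            exe = _exe_path(r.group(4))
            why = _suspicious_location(exe) if exe else "autorun command has no .exe path"
            if why:
                findings.append(Finding(section, "high",
                    f"autorun [{r.group(3)}] -> {exe}: {why}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:5} {f.section} {f.reason}")
```

Run against the constructed log it reports one high finding (the PostUpdate autorun under System32\Macromed), three low ones (the orphaned BHOs) and one informational start-page line; the AVG autorun and the BHO that still has its DLL are left alone. The location rule is a heuristic, not proof of infection: it tells you which file to hash and submit for scanning, which is the step file.net's size-and-location description stands in for.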
 
5 objects removed

Thanks for that Howard, latest logs attached.

Notes on the five objects...
SearchWin - installed by me as it provided certain improvements over standard Windows search for a specific job. I only used it once and should have de-installed.

IE start page apod\archivepix installed by me - it is something I visit every day. I don't actually use IE except for those sites that refuse to do things unless it IS IE (e.g. Microsoft Update). I like Avant Browser, which uses the IE internals, but provides an infinitely superior interface.

Yahoo helper toolbar you can't avoid picking up if you cannot resist checking out the fuss over google earth.

IeCaptureBHO - don't know about.

NAV helper object - I would think part of Norton AV of 2003.

There is lots of rubbish I would like to be rid of installed by all the universal applications you have to have, like acrobat and so on. I always try to defeat these things from phoning home, sometimes without success.

I always keep Windows update switched off, because I get emailed about monthly updates from both MS and CERT advisory, and I like to let everyone else find the bugs for a couple of days before I give myself grief by installing them. To be fair, MS updates seem much better these days, but I download them from work instead of wasting my phone line over dozens of Mb.

Regards to you Howard, if there's anything I could do in return....
 
Run the Avenger again, but use the avengerscript that is attached to this post.

Post the c:\avenger.txt as well as a fresh Combofix log.

Regards Howard :)

 
Maybe a missing instruction line?

Did as asked with Avenger, and the log of Combofix showed the things still there. I deduced you maybe forgot to add an instruction to set hidden and system files visible before running Avenger, so I set that and repeated Avenger and Combofix, with what looks like the correct values. Is that so?

regards

david
 
I have removed your previous Combofix log. Maybe you'll now be able to attach the fresh one.

Edit: Since you're having problems attaching your Combofix log, I have removed them all from your previous posts in this thread. If that still doesn't help, please feel free to copy and paste it and I'll remove it once we're done with it.

Regards Howard :)
 
All clean mate.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Many, many thanks for that - what an effort!

Was there anything there really?

Any thoughts on registryboosterplc.exe? Supposed to look for nasties too, especially those which masquerade under legit MS names....

Well, I'm signing off now, to make a new image whilst things are looking good...

all the best Howard

regards

David
 
Take a look at this post HERE and decide for yourself what you think of registryboosterplc.exe. If you've still got it, I suggest you get rid of it asap.

Regards Howard :)

 
I have not downloaded it; I just ended up on the rather nice-looking site every time I researched wuaudt.exe, wmiprvse.exe and wuaudt.exe.

The self-promotion followed by a paid version makes complete sense. Doesn't mean it would not work, though!
 
No, it doesn't mean it wouldn't work, but there are far better alternatives out there. To be honest, CCleaner is one of my favourite applications and best of all it's free.

Regards Howard :)
