Windows XP PostUpdate.exe

Taffycat

Crunchy Cat
Joined
Jun 1, 2006
Messages
12,581
Reaction score
1,055
PostUpdate.exe
Destination IP 63.88.212.82:DNS

The above tried to access the internet earlier, but was intercepted by Zone Alarm and then disallowed. I did a quick "Google" to see what it is and most of the returns came up with malware/spyware/a virus, etc. I then spotted a different icon sitting in the notification area, which "mousing" revealed as "Shockwave Updater." It doesn't respond to either a left or right click. I installed Shockwave quite recently, so would this be anything to do with the above?

Just for the record: SUPERAntiSpyware is always running, and this being the XP Pro PC, I have AVG and Zone Alarm. (KIS7 is on the Vista machine.) I ran CCleaner and cleared a bit of junk and did a full AVG system scan which came up clean.

Come to think of it, am I posting in the right area...? Apologies if this should have been in the Security section :blush: but I've convinced myself that this is probably Shockwave-related :)

Thank you for looking :D
 

Abarbarian

Acruncher
Joined
Sep 30, 2005
Messages
11,023
Reaction score
1,221
http://fileinfo.prevx.com/QQ436617083934-POST3774197/POSTUPDATE.EXE.html

http://www.runscanner.net/getprocess.aspx?process=postupdate.exe

http://www.runscanner.net/getmd5.aspx?md5=0F080B4DD0AC4895C6BC8A7EB92DD444&process=postupdate.exe

http://www.runscanner.net/getmd5.aspx?md5=83C922DC4BB3E408BFD5C8D15633025C&process=postupdate.exe

Hope that helps some.
 

Taffycat

Crunchy Cat
Joined
Jun 1, 2006
Messages
12,581
Reaction score
1,055
Hi Abarbarian, thank you for your reply :thumb: I have looked at each of your links, but noticed that each time they referred to "postupdate.exe" or "POSTUPDATE.EXE" instead of PostUpdate.exe...... I'm not trying to be picky, honestly :) but aren't certain files sort-of case-sensitive..?

I am desperately trying to remember an example that I read about ages ago, where if the name of the item contained a capital letter, it was a baddie, but if it appeared in lower case, it was okay... (or it might have been the other way around :rolleyes: )

By the way - that big-grin shouldn't have appeared where it says "Destination IP"; it was supposed to be 63.88.212.82 : DNS. Sorry, I didn't notice what had happened at the time I wrote it.

Thanks again for your reply :D
 

Abarbarian

Acruncher
Joined
Sep 30, 2005
Messages
11,023
Reaction score
1,221
Yep, yer right, PC stuff is usually case sensitive.

O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011

Is this the file you're having trouble with?? It seems to crop up in a lot of HijackThis logs that are posted on the net and does not seem to be a threat. One of the wise ones here will be able to tell you if it is or isn't, if it is indeed your mystery file.
 

Taffycat

Crunchy Cat
Joined
Jun 1, 2006
Messages
12,581
Reaction score
1,055
Ah thanks AB - I only saw the message that ZA threw up this morning. To be truthful, apart from running the scans, I've not tried to find the file (just in case I found it and accidentally "released" something that I shouldn't :rolleyes: ), if that doesn't sound too double-Dutch :D But I'm guessing that it must be Shockwave, which was the last thing I installed. :nod:
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
Hmmm, have I not taught you anything ... ;)

That "file" does spring up all over the 'tinternet as belonging to a Nastie: Malware AdSpider ... However, it is possible to be a genuine file.


How to remove Shockwave;

Click Start, Settings, Control Panel, Add or Remove Programs.
Look for either "Shockwave" or "Macromedia Shockwave Player" in the list, highlight it, then click "Remove". ;)


Do a search on your HD for PostUpdate.exe ... as Abarbarian said, if it is running from a legitimate source, then all can be well. Spelling, or capitalization, sometimes makes all the difference.


SO!

Please post a HJT log ... :thumb:
 

Taffycat

Crunchy Cat
Joined
Jun 1, 2006
Messages
12,581
Reaction score
1,055
Hellooo ... okay Mucks, I've uninstalled Shockwave (but how do I play the game that needed it? :D ) and have a HijackThis log for you .... By the way, the Java that appears on it was intentionally downloaded too, so will I get more lines and a detention :rolleyes: :D Just kidding, thank you for looking :thumb:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:48, on 12/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\BOINC\projects\www.worldcommunitygrid.org\wcg_hpf2_rosetta_5.18_windows_intelx86
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Diz\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{67A70A77-BDA7-475C-8D21-7205BD5EE152}: NameServer = 213.253.16.72 195.8.69.7
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8063 bytes
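The checks the thread walks through by hand (is the O2 BHO with "(no file)" an orphan, and is PostUpdate.exe running from the Macromed folder the replies call safe) can be applied mechanically to the O2/O4 lines of a log like the one above. The script below is an added example, not anything from the thread or from HijackThis; the sample lines are copied from the posted log except the last, which is a constructed, hypothetical entry. Because Windows file names are not case-sensitive, it compares paths case-insensitively rather than treating PostUpdate.exe and postupdate.exe as different files.

```python
import re
from typing import List

# Constructed sample log: the first four lines are copied from the HijackThis
# log posted above; the last O4 line is a constructed, hypothetical entry that
# points the same label at an unexpected location, to show the check firing.
SAMPLE_LOG = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [ZoneAlarm Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKCU\\..\\RunOnce: [SWHelper] "C:\\WINDOWS\\system32\\Macromed\\Shockwave 8\\PostUpdate.exe" 1014021
O4 - HKCU\\..\\Run: [SWHelper] "C:\\Documents and Settings\\Diz\\Local Settings\\Temp\\postupdate.exe"
"""

# Where the thread says the genuine Shockwave updater lives. Windows paths are
# case-insensitive, so the comparison below lower-cases both sides.
EXPECTED_LOCATIONS = {
    "postupdate.exe": "c:\\windows\\system32\\macromed\\",
}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")

def first_path(cmd: str) -> str:
    """Return the executable path at the start of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def triage(log_text: str) -> List[str]:
    """Return one finding per suspicious O2/O4 line; an empty list means clean."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            # A BHO entry with no backing file is orphaned; HJT can simply fix it.
            if m.group("target").strip().lower() == "(no file)":
                findings.append(f"orphaned BHO {{{m.group('clsid')}}}: no file on disk")
            continue
        m = O4_RE.match(line)
        if m:
            path = first_path(m.group("cmd"))
            exe = path.rsplit("\\", 1)[-1].lower()
            expected = EXPECTED_LOCATIONS.get(exe)
            # Only the known-name check is shown; unknown names are left alone.
            if expected and not path.lower().startswith(expected):
                findings.append(f"{exe} loaded from unexpected location: {path}")
    return findings
```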
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
Games!! PCs aren't for playing Games ... gawed, what is this world coming to ??


I err, was just pointing out where/how/what on the removal of Flash ... sorry, but anyway, when you reinstall, and, the same .EXE file pops up, you'll know what it is.

C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe ... this is safe. :thumb:




OK,

Nothing Nastie is on your system, I just wanted to be sure ... however, while we are here, maybe we should do a couple things. :D

Just get HJT to fix ...

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Have a cup of coffee & reinstall Flash err, I mean Shockwave, make sure you get the latest version.


TTFN

 

Taffycat

Crunchy Cat
Joined
Jun 1, 2006
Messages
12,581
Reaction score
1,055
How did you know it was coffee time :D I'd rather be safe than sorry Mucks, so I'm not complaining :p In fact, I'm giving myself a small pat on the back, because I spotted that O2 - BHO no file thingy and had a feeling that you'd advise me to fix it :nod:

Thank you for your help, it's much appreciated :D (and great to know there are no nasties lurking in the system too.)
 
