Hi, I have Vista x64 and a few moments ago I was loading a website in Firefox 3.6.3 that used Flash and Spybot popped up stating it had encountered and terminated a process that is listed as malicious. I selected the default "Inform me again" and "Delete the associated file."

Looking in the Resident log file afterwards I see:

9/04/2010 10:27:01 PM Allowed (based on user decision) value "Shockwave Updater" (new data: "C:\Windows\SysWOW64\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100458 -Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)") added in System Startup user entry!

19/04/2010 10:27:01 PM Encountered and terminated WhenU.Search in C:\Windows\SysWOW64\Adobe\SHOCKW~1\SWHELP~1.EXE!

19/04/2010 10:27:05 PM Allowed (based on authenticode whitelist) value "Spybot - Search & Destroy" (new data: ""C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!

I know Spybot appears whenever there's a Shockwave update which would explain the "SWHELP~1.EXE -Update" etc, as it's done this before, but I have never had 'WhenU.Search' appear in this file before, nor can I find any trace of it elsewhere.

Since it only appears to be attached to this new update file could it merely be part of the update?

Just a note to say I did a scan of the system using Spybot (I cancelled the automatic one that became scheduled, as for whatever reason it was scanning incredibly slowly and would have taken about 10 hours) and there is nothing popping up in regards to this problem or anything else, a cookie or two aside, so I really don't think this is my side specifically. You would think if Spybot detected the 'WhenU.Search' malware it would also locate it in the proper locations. It also seems too odd that the file wishing to update Shockwave (which is an OLD, OLD version admittedly) also happens to be the one with a specific piece of malware all of a sudden.

I actually kept a copy of the file in question (I didn't want to be too rash having Spybot delete it originally) and scanning it with Spybot's context menu, Malware Bytes and AVG Free yields nothing - it seems as fine as every other file.

Any suggestions? I shall do a full scan tonight using AVG, Malware Bytes, and SUPERAntiSpyware but I honestly don't expect to find anything out of the norm. Perhaps it's a false positive or just a glitch, I don't know.

Sorry to bump this again. Just to say I've done AVG, MalwareBytes and SUPERAntiSpyware scans (on top of Spybot's previously, of course) and as I suspected, nothing is being detected.