tankace

AdobeARM_1824406920[1].msi and BITXXXX.tmp


Hello folks,

Forgive me in advance, I don't know that much about computers.

For the past 3 days at startup Immunet has flagged and quarantined these two files as malware. One has the same exact file name each time, the other is a variation of the same file name. But they seem to be going into the same respective folder paths.

 

1.  File Name=AdobeARM_1824406920[1].msi      File Path=C:\users\Username\AppData\Local\Microsoft\Windows\INetCache\IE\7JNV5UH\AdobeARM_1824406920[1].msi   (note: this is typed in vs. cut and paste)

2.  File Name=BIT6270.tmp  or variation BITXXXX.tmp    File Path=C:\users\Username\AppData\Local\Adobe\ARM\S\BIT6270.tmp

So the question is: are these real viruses (malware)? Or is it a false positive?

If they are, it seems like someone or something is trying to install it at startup every day; how do I stop it?

If they are not, it seems then that Adobe is trying to install something; what is it that they are trying to install, and why?

Thanks. 

 


Hi Tankace!

First run a full system scan with ClamAV on. I would also scan with Defender.

What AVs do you have, or is Immunet your main? Is Defender flagging anything?

Those files do look suspicious, but could be false positives. Since these are copy and paste I can't dive into the files much. Try uploading the files to VirusTotal, https://www.virustotal.com. It's a drag and drop site and it's easy to get a good idea if it's bad or not. After you do that we should know more about whether it's a true threat or a false positive.

What's your OS, i.e. Win7 or 10? Pro or Home version?

Are you using Internet Explorer? The reason I ask is the first file path with INetCache/IE looks like a toolbar has installed itself in IE.

Why it seems to install when you start your system is most likely because it is set to start automatically when you turn on your computer. You can disable this in a few ways, but the easiest is to go to Task Manager -> Startup tab -> find the program, select it, and at the bottom right hit Disable. With that said, if it's malware it may hide itself from being seen.

Sorry if this seems like a quick response; it's a very busy day for me, but I will help where I can :)

Let me know what virusTotal says so I can help with what needs to be done next.

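As an added example that is not part of the reply above or of the original post: a short PowerShell check to run against a flagged file while it is still on disk (before Immunet quarantines it, or after restoring it into a folder from which nothing is executed). It records the SHA256, so the file can be looked up on VirusTotal by hash rather than uploaded, and reads the Authenticode signature, since a genuine Adobe updater MSI is signed by Adobe. The hash-lookup URL format and the assumption that the file is still at the quoted path are this example's, not the thread's. A BITnnnn.tmp file is an in-progress BITS download and will show as NotSigned until the download completes, so only the finished .msi is worth judging by its signature.

```powershell
# Added example (not from the thread): hash and signature check for a file an AV has flagged.
# Assumes the file is still present at $Path; a quarantined file is no longer at its original path.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # e.g. C:\Users\<you>\AppData\Local\Microsoft\Windows\INetCache\IE\...\AdobeARM_xxx.msi
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path (quarantined files are moved out of their original folder)"
    return
}

# SHA256 lets you look the file up on VirusTotal without uploading it.
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256

# Authenticode status: a genuine Adobe installer should be 'Valid' with an Adobe signer;
# 'NotSigned' on a BITnnnn.tmp just means the download was still in progress.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

[pscustomobject]@{
    Path            = $Path
    SHA256          = $hash.Hash
    SignatureStatus = $sig.Status                      # Valid / NotSigned / HashMismatch / ...
    Signer          = $sig.SignerCertificate.Subject   # $null when unsigned
    # Assumption of this example: VirusTotal's per-file page is keyed by the lowercase SHA256.
    VirusTotalUrl   = "https://www.virustotal.com/gui/file/$($hash.Hash.ToLower())"
}
```

Run it as `.\Check-FlaggedFile.ps1 -Path 'C:\...\AdobeARM_1824406920[1].msi'` (the script name is arbitrary). A valid signature from Adobe plus a VirusTotal page where only one engine fires is the usual shape of a false positive; a file with no signature or a signer you do not recognise, or one the hash lookup has never seen, deserves the upload and a closer look before you restore it anywhere.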

ok this is what I did,

 

Ran a full scan with Immunet (I only have Immunet, but I made sure ClamAV was on). I don't have Defender because my understanding is that you have to delete Immunet to install Defender to run it (not sure of the exact way to do that correctly, so I will hold off on doing that for now and will wait for a response from you all).

 

The full scan on Immunet flagged 74. 72 were like the first one, the 2 like the 2nd one. I restored one of the files like the 1st one and dropped it into www.virustotal.com,

and only ClamAV detected it out of 60 other engines (please see pic).

What do you folks think, do we have a false positive???

 

Also some of the Adobe files were listed from months ago. I am pretty sure I ran an Immunet full scan more often than that. I am pretty sure I ran an Immunet full scan last week if not the week before.

Any help will be appreciated.

 

The other question is, in Immunet if a file is quarantined it disappears from the file-path tree, so for me I cannot drop the file into virustotal.com unless I restore the file. Is there a way I can drop the file into VirusTotal when it is in quarantine from Immunet???

 

PS: I use Firefox and I have Windows 10. Thanks.

virus.PNG


Hi tankace,

I deleted your topic in the General section of the forum. Please refrain from posting duplicate topics in different locations as it's against forum rules. No biggie though & with that said...

Ordinarily I would recommend you submit those files to Immunet's False Positive URL but to my knowledge it's still not functional at this time. 

One option at your disposal & since it's a ClamAV detection would be to submit your findings directly to the folks at ClamAV at this URL. http://www.clamav.net/contact

Scats's idea to use Virustotal to check the files & you adding the screen grabs was a good one! I would venture to guess these are False Positives.

AdobeARM is used for auto-updating Adobe Reader & Acrobat Manager but if you 'manually update' to new builds yourself (which I would recommend) you really don't need to use ARM anyway.

Best wishes, Ritchie....


Thanks ritchie!

 

Tankace,

Thanks for the pic upload from VT. Since no other AVs have flagged it I would agree with ritchie and say it's a FP. I wish Immunet's FP upload was working :(

Stay safe. 

 

 


Thanks Scats and ritchie58. Two new files were flagged today at startup; they are the same type or same configuration as I mentioned before.

Also, what is the best way to get a file that is already in Immunet quarantine to load into either virustotal.com or http://www.clamav.net/contact, because if it is in quarantine I don't see the file in my file path folder anymore (I can restore it, but then I may have released a potential virus).

Also can you folks point me to an article on how to change Adobe Reader and Acrobat Manager to manual update.

thanks


Under those circumstances it would be nice if Immunet had a Copy & Paste feature for quarantined files. This idea to include this feature in a future build has been suggested in the past actually.

What you could do is click on the word Quarantine located below & to the right of the History tab on the UI and in the right side Details dialog box write down the exact malware definition name & file path for the file(s) in question & manually type it in.

Here's how to disable AdobeARM with Win 10.

Click on the Search app -> type exactly msconfig in the Search bar and click on the System Configuration app to launch msconfig.exe -> click on the Startup tab, depending on your version of Win 10 you may be directed to Task Manager to do this -> uncheck any file names that end in adobeARM.exe -> click Apply -> reboot your computer and that should disable ARM.

Just don't forget to check for any new builds for Adobe Reader or Acrobat Manager from time to time & manually update yourself. That is important as new builds can sometimes contain security/exploit vulnerability fixes.

Cheers, Ritchie...


Ritchie,

 

I am pretty sure I am doing that. See pic below. "File Path" is listed on the right, unless I am missing something. When I type in the path it says the file cannot be found (I think it is because it is in quarantine). Now I can restore it and the file will be there. But then I have just put back a potential virus, right? Is there a better way? Or am I misunderstanding what you are saying?

 

Regarding unchecking adobeARM.exe: I went into Task Manager. I went into Startup and got this (see pic). I don't see adobeARM.exe. Any suggestions??? I guess it is not that important if we still think it is not a virus, but I would still like to know what is going on. Is it as simple as Adobe trying to look for updates at every startup, Immunet blocking it, and Adobe trying again and loading more files at the next startup? But if that is the case I would sure like to know how to turn off Adobe looking for updates, if that is what is happening.

file path in immunet.PNG

Task Manager Start Up.PNG


That shows that ARM is not a dedicated startup program! I bet it is launched when you start Reader or Acrobat. It phones home, so to speak, to see if any new builds are available.

Try starting Reader and then check Task Manager. Click on the Processes tab to see if you find anything in "Background processes" related to ARM.

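The two replies above (the msconfig/Startup-tab procedure for disabling ARM, and the suggestion to check Task Manager's Processes tab after launching Reader) both come down to finding where AdobeARM is launched from. As an added example that is not from either poster, here is a PowerShell sweep of the places a Windows updater is usually hooked in: the Run registry keys (what the Startup tab shows), scheduled tasks and services (which the Startup tab does not show, and which is why an updater can be absent from that list yet still run), and the current process list. The name pattern (`AdobeARM`, `armsvc`, `Acrobat Update`) is an assumption about typical Adobe installs, not something stated in the thread; adjust it if your system names things differently.

```powershell
# Added example (not from the thread): list every launch point that matches an updater name pattern.
# Assumption: Adobe's updater shows up under names containing AdobeARM, armsvc or "Acrobat Update".
$pattern  = 'AdobeARM|armsvc|Acrobat Update'
$findings = @()

# 1. Classic Run keys: this is what msconfig / Task Manager's Startup tab enumerates.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match $pattern } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Source = "Run key $key"; Name = $_.Name; Detail = $_.Value }
        }
}

# 2. Scheduled tasks: not shown on the Startup tab, a common place for updaters.
Get-ScheduledTask |
    Where-Object { $_.TaskName -match $pattern -or (($_.Actions.Execute) -join ' ') -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Source = 'Scheduled task'; Name = $_.TaskName
            Detail = "$($_.State); runs $(($_.Actions.Execute) -join ' ')"
        }
    }

# 3. Services: also invisible on the Startup tab.
Get-Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Source = 'Service'; Name = $_.Name
            Detail = "$($_.Status); start type $($_.StartType)"
        }
    }

# 4. Whatever is running right now: run this after opening Reader to catch an on-demand launch.
Get-Process |
    Where-Object { $_.ProcessName -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Source = 'Running process'; Name = $_.ProcessName
            Detail = "PID $($_.Id); $($_.Path)"
        }
    }

if ($findings.Count -eq 0) { "No launch points matched '$pattern'." }
else { $findings | Format-Table -AutoSize }
```

Whatever the sweep reports is what the Startup tab could not show you. A matching scheduled task is turned off with `Disable-ScheduledTask -TaskName '<name>'` and a service with `Set-Service -Name '<service>' -StartupType Disabled`, both from an elevated PowerShell prompt. If the only hit is a running process that appeared after you opened Reader, the updater is launched on demand by Reader itself, as the last reply suspects, rather than at boot. Disabling it stops the daily download attempts that Immunet keeps flagging, but it also means you own the job of installing new Reader builds by hand.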
