On 4/5/2023 12:41 PM, RonTheGuy wrote:
"Adobe Refresh Manager" or ARM, an updater that can update itself.
The service is the evil bit that keeps it alive. Like malware would.
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
autoruns64.exe # lists stuff
Adobe Acrobat Update Task Adobe Reader and Acrobat Manager Adobe Inc.
c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe 2/1/2023 8:44 PM
AdobeARMservice Adobe Acrobat Updater keeps your Adobe software up to date.
Adobe Inc.
c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe 2/1/2023 8:43 PM
*******
Even the updater updates itself, judging by the date stamp.
The MSI is the installer for the Updater.
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Cache
Name: Arm_018244601042_3410575711391224984732579583162061827.msi
Size: 1058816 bytes (1034 KiB)
SHA1: E6E5E9F7B299A95983D5AC6D90BFEC8F3AD67D70
Title: Adobe Refresh Manager
The number 76E2369A-75BA-41F9-8B9E-16059E5CF9A6, you may find other bits of that (CLSID?)
elsewhere in the Registry. While this is part of the evil, this isn't necessarily all of it.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\Policy•#3•SZ
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppPath•[ARM_1.0]•SZ
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}\AppName•AdobeARM.exe•SZ
*******
https://www.ctrl.blog/entry/how-to-delete-adobearmservice.html
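rem Open an Administrator shell. You will be removing the executables, including the MSI file.
sc.exe stop AdobeARMservice
sc.exe delete AdobeARMservice
rem del only touches files directly inside the named folder; the binaries live in ARM\1.0, so remove the whole tree.
rmdir /s /q "%PROGRAMFILES(X86)%\Common Files\Adobe\ARM"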
Maybe that will cripple it a little bit, unless... Acrobat Reader installer
is run again. Then, it will come back of course. Like a skin disease.
Paul
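
Added example (not part of the original post): a read-only PowerShell check for the ARM pieces named above, useful for seeing whether they have come back after a Reader reinstall. The service name, task name, folder and GUID are taken from the post; the WOW6432Node registry view and the output layout are assumptions of this example.

```powershell
# Read-only audit of the Adobe ARM updater components listed in the post.
# Run elevated so the service and scheduled-task queries return everything.
$armDir = Join-Path ${env:ProgramFiles(x86)} 'Common Files\Adobe\ARM'
$guid   = '{76E2369A-75BA-41F9-8B9E-16059E5CF9A6}'
$sub    = "Microsoft\Internet Explorer\Low Rights\ElevationPolicy\$guid"
# Assumption: a 32-bit installer may write to the WOW6432Node view instead.
$polKeys = "HKLM:\SOFTWARE\$sub", "HKLM:\SOFTWARE\WOW6432Node\$sub"

$findings = @()

# 1. The service that keeps the updater alive (armsvc.exe).
$svc = Get-CimInstance Win32_Service -Filter "Name='AdobeARMservice'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Kind = 'Service'; Item = $svc.Name
        Detail = "$($svc.State) / $($svc.StartMode) / $($svc.PathName)" }
}

# 2. The scheduled task that Autoruns lists for adobearm.exe.
$tasks = Get-ScheduledTask -TaskName 'Adobe Acrobat Update Task' -ErrorAction SilentlyContinue
foreach ($t in $tasks) {
    $findings += [pscustomobject]@{ Kind = 'Task'; Item = $t.TaskPath + $t.TaskName
        Detail = "$($t.State) / $($t.Actions.Execute -join '; ')" }
}

# 3. Executables and cached MSI files, with SHA1 and Authenticode status.
if (Test-Path -LiteralPath $armDir) {
    Get-ChildItem -LiteralPath $armDir -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.msi' } |
        ForEach-Object {
            $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            $findings += [pscustomobject]@{ Kind = 'File'; Item = $_.FullName
                Detail = "SHA1=$sha1 / Signature=$sig / Modified=$($_.LastWriteTime)" }
        }
}

# 4. The IE ElevationPolicy entry carrying the same GUID.
foreach ($k in $polKeys) {
    if (Test-Path -LiteralPath $k) {
        $p = Get-ItemProperty -LiteralPath $k
        $findings += [pscustomobject]@{ Kind = 'Registry'; Item = $k
            Detail = "AppName=$($p.AppName) / AppPath=$($p.AppPath) / Policy=$($p.Policy)" }
    }
}

if ($findings) { $findings | Format-List }
else { 'No Adobe ARM components found.' }
```

Comparing the SHA1 and Modified values between runs shows when the updater has replaced its own binaries or MSI.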