
Downloaded Program Files,



#1 razzell2

  • Members

Posted 31 December 2008 - 11:07 AM

I have a Downloaded Program File entry, that has "unknown status", no creation date, and it says "none" under Last Accessed.

It does claim to be 4 KB in size.

This program file has no name, but instead, is a grouping of numbers and letters, all enclosed in parentheses..{}.

Highlighting it, and right clicking it only brings up the properties of the entry.

It cannot be deleted either from the keyboard, or from the menu...File>delete..Edit>cut.

The properties of this entry show it to be an Active X control, (with no creation date, no access date and no status. It does not appear to be damaged...it does not say that there are any damaged files associated with it).

I don't feel comfortable giving you the codebase http address, because I'm not sure if it turns into a link that anyone can access. But I will tell you that it includes the words: fpdownload, macromedia, polarbear, ultrashim.cab

Using my search bar to go to that location brings me to a folder, with an apparent program that has yet to be installed.

There are 3 icons in this cab folder...a .dll icon, a configuration/notepad icon with the name "erma", and the remaining icon is an INSTALL icon.

Clicking on any of these icons brings up a command to "extract", or copy.

I do vaguely remember going to macromedia.com (adobe.com) a couple of weeks ago, and downloading and installing the Adobe Flash Player and the Shockwave Player. I seem to remember that when I first began using my new computer with the Vista OS, that these needed to be updated or installed to run some webpages, flash stuff, etc.

I do have a couple of games on my computer, that came with the software, that are webtangent games called "polarbear" bowling and "polarbear" golf, and I've played them both.

I'm pretty sure, fairly sure, that this was downloaded at the same time I installed the macromedia applications. I think. Maybe.

I would like to delete it. If it is a program file that needs to be run with any of my applications, my computer would ask me to install it again, is that correct?

But I cannot find any way to delete it.

So, this is obviously an application of some kind. A program waiting to be installed and run.
What is this? Anyone know? Should I leave it alone? Should I install, or extract, the program? How do I find out what an "erma" is?

I have googled the crap outta this thing, and there is no help there.

Anyone who has encountered this same thing, or knows what the heck it is, I would be grateful for some help, some advice.

Thanks guys, and gals...

Russell
razzell2
"GAT DANG-ED (BLEEPING) COMPUTER. ARGHHHHHHHHH!!!"



#2 buddy215

  • Moderator

Posted 01 January 2009 - 08:37 AM

http://www.sophos.com/security/blog/2008/02/1075.html
QUOTE SOPHOS:
"Ultrashim.cab is normally a valid Macromedia Flash filename, and is a very good example of why you can't trust files based on name alone. It's pointed to in a similar way to last time so that it appears that Flash is asking you to download an update. But don't be fooled, you definitely don't want this “update”."

Submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. Post back with the results.
http://virusscan.jotti.org/
http://www.virustotal.com/metodos.html
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 razzell2

  • Topic Starter

Posted 03 January 2009 - 04:35 PM

http://www.sophos.com/security/blog/2008/02/1075.html
QUOTE SOPHOS:
"Ultrashim.cab is normally a valid Macromedia Flash filename, and is a very good example of why you can't trust files based on name alone. It's pointed to in a similar way to last time so that it appears that Flash is asking you to download an update. But don't be fooled, you definitely don't want this “update”."

Submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. Post back with the results.
http://virusscan.jotti.org/
http://www.virustotal.com/metodos.html


Hey buddy215.
I've been submitting the http address to online malware for quite a while, and it continues to "upload file".
I have chosen not to download the software from Virus Total.
I will wait for the file to upload and scan at Online Malware and when it does I will post the results here.

But I can tell you that I went to the folder/file here on my computer and ran all of them thru my norton antivirus and all of the files including the actual application file came up clean.

Still, there is no way I will run the application, whatever it is. But according to NAV there is no recognizable virus attached to it. (Apparently)

I will get back here when the Malware scan completes. If it completes. I've been waiting quite a while.
Status: Uploading file, please wait...
That's what it's been saying for about 30 minutes.

Thanks buddy

Russell
"GAT DANG-ED (BLEEPING) COMPUTER. ARGHHHHHHHHH!!!"

#4 buddy215

  • Moderator

Posted 04 January 2009 - 08:31 AM

This is what I got when running a WinPatrol Hijack scan.

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim) - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab

I am sure you would get the same result as I did. It is a safe entry.

Regarding your problem with submitting file for scan, it is not unusual that either or both sites get backed up with requests.
There is an option to submit by email.

Regarding Flash, you might find the post below of interest.
http://www.bleepingcomputer.com/forums/ind...t&p=1037975

Edited by buddy215, 04 January 2009 - 08:55 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
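
An added example, not part of any post in this thread: a small parser for `O16 - DPF` lines like the one in post #4 that judges each entry by the host its codebase URL points to rather than by the cab filename, which is the point of the Sophos quote in post #2. The expected-host set and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for illustration: the only codebase host treated as expected
# is the one that appears in the thread's own O16 entry.
EXPECTED_HOSTS = {"fpdownload.macromedia.com"}

# Layout: O16 - DPF: {CLSID} (display name) - codebase URL
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) "
    r"\((?P<name>.*)\) - (?P<codebase>\S+)$"
)

def parse_o16(line):
    """Return the clsid, name and codebase of one O16 line, or None."""
    m = O16_RE.match(line.strip())
    return m.groupdict() if m else None

def review_entry(line):
    """Classify an entry by where its codebase points, not by its filename."""
    entry = parse_o16(line)
    if entry is None:
        return "unparsed"
    url = urlsplit(entry["codebase"])
    host = url.hostname or ""
    # Exact host comparison: a substring or prefix test would also accept
    # "fpdownload.macromedia.com.example.invalid".
    if url.scheme in ("http", "https") and host in EXPECTED_HOSTS:
        return "expected-host"
    return "review"

# First line: the entry posted in the thread, URL elided as posted.
# Second and third lines: constructed for this example.
SAMPLE_LOG = [
    "O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} (http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim) - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab",
    "O16 - DPF: {00000000-0000-0000-0000-000000000001} (Flash update) - http://downloads.example.invalid/ultrashim.cab",
    "O16 - DPF: {00000000-0000-0000-0000-000000000002} (Flash update) - http://fpdownload.macromedia.com.example.invalid/ultrashim.cab",
]

def review_log(lines):
    """Return one verdict per O16 line found in a log."""
    return [review_entry(l) for l in lines if l.startswith("O16 - DPF:")]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, review_log(SAMPLE_LOG)):
        print(verdict, "<-", parse_o16(line)["codebase"])
```

All three sample entries carry the same `ultrashim.cab` filename; only the first points at the expected host. An "expected-host" verdict says where the entry points, so the file itself still goes through the scan recommended in post #2.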



