Mark Masiak
Participant
April 10, 2017
Question

Dangerous malware detected by Microsoft Security Essentials in Adobe folder [Locked old Thread]

  • April 10, 2017
  • 4 replies
  • 8981 views

I have just done an update via Creative Cloud to Photoshop CC 2017, and Windows Defender has also found the same malware:

PWS: Win32/Lineage.gen!C.dam

Category:

Password Stealer


Description:

This program is dangerous and captures user passwords.


Recommended action:

Remove this software immediately.


Items:

file:C:\adobeTemp\ETR6D86.tmp\1\Application\pngquant.exe

Message was branched from old thread by Terri Stevens

    This topic has been closed for replies.

    Legend
    March 12, 2019

    It's not going to be the same virus after 2 years. Please start a new discussion with all relevant info.

    Mark Masiak
    Participant
    April 10, 2017

    Yes, this is a legal copy.

    Yes, the Adobe updater does use C:\Adobetemp during the install process.

    Terri Stevens
    Legend
    April 10, 2017

    So what did you do when Defender found the suspect malware? Normally it would quarantine it unless you opted to do something different, so I assume the update didn't get installed? The file is harmless unless you run it, so what I would do is

    1) turn Defender temporarily off. That should allow you to take pngquant.exe from the quarantine folder

    2) Now upload it to VirusTotal; it's only 267KB.

    VirusTotal - Free Online Virus, Malware and URL Scanner

    Run a fresh scan, as it will tell you that 'pngquant.exe' has been scanned before. After a minute or so it will give a report like below. When I did it just now, 0/61 antivirus programs detected a problem, including Microsoft, which might be a worry as your copy disagrees with that.

    Legend
    April 11, 2017

    Well, I tried to reproduce this. On Windows 10 with Defender I updated Photoshop. There was no virus alert. This worries me and does suggest that on your system an infection has landed. Some thoughts.

    1. I did not end up with c:\adobetemp. It's possible one was used during updating of course.

    2. There is a PNGQUANT.EXE in the Photoshop install folder, and it was updated.

    3. There is a simple way to see if a file could have been infected. Adobe signed this file. So, check the signature; that's what it's for. Make sure you validate it, don't just display it. Let us know if you need help with that.
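The signature check suggested above, as an added PowerShell example that is not part of the original thread: it validates the Authenticode signature of every pngquant.exe it can find (the Photoshop install folder under Program Files and the C:\adobeTemp path the original poster reported) rather than just displaying it. The search roots and the expectation that the signer's certificate subject contains "O=Adobe" are assumptions; adjust them for your system.

```powershell
# Added example (not the thread's or Adobe's code): validate, don't just view,
# the Authenticode signature on each pngquant.exe found on the machine.

function Test-PngquantSignature {
    param(
        # Assumed search roots: the Photoshop install tree plus the folder the
        # original poster saw in the Defender alert.
        [string[]]$SearchRoots = @("$env:ProgramFiles\Adobe", 'C:\adobeTemp')
    )

    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # quarantined or never existed

        Get-ChildItem -LiteralPath $root -Recurse -Filter 'pngquant.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Get-AuthenticodeSignature verifies the embedded signature and builds the
                # certificate chain; Status is the result of that verification.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName

                $verdict = switch ($sig.Status) {
                    'Valid'        { 'SIGNED-AND-TRUSTED' }
                    'NotSigned'    { 'UNSIGNED' }        # a genuine Adobe build should not land here
                    'HashMismatch' { 'TAMPERED' }        # signature present, but the file bytes were changed
                    default        { "UNTRUSTED ($($sig.Status))" }  # e.g. NotTrusted / UnknownError: chain not trusted
                }

                # A Valid status only proves that *some* trusted publisher signed the file;
                # also confirm who. The 'O=Adobe' check is an assumption about the subject.
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

                [pscustomobject]@{
                    Path          = $_.FullName
                    SizeKB        = [math]::Round($_.Length / 1KB)
                    Verdict       = $verdict
                    Signer        = $signer
                    SignerIsAdobe = [bool]($signer -match 'O=Adobe')
                    Detail        = $sig.StatusMessage
                }
            }
    }
}

# Usage: anything other than SIGNED-AND-TRUSTED with SignerIsAdobe = True deserves a closer look.
Test-PngquantSignature | Format-List
```

A file that has been quarantined will simply not be found; if Defender's alert was a false positive, the copy in the Photoshop install folder (which the update also refreshed) should validate cleanly and name Adobe as the signer.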

    Terri Stevens
    Legend
    April 10, 2017

    The problem with Windows Defender and Security Essentials is they get a relatively high rate of false positives. What you should try is uploading pngquant.exe to

    VirusTotal - Free Online Virus, Malware and URL Scanner

    That is a free resource that scans individual files with around 50 different virus scanners and shows you the results. If you get a low positive score there, then the file is almost certainly safe. I checked my version of pngquant.exe with the Kaspersky application advisor and you can see the result below. As you can see, it comes back as trusted. If you are using the very latest version of Photoshop 2017 and have some software to calculate hash values, then you should find the MD5 and SHA-1 values for the file agree with the values listed in green below. If they don't agree, then your file has been modified by a third party and could be a 'keylogger' as suggested by Defender. My money though would be on Defender having come up with a false positive. Of course, this does assume you are using a legal version of Photoshop downloaded from Adobe; if not, then it could be malware, but the hash code will tell you that.
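The hash comparison described above, as an added PowerShell example that is not part of the original thread: it computes MD5, SHA-1 and SHA-256 for every pngquant.exe it finds, compares the first two against known-good values, and builds a VirusTotal lookup URL from the SHA-256 so the file can be checked against existing reports without uploading it. The known-good hashes are placeholders (the values shown "in green" in the thread are not reproduced on the page), and the search roots are assumptions.

```powershell
# Added example (not the thread's or Adobe's code): hash every pngquant.exe on the
# machine and compare against values taken from an installation you trust.

# Placeholders: fill these from a trusted Photoshop 2017 install.
$KnownGood = @{
    MD5  = '<MD5 of the genuine pngquant.exe>'
    SHA1 = '<SHA-1 of the genuine pngquant.exe>'
}

function Get-PngquantHashes {
    param(
        # Assumed search roots: the Photoshop install tree plus the folder from the alert.
        [string[]]$SearchRoots = @("$env:ProgramFiles\Adobe", 'C:\adobeTemp')
    )

    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -Filter 'pngquant.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                $h = @{}
                foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
                    $h[$alg] = (Get-FileHash -LiteralPath $file.FullName -Algorithm $alg).Hash
                }

                [pscustomobject]@{
                    Path             = $file.FullName
                    SizeKB           = [math]::Round($file.Length / 1KB)   # thread mentions ~267KB
                    MD5              = $h.MD5
                    SHA1             = $h.SHA1
                    SHA256           = $h.SHA256
                    MatchesKnownGood = ($h.MD5 -eq $KnownGood.MD5 -and $h.SHA1 -eq $KnownGood.SHA1)
                    # Look the hash up instead of uploading: if the file is already known,
                    # the existing report shows the detection ratio straight away.
                    VirusTotalLookup = "https://www.virustotal.com/gui/file/$($h.SHA256)"
                }
            }
    }
}

$results = Get-PngquantHashes
$results | Format-List

# Every copy of the tool on one machine should be byte-identical; a lone outlier
# in C:\adobeTemp is exactly the situation the thread is worried about.
$distinct = @($results | Select-Object -ExpandProperty SHA256 -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "pngquant.exe copies differ: $($distinct.Count) distinct SHA-256 values found"
}
```

Comparing by hash is stricter than the VirusTotal detection ratio: a clean scan result only says no engine recognised the file, while a hash match against a trusted install says the bytes are the ones Adobe shipped.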

    Legend
    April 10, 2017

    I think there's every chance this is indeed malware. I don't think Adobe software makes c:\adobetemp today, and it isn't going to put software in a temp folder. PNGQUANT is a third party tool for PNG compression, though it is used by the SuperPNG third party plug-in.

    So it looks to me like bad software trying to hide by borrowing respectable names. Unless someone else sees this happening. I don't.

    Terri Stevens
    Legend
    April 10, 2017

    Perfectly possible that someone has given a bad file a mainstream name. The fact it uses c:\adobetemp would worry me a little, as obviously it's not a true temp folder and won't get cleared out in the way a regular temp folder would. It doesn't help the OP, but I always use a password manager and simply cut and paste them into place; that way you never actually type the password. Defender isn't bad actually, as long as you only use respected websites and avoid casual downloading.

    Trevor.Dennis
    Community Expert
    April 10, 2017