Hey -
I just updated my Creative Cloud apps, and found that my AV blocked Adobe from running an app called "CoinMiner."
I think this means either Adobe is doing this intentionally (bad) or someone hacked your update files and Adobe is doing this unintentionally (very bad).
I have blocked this application, so feel free to take whatever action you think is appropriate.
Richard
More likely you're infected: Fake Flash update leads to Bitcoin Miner – BroadAnalysis
Perhaps - except that every Adobe app that updated generated a new warning concurrent with the dialogue telling me the update was complete.
As previously noted, I am scanning and quarantining the app. You are free to do as you please.
richardk71696431,
please scan your entire machine for any malware, viruses and other malicious stuff with Malwarebytes Anti-Malware.
Kind Regards,
Maurice
Is it JS/CoinMiner? That isn't actually an app; it's a website JavaScript script which uses your browser to make coins. So it's at your expense but needs no infection or apps on your computer. It points to an infected website.
Hi Richard,
I've seen the same issue; specifically, the REDDecoder DLL files (both x86 and x64), presumably from Adobe Premiere, are being flagged as coin miners by Microsoft AV and deleted. Unfortunately we haven't been able to get a sample and submit it to Microsoft as a false positive, as every time the update server re-downloads and attempts to distribute the files, they get deleted. This has only begun within the last few days.
If anyone out there has these DLL files and can submit to MS to re-check if they are a false positive, they can be anonymously submitted here.
Submit a file for malware analysis - Windows Defender Security Intelligence
Today I've had exactly the same experience with the same DLLs during install of Media Encoder CC. Defender went berserk on it.
It's obviously a false positive, but I'm hopeful that Adobe and MS will soon fix this issue...
We are seeing the same thing for a number of CC apps in our environment. I'm planning to try and capture the EXEs that are generating the alert today and scan them using VT to see if they are actually infected or not.
I've got the same issue; I'm submitting it to our MS support today. As per normal they are blaming Adobe? Can anyone from Adobe comment on this?
containerfile:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AEFT15.0.1\AdobeAfterEffects15AllTrial.zip
containerfile:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AME12.0.1\AdobeMediaEncoder12AllTrial.zip
containerfile:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AUDT11.0.2\AdobeAudition11All.zip
containerfile:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\FLPR18.0.1\AdobeAnimate18.0-mul.zip
containerfile:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\KBRG8.0.1\AdobeBridge8.0-mul-x64.zip
containerfile:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\PPRO12.0.1\AdobePremierePro12AllTrial.zip
containerfile:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\PRLD7.0.1\AdobePrelude7AllTrial.zip
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AEFT15.0.1\AdobeAfterEffects15AllTrial.zip->1/universal/Professional/Support Files/REDDecoder-x64.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AEFT15.0.1\AdobeAfterEffects15AllTrial.zip->1/universal/Professional/Support Files/REDDecoder-x86.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AME12.0.1\AdobeMediaEncoder12AllTrial.zip->1/universal/App/REDDecoder-x64.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AME12.0.1\AdobeMediaEncoder12AllTrial.zip->1/universal/App/REDDecoder-x86.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AUDT11.0.2\AdobeAudition11All.zip->1/universal/App/REDDecoder-x64.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\AUDT11.0.2\AdobeAudition11All.zip->1/universal/App/REDDecoder-x86.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\FLPR18.0.1\AdobeAnimate18.0-mul.zip->1/mul/AppFiles/Common/Configuration/dlms/REDDecoder-x86.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\KBRG8.0.1\AdobeBridge8.0-mul-x64.zip->2/Application/Required/dynamiclinkmediaserver/REDDecoder-x86.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\PPRO12.0.1\AdobePremierePro12AllTrial.zip->1/universal/App/REDDecoder-x64.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\PPRO12.0.1\AdobePremierePro12AllTrial.zip->1/universal/App/REDDecoder-x86.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\PRLD7.0.1\AdobePrelude7AllTrial.zip->1/universal/App/REDDecoder-x64.dll
file:C:\Adobe\Adobe CC Full 2018\Adobe CC full 2018\Build\HD\PRLD7.0.1\AdobePrelude7AllTrial.zip->1/universal/App/REDDecoder-x86.dll
An interesting aspect of this is that the message suggests that the files are in C:\Adobe\Adobe CC Full 2018. This is not, however, where Creative Cloud downloads them by default. What exactly is your download/update process? Can you account for them being in C:\Adobe?
This is just a temp location we tell Adobe Creative Cloud Packager version 1.14.0 build 97 to download to. We have Adobe core apps we send out (small download) and an Adobe Full with every app (large download).
Ok, so you aren't using the Creative Cloud app, you are directly downloading the apps for packaging. What is the URL you download from (unless it's private, just the hostname in that case)?
We are using "Adobe Creative Cloud Packager version 1.14.0 build 97"
Let's assume Packager isn't downloading from a tainted source, then.
I observe all the messages refer to REDDecoder-x86.dll. Now I have several versions of this on my system, but I think what would be interesting for you is to check whether you have the original signed DLL or whether it has been modified since.
If you can right click > Properties for one of the mentioned DLL files and look under digital signatures, what do you have for name of signer and timestamp, and does the signature show as OK if you click Details? In CC 2017 I find two versions:
* Red.COM,Inc. 1 September 2016 (version 6.2.2.41549)
* Adobe Systems, Inc. 25 April 2017 (version 6.1.0.39888).
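The check described in the post above (signer name, signature status, file version) can be done for every REDDecoder DLL on a machine in one pass. The following PowerShell is an added example, not code posted by anyone in this thread; it assumes the DLLs live under a root folder you set in $Root (the default shown is an assumption), and it also records a SHA-256 so the same file can be looked up on VirusTotal or submitted to Microsoft without re-capturing it before the AV deletes it.

```powershell
# Added example (not from any poster): inventory every REDDecoder DLL under $Root and
# report signer, signature status, file version and SHA-256 for comparison against the
# signers named in the thread (Red.COM,Inc. / Adobe Systems, Inc.).
# $Root is an assumed location; point it at your install or Packager download folder.
$Root = 'C:\Program Files\Adobe'

$report = Get-ChildItem -Path $Root -Recurse -Filter 'REDDecoder-*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path        = $_.FullName
            Version     = $_.VersionInfo.FileVersion
            # Status is Valid for an untouched signed file; HashMismatch means the bytes
            # changed after signing, NotSigned means no Authenticode signature at all.
            Status      = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # The timestamping authority that countersigned; the signing date itself is
            # shown in the file's Properties > Digital Signatures dialog as described above.
            TimeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$report | Format-Table -AutoSize

# Anything other than Valid on a file that shipped signed is the case worth escalating.
$suspect = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) REDDecoder DLL(s) do not carry a valid signature"
    $suspect | Select-Object Path, Status, SHA256 | Format-List
}
```

A Valid status with the expected signer and a hash that VirusTotal reports clean is the evidence you want before filing a false-positive report; a HashMismatch on the same file is the opposite outcome and would justify the infection hypothesis raised earlier in the thread.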
Ok, I've scanned a 2017 machine (6.2.241549) and both files are fine: REDDecoder-x86.dll, REDDecoder-x64.dll.
We don't have 2016 and 2015 doesn't have those files.
So, are the signatures valid, and what are they, in a 2018 machine? (Infections don't usually change versions, but will damage signatures). I was trying to download a 2018 product but the internet's not cooperating. The thing is to see whether these are the original files from the distribution, or a tainted version.
CC 2017 = RED.com Inc, SHA-1, 01 September 2016
CC 2018 = RED.com Inc, SHA-1, 25 July 2017
Malwarebytes and Symantec endpoint protection don't pick the files up as a virus.
We managed to snag a copy of these two DLL files before Endpoint nuked them yesterday and uploaded them to a site called VirusTotal, which scans them against about 66 different AV engines. Interestingly, all of them, including Microsoft's one, said the files were clean.
I'm guessing that it is a false positive and that the definition file which fixes it just hasn't filtered out yet. Will keep an eye on it over today and let you know if we are still seeing this behaviour.
Are you able to submit them to Microsoft?
I should be able to.
Just an update, I can confirm we are no longer seeing these files tagged as malware since the latest MS defender/Endpoint protection definition update. I would say it was all a false positive.
I've updated to today's definitions and the latest release, and they are still flagging up.
What definition version are you running? We are running 1.261.1503.0 which does not detect these two files anymore.
Just wondering, is anyone seeing these files blocked by any AV program other than Windows Defender/System Center Endpoint Protection?
I've checked the most recent client to have detected the files as malware and it is running 1.261.1431.0
I'd expect most machines to be updated to the latest definitions over the weekend so hopefully we stop seeing the alerts come Monday then.
The virus def. that I have is 1.261.1507.0. But now it doesn't seem to be labeling the files as a virus for me either. It was this morning... hopefully it stays that way. Thanks!
I'm still getting it now, only on the x64 file:
Antimalware Client Version: 4.12.17007.18011
Engine Version: 1.1.14500.5
Antivirus Version: 1.261.1518.0
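The last several posts compare Defender/Endpoint Protection definition versions by hand and reach conflicting conclusions (1.261.1503.0 reported clean, 1.261.1518.0 still flagging the x64 file). The following PowerShell is an added example, not something any poster provided: it reads the versions the last post lists from the Defender module, compares the definition version against a threshold you choose ($KnownGood, seeded here from the thread and to be treated as an assumption), and lists any detections on the machine that name a REDDecoder DLL so the alert can be tied to the definition set that raised it.

```powershell
# Added example (not from any poster): report the client, engine and definition versions
# that Defender / System Center Endpoint Protection is running, compare the definition
# version against a threshold, and list remaining detections that touch REDDecoder.
# $KnownGood is taken from the thread (1.261.1503.0 was reported as no longer detecting)
# and is an assumption; later posts show a newer set still flagging the x64 file, so it
# is a first check, not proof that a machine is clear.
$KnownGood = [version]'1.261.1503.0'

$status = Get-MpComputerStatus
$defs   = [version]$status.AntivirusSignatureVersion

[pscustomobject]@{
    AntimalwareClient = $status.AMProductVersion
    Engine            = $status.AMEngineVersion
    Antivirus         = $defs
    LastUpdated       = $status.AntivirusSignatureLastUpdated
    AtOrAboveKnownGood = ($defs -ge $KnownGood)
} | Format-List

if ($defs -lt $KnownGood) {
    Write-Warning "Definitions $defs predate $KnownGood; pulling the current set before re-testing"
    Update-MpSignature
}

# Detections Defender has recorded whose resource path names a REDDecoder DLL.
# Resources is a string array (one entry per file/container the detection covered).
$hits = Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ' ') -match 'REDDecoder' } |
    Select-Object InitialDetectionTime, ThreatID,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Sort-Object InitialDetectionTime -Descending

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No REDDecoder detections recorded on this machine with definitions $defs"
}
```

Running this on a machine that still alerts and on one that has stopped gives two definition versions to quote in a false-positive submission to Microsoft, which is more useful to them than the bare file path from the alert.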