I have just done an update via Creative Cloud to Photoshop CC 2017 and Windows Defender has also found the same malware
PWS: Win32/Lineage.gen!C.dam
Category: Password Stealer
Description: This program is dangerous and captures user passwords.
Recommended action: Remove this software immediately.
Items: file:C:\adobeTemp\ETR6D86.tmp\1\Application\pngquant.exe
Message was branched from old thread by Terri Stevens
The problem with Windows Defender and Security Essentials is they get a relatively high rate of false positives. What you should try is uploading pngquant.exe to
VirusTotal - Free Online Virus, Malware and URL Scanner
That is a free resource that scans individual files with around 50 different virus scanners and shows you the results. If you get a low positive score there, then the file is almost certainly safe. I checked my version of pngquant.exe with the Kaspersky application advisor and you can see the result below. As you can see, it comes back as trusted. If you are using the very latest version of Photoshop 2017 and have some software to calculate hash values, then you should find the MD5 and SHA-1 values for the file agree with the values listed in green below. If they don't agree, then your file has been modified by a third party and could be a 'keylogger' as suggested by Defender. My money, though, would be on Defender having come up with a false positive. Of course this does assume you are using a legal version of Photoshop downloaded from Adobe; if not, then it could be malware, but the hash code will tell you that.
I think there's every chance this is indeed malware. I don't think Adobe software makes c:\adobetemp today, and it isn't going to put software in a temp folder. PNGQUANT is a third party tool for PNG compression, though it is used by the SuperPNG third party plug-in.
So it looks to me like bad software trying to hide by borrowing respectable names. Unless someone else sees this happening. I don't.
Perfectly possible that someone has given a bad file a mainstream name. The fact it uses c:\adobetemp would worry me a little, as obviously it's not a true temp folder and won't get cleared out in the way a regular temp folder would. It doesn't help the OP, but I always use a password manager and simply cut and paste them into place; that way you never actually type the password. Defender isn't bad actually, as long as you only use respected websites and avoid casual downloading.
But this file downloaded as I was updating ADOBE? So it had to come from them or how else would it be downloaded?
Yes this is a legal copy
Yes Adobe updater does use C:\Adobetemp during the install process
So what did you do when Defender found the suspect malware? Normally it would quarantine it unless you opted to do something different, so I assume the update didn't get installed? The file is harmless unless you run it, so what I would do is:
1) Turn Defender temporarily off. That should allow you to take pngquant.exe from the quarantine folder.
2) Now upload it to VirusTotal; it's only 267 KB.
VirusTotal - Free Online Virus, Malware and URL Scanner
Run a fresh scan, as it will tell you that 'pngquant.exe' has been scanned before. After a minute or so it will give a report like below. When I did it just now, 0/61 antivirus programs detected a problem, including Microsoft, which might be a worry as your copy disagrees with that.
Well, I tried to reproduce this. On Windows 10 with Defender I updated Photoshop. There was no virus alert. This worries me and does suggest that on your system an infection has landed. Some thoughts.
1. I did not end up with c:\adobetemp. It's possible one was used during updating of course.
2. There is a PNGQUANT.EXE in the Photoshop install folder, and it was updated.
3. There is a simple way to see if a file could have been infected. Adobe signed this file. So, check the signature; that's what it's for. Make sure you validate it, don't just display it. Let us know if you need help with that.
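The two checks suggested in this thread (comparing the file's MD5/SHA-1 hashes against a known-good copy, and validating rather than merely displaying the Authenticode signature) can be done in one PowerShell script. This is an added example, not code from the thread or from Adobe; the install path and the expected SHA-256 value are placeholders you must replace with values from your own known-good installation, since the screenshot values referred to above are not reproduced on this page.

```powershell
# Added example (not from the thread): verify pngquant.exe by hash and by Authenticode signature.
# $FilePath is an assumed install location and $ExpectedSha256 is a placeholder; fill both in
# from a known-good installation before relying on the hash comparison.
param(
    [string]$FilePath = 'C:\Program Files\Adobe\Adobe Photoshop CC 2017\pngquant.exe',  # assumed path
    [string]$ExpectedSha256 = '<SHA-256 from a known-good copy>'                       # placeholder
)

if (-not (Test-Path -LiteralPath $FilePath)) {
    Write-Warning "File not found: $FilePath"
    return
}

# 1. Hashes. Get-FileHash supports MD5, SHA1 and SHA256 through -Algorithm, so all three
#    values the thread mentions can be produced in one pass.
$hashes = foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    Get-FileHash -LiteralPath $FilePath -Algorithm $alg
}
$hashes | Format-Table Algorithm, Hash -AutoSize

$sha256 = ($hashes | Where-Object Algorithm -eq 'SHA256').Hash
if ($ExpectedSha256 -notmatch '^[0-9A-Fa-f]{64}$') {
    Write-Warning 'No expected SHA-256 supplied; skipping the hash comparison.'
} elseif ($sha256 -ieq $ExpectedSha256) {
    Write-Host 'SHA-256 matches the known-good value.'
} else {
    Write-Warning 'SHA-256 does NOT match: this file differs from the reference copy.'
}

# 2. Authenticode signature. Status is 'Valid' only when the signature verifies and the
#    signing certificate chains to a trusted root. Any other status (NotSigned, HashMismatch,
#    UnknownError, ...) means the file should not be trusted, even if Explorer shows a signer.
$sig = Get-AuthenticodeSignature -LiteralPath $FilePath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
"Signature status : $($sig.Status)"
"Signer subject   : $signer"
"Status message   : $($sig.StatusMessage)"

# Both conditions are required: a valid chain AND an Adobe signer. A valid signature from an
# unrelated publisher would still indicate the file has been replaced.
$trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'CN=Adobe')
if ($trusted) {
    Write-Host 'Signature validates and the signer is Adobe.'
} else {
    Write-Warning 'Signature is missing, invalid, or not from Adobe. Treat the file as suspect.'
}
```

Run it from an elevated PowerShell prompt if the file sits under Program Files. The SHA-256 it prints can also be looked up on VirusTotal directly, which tells you whether that exact file has already been scanned without uploading it.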
It's not going to be the same virus after 2 years. Please start a new discussion with all relevant info.