
Trojan found in Adobe software?


aeolia...@adobeforums.com

Jan 27, 2009, 7:54:59 AM
I'm pretty sure this is a false positive, and sorry for posting about it here, I don't know where else to go. The setup of the support forums is confusing me.

Anyway, AVG Free detected a "Trojan horse Crypt.CFR" in Common Files/Adobe/Installer/and a bunch of numbers and letters/Setup.exe . From what I've read, there is no such thing as a "Trojan horse Crypt.CFR" and that this is probably a false positive, but just to be on the safe side, I wonder if anyone else has experienced this and knows what to do.

Charli...@adobeforums.com

Jan 27, 2009, 8:07:55 AM
I looked at my scan results for last night and see the same thing. It was not
there the night before, and I didn't download anything from Adobe yesterday.
Hopefully it is just a false positive.
--
Charlie...
http://www.chocphoto.com

aeolia...@adobeforums.com

Jan 27, 2009, 8:11:00 AM
That's exactly what happened to me. The files have been on my computer for months and just last night it said it was a trojan. Most likely, a false positive, but we can never be too careful.

It seems the problem is being reported on other sites and happens to be today as well. Apparently it is with universal Adobe products, mine is CS4 Extended.

<http://answers.yahoo.com/question/index?qid=20090126232534AAufmYU>

Bart_...@adobeforums.com

Jan 27, 2009, 8:18:42 AM
I use MicroTrend and it did not find anything.

OldBob

Jan 27, 2009, 8:55:15 AM
Ditto here for Trend Micro, also Spybot search & Destroy.

I find it pertinent that all the reports, so far as I've seen, are from AVG. My guess would be that AVG updated itself last night and is now registering a false positive on Adobe.

Jim_J...@adobeforums.com

Jan 27, 2009, 10:21:01 AM
There's a trojan circulating with pirated versions of Mac Photoshop CS4. This was just reported this week. Perhaps the Windows virus definitions were also updated to be a bit more suspicious of anything associated with Photoshop.

<http://www.adobeforums.com/webx/.59b7b29c>

David_E_...@adobeforums.com

Jan 27, 2009, 10:24:14 AM
I just ran spybot 1.6.2.46 with the latest updates and I did not get any hits with PS CS4 extended both on and off.

El...@adobeforums.com

Jan 27, 2009, 10:34:03 AM
Interesting thread. Reading it prompted me to run a full scan of the computer which returned trojans (?) in Bridge(CS3) plugins module as well as Flash 9. I am using Kaspersky Internet Security Suite 2009 and following links provided to security updates followed by a re-scan now shows my puter clean.

Frank Arthur

Jan 27, 2009, 12:02:01 PM

<aeolia...@adobeforums.com> wrote in message
news:59b7b...@webcrossing.la2eafNXanI...


New Mac Trojan Spread By Pirated Adobe Software


By Stefanie Hoffman, ChannelWeb
2:51 PM EST Mon. Jan. 26, 2009
Apple (NSDQ:AAPL) is once again the target of a Mac-only Trojan
variant launched on the Mac OS X via pirated versions of Adobe
(NSDQ:ADBE) Photoshop CS4.
Mac security company Intego issued a security advisory Monday, warning
Mac users of the Trojan variant, which is estimated to have infected
at least 5,000 Macs as of Jan. 25.

The Trojan is a variation of the iServices Trojan malware, discovered
last week, which stormed across users' Macs via pirated versions of
Apple's productivity suite iWorks '09. As of Jan. 22, at least 20,000
users were believed infected by the malware, known as
OSX.Trojan.iServices.A, according to the security advisory.

Similar to the previous version of the malware, the new Mac Trojan
variant is spread through file-sharing sites such as BitTorrent
trackers and other sites that contain links to pirated software.


aeolia...@adobeforums.com

Jan 27, 2009, 1:05:43 PM
My Photoshop definitely is not pirated.

So does everyone agree that this was a false positive?

Bart_...@adobeforums.com

Jan 27, 2009, 1:15:05 PM
Well I agree

OldBob

Jan 27, 2009, 1:21:03 PM
> So does everyone agree that this was a false positive?

I'd give that a 95%+ probability

Jim_J...@adobeforums.com

Jan 27, 2009, 1:35:38 PM
aeolian, I'm not suggesting that you have a pirated version. I was just pointing out the coincidence that a trojan was reported on Mac this week. Good AV vendors keep an eye on all platforms and may tweak the virus definitions in response to what happens elsewhere. Perhaps this was not the most effective tweak for your AV provider.

To set your mind at ease, check the AV vendor <http://freeforum.avg.com/read.php?4,167314,backpage=1,sv=>. This will apparently be corrected soon.

OldBob

Jan 27, 2009, 2:08:25 PM
Okay, make that 99%+ probability.

Thank you, Mister Jordan.

Steve Sprengel

Jan 27, 2009, 9:55:17 PM
AVG alerted on setup.exe this morning, and after updating both the AVG program and AVG signatures, this evening, the file passed ok, so it was a false positive that has been corrected.

19...@bellsouth.net

Jan 27, 2009, 10:24:11 PM
I am getting the same message. The Setup.exe file is located in my Windows Vista folder
C:\Program Files\Common Files\Adobe\Installers\faf656ef605427ee2f4289c3ad31b8.
From the location and date last accessed, these would seem to be temporary files used during installation.

The question I have is, are these files required? I don't want to delete the files if they are needed, but the folder above uses 49+ m-bytes. The installers folder uses 95 m-bytes. This isn't all that much in the great scheme of things, but a hundred meg here and a hundred meg there starts to add up...

dave_...@adobeforums.com

Jan 28, 2009, 9:05:02 AM
avg has been flaky this past week. been asking to restart the system to apply an update for the last 2 or 3 days.

Lawrenc...@adobeforums.com

Jan 28, 2009, 3:39:55 PM
No problems here with AVG on two machines.

dave_...@adobeforums.com

Jan 28, 2009, 7:43:53 PM
rebooted again today and avg has stopped asking for an update and restart. my guess is they put out an update, realized something was flaky and re-released.

did you get "avg needs to restart" msgs to apply updates larry?

Steve Sprengel

Jan 28, 2009, 8:48:28 PM
AVG may ask for a reboot if it updates its own programs.

It does not ask for a reboot if it only updates the virus signatures.

The day that it detected the false-positive in the Adobe setup.exe it later updated both the signature and its own programs, so needed to reboot.

dave_...@adobeforums.com

Jan 28, 2009, 9:36:58 PM
> AVG may ask for a reboot if it updates its own programs.

I understand. i'm saying it updated the app itself and rebooted at least 2 days in a row, maybe 3... the need to release an app update so close to the last one indicates there may have been major programming issues going on relating to the update.

i'd say false alarm on the trojan.

harol...@adobeforums.com

Jan 28, 2009, 9:50:13 PM
Restored the installer file, got the latest update - ran a scan and the issue has been resolved.

dave_...@adobeforums.com

Jan 28, 2009, 10:42:36 PM
I like a thread all wrapped up in a nice little package at the end. :)

john_...@adobeforums.com

Jan 30, 2009, 5:03:11 AM
My problem is that AVG8 put the "false positive" folder mentioned above into the virus vault, together with this feature from a back up. I deleted them before finding out they were false. Now, although CS4 and Bridge work, they do not appear as programmes in (XP) Control Panel/ Add/Remove programmes, although the folder appears still to be in Programme Files/ Common Files /Adobe/ Installers. Short of a re-install, is there a way to correct this? Also I cannot follow Adobe's instructions on uninstall if they do not show in the Add/Remove Programmes. I could use the Windows Install Utility I suppose. Is there a simple answer?(Restore point up would not work for the reason above - maybe a registry issue?)

Steve Sprengel

Jan 30, 2009, 9:09:09 AM
The file that was detected and you deleted is setup.exe.

Go to your original install media or download-extract location and just copy that setup.exe into the

C:\Program Files\Common Files\Adobe\Installers\faf656ef605427ee2f42989c3ad31b8\setup.exe

that you deleted.

On my system, I am running the trial while waiting for the box to come, so that setup.exe is in:

C:\Users\Steve\Downloads\Adobe CS4\Photoshop\Adobe CS4

because I downloaded the .7z file containing the trial into my Downloads folder and ran its corresponding EXE from there.

These two setup.exe files are identical, at least in the trial version.
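
An added example, not part of the original post: one way to confirm that a flagged or restored setup.exe is byte-identical to the copy on the original install media, and to read its Authenticode signature status. The function name and parameters are illustrative, and both paths are supplied by the caller.

```powershell
# Added example (not from the thread): compare a flagged installer with the
# reference copy from the original media or download-extract location.
# Compare-InstallerCopy and its parameter names are hypothetical.
function Compare-InstallerCopy {
    [CmdletBinding()]
    param(
        # File the scanner flagged, or the copy restored from the AV vault
        [Parameter(Mandatory)][string]$FlaggedPath,
        # Same file on the original install media / extracted download
        [Parameter(Mandatory)][string]$ReferencePath
    )

    # Fail early on a missing file rather than hashing nothing
    foreach ($p in $FlaggedPath, $ReferencePath) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }

    $flagged   = Get-FileHash -LiteralPath $FlaggedPath   -Algorithm SHA256
    $reference = Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256

    # Status is 'Valid' for an intact, trusted signature and 'NotSigned'
    # when the file carries no Authenticode signature at all
    $sig = Get-AuthenticodeSignature -LiteralPath $FlaggedPath

    [pscustomobject]@{
        FlaggedSha256   = $flagged.Hash
        ReferenceSha256 = $reference.Hash
        Identical       = ($flagged.Hash -eq $reference.Hash)
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage (paths are placeholders to fill in):
# Compare-InstallerCopy -FlaggedPath '<installed setup.exe>' -ReferencePath '<media setup.exe>'
```

If `Identical` is false, the two files differ and the flagged copy is best left in quarantine until the difference is explained.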

john_...@adobeforums.com

Jan 30, 2009, 3:50:00 PM
Spoke to Adobe Tech support. In the end downloaded their special CS4 Uninstall programme, used that with Windows Install Clean Up, then re-installed. Took ages, and I am annoyed with myself and AVG!!

dave_...@adobeforums.com

Jan 31, 2009, 12:37:33 AM
another AVG program update tonight. ai!!!

Bill...@adobeforums.com

Feb 2, 2009, 4:32:07 PM
I'm glad I use BitDefender.

dave_...@adobeforums.com

Feb 2, 2009, 7:36:45 PM
and another today! i think it's their plugin though. that scans websites that come up in google...

Charli...@adobeforums.com

Feb 3, 2009, 7:41:59 AM
I've only had one AVG program update since the false positive. I get daily
definitions updates, though.
--
Charlie...
http://www.chocphoto.com

dave_...@adobeforums.com

Feb 3, 2009, 7:46:12 AM
very weird. i'm using xp pro sp3 on one machine and xp home sp2 on another. wonder if the os and patch level matter...

Charli...@adobeforums.com

Feb 3, 2009, 7:57:47 AM
One of the AVG 8 machines is vista SP2 beta and the other is win7. I have an XP
machine somewhere, but it is on AVG 7.5.
--
Charlie...
http://www.chocphoto.com

dave_...@adobeforums.com

Feb 3, 2009, 8:05:06 AM
apparently there IS a trojan in a pirate version of photoshop that's floating around!

David E Crawford, "new member - old user ? about CS3" #43, 2 Feb 2009 7:46 pm </webx?14@@.59b7b5d1/42>

Jim_J...@adobeforums.com

Feb 3, 2009, 8:58:01 AM
Dave, is there?!! :)

dave_...@adobeforums.com

Feb 3, 2009, 10:44:36 AM
um, is there what?

Jim_J...@adobeforums.com

Feb 3, 2009, 11:53:51 AM
Dave, scroll up to post #5.

[just poking fun at the news you announced in post #31]

dave_...@adobeforums.com

Feb 3, 2009, 12:10:10 PM
oh. well. ... :|

um, nobody reads post #5, do they? :)
