Mail from Adobe: a virus???


I received a mail from adobe (phishing??).
this mail:

A critical vulnerability has been identified in Adobe Flash Player and Adobe Reader.

Adobe recommends users of Adobe Flash Player, Adobe Reader update to last versions.

Download Updates
hxxp:// [URL broken by Mod]

You may use the Adobe Download Manager to seamlessly install your software.
hxxp:// [EXE name removed by Mod]

*** This is an automatically generated email, please do not reply ***

Copyright © 2012 Adobe Systems Incorporated. All rights reserv

the first link shows a blanc page… I did clic this first link in Firefox (I got blanc page)
I did NOT clic the second link pointing to an EXE file!

Comodo (and Norton too) tell me “nothing virus found”.
I am still able to get antivirus definitions and windows updates.
Firefox dont shows ad ware popups nor “odd thing”.

what think you about this behaviour?
how to establish if this is a malware?

please click on your “tester pc” on the first link and dont block him with noscript.
do you get a virus in your pc??

please let me know if I have installed a virus/malware. I am worriend but my pc works fine (I guess…)

thanks a lot for testing the first link from fake adobe update mail.

**)) I tried it on VMware: now it say Warning… but you may want to ignore the warning for testing this phishing attempt. still blac page in virtualmachine…

mod edit: URL broken & EXE name removed by Mod. kail

That domain name is not Adobe. I’m also a Adobe customer & I don’t remember ever seeing an email from them encouraging me to update anything… it’s all done by the software itself.

Domain name record for: []

PS I’m going to have to remove/break those URLs since they’re obviously bad. People can request them from you by PM if they need them. Also if you already have the EXE you should report/send it to Comodo. Thanks.

Sorry, I did not understand if, after clicking the first link, my pc has become infected…
what mean you? is my pc infected ?

comodo antivirus did not help me…
so I dont know if I am infected bythe first link…

help please.

NO. I clicked on the first link only (blanc page).

I dont clicked on the link pointing to the .exe. so I dont have the exe file. never downloaded.

I don’t know… what browser are you using?

thanks for your reply and your patience :wink:
I am worried.

Firefox 10.
vista sp2.

That’s odd… Firefox should have prevented direct access to that site. Google Safe Browsing has been part of FF since version 3. Did you not get a warning?

Do you run the FF add-on called NoScript or something similar?


yes now I become the warning from google safe browsing, but yesterday there are NO warning yet :frowning:

I dont have noscript.

so Firefox let me to open this white page (yesterday).

but I am unable to understand if I have a malware now…

((now I tried this FIRST link on virtual machine with firefox, ignoring the today google warning: still white page. but it seems that nothing happens…
confused ))

how can I verify if I am infected?


so…I think that the experts from comodo may want to try this first link on a testing machine to verify if clicking the link -without noscript and ignoring the google safe browsing that appeared today, not yesterday- causes to get infected or not. perhaps only the second link was infected (pointing to exe file).
no idea how to verify if my system is infected.

You’re probably OK. But, I’m no AV expert… you’ll need to wait for one of those to come along.

However, at the very least, it’s fairly likely that the “track.php?id=0441c70b56095539” bit might have verified your email address though. As it might have been a unique number. So, you should probably expect more such phishing emails on that same address I’m afraid.

Please follow the advice I give in my article about How to Know If Your Computer Is Infected.

You’re probably okay, but by following these methods you can be sure.

Ok. Now I have understood.
Thanks to both for the replies.

Ok, this is the same email adress that I am using for adobe forums! now I am aware for future phishing emails. no problem. from now on I will be aware. (I hope hehehe) :wink:

Chiron, PM with the dangerous link :wink:


(I will read your suggestion about verifiing my system…not simply but, I will give a try :wink:

I looked over my advice, after you pointed out that it may be too complicated (I am assuming you are talking about making sure the files are safe) and updated my advice to be simpler for analysis, I hope.

Please let me know if it still seems to difficult.

Thanks. :-TU

ok thanks, I read here


Hi Chiron. Now I did read your suggestion from the link above.

Before I beginn with testing ((Normally I have 111 proocesses at Windows startup!!)) , a question please:

you told that all the application (step 1. up to 4.) are portable.
can I download themm in a external thumb driver and run the scan from my pen drive’ or I have to install these applications?

people from malwarelist say that “my” link was a trojan zeus…

also I were happy to take your 4. steps to see if I am infected.

Am i allowed toinstall your applicaions or launch them from the pen drive?


They are portable, so they don’t install. CCE will just begin downloading the latest virus database to wherever the folder is.

So in short, yes, you can run this from a pen drive.

thanks . now I beginn with the first step.

apprehension :wink:

Dear Chiron!

I am very happy! you have helped me very fine with this
congratulations for your job.

Here my results with CCE vers. 2.3.219500.176 (updated CCE definitions? I hope this, because this malware has been detected yesterday, i.e. a new malware?):

  1. first step:
    Open KillSwitch:
    106 processes at startup, 448 services:
    (Safe files has been hidded, as you suggested):

one file only found!!!
I am not expert, but I guess that you may want to add the following file into your whitelist!
I think that it is safe, very safe!!

dthtml.exe, PID 3060, FLS Unknown (I guess this is not unknown), it comes from HP:
HP My Display of Portrait Display, Inc. vers., 328KB.
If I remember, I did install this application HP My Display:
e.g. turn the light sensor on for the monitor HP…set it to view fotos or text…and so…
If you want, I guess you can add this dthtml.exe in your whitelist, so in the future I will not see this file in CCE and I go a white page with no entries, as your page.

  1. second step:
    Open autorun analyzer (x2, after my first run, as you suggested: run the apply 2 times).
    1228 entries with 12 UNSAFE!!!
    You may want to analyze these entries, and I suggest to add them all in your whitelist:

[folder] \ [*]\ ShellEx:
3 times occurs this file:
this comes from MagicISO (I guess: not dangerous??)

HiDownload.exe (an Extension for IE): to be whitelisted??

\key Instance in folder HP Shared Files: from Cyberlink audio decoder filter : to be whitelist?? from muvee Technologies Pte Ltd: I dont know this file!!! perhaps never used by me (???) perhaps it comes PREinstalled on HP desktop… (?)

HP\Digital Imaging: (to be whitelisted all?? not sure, but perhaps preinstalled or installed by me with scanner???)

hpqSSupply.exe Shop for HP Supplies (I dont know this…)
hpqsudi.exe (???)
HpqTrMgr.exe QHouston (???)

Photoshop.exe from Phoshop CS3: why it is dangerous? I dont understan… (???)

hppcappm.dll for Fax Driver Port Monitor for HP AIO: to be whitelisted?

and finally, very very very odd:
and RED HIGHLIGHTED (!!!) the one and only file in red color!!!
=> MediaInfo.exe from
why?? I guess to be whitelisted?? what think you about?

  1. Third step:
    Kaspersky Killer:

281 objects scanned in \system32 \driver:

“NO threats found”
all events are signed as: “OK”

  1. last step:

CCE Smart scan:
49.497 Objects:
=> the only problem found:
MediaInfo.exe !!! (very odd, I dont understan: for the second time/analysis mediainfo seems to be dangerous…). MediaInfo tell me the framerate, Mbps, video-audio codec for TS files…
Action purposed by CEE: Clean?
my answer: No!
then I did clic Exit.
then Reboot > question after reboot: do you allow CCE to run? yes!
CCE window open: .

the end.

NB: I dont know of the folders Java (and Temp) has been scanned…(I did not see these folders during the scanning process…) I guess in the folder classes java may be trojans??

My conclusions (please let me know if I am right with following conclusions/resume):

My PC appears to be total and perfect clean.

By clicking the link (see PM a few hours ago) from the faked Adobe mail --without noscript!-- and becoming the “Page is loading…” , I was NOT infected by malware (and malware means: virus, rootkit, trojan, ad ware, blackhole exploit kit… if I have understood right?).
Probably they have now my email adress (tracking mail after I clicked the link??) and in the future I will receive a lot of phishing mails.

Please I’d be very happy to read your opinion about my purposes for the files which could be whitelisted in the future if you accept my purpose and verify the files,
and your opinion about the health of my pc (which I consider now very clean). :wink:

Tomarrow I will be online again :slight_smile:
And I have to read here yet

I hope that I have followed your suggestions without errors.
Please let me know if I should to take other actions/other kind of analysis on my pc.

In the meantime congratulations to you and thank you for your job, suggestions and patience with me!
Best regards.

Did you have 12 unsafe files or 12 unknown files? There is a big difference.

Also, please report MediaInfo.exe as a false positive here and they will get back to you with the results of the analysis.

Also, you should report the files for whitelisting by following the advice I give in my post here.

Please keep us posted about the results.



at step 2)
12 unsafe! this is strange.
(mediainfo inred, hp imaging, photoshop, magic iso, cyberlink…very strange).

I hope that all the files will be whitelisted.
(and dthtml step 1 too: hp display settings sw).

there are other steps to verify that my pc is really clean?
should I run adwcleaner?

ok, now i try to post the file in your link for whitelisting process.