Hi @ll, the $*&#§ware by the name of "McAfee Security Scanner Plus" that Adobe dares to push to unsuspecting users of Microsoft Windows trying to get flash player from their main distribution page was developed, packaged and tested by people who obviously never heard of "long" filenames which may contain spaces. >From or : | Note: If any element of the command string contains or might contain | spaces, it must be enclosed in quotation marks. Otherwise, if the | element contains a space, it will not parse correctly. For instance, | "My Program.exe" starts the application properly. If you use | My Program.exe without quotation marks, then the system attempts to | launch My with Program.exe as its first command line argument. You | should always use quotation marks with arguments such as "%1" that are | expanded to strings by the Shell, because you cannot be certain that | the string will not contain a space. When the unsuspecting Joe Average clicks the "Install now" button on the above mentioned download page, but forgets to deselect the "optional offer" McAfee Security Scanner Plus before, a file named "install_flashplayer13x32_mssa_aaa_aih.exe" is downloaded to directory "C:\Users\Joe Average\Downloads". Following the instructions displayed after the download, Joe Average opens the download directory and double clicks "install_flashplayer13x32_mssa_aaa_aih.exe" On recent versions of Microsoft Windows this triggers the user account control, asking Joe Average for consent to continue with administrative privileges. "install_flashplayer13x32_mssa_aaa_aih.exe" now copies itself to the TEMP directory and executes its copy with the argument (note the missing quotes.-) {RemoveFile:C:\Users\Joe Average\Downloads\install_flashplayer13x32_mssa_aaa_aih.exe} The copy then downloads its payload "gtbcheck.exe", "install_flash_player.exe" and "SecurityScan_Release.exe" into the directory "C:\Users\Joe Average\AppData\Local\Adobe\AIH.<40_hex_digits>\" and executes these three programs in succession. The last, "SecurityScan_Release.exe", an NSIS installer, unpacks its payload into directory "C:\Program Files\McAfee Security Scan\\" and calls Windows' CreateProcess() function (see above) with the UNQUOTED command line C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /Service This command line now runs the rogue program C:\Program.exe which was placed there waiting for some dimwit of a developer to call CreateProcess() with an unquoted command line. Fortunately Joe Average (really: his Administrator) had a hunch and placed as C:\Program.exe on his system which displayed a message box to Joe Average informing him that some crappy software may have just run malware on his PC. This caught the silly beginners mistake of a company that brags with | For award-winning customer service, please visit our Web | site that will have answers to almost all questions concerning | our company: | ==> http://service.mcafee.com in automated replies to mail sent to but does not provide a mailbox to report bugs or vulnerabilities. JFTR: english versions of Windows have a "Program Files" directory for nearly 20 years now. That should REALLY be enough time for EVERY programmer to learn how to properly handle pathnames with spaces. To complete the story: when Joe Average noticed what was done to him he opened the Windows control panel and went to uninstall programs, then selected "McAfee ..." and clicked "uninstall". This started "C:\Program Files\McAfee Security Scan\uninstall.exe" which unpacked its payload "Au_.exe" (see above: it's an NSIS installer) to TEMP and called it with the argument (again note the missing quotes) _?=C:\Program Files\McAfee Security Scan\ "Au_.exe" in turn called Windows' CreateProcess() function with the (you guess it) UNQUOTED command line C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver which again led to execution of C:\Program.exe regards Stefan Kanthak