The security firm first identified Mal/BadSrc-C on the 'Vlog IT support center section' - an advice area for video bloggers - on Friday 3 October. Mal/BadSrc-C infects users with SQL injection attacks, which then download more malicious scripts from the net to infect victims with spyware.
Sophos said that although it notified Adobe about the code, it was still present on the site until Thursday night.
"Incidents like this show once again that even established and respected companies like Adobe are not immune from the growing tide of web-based malware attacks. These infections are insidious, meaning the most well-intentioned internet users can be hit without knowing it," said Graham Cluley, senior technology consultant at Sophos.
"Organisations need to wake up and ensure that their websites are properly coded and that security is in place to stop these kinds of attacks. With over 90 percent of web infections now found on legitimate sites, firms need to take control to avoid putting potential customers at risk."