Backdoor.Generic.622690_a0a4cd62bf

by malwarelabrobot on May 26th, 2016 in Malware Descriptions.

Trojan-Downloader.Win32.AutoIt.th (Kaspersky), Backdoor.Generic.622690 (B) (Emsisoft), Backdoor.Generic.622690 (AdAware), Trojan.Win32.Bumat.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, Virus.Win32.Parite.B.FD, GenericAutorunWorm.YR, VirusParite.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor, Worm, Virus, VirTool, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: a0a4cd62bf0ff4556a5f9830cfd0553d
SHA1: 49d0d0459af4fedebdfa1aba19864e63392596b8
SHA256: 7331ba67c11daa5f86f1f0910e8979e5a8914357372236d9da557f653ea37292
SSDeep: 24576:hfmMv6Ckr7MnyI8fgVrTdjDOPOZTrkMI6z/:h3v 7/I8fQrTR
Size: 1261142 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: ??????????
Created at: 2010-03-07 18:08:39
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Backdoor creates the following process(es):

5ze4r5y5ry1DLL.exe:1168
%original file name%.exe:1552

The Backdoor injects its code into the following process(es):

svchost.exe:592
Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 5ze4r5y5ry1DLL.exe:1168 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmd1.tmp (11010 bytes)

The process %original file name%.exe:1552 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\Explorer32DLL.exe (23913 bytes)
%WinDir%\5ze4r5y5ry1DLL.exe (307 bytes)

The Backdoor deletes the following file(s):

%WinDir%\Explorer32DLL.exe (0 bytes)

Registry activity

The process 5ze4r5y5ry1DLL.exe:1168 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 75 97 34 2D 63 7A B0 B3 0F 1E 1F 97 0A B7 FB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"svchost.exe" = "svchost"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1552 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 9A 26 C6 76 A0 EA 9D 37 B7 93 7A C3 7C BF CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{{DML7J752-5356-4Z46-B4TB-NY2A1F738Y0I}}]
"StubPath" = "%WinDir%\Explorer32DLL.exe"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%WinDir%\Explorer32DLL.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer" = "%WinDir%\Explorer32DLL.exe"

Dropped PE files

MD5 File path
ec9a9078a8452ee622741d60648f5343 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\svchost.exe
685f1cbd4af30a1d0c25f252d399a666 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\jmd1.tmp
ec9a9078a8452ee622741d60648f5343 c:\WINDOWS\5ze4r5y5ry1DLL.exe
5d1978c42c8ddcd2db3ec9cd37cae1fe c:\%original file name%.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 6, 0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 524311 524800 4.59881 6c20c6bf686768b6f134f5bd508171bc
.rdata 532480 55644 55808 3.15551 321c940899050104ced482b1e5bf7a0e
.data 589824 107800 26624 1.52615 e5d77411f751d28c6eee48a743606795
.rsrc 700416 26224 26624 3.55864 89967892fb8c209a8bdb03cb6dfa960f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

svchost.exe_592:

.idata
.rdata
P.reloc
P.rsrc
P.tqn
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
ESQLiteException
TSQLiteDatabase
TSQLiteTable
sqlite3_open
sqlite3_errmsg
sqlite3_free
sqlite3_close
sqlite3_last_insert_rowid
sqlite3_total_changes
sqlite3_errcode
sqlite3_bind_text
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_double
sqlite3_bind_null
sqlite3_bind_blob
sqlite3_prepare_v2
sqlite3_step
sqlite3_reset
sqlite3_finalize
sqlite3_prepare
sqlite3_busy_timeout
sqlite3_libversion
sqlite3_create_collation
sqlite3_bind_parameter_index
sqlite3_changes
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_type
sqlite3_column_int64
sqlite3_column_double
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_column_text
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
udprec
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
:\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
\Mozilla Firefox\
nss3.dll
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
PK11_GetInternalKeySlot
userenv.dll
\Mozilla\Firefox\
profiles.ini
\signons3.txt
\Mozilla\Firefox\profiles.ini
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
Urlmon.dll
Shell32.dll
URLDownloadToFileA
ShellExecuteA
Future Windows version (unknown)
Windows
UDPPROG1|
UDPStart|
SOFTWARE\Mozilla\Mozilla Firefox\
WEBDL
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
GetCPInfo
MsgWaitForMultipleObjects
wsock32.dll
shell32.dll
5 5$5(5,5054585
>">*>2>:>
: :$:(:,:0:4:8:<:@:`:
SQLite3
KWindows
UrlMon
SQLiteTable3
Kernel32.dll
ADVAPI32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer
Cannot open file "%s". %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Failed to get data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread Error: %s (%d)
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot create file "%s". %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation

svchost.exe_592_rwx_00427000_00001000:

Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Explorer

svchost.exe_592_rwx_008B1000_00071000:

UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLk
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
:].tJ
EInvalidGraphicOperation,0
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdz
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
VprK|%Ud
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
70"!(&&$
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt  Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s

Explorer.EXE_1684_rwx_022A1000_00071000:

UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLk*
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
:].tJ
EInvalidGraphicOperation,0 
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdz,
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
VprK|%Ud
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
70"!(&&$
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt  Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    5ze4r5y5ry1DLL.exe:1168
    %original file name%.exe:1552

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jmd1.tmp (11010 bytes)
    %WinDir%\Explorer32DLL.exe (23913 bytes)
    %WinDir%\5ze4r5y5ry1DLL.exe (307 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "svchost.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\svchost.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Explorer" = "%WinDir%\Explorer32DLL.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Explorer" = "%WinDir%\Explorer32DLL.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now