Gen.Variant.Zusy.193211_c243065a8d

by malwarelabrobot on June 9th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.193211 (B) (Emsisoft), Gen:Variant.Zusy.193211 (AdAware), Backdoor.Win32.PcClient.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: c243065a8d53d757144c0e4fb4c30fab
SHA1: f04a32b17e431a76f3a295c95daa4afc092b95d1
SHA256: 02b5fbf13027314a2ce5b1a5b7de58952f120dcdc60ea6a93cac994dfd9d8719
SSDeep: 6144:5biDeTMxEZqYHobQ0jtl0I4HYEGQrz/bkRwOkOAT9eUWp8mkmN2O:5bseIihUkI42WQRwO0Y9gE
Size: 383488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-11-02 04:47:02
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

dwwin.exe:1228

The Trojan injects its code into the following process(es):

rundll32.exe:1784
%original file name%.exe:1504

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process dwwin.exe:1228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\261FF2.dmp (75226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\msirku32.dll (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c7_appcompat.txt (6214 bytes)

Registry activity

The process dwwin.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D F1 80 B3 01 6D 4A FE 17 77 65 97 B6 7C 46 DE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 CE 95 3B 1E 2B B3 89 8A 5F A5 3B 72 BE 57 60"

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 7C 90 F4 E9 35 B9 7E 59 E3 8A CA 81 0E 27 DB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Adds a rule to the Windows Firewall that allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:c243065a8d53d757144c0e4fb4c30fab"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSIDLL" = "rundll32.exe msirku32.dll,UzEPTgVNpk"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

Dropped PE files

MD5 File path
90b41535ed0ab3b62a2ed967a65ea166 c:\WINDOWS\system32\msirku32.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             39033         39424     4.47406  00f1fdff6c730cdc079c576d71b74072
.rdata  45056            11588         11776     3.62586  da51eff10052d9e5a546e77d2c9ddd2c
.data   57344            334080        331264    5.49717  2d185f4bc166ee88ebb260f880adfef8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_1504:

.text
`.rdata
@.data
winver.exe
ntdll.dll
Kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
KERNEL32.DLL
GDI32.dll
USER32.dll
GetCPInfo
c:\%original file name%.exe
mscoree.dll

%original file name%.exe_1504_rwx_009C0000_0005A000:

[%.2d/%.2d/%.4d %.2d:%.2d:%.2d] - %s %s
c:\boot.log
Profile: %s
Port
password
Software\FTPWare\COREFTP
- password: %s
\Mozilla\Firefox\
profiles.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
%Program Files%\Mozilla Firefox\
\signons.txt
\signons2.txt
\signons3.txt
nspr4.dll
plc4.dll
plds4.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
port
Sites.dat
<Port>
<Password>
\SmartFTP
/admin/getfile.php
madcapphotoworks.com
/adv/getfile.php
arminpfluegl.ar.funpic.de
i-p.perm.ru
<FTPItem>
</Port>
<Login>
</Login>
<Pass>
</Pass>
</FTPItem>
<HTTPItem>
<URL>
</URL>
<LoginParam>
</LoginParam>
<PassParam>
</PassParam>
</HTTPItem>
iexplore.exe
firefox.exe
opera.exe
chrome.exe
kernel32.dll
CURL::Get: %s
CURL::Get(): trying to inject to ie and load...
CURL::Get(): %s
CURL::Get(): trying to download directly...
CURL::Post: %s, %s
CURL::GetIEProcessID
CURL::GetIEProcessID(): findwindow returned 0x%X
CURL::GetIEProcessID(): GetWindowThreadProcessId returned 0x%X
CURL::GetIEProcessID(): 0x%X
mscoree.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
GetWindowsDirectoryA
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
CryptDestroyKey
CryptDeriveKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
shlwapi.dll
WSOCK32.dll
GetCPInfo
pr_ni.dll
\p_sys.dll
\sysclos.exe
\*.dat
db Xh
.data
%sLen equ %lu
SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache
SSSSkernel32.dll
|shfolder.dll
psapi.dll
P:\Projects\password_recovery\cinch\tools\out.bin
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\account.cfg
\account.cfn
%s Database
Password
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\&RQ
\&RQ.exe
crypted-password
\andrq.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian\
\aim.ini
\users\global\profiles.ini
Software\Ghisler\Windows Commander
FtpIniName
\wcx_PTF.ini
\Mailbox.ini
PassWd
INETCOMM Server Passwords
Outlook Account Manager Passwords
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
%s\%s\%s
%s\%s
SMTP Email Address
POP3 Password
POP3 Password2
IMAP Password
IMAP Password2
pstorec.dll
crypt32.dll
w\GlobalSCAPE\CuteFTP\
\GlobalSCAPE\CuteFTP Pro\
\cutftp32.exe
%Program Files%\CuteFTP\
sm.dat
tree.dat
smdata.dat
SOFTWARE\Far\Plugins\FTP\Hosts
WS_FTP
\*.ini
\Ipswitch\WS_FTP\Sites
\Ipswitch\WS_FTP Home\Sites
\win.ini
\ws_PTF.ini
\ws_PTF.exe
\Opera
\Mail\accounts.ini
\profile\wand.dat
Software\Opera Software
Incoming Password
\Mozilla\Profiles
urlmon.dll
wininet.dll
URLDownloadToCacheFileA
URLDownloadToFileA
HttpOpenRequestA
HttpSendRequestA
.ar.funpic.de
Googlebot/2.1 ( hXXp://VVV.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
More information: hXXp://VVV.ibsensoftware.com/
c:\c243065a8d53d757144c0e4fb4c30fab
c:\%original file name%.exe:*:Enabled:c243065a8d53d757144c0e4fb4c30fab
c:\%original file name%.exe
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
A2C-196E-4210-9C04-2B1BC21F07EF}
8.3.2.1593
%Documents and Settings%\%current user%\Application Data\The Bat!\*.*
d:\Procmon.exe
ec.exe
t.dll,-331
es.dll,-1646
.dll,-20003
%Documents and Settings%\%current user%\Trillian\User Settings\
%APPDATA%\GHISLER\wcx_PTF.ini
Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\Software\Microsoft\Internet Account Manager\Accounts
^d:\Procmon.exe
Pro\6.0\sm.dat
e\Sites\*.ini
%WinDir%\win.ini
%Documents and Settings%\%current user%\Application Data\Opera\*.*\Mail\accounts.ini
%Documents and Settings%\%current user%\Application Data\Mozilla\Profiles\*.*
SmartFTP
x86 9.0.30729.4148
iER\wcx_PTF.ini

%original file name%.exe_1504_rwx_00A50000_00087000:

Content-Type: application/x-www-form-urlencoded
yahoo.com
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
Chrome_WidgetWin_0
kernel32.dll
rundll32.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
unsupported version
.?AV?$oserializer@Vxml_oarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$oserializer@Vxml_oarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$singleton_wrapper@V?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@@detail@serialization@boost@@
.?AV?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@
.?AV?$singleton@V?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@@serialization@boost@@
.?AVMCmdList@@
.?AV?$iserializer@Vxml_iarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$iserializer@Vxml_iarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@@detail@serialization@boost@@
c:\%original file name%.exe
GetProcessHeap
GetConsoleOutputCP
GetCPInfo
RegCreateKeyExA
RegCloseKey
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
SHLWAPI.dll
USER32.dll
uHxcZGgLZd.dll
mscoree.dll

rundll32.exe_1784:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

rundll32.exe_1784_rwx_10001000_00083000:

Content-Type: application/x-www-form-urlencoded
yahoo.com
HttpQueryInfoA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
Chrome_WidgetWin_0
kernel32.dll
rundll32.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
unsupported version
.?AV?$oserializer@Vxml_oarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$oserializer@Vxml_oarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$singleton_wrapper@V?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@@detail@serialization@boost@@
.?AV?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@
.?AV?$singleton@V?$extended_type_info_typeid@VMCmdList@@@serialization@boost@@@serialization@boost@@
.?AVMCmdList@@
.?AV?$iserializer@Vxml_iarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$iserializer@Vxml_iarchive@archive@boost@@VMCmdList@@@detail@archive@boost@@@detail@serialization@boost@@
%System%\rundll32.exe
GetProcessHeap
GetConsoleOutputCP
GetCPInfo
RegCreateKeyExA
RegCloseKey
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
mscoree.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:1228

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\261FF2.dmp (75226 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\msirku32.dll (175 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\c7_appcompat.txt (6214 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSIDLL" = "rundll32.exe msirku32.dll,UzEPTgVNpk"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
