Trojan-PSW.Win32.Zbot.4_8aa2ac7620

by malwarelabrobot on September 7th, 2013 in Malware Descriptions.

Trojan-Downloader.Win32.Agent.hdnh (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PSW.Win32.Zbot.4.FD, mzpefinder_pcap_file.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Banker, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8aa2ac76201abef058b903decb580313
SHA1: 8f19ae3c1ee2561d64699d68120ad2a4fc105f6f
SHA256: d604b19bd91d7a1a28c84e62975543e1cdddec0c8e0ccae26815e9f5270a89f2
SSDeep: 384:UMp3HU08dJlM1jpj0Z3g 4tdmuJc1PbJK:UEHUblMVZ3kJK
Size: 20160 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: SummerSoft
Created at: 2013-09-03 16:59:47


Summary:

Trojan-PSW: a Trojan program intended to steal users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

8aa2ac76201abef058b903decb580313.exe:848
zfbttcb.exe:736
cietim.exe:1860
zvbvfndd.exe:340

The Trojan-PSW injects its code into the following process(es):

oKnUAf.exe:1616

oKnUAf.exe is the file fetched from hxxp://www.solutics.ch/oKnUAf.exe (see Network activity); the cookie and cache writes under File activity and the Run-key persistence under Registry activity are attributed to this process.

File activity

The process oKnUAf.exe:1616 makes changes in the file system. Most of the entries are Internet Explorer cache and cookie files written as a side effect of the HTTP requests listed under Network activity; the items of interest are qejacysgabom.exe in the profile root (the file referenced by the Run entry under Registry activity) and the CryptoAPI key container created under the user's SID in Application Data\Microsoft\Crypto\RSA.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (13 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@facebook[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\budbad[1].htm (213 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\precisionsolutionsky[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\golfpark-moossee[1].htm (1248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\boundbydesign[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\e-shuukyaku[1].htm (18 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\momonophoto[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[2].txt (307 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\christybarry[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\home[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spiti[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\timeturkey[1].htm (32 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@choice-select[1].txt (204 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (197 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[2].txt (344 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\altonhousehotel[1].htm (38 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (342 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hpp-services[1].htm (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\churchclothes[1].htm (60 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\mibsga[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\cath4choice[1].htm (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\easyformations[1].htm (19 bytes)
%Documents and Settings%\%current user%\qejacysgabom.exe (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (21092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\floridadoubled[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gjk.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\boundbydesign[1].htm (10 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\momonophoto[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\budbad[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\precisionsolutionsky[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\e-shuukyaku[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\christybarry[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\home[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\slcago[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\timeturkey[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\easyformations[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spiti[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\brijindia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\churchclothes[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\mibsga[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hostphd.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\floridadoubled[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gjk.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hpp-services[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\boundbydesign[1].htm (0 bytes)

The process 8aa2ac76201abef058b903decb580313.exe:848 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zfbttcb.exe (20 bytes)

(The byte counts in this report are the write sizes the monitor observed, not final file sizes: a 20-byte file is not a valid PE, yet zfbttcb.exe runs as process 736.)

The process zfbttcb.exe:736 makes changes in the file system. The CryptnetUrlCache entries and the Cab*.tmp/Tar*.tmp files are side effects of CryptoAPI fetching certificate data over the network; the relevant items are the cached download rhk[1].exe and its copy zvbvfndd.exe in Temp (both 1685 bytes).
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\rhk[1].exe (1685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (52 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zvbvfndd.exe (1685 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process cietim.exe:1860 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6268 bytes)

(NTUSER.DAT is the user's HKCU registry hive; these writes are the hive being flushed after the registry changes listed under Registry activity, not dropped files.)

The process zvbvfndd.exe:340 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FHI9B2C.bat (179 bytes)
%Documents and Settings%\%current user%\Application Data\Anzuu\cietim.exe (2725 bytes)

(This is the install step: the downloaded component drops cietim.exe into a random-named folder under Application Data together with a short batch file; Zbot droppers commonly use such a batch file to delete the original executable once the installed copy is running. cietim.exe then runs as process 1860.)

Registry activity

The process oKnUAf.exe:1616 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"qejacysgabomzap" = "9C 74 4C 24 FB 47 1F F6 CE A6 7E 56 2E 79 51 29"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "35 99 71 49 21 6C 44 1C F3 CB A3 7B 53 2B 03 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 67 28 D4 68 7C 7D 5E 5A B4 69 00 4F B0 C1 A1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-PSW modifies IE security-zone settings so that all UNC (network-share) paths are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE security-zone settings so that all sites that bypass the proxy server are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

(These ZoneMap values, the Cache\Paths entries and the Shell Folders values listed above are the defaults that WinINet, urlmon and the shell write the first time a process uses them, so they appear in almost every sandbox run of any program that makes an HTTP request. They are a side effect of the malware's network activity rather than deliberate tampering; the indicators worth acting on in this section are the Run entry and the random-named values and keys under HKCU\Software\Microsoft.)

To run itself automatically each time Windows boots, the Trojan-PSW adds the following link to its file under the autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"qejacysgabom" = "%Documents and Settings%\%current user%\qejacysgabom.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE security-zone settings so that all local (intranet) sites not listed in any other zone are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process 8aa2ac76201abef058b903decb580313.exe:848 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F F9 A3 C4 CE 1C 33 76 0E CB 47 9A D0 95 57 B0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"zfbttcb.exe" = "zfbttcb"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan-PSW modifies IE security-zone settings so that all local (intranet) sites not listed in any other zone are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW modifies IE security-zone settings so that all UNC (network-share) paths are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE security-zone settings so that all sites that bypass the proxy server are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process zfbttcb.exe:736 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 E4 A8 18 AB B6 94 D6 AF 7A 67 6F 5C 14 1F 6F"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"zvbvfndd.exe" = "Substance Practicehad"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-PSW modifies IE security-zone settings so that all UNC (network-share) paths are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE security-zone settings so that all sites that bypass the proxy server are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE security-zone settings so that all local (intranet) sites not listed in any other zone are treated as part of the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process cietim.exe:1860 makes changes in the system registry. The random-named key HKCU\Software\Microsoft\Byymyjitjemi holding a single opaque base64-encoded value is the installed component's own storage; together with the Run entry and the qejacysgabomzap value written by oKnUAf.exe it is the registry indicator to hunt for on other hosts (the key and value names are per-infection and will differ).
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 92 A1 AF 9E 56 4D C7 9D 9F 0F B1 08 7E 8B F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Byymyjitjemi]
"184bibd6" = "BeTh0UT/9HM="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process zvbvfndd.exe:340 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 16 42 EE 0B A8 B5 27 69 6E 7B 62 62 55 BF DC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Network activity (URLs)

The first block lists HTTP requests (defanged URL, then the resolved IP where the monitor recorded one); the second block lists DNS lookups that were not followed by an HTTP request. Several of the looked-up names are mail relays of public providers (mxs.mail.ru, smtp.live.com, smtp.mail.yahoo.com, gmail-smtp-in.l.google.com, in1.smtp.messagingengine.com), which is consistent with direct SMTP connections from the infected host; a workstation talking to public mail exchangers on its own is a strong detection signal regardless of the destination. Names that resolved to 127.0.0.1 or 192.168.0.1 were sinkholed, parked or nullrouted at the time of analysis.

URL IP
hxxp://www.solutics.ch/oKnUAf.exe 88.198.26.38
hxxp://precisionsolutionsky.com/ 64.34.168.92
hxxp://sullyfrance.com/ 216.8.179.30
hxxp://screaminpeach.com/ 108.162.203.235
hxxp://christybarry.com/ 66.49.139.143
hxxp://courtney.ca/ 67.223.102.97
hxxp://e-shuukyaku.com/ 211.13.204.89
hxxp://toddpipe.com/ 173.247.243.173
hxxp://jacksonsallamerican.com/ 50.63.202.20
hxxp://celebikalip.com.tr/ 212.58.6.80
hxxp://colourprint.nl/ 91.233.105.63
hxxp://stepnet.de/ 91.250.116.6
hxxp://mandi-man.com/ 210.172.144.61
hxxp://dbcomponents.com/ 66.147.244.241
hxxp://macgregor.co.kr/ 112.175.11.240
hxxp://sarahdavid.com/ 69.167.173.15
hxxp://brijindia.com/ 67.18.185.98
hxxp://ezmedi.com/ 218.150.78.243
hxxp://sarahdavid.com/index.html
hxxp://www.choice-select.com/
hxxp://austriansurfing.at/ 85.13.136.86
hxxp://gjk.com.pl/ 193.239.44.106
hxxp://hifuken.com/ 49.212.198.76
hxxp://tss.org/ 209.200.238.15
hxxp://bethisraelcenter.org/ 204.213.246.4
hxxp://freepatentauction.com/ 213.186.33.4
hxxp://wkhk.net/ 203.189.104.242
hxxp://brookfarm.com.au/ 116.251.204.207
hxxp://iaiglobal.or.id/ 49.50.8.93
hxxp://arquiteturadigital.com/ 208.113.187.143
hxxp://churchclothes.com/ 97.74.42.79
hxxp://hostphd.com.br/ 162.211.86.65
hxxp://timeturkey.com/ 174.123.154.194
hxxp://eurasia.it/ 54.229.116.65
hxxp://gamblingonlinemagazine.com/ 198.1.90.242
hxxp://hpp-services.com/ 69.27.112.3
hxxp://iaiglobal.or.id/v02
hxxp://fraser-high.school.nz/ 210.48.67.144
hxxp://servico-ind.com/ 85.159.56.120
hxxp://arckepesajandek.hu/ 5.56.32.1
hxxp://mastergrp-spb.ru/ 188.127.245.103
hxxp://servico-ind.com/index.asp
hxxp://iaiglobal.or.id/v02/
hxxp://wsipowerontheweb.com/ 173.245.60.194
hxxp://boundbydesign.com/ 64.13.250.94
hxxp://d4drmedia.com/ 208.70.247.105
hxxp://area72aa.org/ 199.19.85.86
hxxp://appelfarm.org/ 108.162.206.115
hxxp://schiedel.it/ 217.145.99.26
hxxp://spiti.org/ 212.67.194.161
hxxp://xing-group.com/ 59.106.167.61
hxxp://egao.net/ 121.83.133.146
hxxp://steelpennygames.com/ 54.227.239.237
hxxp://korta-sa.com/ 91.200.116.10
hxxp://impex.com.pl/ 188.252.27.130
hxxp://kvadratoff.ru/ 188.93.212.32
hxxp://slcago.org/ 97.74.80.192
hxxp://pcpeds.com/ 216.122.144.146
hxxp://budbad.com/ 144.76.86.115
hxxp://paintball.be/ 213.186.33.19
hxxp://vanguardpkg.com/ 184.168.201.1
hxxp://ans-service.com/ 67.227.252.139
hxxp://golfpark-moossee.ch/ 80.74.142.135
hxxp://midwestga.com/ 108.175.148.57
hxxp://xuanxiao.com/ 116.251.205.115
hxxp://mibsga.com/
hxxp://adultlivechat.us/ 74.119.145.130
hxxp://tutuji-saitama.com/ 124.108.33.192
hxxp://cath4choice.org/ 76.12.228.8
hxxp://agence-des-druides.com/ 91.121.36.162
hxxp://aethora.com/ 67.207.143.253
hxxp://coopsupermarkt.nl/ 213.247.43.95
hxxp://easyformations.net/ 88.208.216.219
hxxp://doctsf.com/ 213.186.33.17
hxxp://momonophoto.com/ 203.189.105.136
hxxp://solutioncorp.com/ 66.111.53.120
hxxp://sgprinting.ca/ 184.107.236.2
hxxp://acmepacificrepairs.com/ 69.198.129.78
hxxp://childscope.com/ 173.203.121.238
altonhousehotel.com 78.129.226.106
championsisters.com 50.116.66.142
jointpower-log.com 61.172.246.56
hoodriver.org 205.186.183.163
www.patentauction.com 213.186.33.4
www.iaiglobal.or.id 49.50.8.93
chocolatecovers.com 127.0.0.1
www.hpp-services.com 69.27.112.3
bukaschool.cz 93.185.102.124
link-list-uk.com 91.109.14.224
in1.smtp.messagingengine.com 66.111.4.70
tollefsondesign.com 192.168.0.1
domusretreat.com 50.57.31.161
floridadoubled.com 64.59.81.104
ibcd.com.br 192.168.0.1
heritageplaceky.com 199.34.229.100
menolinx.com 103.8.127.205
sd-jida.com.tw 220.130.45.139
mxs.mail.ru 94.100.176.20
tenpole.com 127.0.0.1
norakuroya.com 175.45.136.72
www.screaminpeach.com 108.162.204.235
smtp.mail.yahoo.com 98.138.105.21
itre.org 199.7.108.125
menyayu.com 62.109.28.222
choice-select.com 176.74.176.179
www.servico-ind.com 85.159.56.120
bgfleming.com 208.36.53.135
gmail-smtp-in.l.google.com 74.125.142.27
floresta.org 209.114.38.138
ondaon.com.br 206.222.17.3
www.childscope.com 173.203.121.238
perc.ca 69.89.31.118
1-dream.net 210.172.144.247
alt4.gmail-smtp-in.l.google.com 173.194.65.27
fnadisplay.com 94.23.0.52
rivhsa.org 69.61.104.168
osouji-school.com 211.13.204.89
netify.de 87.106.66.125
lois-jewellery.com 213.165.89.8
upsilon89.com 62.193.227.35
nadalada.net 216.99.222.235
sanwaseiki.com 182.48.49.38
singtech.com.sg 103.9.101.151
greenshore.com 68.169.60.245
www.wkhk.net 203.189.104.242
islandsticker.com 216.117.162.218
nazcapictures.com 69.0.211.58
mekapro.ch 213.239.199.42
womanshealthchoice.com 46.30.8.183
oceanpowermarine.com.au 202.87.24.152
winnstone.com 174.121.8.8
stageup.net 115.146.8.231
www.golfpark-moossee.ch 80.74.142.135
www.facebook.com 31.13.65.1
www.gamblingonlinemagazine.com 198.1.90.242
www.mibsga.com 173.201.232.241
fitedi.com.br 187.45.210.124
santilli-law.com 173.199.169.56
re-wakefield.co.uk 108.162.193.186
bredainternet.nl 127.0.0.1
trenpalau.com 217.149.1.49
nd-evenementiel.com 79.98.23.30
temsanmakina.com 85.153.48.91
www.sarahdavid.com 69.167.173.15
mail7.digitalwaves.co.nz 127.0.0.1
entegre.com.tr 31.207.87.45
didonatospa.com 217.64.194.122
smtp.live.com 65.55.96.11
theautospas.com 216.70.109.220
www.momonophoto.com 203.189.105.136
nichedictionary.com Unresolvable
xn--22c6bfh8abch1g1b0ap6a9vxa.com Unresolvable
x-cellcommunications.de Unresolvable
audio-direkt.net Unresolvable
toutenmeuse.com Unresolvable
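
The two blocks above are the indicators most analysts pull out of a report like this. The following Python script is an added example (not part of the Lavasoft report) that parses rows in exactly the layout used above, refangs the hxxp:// scheme, separates HTTP requests from DNS-only lookups, flags names that resolved to loopback or private space, and marks mail-relay hosts with a simple name heuristic. The MAIL_LABELS heuristic is an assumption of the example; the embedded sample rows are copied from this report and chosen to cover each row shape the table contains.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Rows copied from the "Network activity (URLs)" block of this report, chosen to
# cover every row shape it contains (URL with IP, URL without IP, DNS-only name,
# loopback/private resolution, mail relays, "Unresolvable").
SAMPLE_ROWS = """\
hxxp://www.solutics.ch/oKnUAf.exe 88.198.26.38
hxxp://sarahdavid.com/index.html
hxxp://iaiglobal.or.id/v02/
www.iaiglobal.or.id 49.50.8.93
chocolatecovers.com 127.0.0.1
tollefsondesign.com 192.168.0.1
mxs.mail.ru 94.100.176.20
smtp.live.com 65.55.96.11
gmail-smtp-in.l.google.com 74.125.142.27
nichedictionary.com Unresolvable
"""

# Heuristic for mail-relay hostnames; an assumption of this example, not a
# classification the report makes.
MAIL_LABELS = ("smtp", "mx", "mail")

ROW_RE = re.compile(r"^(?P<url>\S+)(?:\s+(?P<ip>\S+))?$")


def refang(url: str) -> str:
    """Turn the report's defanged scheme (hxxp/hxxps) back into http/https."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def host_of(entry: str) -> str:
    """Bare lowercase hostname of a URL or of a plain DNS name."""
    entry = refang(entry)
    m = re.match(r"^[a-z]+://([^/]+)", entry, flags=re.IGNORECASE)
    host = m.group(1) if m else entry
    return host.rsplit("@", 1)[-1].split(":")[0].lower()


def is_mail_host(host: str) -> bool:
    first = host.split(".")[0]
    return first.startswith(MAIL_LABELS) or ".smtp." in host or "-smtp-" in host


def classify_ip(ip: Optional[str]) -> str:
    """Label the resolution column: no-ip, unresolvable, loopback, private, public or malformed."""
    if ip is None:
        return "no-ip"
    if ip.lower() == "unresolvable":
        return "unresolvable"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback:
        return "loopback"     # typical of a sinkholed or nullrouted domain
    if addr.is_private:
        return "private"      # likewise, or the sandbox's own resolver answering
    return "public"


def parse_rows(text: str) -> List[Dict[str, object]]:
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line) if line else None
        if not m:
            continue
        entry, ip = m.group("url"), m.group("ip")
        host = host_of(entry)
        rows.append({
            "host": host,
            "url": refang(entry) if "://" in entry else None,   # None => DNS-only lookup
            "ip": ip,
            "resolution": classify_ip(ip),
            "mail_host": is_mail_host(host),
        })
    return rows


def blocklist(rows: List[Dict[str, object]]) -> List[str]:
    """Hostnames worth blocking: everything contacted or looked up except public mail
    relays (the actionable signal there is a workstation speaking SMTP to an MX
    directly, not the hostname) and names already sinkholed into loopback/private
    space. Unresolvable names stay in: they may come alive later."""
    return sorted({str(r["host"]) for r in rows
                   if not r["mail_host"] and r["resolution"] not in ("loopback", "private")})


def smtp_contacts(rows: List[Dict[str, object]]) -> List[str]:
    return sorted({str(r["host"]) for r in rows if r["mail_host"]})


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    print("block:", blocklist(parsed))
    print("smtp :", smtp_contacts(parsed))
    print("odd  :", [(r["host"], r["ip"]) for r in parsed if r["resolution"] in ("loopback", "private")])
```

Feed the whole network block of a report through parse_rows and the output splits cleanly into a proxy/DNS blocklist, a list of mail relays to turn into an "outbound port 25 from workstations" detection, and the already-dead domains you can skip.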


Rootkit activity

The API hooks below are user-mode hooks (typically inline patches of the function entry) placed in the injected process. Read together they are the usual set of a banking Trojan: the WININET hooks (HttpSendRequest*, InternetReadFile*, InternetWriteFile*, HttpQueryInfo*) see HTTP request bodies and responses in plaintext inside the browser; the Secur32 hooks (SealMessage/DecryptMessage) see data immediately before TLS encryption and after decryption; the WS2_32 hooks cover raw sockets and name resolution; GetClipboardData and TranslateMessage give clipboard and keystroke capture; PFXImportCertStore intercepts client certificates as they are imported; and the ntdll hooks (LdrLoadDll, NtCreateThread) are typically used to re-apply the hooks in newly loaded modules and new threads. This hook set is what makes the sample a password stealer despite the "No specific payload" note above, and it is what an anti-rootkit tool that compares in-memory export prologues with the on-disk image will flag.

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    8aa2ac76201abef058b903decb580313.exe:848
    zfbttcb.exe:736
    cietim.exe:1860
    zvbvfndd.exe:340

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (301 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@facebook[1].txt (168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\budbad[1].htm (213 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (208 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\precisionsolutionsky[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\golfpark-moossee[1].htm (1248 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\boundbydesign[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (231 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (223 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\e-shuukyaku[1].htm (18 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (148 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\slcago[1].htm (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\momonophoto[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@doctsf[2].txt (307 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\christybarry[1].htm (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\home[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spiti[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[1].txt (168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\timeturkey[1].htm (32 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@choice-select[1].txt (204 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (197 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[2].txt (344 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (233 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\brijindia[1].htm (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\altonhousehotel[1].htm (38 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (342 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hpp-services[1].htm (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\churchclothes[1].htm (60 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\mibsga[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\cath4choice[1].htm (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hostphd.com[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\easyformations[1].htm (19 bytes)
    %Documents and Settings%\%current user%\qejacysgabom.exe (49 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (21092 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\floridadoubled[1].htm (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gjk.com[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\boundbydesign[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zfbttcb.exe (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\rhk[1].exe (1685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (52 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zvbvfndd.exe (1685 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FHI9B2C.bat (179 bytes)
    %Documents and Settings%\%current user%\Application Data\Anzuu\cietim.exe (2725 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "qejacysgabom" = "%Documents and Settings%\%current user%\qejacysgabom.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
