Danger level 6
Type: Backdoors
Common infection symptoms:
  • Slow Computer
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


Caphaw, also known as Win32/Caphaw and Shylock, is a highly dangerous backdoor Trojan which can gain access to the target computer in multiple ways. The Trojan horse has been circulating on the Internet since 2011 and has inflicted damage on a huge number of unsuspecting computer users. The Caphaw Trojan spreads via Skype files, including videos and photos, Facebook wall posts, removable drives, YouTube ads, and drive-by downloads, which reach the computer by exploiting vulnerabilities in Adobe Flash or Java. The removal of this Trojan horse is a must, and the sooner you remove this threat, the sooner you can prevent serious financial issues.

As regards Skype, the infection can send files to the user’s Skype contacts. Once the user downloads the files, the Trojan is executed automatically. When the Trojan spreads via Facebook, it creates a post on the Facebook wall. The post invites Facebook friends to click a link, which should be ignored to stop the infection from spreading.

In February 2014, it was found that the ad network providing YouTube visitors with advertisements was hosting the Styx exploit kit, which was employed to spread this nasty banking Trojan horse. The exploit kit took advantage of a Java vulnerability known as CVE-2013-2460. This occurrence shows that it is highly important to be alert to the possibility of getting the computer infected on any website, and we recommend that you avoid clicking on web banners and pop-up ads.

Once installed, the Caphaw Trojan uses the names of legitimate files to avoid detection. When a legitimate file name has been selected, the infection copies itself into the %AppData% directory using that file name. The threat injects itself into legitimate system processes in order not to arouse the user’s suspicion. For example, it can affect processes such as firefox.exe, svchost.exe, cmd.exe, and others.

In order to start running every time Windows starts, the malicious program creates a value under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
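The two traits just described, a copy living under %AppData% and a start-up value in the HKCU Run key, can be audited together. The following PowerShell script is an added example and not code from the original page; it assumes nothing beyond the Run key and profile folders named above, and flags a Run entry when its executable sits under %AppData% or %LocalAppData% and does not carry a valid Authenticode signature.

```powershell
# Added example: audit HKCU Run values for executables under the user's profile.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$userDirs = @(
    [Environment]::GetFolderPath('ApplicationData'),       # %AppData%
    [Environment]::GetFolderPath('LocalApplicationData')   # %LocalAppData%
)

function Get-ExecutablePath {
    param([string]$CommandLine)
    # A Run value may be quoted, may use %VARS%, and may carry arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first program extension.
    $m = [regex]::Match($expanded, '^(.+?\.(exe|com|bat|cmd|scr|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $expanded.Split(' ')[0]
}

$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $props) { Write-Host 'No HKCU Run values present.'; return }

foreach ($p in $props.PSObject.Properties) {
    # Skip the provider metadata Get-ItemProperty attaches to the object.
    if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
    $exe = Get-ExecutablePath $p.Value
    $inUserDir = $false
    foreach ($d in $userDirs) {
        if ($exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $inUserDir = $true }
    }
    # A copied binary keeps a legitimate name but not the vendor's signature.
    $sig = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else { 'FileMissing' }
    [PSCustomObject]@{
        Name       = $p.Name
        Path       = $exe
        UserDir    = $inUserDir
        Signature  = $sig
        Suspicious = ($inUserDir -and $sig -ne 'Valid')
    }
}
```

Some legitimate per-user installers also start from %AppData%, so a Suspicious entry is a triage lead to check against the file's hash and vendor, not a verdict on its own.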

Caphaw is used to steal sensitive data, mainly online banking details. Caphaw has targeted many well-known banks, including Barclays, HSBC, Leicester, Fidelity, Lloyds Banks, etc. The infection is known to inject its malicious code into banks’ web pages in order to replace phone numbers with the ones owned by the attackers. The infection automatically steals money while the victim is using his/her account. The fraud is not noticed because the owner of the bank account is provided with fake data.

It is important to note that Caphaw is also used to perform other unauthorized actions. The Trojan horse enables attackers to control the infected machine: they can use the Trojan to control your desktop, access and delete your files, shut down and restart the computer, change PC settings, redirect Internet traffic through a proxy server, download and run other files, etc. These and other actions are performed using special plug-ins, such as VideoGrabber, SpBot, Backsocks, Diskspread, and Ftpgrabber.

If you suspect that your computer is affected by some malicious program, you should scan the system straight away. Your computer needs protection against fake anti-virus programs, rogue security programs, worms, adware, Trojan horses, ransomware infections, and many other threats that can steal data or impair the performance of the PC.

We advise you against manual malware removal because Caphaw is an extremely complex piece of malware, and the removal of this threat requires a lot of knowledge and skill. Our team recommends using SpyHunter because this real-time security program can remove the threat and safeguard you against multiple threats.
