Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


FormBook is a Trojan infection that has been advertised in hacking forums since the beginning of 2016. It is already known that this threat has been used in attacks against the Aerospace, Manufacturing, and Defense Contractor sectors in the United States and South Korea; however, these are certainly not the only attacks it has been involved in. Since anyone with bad intentions can rent or purchase it on the dark web for a low price (59 USD for 1 month, 99 USD for 3 months, and 299 USD for a lifetime), it is very likely that it will not take long for it to cause problems for many companies, individual users, and institutions. It is not easy to describe the distribution of FormBook because it depends entirely on the cyber criminal who has purchased it; however, like other Trojan infections, it tends to slither onto computers unnoticed. Consequently, we cannot promise that it will be easy to protect the system against it. If it turns out that FormBook has already managed to get onto your computer, get rid of it right away because it is a truly nasty infection that can bring nothing but privacy-related problems. Read the next paragraph of this article carefully to find out what it is capable of. We also cover its removal in detail further in this report.

FormBook is a so-called infostealer Trojan: the main activity it performs is stealing personal information. Research conducted by specialists working at has clearly shown that it can log keystrokes, steal passwords, take screenshots, clear web browsers' cache and cookies, reboot and shut down the computer, launch commands via ShellExecute, and, finally, download anything from the web without the user's knowledge. The recorded information is stored on a secret server belonging to cyber criminals and, later on, might be used for malicious purposes. On top of that, it might also be sold for a high price on the black market. As can be seen, this Trojan is a really nasty malicious application.

Our researchers say that the distribution of FormBook depends entirely on the cyber criminal who has purchased or rented it, but it has already been observed that it is quite often spread via malicious emails as .pdf and .doc attachments. Of course, this does not mean that other distribution methods cannot be used to promote it. According to our malware experts who have analyzed this Trojan, it might also be spread disguised as a crack/keygen. It goes without saying that many other methods might be used to distribute it. Stay away from spam emails and stop downloading software from dubious websites if you do not want to encounter this malicious application. Additionally, you should have security software enabled on your computer 24/7/365.

It takes time to realize that FormBook has slithered onto the computer, and there are several reasons for this. First, it is known that it should hide in %ProgramFiles%, %CommonProgramFiles%, %USERPROFILE%, %APPDATA%, or %TEMP%, but it seems that it might exist somewhere else too, i.e. it might change its location. It all depends on the cyber criminal's wishes. Additionally, it has a random extension (e.g. .exe, .com, .scr, .pif, .cmd, or .bat) and a random name. Last but not least, it should create a value in the Run registry key ([HKCU|HKLM]\SOFTWARE\Microsoft\Windows\CurrentVersion\Runkey and [HKCU|HKLM]\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) after it gets in so that it can start automatically with the Windows OS; however, this value usually has a random name too.

FormBook is quite a sophisticated malicious application. It can not only change its location and filename extension, but it can also inject itself into a Windows component. Additionally, it might create many random files in the same directory where its executable file is located, for example, EO3KST53.ini, so do not expect its removal to be easy. To be frank, it might be extremely hard to erase manually because it has many different components. Therefore, we suggest that you use a powerful antimalware scanner to eliminate FormBook from your computer. If you still decide to take care of this threat manually, use the manual removal guide you will find below this article. You cannot leave a single component belonging to this Trojan active on your system because it could easily revive and continue silently recording personal information.

How to delete FormBook

  1. Press Win+R.
  2. Type regedit and click OK.
  3. Check all these registry keys one by one and delete malicious Values:
     • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  4. Close Registry Editor and open Windows Explorer (tap Win+E).
  5. Check %ProgramFiles%, %CommonProgramFiles%, %USERPROFILE%, %APPDATA%, and %TEMP%.
  6. If you find malicious files that belong to FormBook in these directories, delete them all immediately.
  7. Empty Trash.
  8. Perform a system scan with a diagnostic scanner to check whether there are other malicious components active on your system.
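
The registry part of these steps can be scripted for triage. The following is an added example, not part of the original guide: it reads the values under the four Run keys and shortlists those whose target sits in one of the folders and carries one of the extensions named earlier in the article. The function names, the USER_WRITABLE grouping and the sample rows are assumptions constructed for illustration.

```python
import contextlib
import ntpath
import re

# Run keys from the removal steps; extensions and folders named in the article.
RUN_KEYS = [(h, r"SOFTWARE\Microsoft\Windows\CurrentVersion" + t) for h in
            ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE") for t in (r"\Run", r"\Policies\Explorer\Run")]
EXTS = (".exe", ".com", ".scr", ".pif", ".cmd", ".bat")
DIR_VARS = ("ProgramFiles", "CommonProgramFiles", "USERPROFILE", "APPDATA", "TEMP")
USER_WRITABLE = {"USERPROFILE", "APPDATA", "TEMP"}  # writable without admin rights

def target_path(command, env):
    """Expand %VAR% references, drop arguments, return the normalised path."""
    lookup = {k.upper(): v for k, v in env.items()}
    command = re.sub(r"%([^%]+)%", lambda m: lookup.get(m[1].upper(), m[0]), str(command)).strip()
    alt = "|".join(re.escape(e) for e in EXTS)
    m = re.match(r'"([^"]+)"', command) or re.match(rf"(.+?(?:{alt}))(?=\s|$)", command, re.I)
    return ntpath.normcase(ntpath.normpath(m[1] if m else command))

def shortlist(entries, env):
    """entries: (key, value_name, command) rows. Returns rows for manual review."""
    roots = sorted(((ntpath.normcase(ntpath.normpath(env[v])), v)
                    for v in DIR_VARS if v in env), key=lambda r: -len(r[0]))
    hits = []
    for key, name, command in entries:
        path = target_path(command, env)
        # Longest root first, so %TEMP% wins over the enclosing %USERPROFILE%.
        var = next((v for root, v in roots if path.startswith(root + "\\")), None)
        if var and ntpath.splitext(path)[1] in EXTS:
            hits.append((key, name, path, var, var in USER_WRITABLE))
    return hits

def read_run_keys():
    """Windows only: read (key, value_name, command) rows from RUN_KEYS."""
    import winreg
    rows = []
    for hive, sub in RUN_KEYS:
        with contextlib.suppress(OSError), winreg.OpenKey(getattr(winreg, hive), sub) as k:
            for i in range(winreg.QueryInfoKey(k)[1]):
                rows.append((f"{hive}\\{sub}", *winreg.EnumValue(k, i)[:2]))
    return rows

# Constructed sample (not real FormBook data) so the logic runs on any OS.
SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files", "USERPROFILE": r"C:\Users\alice",
              "APPDATA": r"C:\Users\alice\AppData\Roaming",
              "TEMP": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE = [("HKCU Run", "Updater", r'"C:\Program Files\Vendor\updater.exe" /min'),
          ("HKCU Run", "QX7T2", r"%APPDATA%\QX7T2\kfd81.pif"),
          ("HKLM Run", "Driver", r"C:\Windows\System32\drvhelper.exe"),
          ("HKCU Run", "ms3", r"C:\Users\alice\AppData\Local\Temp\a b.scr -s")]
```

On Windows, shortlist(read_run_keys(), os.environ) applies the same check to the live registry. A hit is a candidate for manual review rather than a verdict, because legitimate software also autostarts from these folders.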