Ghost Antivirus

Ghost Antivirus is a malicious Windows security program that was initially found associated with Internet Antivirus Pro. In the initial attack, a Trojan introduces this rogue onto the system and, when executed, modifies Internet browser settings. When the user accesses a web site, the browser is redirected to a fake virus scanner web page that poses as Windows Explorer. The web page mimics the layout of the computer's hard drives and pretends to scan each one. After the scan, Ghost Antivirus displays a fake alert about the computer's security status, such as “Serious security and privacy threats found on your computer”, and advises the user to download and install the recommended software. After installation, it modifies the registry so that Ghost Antivirus runs every time Windows starts. It also modifies other system settings to disable locally installed antivirus and security programs, a preventive move meant to keep Ghost Antivirus from being removed from the system. It also removes desktop icons, disables Task Manager, and makes the mouse and keyboard unusable. The only option left to the user is to purchase the licensed version of Ghost Antivirus.

To completely remove Ghost Antivirus, run a trusted, well-known anti-virus and anti-malware program. A combination of both is more effective at removing Ghost Antivirus and all of the malicious files it has planted in hidden folders and system directories of the computer.

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Malware Behavior
While Ghost Antivirus is running on the computer, it repeatedly warns the user of supposedly serious threats found on the system. An example alert contains this warning message:

Serious security and privacy threats found on your computer. It may damage your files or steal your personal and financial information. Click “OK” to start downloading CRITICAL security software update.

Added Registry Entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Ghost Antivirus"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce "3P_UDEC"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost Antivirus_is1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKCU\Software\Microsoft\FTP "SearchDir" = "C:\program files\Ghost Antivirus\"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "(random characters)onin"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent "URIAPRO[1.1.3.9]"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger" = "?"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "RealDebugger" = "?"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "RealLogonType" = "1" 
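
An added example, not part of the original page: a Python triage script that checks the text of a `reg export` dump against the registry entries listed above. The sample export and its value data are constructed, and the function names are illustrative.

```python
import re
ROOTS = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}
CV = r"\Software\Microsoft\Windows\CurrentVersion"
NT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
# (key, value-name regex or None if the key itself is the indicator, data regex)
INDICATORS = [
    ("HKCU" + CV + r"\Run", r"Ghost Antivirus", ""),
    ("HKCU" + CV + r"\RunOnce", r"3P_UDEC", ""),
    ("HKCU" + CV + r"\Policies\Explorer\Run", r".*onin", ""),
    (r"HKCU\Software\Microsoft\FTP", r"SearchDir", r"Ghost Antivirus"),
    ("HKLM" + CV + r"\Uninstall\Ghost Antivirus_is1", None, ""),
    ("HKLM" + CV + r"\Internet Settings\5.0\User Agent", r"URIAPRO.*", ""),
    (NT + r"\Image File Execution Options\taskmgr.exe", r"(Real)?Debugger", ""),
    (NT + r"\Winlogon", r"RealLogonType", ""),
]

def parse_reg(text):
    """Yield (key, name, data) per value and (key, None, "") per key header."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            root, _, rest = line[1:-1].partition("\\")
            key = ROOTS.get(root, root) + "\\" + rest  # HKEY_... -> HKCU/HKLM
            yield key, None, ""
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            yield key, m.group(1), m.group(2)

def scan(text):
    """Return 'key' or 'key -> value name' for every indicator in the export."""
    hits = []
    for key, name, data in parse_reg(text):
        for ikey, iname, idata in INDICATORS:
            # Registry key names are case-insensitive.
            if key.lower() != ikey.lower() or (name is None) != (iname is None):
                continue
            if name is None or (re.fullmatch(iname, name, re.I) and re.search(idata, data, re.I)):
                hits.append(key if name is None else f"{key} -> {name}")
    return hits

# Constructed sample export (abbreviated); the value data is made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ghost Antivirus"="C:\\Program Files\\Ghost Antivirus\\GhostAV.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"xkqzonin"="C:\\Temp\\xkqzonin.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="placeholder.exe"'''
if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```

Files written by `reg export` are UTF-16, so open them with `encoding="utf-16"` before passing the text to `scan`. A Debugger value under taskmgr.exe is also what Process Explorer's Replace Task Manager option sets, so inspect its data before treating that hit as malicious.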

Associated Files and Folders:
C:\Documents and Settings\All Users\Desktop\Ghost Antivirus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\
C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus Home Page.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Purchase License.lnk
%UserProfile%\Application Data\Ghost Antivirus\
%UserProfile%\Application Data\Ghost Antivirus\settings.ini
%UserProfile%\Application Data\Ghost Antivirus\uill.ini
%UserProfile%\Application Data\Ghost Antivirus\unins000.exe
%UserProfile%\Application Data\Ghost Antivirus\Uninstall Ghost Antivirus.lnk
%UserProfile%\Application Data\Ghost Antivirus\lib\
%UserProfile%\Application Data\Ghost Antivirus\lib\links.txt
%UserProfile%\Application Data\Ghost Antivirus\lib\properties
%UserProfile%\Application Data\Ghost Antivirus\lib\times.conf
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ghost Antivirus.lnk
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
(random folders)\(random characters)onin.exe 
C:\Program Files\Ghost Antivirus\
C:\Program Files\Ghost Antivirus\GhostAV.exe
C:\Program Files\Ghost Antivirus\register.ico
C:\Program Files\Ghost Antivirus\unins000.dat
C:\Program Files\Ghost Antivirus\working.log
C:\Program Files\Ghost Antivirus\Languages\
C:\Program Files\Ghost Antivirus\lib\
C:\Program Files\Ghost Antivirus\lib\ghost.sql
C:\Program Files\Ghost Antivirus\lib\Infected.wav
C:\Program Files\Ghost Antivirus\lib\listing.cfg
C:\Program Files\Ghost Antivirus\lib\version.db
C:\Program Files\Ghost Antivirus\lib\WMILib.dll
C:\WINDOWS\system32\(random characters).dll
C:\WINDOWS\system32\(random characters).dll

How to Remove Ghost Antivirus

1. Reboot your computer in Safe Mode with Networking.
- Continue tapping F8 on your keyboard after turning on the computer.
- From the selections menu, select Safe Mode with Networking.

2. Connect to the Internet and download SuperAntiSpyware here.
3. Install SAS with the default configuration. It will prompt for an update when installation has completed.
4. After installation and update, SuperAntiSpyware will open.
5. On the main window, under Scan Type, choose Complete Scan. This is recommended to detect all files associated with Ghost Antivirus.
6. Click Scan your Computer…; this will give you options on which drive to scan.
7. On Scan Location, select c:\Fixed Drive.
8. Click on Start Complete Scan to begin the scanning process.
9. Scanning will take some time. Please be patient. When scanning is done, it will display the Scan Summary.
10. In the scanning window, items infected with Ghost Antivirus are marked with a check.
11. Click Next to remove infected items.
12. It will prompt you to reboot your computer. Click Yes to reboot.
13. After a reboot, open SuperAntiSpyware again. Go to the Main Menu and click Manage Quarantine.
14. Select all items that were quarantined and click Remove. This will completely remove all files and components of Ghost Antivirus.
15. Close the window to exit SuperAntiSpyware.
16. You may now restart the computer.