Ghost Antivirus


Ghost Antivirus (also known as GhostAV)is a rogue program that often downloaded and executed on computers by means of Trojan and malicious websites, browser and software exploits. Once on the computer, Ghost Antivirus will display fake notifications to get user into purchasing the full version of the program. While other fake antivirus is being installed secretly without users consent, Ghost Antivirus differs on this stage. It will be installed in step-by-step procedure and prompts users in each procedure. Once installed, Ghost Antivirus begins to scan computer and will display scan results which are fake and does not really exists on computers. Aside from that, Ghost Antivirus launch warning alerts about security threats and force user to get the full version of the program.

What are the Symptoms of Ghost Antivirus Infection?

Ghost Antivirus Screen Shot

Falsified security scan will be displayed by Ghost Antivirus or GhostAV.

It will modify Windows Registry and add the following entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Uninstall\Ghost Antivirus_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\taskmgr.exe
  • HKEY_CURRENT_USER\Software\Microsoft\FTP “SearchDir” = “c:\program files\Ghost Antivirus\”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Policies\Explorer\Run “[random]onin”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run “Ghost Antivirus”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\RunOnce “3P_UDEC”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent “URIAPRO[1.1.3.9]”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\taskmgr.exe “Debugger” = “?”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Image File Execution Options\taskmgr.exe “RealDebugger” = “?”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon “RealLogonType” = “1”

The threat will drop the following malicious files:

  • %UserProfile%\Application Data\Ghost Antivirus\
  • %UserProfile%\Application Data\Ghost Antivirus\settings.ini
  • %UserProfile%\Application Data\Ghost Antivirus\uill.ini
  • %UserProfile%\Application Data\Ghost Antivirus\unins000.exe
  • %UserProfile%\Application Data\Ghost Antivirus\Uninstall Ghost Antivirus.lnk
  • %UserProfile%\Application Data\Ghost Antivirus\lib\
  • %UserProfile%\Application Data\Ghost Antivirus\lib\links.txt
  • %UserProfile%\Application Data\Ghost Antivirus\lib\properties
  • %UserProfile%\Application Data\Ghost Antivirus\lib\times.conf
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ghost Antivirus.lnk
  • %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
  • %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
  • %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
  • %UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
  • %UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
  • c:\Program Files\Ghost Antivirus\
  • c:\Program Files\Ghost Antivirus\GhostAV.exe
  • c:\Program Files\Ghost Antivirus\register.ico
  • c:\Program Files\Ghost Antivirus\unins000.dat
  • c:\Program Files\Ghost Antivirus\uninst.ico
  • c:\Program Files\Ghost Antivirus\web.ico
  • c:\Program Files\Ghost Antivirus\working.log
  • c:\Program Files\Ghost Antivirus\Languages\
  • c:\Program Files\Ghost Antivirus\lib\
  • c:\Program Files\Ghost Antivirus\lib\ghost.sql
  • c:\Program Files\Ghost Antivirus\lib\Infected.wav
  • c:\Program Files\Ghost Antivirus\lib\listing.cfg
  • c:\Program Files\Ghost Antivirus\lib\version.db
  • c:\Program Files\Ghost Antivirus\lib\WMILib.dll
  • c:\WINDOWS\system32\<random>.dll
  • c:\WINDOWS\system32\<random>.dll
  • c:\Documents and Settings\All Users\Desktop\Ghost Antivirus.lnk
  • c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\
  • c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus Home Page.lnk
  • c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus.lnk
  • c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Purchase License.lnk
  • [random path]\[random]onin.exe

How to Remove Ghost Antivirus Manually

1. Restart your computer in SafeMode
– After Power-On the computer, just before Windows start, press F8
– From the selections, Select SafeMode

2. Remove Registry entries that the threat added. You MUST BACKUP YOUR REGISTRY FIRST.
– Click Start > Run
– Type in the field, regedit
– Navigate and look for the registry entries mentioned above and delete if necessary

3. Delete malicious files that the threat added:
– Base on the given location above, browse and delete the file
– If no location is given, click Start>Search> and search for the files.
– If cannot be deleted, press Ctrl+Alt+Del to access Task Manager, see if the file is running in the process. If it is, select the file and click End Process. Perform file delete again.

4. Scan computer with Antivirus Program
– Update antivirus program
– Scan computer and delete all detected threats.

How to Easily Remove Ghost Antivirus

1. Download and run Removal Tool to remove Ghost Antivirus

Leave a Comment