GhostAntivirus

Gharath M. Narayan, mastermind behind Ghost Antivirus has created a program very similar to Internet Antivirus Pro which frustrated users to no end in 2009.   Dangerous and aggressive, GhostAntivirus will first attempt to compel you to try the trial version of the program.  After you have done this, a “scan” will run and you will be presented with a result that contains a series of “infected files.”  These files are not infected.  In fact, they are placed there exactly by GhostAntivirus and if removed may affect other legitimate applications that require the use of those files.
In addition to the phony results, GhostAntivirus will disable your Task Manager making it nearly impossible to end the processes of this pest.  It will also prevent you from accessing sites that would enable you to remove it.

Type: Rogue Security Application
Related file contents:
[random symbols]onin.exe, services.exe, pguard.ini, iPSh.png, iMSh.png, iGSh.png, times.conf, links.txt, Uninstall Ghost Antivirus.lnk, unins000.exe, uill.ini, settings.ini, Purchase License.lnk, Ghost Antivirus Home Page.lnk, Ghost Antivirus.lnk, [random symbols].dll, wmilib.dll, version.db, listing.cfg, Infected.wav, ghost.sql, working.log, web.ico, uninst.ico, unins000.dat, register.ico, ghostav.exe

Manual Removal Instructions:
In theory, it is possible to manually remove GhostAntivirus from a computer.  However, if you lack the sufficient expertise required for the process, you may cause more harm than good.  For those with experience in removal, proceed with the following:
Delete the following processes thoroughly:
Processes ending with onin.exe (e.g. 235asrstonin )
ghostav.exe
unins000.exe
services.exe

Then, disable these GhostAntivirus dlls:

WMILib.dll
[random symbols].dll

Next, you must delete the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost Antivirus_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_CURRENT_USER\Software\Microsoft\FTP “SearchDir” = “%Program Files%\Ghost Antivirus\”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run “onin”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Ghost Antivirus”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “3P_UDEC”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent “URIAPRO[1.1.3.9]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe “Debugger” = “?”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe “RealDebugger” = “?”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “RealLogonType” = “1?

Finally, be sure to remove each of the following files:
Files ending with onin.exe (e.g. 235asrstonin )
GhostAV.exe
register.ico
unins000.dat
uninst.ico
web.ico
working.log
ghost.sql
Infected.wav
listing.cfg
version.db
WMILib.dll
[random symbols].dll
Ghost Antivirus.lnk
Ghost Antivirus Home Page.lnk
Ghost Antivirus.lnk
Purchase License.lnk
settings.ini
uill.ini
unins000.exe
Uninstall Ghost Antivirus.lnk
links.txt
times.conf
Ghost Antivirus.lnk
iGSh.png
iMSh.png
iPSh.png
pguard.ini
services.exe

Manual removal requires meticulous precision if you are to remove the program properly.  If you have less than an exacting hand, then perhaps trying a program that removes the program for you is a better option.  SpyZooka, created by programming experts at ZookaWare, have provided an excellent choice in spyware removal.

SpyZooka offers, in addition to a stellar anti-virus application, free and unconditional customer support if you have any questions.  Now, that’s a deal you can live with!  For solid and fast results, try SpyZooka.

Download Free Scan

One Response

  1. Susan Nelson says:

    My computer was infected with GhostAntivirus last week. For me it was easy to get rid of it with SpyZooka 🙂 Sorry for the ones that are buying the license. It’s better to be informed by reading this posts.

Leave a Reply

Your email address will not be published. Required fields are marked *

Products

Contact

css.php