Ghost-Antivirus.com

Posted: January 15, 2010

Ghost-Antivirus.com is a malicious website designed to promote and sell the rogue anti-spyware program Ghost Antivirus. The site can easily mislead a gullible computer user because it advertises the rogue Ghost Antivirus as a security application that is able to detect and remove viruses.

Ghost-Antivirus.com cannot be trusted and should never be visited. Using Ghost-Antivirus.com may end up damaging a user's computer if the user downloads and installs the Ghost Antivirus rogue application.

File System Modifications

  • The following files were created in the system:

Registry Modifications

  • The following Registry values were newly created:

Additional Information on Ghost-Antivirus.com

  • The following domains were detected: