
Softwareanti.net

Posted: January 20, 2010

Softwareanti.net is a malicious browser hijacker created to push the rogue anti-spyware program Ghost Antivirus. The hijacker takes control of web browsing and redirects users to its site. Softwareanti.net displays strange-looking scanners accompanied by annoying pop-ups. Its goal is to get you to pay for a licensed copy of Ghost Antivirus. Do not fall for Softwareanti.net's tricks; remove this hijacker immediately.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %Documents and Settings%\All Users\Desktop\Ghost Antivirus.lnk
    2 %Documents and Settings%\All Users\Start Menu\Programs\Ghost Antivirus\
    3 %Documents and Settings%\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus Home Page.lnk
    4 %Documents and Settings%\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus.lnk
    5 %Documents and Settings%\All Users\Start Menu\Programs\Ghost Antivirus\Purchase License.lnk
    6 %Program Files%\Ghost Antivirus\
    7 %Program Files%\Ghost Antivirus\GhostAV.exe
    8 %Program Files%\Ghost Antivirus\Languages\
    9 %Program Files%\Ghost Antivirus\lib\
    10 %Program Files%\Ghost Antivirus\lib\ghost.sql
    11 %Program Files%\Ghost Antivirus\lib\Infected.wav
    12 %Program Files%\Ghost Antivirus\lib\listing.cfg
    13 %Program Files%\Ghost Antivirus\lib\version.db
    14 %Program Files%\Ghost Antivirus\lib\WMILib.dll
    15 %Program Files%\Ghost Antivirus\register.ico
    16 %Program Files%\Ghost Antivirus\unins000.dat
    17 %Program Files%\Ghost Antivirus\uninst.ico
    18 %Program Files%\Ghost Antivirus\web.ico
    19 %Program Files%\Ghost Antivirus\working.log
    20 %UserProfile%\Application Data\Ghost Antivirus\
    21 %UserProfile%\Application Data\Ghost Antivirus\lib\
    22 %UserProfile%\Application Data\Ghost Antivirus\lib\links.txt
    23 %UserProfile%\Application Data\Ghost Antivirus\lib\properties
    24 %UserProfile%\Application Data\Ghost Antivirus\lib\times.conf
    25 %UserProfile%\Application Data\Ghost Antivirus\settings.ini
    26 %UserProfile%\Application Data\Ghost Antivirus\uill.ini
    27 %UserProfile%\Application Data\Ghost Antivirus\unins000.exe
    28 %UserProfile%\Application Data\Ghost Antivirus\Uninstall Ghost Antivirus.lnk
    29 %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ghost Antivirus.lnk
    30 %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
    31 %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
    32 %UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
    33 %UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
    34 %UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
    35 %WINDOWS%\system32\[random].dll
    36 [random path]\[random]onin.ex

Registry Modifications

  • The following Registry values were newly created:
    HKEY..\..\..\..{Subkeys}
    HKEY_CURRENT_USER\Software\Microsoft\FTP "SearchDir" = "c:\program files\Ghost Antivirus\"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
    HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
    Ghost Antivirus_is1