Ghost Antivirus is a rogue antispyware program. It is usually installed from fake online malware scanners that reports that your computer is infected and you must install a program to clean your PC. That online scanner is scam and could not possibly detect malware, trojans and viruses on your computer. The program is a trojan that, once started, will download and install Ghost Antivirus onto your computer. The trojan will also configure Ghost Antivirus to run automatically when you Windows starts.
Once installed, Ghost Antivirus will start to scan your computer and list numerous infections that will not be fixed unless you first purchase the program. Important to know, all of these infections are fake and do not actually exist on your computer, so you can safely ignore them.
While Ghost Antivirus is running you will be shown nag screens, fake security alerts and other notifications from Windows task bar. An example:
Ghost Antivirus – Threats detected!
Warning! Infections found!
However, like false scan results, all of these warnings are fake and should be ignored! The rogue may also block Task Manager and an access to security websites. As you can see, Ghost Antivirus is designed with one purpose to scare you into thinking that your computer in danger as method to trick you into purchasing the full version of the program.
If your computer is infected with this malware, then most importantly, do not purchase it! Uninstall the rogue from your PC as soon as possible. Use the removal guide below to remove Ghost Antivirus from the system for free.
More screen shoots of Ghost Antivirus
Symptoms in a HijackThis Log
O4 – HKCU\..\Run: [Ghost Antivirus] “c:\program files\Ghost Antivirus\GhostAV.exe” /s
O4 – HKCU\..\Policies\Explorer\Run: [ofoutbyand] “C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\ofoutbyand.exe”
Use the following instructions to remove Ghost Antivirus (Uninstall instructions)
1. Remove Ghost Antivirus main components
Please read the article: How to reboot computer in Safe mode and reboot your computer in the Safe mode with networking.
Download OTM by OldTimer from here and save it to desktop.
Run OTM. Copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ghost Antivirus"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
:files
%ProgramFiles%\Ghost Antivirus
:commands
[reboot]
Click the red Moveit! button. When the tool is finished, it will produce a report for you. If you are asked to reboot the machine choose Yes.
2. Remove Ghost Antivirus associated malware
Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan, it will start scanning your computer for Ghost Antivirus infection. This procedure can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar as shown below. Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected for start Ghost Antivirus removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.
Ghost Antivirus creates the following files and folders
C:\Program Files\Ghost Antivirus
C:\Program Files\Ghost Antivirus\GhostAV.exe
C:\Program Files\Ghost Antivirus\register.ico
C:\Program Files\Ghost Antivirus\unins000.dat
C:\Program Files\Ghost Antivirus\uninst.ico
C:\Program Files\Ghost Antivirus\web.ico
C:\Program Files\Ghost Antivirus\working.log
C:\Program Files\Ghost Antivirus\Languages
C:\Program Files\Ghost Antivirus\lib
C:\Program Files\Ghost Antivirus\lib\ghost.sql
C:\Program Files\Ghost Antivirus\lib\Infected.wav
C:\Program Files\Ghost Antivirus\lib\listing.cfg
C:\Program Files\Ghost Antivirus\lib\version.db
C:\Program Files\Ghost Antivirus\lib\WMILib.dll
C:\Documents and Settings\All Users\Desktop\Ghost Antivirus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus
C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus Home Page.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Purchase License.lnk
%UserProfile%\Application Data\Ghost Antivirus
%UserProfile%\Application Data\Ghost Antivirus\lib
%UserProfile%\Application Data\Ghost Antivirus\lib\links.txt
%UserProfile%\Application Data\Ghost Antivirus\lib\properties
%UserProfile%\Application Data\Ghost Antivirus\lib\times.conf
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ghost Antivirus.lnk
Ghost Antivirus creates the following registry keys and values
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ofoutbyand
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\3p_udec
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ghost Antivirus
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences\addontemplatesdir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\realdebugger
