How to remove Ghost Antivirus (free removal guide)

Ghost Antivirus is a fake anti-virus program. It's a typical scareware that displays fake security alerts just to scare you into thinking that your computer is infected with Trojans and other viruses. Some of the infections listed by this virus: Trojan-Spy.HTML.Bankfraud.ra, Trojan-Spy.HTML.Paylap, Trojan-Spy.HTML.Sunfraud and etc. Actually, these supposed infections were used and probably will be used again by other rogue programs too. The most important thing is to realize that all those infections are actually fictitious. Secondly, don't purchase this bogus software. The main aim of Ghost Antivirus is to trick out money from you. Please read the removal guide below and remove this virus from your computer for free.



Ghost Antivirus has to be manually installed either from its home page or from fake online scanners that use Windows OS graphics to make the scam look more reliable. In short, please avoid these websites:

• Ghost-antivirus .com 
• Ghostantivirus .com 
• Ghost-pay .com
• Ghostpays .com 

Browser hijackers that are recently used to promote this malware: softwareanti .com, softwarejar .com and many other similar websites. Just make sure to block these IPs: 93.190.140.165, 93.174.95.194 and 93.174.95.195.



Ok, now let's go the most important part - GhostAntivirus removal. Unfortunately, this virus has quite strong self-protection mechanism. It blocks anti-virus software and disables important system tools. Manual removal is not an oprion in this case, because Ghost Antivirus creates random files and randomly named directories usually under the Windows folder.
----------------------------------
Removal guide:

Step #1: Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. 



NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

Step #2: Download SUPERAntispyware or MalwareBytes Anti-malware and run a full system scan. Don't forget to update the installed program before scanning. Then reboot your computer in "Normal Mode" and run  a system scan again.
----------------------------------

Manual removal: When in "Safe Mode with Networking" you can try to remove Ghost Antivirus files listed below manually. Then reboot your PC in "Normal Mode" and run a system scan to remove the remains or additionally installed malware.

Ghost Antivirus Folder: 

• C:\Program Files\Ghost Antivirus\  (note: removal entire folder with all files in it)
• C:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\ 
• %UserProfile%\Application Data\Ghost Antivirus\ 

Registry values:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "Ghost Antivirus"=-
• -HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost Antivirus_is1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
• HKEY_CURRENT_USER\Software\Microsoft\FTP "SearchDir" = "c:\program files\Ghost Antivirus\"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "onin"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Ghost Antivirus"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "3P_UDEC"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent "URIAPRO[1.1.3.9]"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
• Execution Options\taskmgr.exe "Debugger" = "?"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File
• Execution Options\taskmgr.exe "RealDebugger" = "?"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "RealLogonType" = "1"

If you have any questions, don't hesitate and ask. Good luck!

Last update: 01/15/2010