Ghost Antivirus entfernen


Was ist Ghost Antivirus?
Ghost Antivirus ist eine weitere Rogue-Malware in Form einer gefälschten Scan-Software, die mittels eines trojanischen Pferdes in den PC eindringt und dem Benutzer weissmacht, den PC nach Malware abzusuchen. Diese Software (Ghost Antivirus) ist ein Fake und selbst eine Schadsoftware und sollte nicht gekauft werden.

Verbreitet wird Ghost Antivirus nicht mehr ausschliesslich über 'dubiose Seiten' für Cracks, KeyGens und Warez, sondern auch seriöse Seiten werden zunehmend für die Verbreitung dieser mißbraucht (http://www.trojaner-board.de/90880-d...tallation.html).






Symptome von Ghost Antivirus:

• ständige Fake Virenmeldungen von Ghost Antivirus
• PC läuft langsamer als üblich

Dateien von Ghost Antivirus:

Code: Alles auswählenAufklappen

ATTFilter

c:\Program Files\Ghost Antivirus\
c:\Program Files\Ghost Antivirus\GhostAV.exe
c:\Program Files\Ghost Antivirus\register.ico
c:\Program Files\Ghost Antivirus\unins000.dat
c:\Program Files\Ghost Antivirus\uninst.ico
c:\Program Files\Ghost Antivirus\web.ico
c:\Program Files\Ghost Antivirus\working.log
c:\Program Files\Ghost Antivirus\Languages\
c:\Program Files\Ghost Antivirus\lib\
c:\Program Files\Ghost Antivirus\lib\ghost.sql
c:\Program Files\Ghost Antivirus\lib\Infected.wav
c:\Program Files\Ghost Antivirus\lib\listing.cfg
c:\Program Files\Ghost Antivirus\lib\version.db
c:\Program Files\Ghost Antivirus\lib\WMILib.dll
c:\WINDOWS\system32\<zufällig>.dll
c:\WINDOWS\system32\<zufällig>.dll
c:\Documents and Settings\All Users\Desktop\Ghost Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\
c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus Home Page.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Purchase License.lnk
%UserProfile%\Application Data\Ghost Antivirus\
%UserProfile%\Application Data\Ghost Antivirus\settings.ini
%UserProfile%\Application Data\Ghost Antivirus\uill.ini
%UserProfile%\Application Data\Ghost Antivirus\unins000.exe
%UserProfile%\Application Data\Ghost Antivirus\Uninstall Ghost Antivirus.lnk
%UserProfile%\Application Data\Ghost Antivirus\lib\
%UserProfile%\Application Data\Ghost Antivirus\lib\links.txt
%UserProfile%\Application Data\Ghost Antivirus\lib\properties
%UserProfile%\Application Data\Ghost Antivirus\lib\times.conf
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ghost Antivirus.lnk
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
<random path>\<zufällig>onin.exe
         

Registry-Einträge von Ghost Antivirus:

Code: Alles auswählenAufklappen

ATTFilter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost Antivirus_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_CURRENT_USER\Software\Microsoft\FTP "SearchDir" = "c:\program files\Ghost Antivirus\"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "<zufällig>onin"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Ghost Antivirus"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "3P_UDEC"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent "URIAPRO[1.1.3.9]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "Debugger" = "?"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe "RealDebugger" = "?"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "RealLogonType" = "1"
         

Ghost Antivirus im HijackThis-Log:

Code: Alles auswählenAufklappen

ATTFilter

O4 - HKCU\..\Run: [Ghost Antivirus] "C:\program files\Ghost Antivirus\GhostAV.exe" /s 
O4 - HKCU\..\Policies\Explorer\Run: [<zufällig>onin] "<zufällig>onin] "<random path>\<zufällig>onin.exe"
         

Ghost Antivirus entfernen

Abgesicherter Modus zur Bereinigung

• Windows mit F8-Taste beim Start in den abgesicherten Modus bringen.
• Starte den Rechner in den abgesicherten Modus mit Netzwerktreibern:
  
  

• Starte einen vollständigen Scan mit Malwarebytes Anti-Malware

Achtung: Diese Fake Software wird versuchen, den Einsatz von Malwarebytes zu verhindern. Benenne das Setup vor dem speichern in etwas anderes um (z.B. Herbert.exe).

Falls es vorher nicht funktioniert hat, sollte das Setup jetzt starten.

Wenn das Programm nach der Installation nicht starten sollte, dann benenne die "mbam.exe" in "herbert.exe" um und versuche es erneut.

Sollte MBAM trotzdem nicht starten: Malwarebytes Anti-Malware startet nicht

Zitat:

Memory Processes Infected:
C:\Documents and Settings\{username}\My Documents\My Music\inatoutin.exe (Trojan.Vundo) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\oowirck.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\alvgpaird.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\inatoutin (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ghost antivirus (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\3p_udec (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\realdebugger (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus\lib (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\Languages (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\oowirck.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\alvgpaird.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\{username}\My Documents\My Music\inatoutin.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Local Settings\Temporary Internet Files\Content.IE5\TLDHEQ9O\update__[1].exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus\settings.ini (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus\uill.ini (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus\unins000.exe (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus\Uninstall Ghost Antivirus.lnk (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus\lib\links.txt (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus\lib\properties (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Ghost Antivirus\lib\times.conf (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\GhostAV.exe (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\iGSh.png (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\iMSh.png (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\iPSh.png (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\register.ico (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\unins000.dat (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\uninst.ico (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\web.ico (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\working.log (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\ghost.sql (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\ia080618x.db (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\ia190908g.db (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\Infected.wav (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\links.txt (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\listing.cfg (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\properties (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\times.conf (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\version.db (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\Ghost Antivirus\lib\WMILib.dll (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Ghost Antivirus.lnk (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Application Data\Microsoft\Internet Explorer\Quick Launch\Ghost Antivirus.lnk (Rogue.GhostAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\{username}\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.

GhostAntivirus / Ghost Antivirus immer noch nicht entfernt?

OTH - OTHelper - Kill All Processes


Mit aktualisiertem (!!) Malwarebytes Anti-Malware nach Ausführen von OTH nochmal QUICKSCAN ausführen.

Bitte alle temporären Dateien löschen und Speicherplatz freigeben.

Weitergehende Prüfung

Das System könnte noch nicht vollständig sauber sein.

Daher unbedingt ein Thema erstellen: Für alle Hilfesuchenden! Was muss ich vor der Eröffnung eines Themas beachten?

Nicht vergessen mit FRST-Logfiles wie in der Anleitung beschrieben.

Wie man Hilfe bekommt steht auch hier.