Some time ago on Devirusare.com we discussed what a rogue program is and how harmful it is.

To sum it up in two words for those without the patience to read: a rogue program is a fake antivirus/antispyware.

It borrows the interface and similar features from the genuine products in order to trick the user into paying for a license.

The software is malware that gets installed on the PC from various pages (it has hundreds of mirrors, i.e. sites identical to the original but on other domains) and starts displaying messages claiming that the computer is infected and that a “license” must be bought to clean it.

After this malware, hundreds of similar programs appeared, and antivirus/antispyware companies struggle to keep up with the dozens of versions per day.

It is also hard to add a generic detection (a single definition for a family of malware of the same type).

The Americans named this phenomenon scareware.

Below I will present 2 methods for removing Ghost Antivirus from a PC:

1. Manual method:

Go to an uninfected PC.

Download the following files:

rkill.com

mbam-setup.exe

mbam-rules.exe

Put the 3 files on a USB stick / CD and take them to the affected PC.

Restart the PC in Safe Mode. If you do not know how, read the tutorial below:

http://www.bitdefender.ro/…Cum-se-restarteaza-Windows-in-Safe-Mode.html

Once you are in Safe Mode, run rkill.com.

After running the file above, do NOT restart the PC.


Delete the following files from the PC:

c:\Program Files\Ghost Antivirus\
c:\Program Files\Ghost Antivirus\GhostAV.exe
c:\Program Files\Ghost Antivirus\register.ico
c:\Program Files\Ghost Antivirus\unins000.dat
c:\Program Files\Ghost Antivirus\uninst.ico
c:\Program Files\Ghost Antivirus\web.ico
c:\Program Files\Ghost Antivirus\working.log
c:\Program Files\Ghost Antivirus\Languages\
c:\Program Files\Ghost Antivirus\lib\
c:\Program Files\Ghost Antivirus\lib\ghost.sql
c:\Program Files\Ghost Antivirus\lib\Infected.wav
c:\Program Files\Ghost Antivirus\lib\listing.cfg
c:\Program Files\Ghost Antivirus\lib\version.db
c:\Program Files\Ghost Antivirus\lib\WMILib.dll
c:\WINDOWS\system32\<random>.dll
c:\WINDOWS\system32\<random>.dll
c:\Documents and Settings\All Users\Desktop\Ghost Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\
c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus Home Page.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Ghost Antivirus\Purchase License.lnk
%UserProfile%\Application Data\Ghost Antivirus\
%UserProfile%\Application Data\Ghost Antivirus\settings.ini
%UserProfile%\Application Data\Ghost Antivirus\uill.ini
%UserProfile%\Application Data\Ghost Antivirus\unins000.exe
%UserProfile%\Application Data\Ghost Antivirus\Uninstall Ghost Antivirus.lnk
%UserProfile%\Application Data\Ghost Antivirus\lib\
%UserProfile%\Application Data\Ghost Antivirus\lib\links.txt
%UserProfile%\Application Data\Ghost Antivirus\lib\properties
%UserProfile%\Application Data\Ghost Antivirus\lib\times.conf
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ghost Antivirus.lnk
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
<random path>\<random>onin.exe

Use LockHunter if some files cannot be deleted:

LockHunter – an Unlocker alternative for Windows 7 64-bit


Delete the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost Antivirus_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_CURRENT_USER\Software\Microsoft\FTP “SearchDir” = “c:\program files\Ghost Antivirus\”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run “<random>onin”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Ghost Antivirus”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “3P_UDEC”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent “URIAPRO[1.1.3.9]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe “Debugger” = “?”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe “RealDebugger” = “?”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “RealLogonType” = “1”

In HijackThis 2.0.3 Beta, tick the following entries and press Fix checked:

O4 – HKCU\..\Run: [Ghost Antivirus] “C:\program files\Ghost Antivirus\GhostAV.exe” /s
O4 – HKCU\..\Policies\Explorer\Run: [<random>onin] “<random path>\<random>onin.exe”


As you can see, the keys and files have random names, so this method is sometimes difficult.
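Random names defeat exact-name matching, but the entries listed above keep a fixed `onin` suffix and fixed locations. The following Python script is an added example, not part of the original post: it scans a saved HijackThis log for the O4 entries and the user-profile services.exe path from the lists above. The sample log, the user name `Ana` and the name `kqxvonin` are constructed, and every match is a candidate for review, not proof of infection.

```python
import re

# O4 autorun line as HijackThis prints it: "O4 - HKCU\..\Run: [Name] command".
# The typographic dash used on this page is accepted as well as a plain hyphen.
O4_RE = re.compile(
    r'^O4\s+[-\u2013]\s+(?P<key>[^:]+):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$')

# services.exe belongs in system32; the page lists a copy under the user profile.
FAKE_SERVICES = r"\local settings\application data\microsoft\windows\services.exe"

# (reason, predicate) pairs built only from entries listed on this page.
# Predicates receive the lower-cased key, value name and command.
RULES = [
    ("Ghost Antivirus Run entry",
     lambda k, n, c: n == "ghost antivirus"
     or "\\ghost antivirus\\ghostav.exe" in c),
    ("random-name 'onin' policy Run entry",
     lambda k, n, c: k.endswith("policies\\explorer\\run")
     and n.endswith("onin") and re.search(r"onin\.exe\b", c) is not None),
]

def scan_log(text):
    """Return (reason, line) pairs for log lines matching the page's entries."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().endswith(FAKE_SERVICES):
            hits.append(("services.exe under the user profile", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        key, name, cmd = (m[g].lower() for g in ("key", "name", "cmd"))
        for reason, rule in RULES:
            if rule(key, name, cmd):
                hits.append((reason, line))
                break
    return hits

# Constructed sample log (not captured from a real machine).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\Documents and Settings\Ana\Local Settings\Application Data\Microsoft\Windows\services.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Ghost Antivirus] "C:\program files\Ghost Antivirus\GhostAV.exe" /s
O4 - HKCU\..\Policies\Explorer\Run: [kqxvonin] "C:\Documents and Settings\Ana\kqxvonin.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for reason, line in scan_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
```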

2. Automatic method:

Go to an uninfected PC.

Download the following files:

rkill.com

mbam-setup.exe

mbam-rules.exe

Put the 3 files on a USB stick / CD and take them to the affected PC.

Restart the PC in Safe Mode. If you do not know how, read the tutorial below:

http://www.bitdefender.ro/…Cum-se-restarteaza-Windows-in-Safe-Mode.html

Once you are in Safe Mode, run rkill.com.

After running the file above, do NOT restart the PC.


Install Malwarebytes’ Anti-Malware using mbam-setup.exe. In some cases the program cannot be installed.

Rename the installer to test.exe or ceva.exe and install it.

At the end of the installation, make sure you have unticked the following: Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware. Then press Finish.

Perform an offline update of Malwarebytes’ Anti-Malware by installing mbam-rules.exe.

Malwarebytes’ Anti-Malware Offline Update

After launching the program, select Perform full scan and then press Scan.

When the scan finishes, press OK and then Show Results. Make sure everything is ticked and then press Remove Selected.

Restart the PC.



4 Responses to “Disinfection / Uninstalling Ghost Antivirus – rogue removal”

  1. Just your dream ... says:

    Cristi, here is something nice from Comodo …
    I just got an email … if you think it's worth it, make a post :p

    http://bit.ly/ComodoDiskCleaner

    good luck ;)

  2. Just your dream ... says:

    wow … I cleaned Windows with this thing and it runs like new :D !!!
    so good … because I wanted to replace it … it was running slowly : )) …

    God help us …

  3. Soon. Thanks.

  4. Just your dream ... says:

    you're welcome ;)
    __________
