What is Ghostadmin?

Ghostadmin is a dangerous threat first discovered on the 17th of January, 2017. It has been categorized as a backdoor by specialists working at because it operates as a malicious IRC bot. Since it is a newly-released infection, its infection rate is rather small at the time of writing, but, of course, the situation might quickly change in the near future, especially when Ghostadmin seems to be based on CrimeScene, which affected thousands of computers and caused much harm to computer users 3-4 years ago. Even though Ghostadmin is not very prevalent yet, it has already stolen hundreds of gigabytes of information from two companies, and it is not going to stop soon. Luckily, it is not that hard to detect and eliminate it fully from the system. Its removal should be performed as soon as possible because this threat might be used to steal information and download hundreds of malicious applications on the infected computer. Generally speaking, Ghostadmin is bad news, so letting it stay would be a sin.

What does Ghostadmin do?

Specialists have begun their research by checking the source code of Ghostadmin. This has shown that it is written in the C# programming language and it already has a 2.0 version. It has become clear how this threat operates on the infected system as well. Once Ghostadmin is inside the computer, it establishes communication with its C&C (Command and Control) server, which is nothing more than an IRC channel. Then, it starts giving various commands to all connected bots (i.e. infected PCs). There is a long list of activities this malicious application can perform on computers, but we will name only a few of them: it can open and browse specific URLs, put monitor in sleep mode or turn it on, kill certain processes, download and execute files, take screenshots, record sounds, turn off the computer, restart it, copy data, delete log files, interact with databases, and enable unauthorized RDP (Remote Desktop Protocol) connections. Evidently, it focuses on the collection of information primarily. Ghostadmin constantly sends the gathered information to a remote server, meaning that it connects to the Internet without permission as well. This might have a negative impact on the quality and speed of the Internet connection.

Since we have already found out what to expect from Ghostadmin, let’s talk about modifications it makes on infected systems. After the successful infiltration, it immediately creates a new folder %PUBLIC%\GhostAdmin containing the malicious file named taskhost.exe. Also, a folder Roamingghostadmin is placed in the %APPDATA% directory. It contains logfile.lst, which, as has been found by researchers, contains users’ keystrokes. If Ghostadmin has already recorded audio, files could also be found in %PUBLIC%\audio. Unfortunately, locations of its files might be changed with a new version of this backdoor.

Where does Ghostadmin come from?

Just like other serious malicious applications, Ghostadmin appears on computers illegally. More specifically, cyber criminals distribute this threat through malicious email attachments. These attachments are usually sent inside spam emails. Malware can enter the system the second this attachment is opened and then immediately start performing activities. In most cases, users do not even realize that malware has ended up on their computers. Security specialists at are well aware of the fact that it is a difficult task to prevent malicious software from sneaking onto the computer, so they suggest having a security application enabled rather than trying to protect the computer alone without any help from the outside. Computer users should stay away from spam emails and their attachment too in order not to allow another backdoor or a much more dangerous malicious application to enter the computer.

How to delete Ghostadmin

Ghostadmin needs to be removed as soon as possible to put an end to all undesirable activities it performs on the infected computer. This can be done by removing folders with files this threat has created. Users do not necessarily need to erase this malicious application manually. They can, of course, also remove Ghostadmin automatically with the help of SpyHunter. It will also detect and erase all other infections this backdoor has downloaded and installed on the system without permission. The system will be protected from future threats too as long as the security application is enabled on the computer.

Ghostadmin manual removal guide

  1. Press Win+E to open the Windows Explorer.
  2. Open the %PUBLIC% directory (type this directory in the address bar of the Windows Explorer) and locate the GhostAdmin folder.
  3. Select it and tap the Delete button on your keyboard.
  4. Go to %APPDATA%.
  5. Delete the folder Roamingghostadmin.
  6. If audio files recorded by Ghostadmin can be found in %PUBLIC%\audio, they should be erased as well.
  7. Delete the suspicious recently downloaded file.
  8. Empty the Recycle bin.
100% FREE spyware scan and
tested removal of Ghostadmin*

Leave a Comment

Enter the numbers in the box to the right *