0

I recently installed GhostSurf Pro tral version and did not like this program so I uninstalled it. Ever since then, I have not been able to access IE( hit or miss), MSN messenger and have had a number of unstabilities. I have tried to repair IE6 but the download process is always stopped. I have researched this until I'm blue in the face and I know that traces of this program are still altering my IP address which won't allow updates and IE access etc. I have reset IE to detect automatic setting for my LAN and have made sure that the proxy selection is unchecked. I've run Adware, Spybot and virus scans, cleared cookies, files and everything else that Microsoft support has suggested but stilll no luck.I am also unable to do a full system restore. After 4 attempts, I am told restore can not be completed. Any suggestions as to how to remove this program and get back on IE? Any help would greatly be appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 8:00:32 AM, on 11/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng6.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\PCBoost\PCBoost.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [Corel Painter 8f] C:\Program Files\Common Files\Corel\Registration\EN\Registration.exe /title="Corel Painter 8" /date=112904 serial=PF08CTD-9999999-KHN
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PCBoost] "C:\Program Files\PCBoost\PCBoost.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{880C560B-77B7-460D-BF28-FED9170178E0}: NameServer = 195.93.51.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD7428D7-9065-494B-8C86-08CAF0F16327}: NameServer = 152.163.0.26 205.188.64.153

3
Contributors
7
Replies
8
Views
12 Years
Discussion Span
Last Post by DMR
0

1. This line in your log shows a leftover from GhostSurf:

"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212"

The explanation is here:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212

Basically, you want to uncheck two "proxy server" settings mentioned in the above article.


2. You have P2P networking installed. You should remove it (via the Add/Remove Programs control panel), as almost all Peer-to-Peer file-sharing programs present spyware/adware risks.

3. After removing P2P Networking, run HJT and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


4. Are the nameserver IP below your correct DNS server IPs (as given by your Internet Service Provider)?:

O17 - HKLM\System\CCS\Services\Tcpip\..\{880C560B-77B7-460D-BF28-FED9170178E0}: NameServer = 195.93.51.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD7428D7-9065-494B-8C86-08CAF0F16327}: NameServer = 152.163.0.26 205.188.64.153

0

Thank you so much for your help! I thought that those were the leftovers as well.

The 195.93.51.134 address is the correct one.

So far I don't recognise the last entry Although AOL support tried helping me with this issue by reconfiguring my DNS server entries in hopes that this would solve this issue. It wasn't until I happened on a site which mentioned the problems with uninstalling Ghostsurf that I realized that this was most likely the real problem. :
Should I contact AOL support again and ask if the second set of numbers are correct before I attempt your suggestion?

Once again, thank you. I've been round and round with this for over two weeks and you are the first person to offer a possible solution. If this works, then I can't thank you enough! A week ago, I knew nothing about computers, I'm getting there the hard way now, hopefully I'm a fast learner and your patience with my lack of knowledge is greatly appreciated!

0

1. Sorry- I made a cut-n-paste error in my previous post:

Below where I posted "The explanation is here:", I meant to paste a link to the article which describes the GhostSurf proxy settings. Here's the right link:

http://www.tenebril.com/kb/showitem.php?faq_id=117

In the LAN Settings window decribed in the above article, delete the entries in the "Address:" and "Port:" boxes, and make sure the "Use a proxy server..." and "Bypass proxy server..." boxes are unchecked. Click OK in the LAN Settings and Internet Properties windows to apply the changes.

2. Leave your DNS server IPs as they are (at least for now).

3. Do steps 2 & 3 in my previous post.

4. See if your browsing instability is fixed after doing all of the above. Let us know if it worked or not.

0

Ok, I removed P2P succesfully, ran HJT and fixed the entries suggested but when I reboot they are present again( except for the P2P entries). Does it have something to do with start up? Also I am unable to do a full sytem restore to before GhostSurf was installed which I was hoping would have fixed this whole mess.

My LAN settings are selected for automatic detection and use a proxy server and bypass proxy are both unchecked. There were no entries in the "address" and "port" boxes.

I was actually able to access IE6 a little easier but the comp is just crawling.

0

Wonderful news!

I checked out the link that you provided for tenebril.com and decided to check out other toubleshooting issues. I found a link to a tool that repairs AOL adapter settings once GhostSurf is uninstalled.

The problem is that AOL's Adapter software imbibes GhostSurf's proxy settings, and then tries to send information there even after GhostSurf has been uninstalled (and after GhostSurf's settings have been undone).

http://www.tenebril.com/kb/showitem.php?faq_id=219

I ran the tool and was finally able to acces IE but only after I re-installed the SP2 update and when I rebooted, everything was running perfect. I can access MSN messenger and IE every time and the connection speed is back to normal.

I can't thank you enough for all your help. Seems that the combination of GhostSurf and AOL was the culprit.


Thank you so much!
Happy Thanksgiving! :)
-Pam

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.