(#@&$@# Ghostwall.....

Erind · **Joined:** Thu Jul 13, 2006 7:11 pm **Posts:** 75

Ok, so I tried this because it looked like it was suggested somewhere over in the portable freeware program. Here's my take...

IT BLOWS. I have removed it from the hidden devices in the device manager, I've removed every trace of the file I could find, I made sure that Spybot has banned it from being placed anywhere... BUT THE DAMN THING STILL RUNS. I just spent 2 days (right after rebooting) blaming people at Qwest saying that they were blocking my inbound ports because I KNEW that I had removed GW. Bull@#$%. It was still rearing its ugly head. After breaking down, opening GW, clicking "Allow All" (which doesn't work once you reboot), my servers all started receiving connections again. Not only that, but somehow since opening it (first tried it at work) there are a few remote desktop destinations that I can no longer access, no matter how hard I try. Please PLEASE somebody tell me how to remove every tiny little aspect of this #$@&(@&. Ghost Security (the programmers who created this) do not respond to anything that's emailed to them or posted to their forums.

Fluffy · **Joined:** Sat Apr 15, 2006 6:37 pm **Posts:** 465

So... I should add it to the rejection list with the reason "@!#$" ?

Firewrath · **Joined:** Mon Aug 28, 2006 2:36 pm **Posts:** 303

I had this program long ago, and tryed it again when i saw it here on the forums, and i never had those kind of problems, O_o

i got rid of it because i dont like the 'by rules' bit,
<3 Sygate Personal Firewall, but alas, its not portable and damn hard to find now, >.<

...but your describing almost virus-like problems which is really odd, unless it got infected on your machine somehow.
(but considering your post, i wouldnt think so,)

try deleting all the 'rules' to it, i think that should default it into not blocking any IP/Ports, kinda like 'allow all' but not,

if anything else, id use RegSeeker and go through your Registry, and remove all references to Ghostwall,
(back your Registry up first, ofcourse,

)
you could also try redownloading it, installing and uninstalling it just for kicks,

also try a virus scan or two "just in case"

anyways,
From what i see, Ghostwall leaves the following when used:

C:\WINDOWS\system32\ghstwall.fir
C:\WINDOWS\system32\drivers\ghstwall.sys

and these Reg. Entries:

Code:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\GhostWall=1
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\@=1
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_cw0=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_co0=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_cw1=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_co1=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_cw2=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_co2=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_cw3=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_co3=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_cw4=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_co4=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_cw5=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_co5=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_sc6=4
HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall\RuleList_sa6=4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
GhostWall=22 00 46 00 3a 00 5c 00 4d 00 69 00 73 00 63 00 5c 00 67 00 68 00 6f 00 73 00 74 00 77 00 61 00 6c 00 6c 00 5c 00 67 00 68 00 6f 00 73 00 74 00 77 00 61 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 22 00 20 00 2d 00 6d 00 69 00 6e 00 69 00 6d 00 69 00 7a 00 65 00
[HKEY_LOCAL_MACHINE\SOFTWARE\Ghost Security\GhostWall]
@=00 00
RuleList_cw0=c8 00 00 00
RuleList_co0=00 00 00 00
RuleList_cw1=c8 00 00 00
RuleList_co1=01 00 00 00
RuleList_cw2=64 00 00 00
RuleList_co2=02 00 00 00
RuleList_cw3=64 00 00 00
RuleList_co3=03 00 00 00
RuleList_cw4=64 00 00 00
RuleList_co4=04 00 00 00
RuleList_cw5=64 00 00 00
RuleList_co5=05 00 00 00
RuleList_sc6=00 00 00 00
RuleList_sa6=00 00 00 00

i see nothing in there thatd make it reinstall itself, but, never know,
and none of my anti-virus / spyware scanners picked up anything,

(though leaving the files in the Windows folder is a good reason to reject it,

*BUT, i used that 'now being re-writen' program (;)) to get this, so theres a chance that it deletes those when it closes and 'it' missed that happening, but i find that unlikely.)

*/sneaky

Anyways dude, hope this helps,

gp_hbk · **Posted:** Sat Sep 16, 2006 12:23 am

Firewrath wrote:

Sygate Personal Firewall, but alas, its not portable and damn hard to find now

You can find it on FileHippo

Firewrath · **Joined:** Mon Aug 28, 2006 2:36 pm **Posts:** 303

long time, but,

Thanks gb. I actually keep a copy of the install on my USB drive, ^-^

anyways, i found more ghostwall stuff to help removal,
all this is also in the registry:
(i think this/the created files, and all the ppl that have problems with it is More then enough to deny adding it,

)

Code:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\ghstwall.sys"
"DisplayName"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9C,00,00,00,14,00,00,00,30,00,00,00,02,00,1C,00,01,00,\
00,00,02,80,14,00,FF,01,0F,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,\
00,04,00,00,00,00,00,14,00,FD,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,\
00,00,18,00,FF,01,0F,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
00,14,00,8D,01,02,00,01,01,00,00,00,00,00,05,0B,00,00,00,00,00,18,00,FD,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,\
05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Enum]
"Count"=dword:00000000
"NextInstance"=dword:00000000
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\ghstwall.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall]
"DisplayName"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ghstwall\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\PCI\VEN_8086&DEV_2580&SUBSYS_00000000&REV_0E\3&61aaa01&0&00\ghstwall]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\V1394\NIC1394\90ee28002856\ghstwall]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ghstwall]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\ghstwall.sys"
"DisplayName"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ghstwall\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9C,00,00,00,14,00,00,00,30,00,00,00,02,00,1C,00,01,00,\
00,00,02,80,14,00,FF,01,0F,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,\
00,04,00,00,00,00,00,14,00,FD,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,\
00,00,18,00,FF,01,0F,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
00,14,00,8D,01,02,00,01,01,00,00,00,00,00,05,0B,00,00,00,00,00,18,00,FD,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,\
05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ghstwall]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\ghstwall.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ghstwall\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ghstwall]
"DisplayName"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ghstwall\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Teefer\ghstwall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\ghstwall.sys"
"DisplayName"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9C,00,00,00,14,00,00,00,30,00,00,00,02,00,1C,00,01,00,\
00,00,02,80,14,00,FF,01,0F,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,\
00,04,00,00,00,00,00,14,00,FD,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,\
00,00,18,00,FF,01,0F,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
00,14,00,8D,01,02,00,01,01,00,00,00,00,00,05,0B,00,00,00,00,00,18,00,FD,01,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,\
05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Enum]
"Count"=dword:00000000
"NextInstance"=dword:00000000
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\ghstwall.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall]
"DisplayName"="ghstwall"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ghstwall\Enum]

(#@&$@# Ghostwall.....

Who is online