Solution: I discovered. CWshredder guard.tmp VX2 STUBBORN "UMonitor" fix. workaround.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Googleman, Jan 28, 2005.

  1. Googleman

    Googleman Private E-2

    I am taking a few minutes here to post this, in the CRAZY event it helps just one person on this planet. The bottom line is: for many weeks, I literally almost gave up and did a complete fresh re-install of windows XP Pro. Many hours on tech support with my company, and 4 hours with Microsoft themselves as a last ditch effort .. to no avail. So, I finally tried this last possible approach, and it worked. My system is finally finally working clean clean clean clean. Long solution.. but I want to give all the details. I swear I am an above average computer user, but not advanced by any stretch. I tried every solution suggested on every forum on every site, and tried every spyware scanner and cleaner imaginable .. and only this solution worked.

    Things on my system PRIOR to problem: XP pro (SP2) and all updates, Spybot and McAfee Viruscan, AdAware SE run frequently and updated all the time.

    Problems: About a month or more ago. Major pop ups, redirected web sites. Even was having some instances where my system would give me a critical winlogon.exe error and my system would shut down.

    Downloaded the Microsoft AntiSpyware beta just because nothing else was working in detecting my problem. As you all know, some pick up some items others don't and some clean and some don't. Spybot was the only one detecting CoolWWWSearch variations.. but would simply NOT allow fixing or deleting. Even upon manual registry removal attempts, would constantly re-install items, and hide in my system32. I also would get VX2 detected occasionally as well.

    My final advice by both Microsoft Spyware help tech support team, and also my corporate tech team (who did try to clean CWshredder and other items.. under safe mode, system restore, stopping startup items, etc. etc.) was for FRESH XP Pro re-install - which, we all avoid like the plague if we have to. I'm just stubborn.

    I was informed of a program called CWShredder v2.12 that simply would NOT allow removal of the three items detected.. and would actually CRASH and stall upon attempt to scan and certainly would lock up when attempt to fix. I found some references on some forums to a file called guard.tmp in the system32 folder.. but no real advice or help to try to remove.. completely. The file itself (no matter what was tried, even with MSFT tech support help) would simply not allow deletion. Once, we did go to safe mode and changed the administrator security preferences, and thought we had deleted, only to find on a fresh boot-up that it reappeared again anyhow.

    Hence, my final last ditch effort that I thought of on my own. Again, a much more advanced user may have many other ways of fixing this one variation that I had, but I swear I tried everything, and this worked for me.. system running 100% the past week... and all programs (spybot, MSFTSpywareBeta, AdAware, etc.. all come up clean on every scan) .. TrendMicro also shows nothing.

    ******************
    final solution. Get to safe mode, and find the guard.tmp file in system32. Change the preferences to allow editing and deletion, etc.. bottom line is: GET RID of the file, and delete it. For some of you, you'll notice in regular mode it definitely will NOT allow you to delete at all, but you can RENAME the file to "guard55555.tmp" or whatever. But, this doesn't really solve the problem (I tried it). just fyi though.

    NOW- the critical key is: before you reboot... make a regular old fashioned TXT (notepad file) and name it guard.tmp (yes, it will allow you to do this, may pop a message up saying are you sure, etc.. etc..) but just do it.. and place that file in the system32 folder. You also could then do a search for guard.tmp in the registry, and literally delete everything (keys, etc.) that relates. Trust me, you'll find them in there for sure. Now, reboot.

    When my problems arose, I certainly got those infamous "....dll "UMonitor" error messages as well, each time with various .dll files listed. If you are getting these as well, once you do the above, I bet all your error messages go away as well. Now, run Spybot.. and this time, not only will it detect the CoolWWWSearch problems, but also will now allow you to remove/fix. Now, run CWShredder program (free) .. bet this time, it will let you run a full scan, and show no items detected (plus, won't lock up anymore).

    Now, run MSFTSpyware scan.. see if you can clean anything up there. Run AdAware. etc.. Viruscan. TrendMicro.

    ONCE CLEAN: establish a SystemRestore Point and name the damn thing: Finally FIXED !!! You Bastards! for me. ha ha

    The bottom line is: I guess creating a FAKE version of the guard.tmp (that is a harmless, empty notepad file that was simply renamed with the guard.tmp name and extension) temporarily paralyzes whatever is trying to launch that file at each startup. So, in essence, it gives you a window to GET CRAP off.. so I guess that guard.tmp file was in essence GUARDING the variation of CoolWWWSearch and/or VX2 that I had. or both?!? ..


    I hope this LONG email doesn't piss off some (much more advanced, regular users than me). I just registered here to post this, as I did refer to it quite a bit, and saw others who posted their HiJack this logs, etc. My variation didn't seem to want to cooperate with any of the other posted suggestions, etc...

    If ONE person this helps, I am happy.

    Good luck.


    Googleman
     
  2. Googleman

    Googleman Private E-2

    one other quickie too.

    If you still get any redirected web sites, and pop-ups. (even though you have pop up blockers engaged?!?) go to:

    Start / Run
    then type: drivers

    then open the "Etc" folder.

    then double click on the hosts file, and use NotePad to open that file.

    Bottom line is: Mine reads as:


    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy

    127.0.0.1 localhost


    the main item to be listed here is: the 127.0.0.1

    you really can't screw this up that much. You have two options.

    delete all the other CRAP that may be listed here... which may all be CRAP leftover before your fix.

    Or.

    option 2 is: You can simply rename your hosts File to something like hostsOLD and then reboot your machine.

    when you open up your new browser, it should RESET this to NEW with the standard NON-redirected web site CRAP (I had about 20 or so listed, that MSFT couldn't figure out why it was constantly changing this host file?? obviously, it was spyware.. either CoolWWWSearch or VX2 ).



    127.0.0.1 localhost


    good luck.
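The hosts-file check described in the post above, as an added example that is not part of the thread: it parses hosts-file text and separates harmless loopback "block" entries (the Spybot immunization lines) from entries that send a name to a routable address, which is the redirection behaviour the poster saw. The sample file, the 203.0.113.7 address and the example.com/.net names are constructed for the demonstration; on a real XP machine the file is %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Names that belong in a clean hosts file mapped to loopback.
EXPECTED_LOCAL_NAMES = {"localhost"}

# Constructed sample: the default entry, Spybot-style block entries, two
# hijack lines of the kind described in the thread, and one garbage line.
# 203.0.113.0/24 is a documentation range; example.com/.net are reserved.
SAMPLE_HOSTS = """\
# Sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       ads.example.net
0.0.0.0         tracker.example.org
# End of entries inserted by Spybot - Search & Destroy

203.0.113.7     www.example.com        # hijacked: routable address
203.0.113.7     search.example.net  auto.search.example.net
not-an-ip       broken.example.com
"""


def parse_hosts(text):
    """Return (line_no, address, [names]) for every non-comment entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2:
            entries.append((line_no, parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Classify hosts entries.

    'redirects'  name -> routable address: a hijack candidate, the browser
                 is sent elsewhere before DNS is ever consulted
    'blocks'     name -> loopback/unspecified address: a blocklist entry
    'malformed'  address field that is not an IP address at all
    """
    report = {"redirects": [], "blocks": [], "malformed": []}
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["malformed"].append((line_no, addr, names))
            continue
        if ip.is_loopback or ip.is_unspecified:
            for name in names:
                if name not in EXPECTED_LOCAL_NAMES:
                    report["blocks"].append((line_no, addr, name))
        else:
            for name in names:
                report["redirects"].append((line_no, addr, name))
    return report


def is_clean(text):
    """True when only loopback mappings and blocklist entries remain."""
    report = audit_hosts(text)
    return not report["redirects"] and not report["malformed"]


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for kind in ("redirects", "malformed", "blocks"):
        for entry in result[kind]:
            print(f"{kind:10} line {entry[0]}: {entry[1]} {entry[2]}")
    print("clean" if is_clean(SAMPLE_HOSTS) else "needs attention")
```

The "rename to hostsOLD" option in the post amounts to starting from an empty file; running the audit on the file you keep shows whether anything beyond `127.0.0.1 localhost` and block entries is still there.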
     
  3. PhilliePhan

    PhilliePhan Guest

    Thanks Googleman,

    We've been fixing this for some time now. Check out this thread:

    My computer is on its deathbed

    I should probably add that you may have missed the Narrator Trojan that often accompanies this infection.

    If you want to make sure all is clean, please download this tool: ZUPE - Find It NT-2K-XP

    NOW:
    Unzip the Zupe/Find It Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Please attach that log and we'll see if Narrator or any of the baddie remains on your machine!


    PP :)
     
    Last edited by a moderator: Jan 28, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yeah PP! I would say we have been fixing a dozen or more per week...wouldn't you agree?
     
  5. PhilliePhan

    PhilliePhan Guest

    Sure seems like it! ;) Rather than go through the whole extended process, I've been using the L2MeFix Tool lately. It gets the VX2, but you still need to look out for the Narrator Trojan & use Find.bat to pin that one down. See the thread I linked. . . . .

    PP :)
     
  6. Googleman

    Googleman Private E-2

    thanks all. I feel like it's running clean, but there still may be some items to re-check and perhaps just make sure.

    I haven't been on this site over the past two weeks at all, but the first few weeks I was going crazy I definitely didn't see anything (so if the variant I had was posted here with some fixes, I was a dummy and just missed it.. but I swear I looked and wasn't much that seemed that similar to MY exact problems) as specific as some other postings show MORE recently, including this L2MeFix Tool lately.

    I will heed your advice for sure though, and follow-up.

    To be honest too, I really don't know? Is VX2 and CoolWWWSearch and the guard.tmp files all really inter-related.. or is it one and the same. And, was it considered malware, spyware, or adware ?? as its formal term??

    really don't care at this point, now that it seems gone - but I guess I am curious?!?

    Thank you again. I'm totally NEW to the world of craziness when it comes to UNWANTED and UN-invited Spyware MADNESS !
    ha ha

    take it easy.
     
  7. PhilliePhan

    PhilliePhan Guest

    Go ahead and run the tool I linked and attach the log - Easy way to see if you got everything + will tell if you have the Narrator Trojan.

    I'm impressed that you were able to work out a fix! I guess one just gets to a point where the frustration is too much - Frustration is the mother of invention! ;) We've been doing similar procedure with Pocket KillBox and "Using Dummy Files" to replace the baddies! Also, now the L2MeFix Tool addresses this infection and cleans it pretty well.

    PP :)
     
  8. Googleman

    Googleman Private E-2

    not sure if I'm attaching this the correct way, but here is that log. Thanks a bunch for helping.

    ONE Weird one that I'm honestly not sure at all if it's related or not to this stuff.. .but I swear my Recycle Bin isn't working correctly. Whenever I delete anything, it seems to delete, but doesn't GET sent to the recycle bin? And, I did check the MAIN setting (where you can tell it you don't want things to go to Recycle bin), and that is correct. Don't see any fixes on this site, and have tried MSFT forums too. But, have you ever heard of this as an offshoot of this variant as a side-effect.
    All else seems fine, so for now I'll live with it, but it is a bit weird? Or, could just be a regular corrupt type bug with my operating system(xp pro)?
    thanks

    here's the log:
     
    Last edited by a moderator: Jan 29, 2005
  9. PhilliePhan

    PhilliePhan Guest

    Hi Googleman,

    I'll edit your post to show you all the bad stuff that remains. On the plus side, you don't have the Narrator!

    The recycle bin problem is related to VX2 and we can fix that.

    Please download this tool to your Desktop:

    L2MeFix Tool

    Let me know when you are ready and we'll zip through this!

    PP :)
     
  10. Googleman

    Googleman Private E-2

    Awesome. I just downloaded that to my desktop. Will wait til you have time for next step. Am I doing this correctly too, by replying directly here on the thread, or do I just reply to the email which comes via MajorGeeks ?
    thanks.
     
  11. PhilliePhan

    PhilliePhan Guest

    Just keep replying to this thread. And, please attach further logs using the "Manage Attachments" Tool in Additional Options when you post.


    Note in your edited post above that you will have to change guard.tmp back to its original name for the tool to be able to remove it. Please do that first!



    OKAY:

    Please make sure ALL Browser Windows are Closed!

    Go to the L2MeFix Tool on your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.

    Your computer will go wacky for a bit, but just let it run. It should eventually produce a log in Notepad. Please attach that log with your next post.

    Please do not run any other files in the L2MFix folder.

    Along with that log, please run another Find.bat log and attach that as well and we'll see how things went. Let me know if you run into any trouble with the above instructions.

    PP :)
     
  12. Googleman

    Googleman Private E-2

    Just got your note. Will do all that now, but will close out this browser as you noted too. Be back in 5 minutes. Thanks.
     
  13. PhilliePhan

    PhilliePhan Guest

    You need to Shut Everything Down as this process will reboot your machine!

    I'll stick around :)
     
  14. Googleman

    Googleman Private E-2

    here's the first LOG.. I will post in a moment another find.bat separately.

    I think I did this correctly
    __________________
     
    Last edited by a moderator: Jan 29, 2005
  15. Googleman

    Googleman Private E-2

    this second find.bat seems to be taking forever. Just an fyi, it is still running. Will post ASAP.
     
  16. Googleman

    Googleman Private E-2

    here's the second find.bat
     

    Attached Files: log.txt (6.6 KB)
    Last edited by a moderator: Jan 29, 2005
  17. Googleman

    Googleman Private E-2

    By the way, you son of a gun ! I just made up a temporary TXT file on my desktop, and deleted it... and the DARN thing actually DOES show up in my recycle bin. So, for sure, that l2mfix seemed to fix that recycle bin issue. You are D'A MAN! thanks on that. I actually hadn't thought it was related to any of the spyware "stuff."
     
  18. PhilliePhan

    PhilliePhan Guest

    Couple things we need to clean up manually. You have a couple anomalies that the tool missed because the files were 0kb.

    Did you rename guard.tmp? I didn't see it removed. Ah, well, we'll feed it to KillBox.

    Please Download these tools:

    VX2.BetterInternet Finder XP/2k - Version Msg126


    Pocket KillBox

    Let me know when you're ready and I'll give you the final instructions.

    PP :)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's in the log PP! It's just 0 bytes in size:

    ------------ Files Named "Guard" ---------------
    Volume in drive C has no label.
    Volume Serial Number is 1457-2414
    Directory of C:\WINDOWS\System32
    01/29/2005 02:08 AM 0 guard.tmp
    1 File(s) 0 bytes
    0 Dir(s) 1,325,928,448 bytes free
     
  20. Googleman

    Googleman Private E-2

    hey don't laugh, but quick fyi. don't know if this changes anything. remember initially that file that was listed as guar66d.tmp or whatever. That was the original "bad" one I think leftover that I had renamed.. and then I created a dummy guard.tmp (0 kb).... I had deleted that guar66d.tmp file by accident RATHER than rename back to guard.tmp as you had said, and I couldn't recover it (as my recycle bin wasn't fixed yet). And, that "bad" version did let me simply delete it. Just so it wouldn't throw off your program you had me download and run, I put another dummy guard.tmp file in the system32 folder ... so that it would delete it (or at least see that file there when running). So, I probably can just go ahead and delete it manually ????? or should we still proceed anyhow?

    just an fyi to you here now.

    I'll wait to hear back. But, I will grab these tools you last posted in the event you think is still necessary.

    ? did the other program seem to kill all those other entries in registry, etc. and the extra .dll files?

    thanks for everything. I know it's late.
     
  21. PhilliePhan

    PhilliePhan Guest

    I saw it and noted it. Same with that last DLL!

    Notice in the l2mefix log it was not deleted (Maybe I missed it?) It will say deleted at the end of the string of DLLs.

    PP :)
     
  22. PhilliePhan

    PhilliePhan Guest

    Happy to help :)

    Did you see that long list of DLLs that were deleted in the l2mefix log?
    Fixed the Desktop.ini also -- (Recycle Bin) -- as well as user agent, etc. . .

    Here is final set of instructions:

    Please run Pocket Killbox.
    Select the option to Replace on Reboot .

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\o4ns0e57eh.dll into the box and Check the option to Use Dummy. Now, Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .

    NEXT:
    Open VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are not enabled:

    UserAgent$ Button to remove the UserAgent from the registry
    -- this should be done already

    Guardian.reg

    Restore Policy

    Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg


    REGEDIT4
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]



    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HijackThis Log and we'll finish this up! Let me know of any problems with the above instructions.

    PP :)
     
  23. Googleman

    Googleman Private E-2

    great. I'll try all this now. Don't think over my head, but I'll follow your instructions closely. not sure how long this takes, but will start right now and get back ASAP.
     
  24. PhilliePhan

    PhilliePhan Guest

    OK! This should wrap it up, but I want to see HJT log as well to make sure it's clean too. If it runs too late, I'll check tomorrow.

    PP :)
     
  25. Googleman

    Googleman Private E-2

    quick question. on step 2:
    "Now, Copy and Paste C:\WINDOWS\SYSTEM32\guard.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES . "

    I'm assuming I should be pasting in the top line (there are two fields that seem identical).. I did paste to the top line, and it doesn't seem to be blue ?

    what should next step be. Just continue with instructions ?

    I'll wait.

    thanks
     
  26. Googleman

    Googleman Private E-2

    disregard my last post. I see what you mean, on the blue.
    forget it.
    I'll continue on. If you have to run, no biggie, I'll post and catch up with ya tomorrow or whenever you have time.
    thanks.
     
  27. PhilliePhan

    PhilliePhan Guest

    I'll stick for 15-20 mins. 3:20 AM my time now ;)
     
  28. Googleman

    Googleman Private E-2

    cool. I'm close to bed time too.. but am on final step.
    just finished reboot at the top here:

    "Allow Machine to Reboot.

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg


    REGEDIT4
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]


    Now:
    Click on the fixvx2.reg file you made and allow it to merge the registry entries into the registry.


    Finally, attach another Find.bat log and a Fresh HijackThis Log and we'll finish this up! Let me know of any problems with the above instructions."
     
  29. Googleman

    Googleman Private E-2

    actually? can you help quick on how to do this last step. Just clarify how to copy/paste to "all files" to notepad.

    Do you mean, just create a new .txt file on my desktop and paste this line into a new .txt file

    and, I've never merged anything to registry before.. so may need two seconds of help on that too?

    sorry. thought I was on a roll there.

    I'll wait.
     
  30. Googleman

    Googleman Private E-2

    PP: I think I got it. I played around, and re-read a few times your note. and I think I did that correctly for first time. Wow- never did that before. It said it added to registry .. so seemed to work no problem.

    I will run those other final scans and post. But, go ahead and let me go now.. head to bed. I much much much much much much much much much appreciate all your help. I owe you one !!! for sure !!!

    Googleman
     
  31. Googleman

    Googleman Private E-2

    last quickie too: you mention to run a final few logs:

    "Finally, attach another Find.bat log and a Fresh HijackThis Log and we'll finish this up! Let me know of any problems with the above instructions."

    Did I run a HiJack this log yet? Not sure if I have that? I wasn't sure if you meant one of the other programs you had linked me to prior ? by accident.

    just confirm exactly which programs you'd like a final look at, so I can post and perhaps you can peek at tomorrow.
    thanks. good night.
     
  32. PhilliePhan

    PhilliePhan Guest

    No, you didn't give me HJT yet - I do want to see a fresh HijackThis Log from Normal Windows boot to make sure you are clean.

    Also a fresh Find.bat log.

    Give me those 2 logs. I will check back tomorrow.

    G'Night!

    PP :)
     
  33. Googleman

    Googleman Private E-2

    Thanks for clarifying.
    Signing off myself, but tomorrow I'll get HiJackThis and run that and post that log.

    here's the latest find.bat log though: Just ran it now.
     
    Last edited by a moderator: Jan 29, 2005
  34. Googleman

    Googleman Private E-2

    Before I forget, I just did the HiJack this log too so that all info is posted for you. I think I did this right?!

    I will paste here, but also did as an attachment as well this time. Tell me how NOT to be a mule, and the preference for posting? Should one simply add a note, and post the log as an attachment, or just copy/paste like below? Thanks for etiquette lesson too. ha ha

    later

    googleman

    _______________
     
    Last edited by a moderator: Jan 29, 2005
  35. PhilliePhan

    PhilliePhan Guest

    We prefer the logs as attachments.

    Everything looks OK - You should be good to go!

    Have a look at Chaslang's suggestions: How to Protect yourself from malware!

    Happy Computing :)
    PP
     
  36. Googleman

    Googleman Private E-2

    PP: Thank you Thank you Thank you !
    You have no idea how much you helped.
    No doubt, I've never had quite these issues (which it seemed were insolvable).

    Take 'em easy.... and you also taught me a few things too; even MajorGeeks etiquette. ha ha :)

    Have a great weekend!

    p.s. I did seek out your final link too, and have most of those items in place already, but took care of all the rest as well, and will use every one of those tools to protect moving forward.

    Googleman :)
     
  37. PhilliePhan

    PhilliePhan Guest

    Everything is solvable . . . Some things just require a Sledgehammer!!

    Glad we could help out.

    Happy Computing :)
    PP
     