Horrific guard32.dll experience

Hi all. I’d love to get some feedback as to possibly why this happened to me. Below is a log of what was going on with my computer yesterday after attempting to install CIS Free, and telling WinPatrol that guard32.dll was OK to run on startup. Nothing, absolutely nothing, would let me uninstall CIS and let me start over fresh. No DOS commands, no safe mode, nothing. Avast and Malwarebytes wouldn’t let me scan my computer. I finally was able to run HijackThis, found guard32.dll in my System32 folder, and told HijackThis to remove it. It did, I rebooted, and I was back to normal.

If anybody could tell me why this happened, I’d be most grateful. CIS seems like a great program, and I’d like to try it again, but I most definitely can’t risk this catastrophe again. This is not a post to slam CIS. I’m asking how to prevent it from happening again, and/or possibly giving the admins a heads-up about a possibly contaminated download from Cnet. Something in the install package caused something dreadful to happen to my machine.

BTW, I run XP Home SP3. I had disabled avast 5 and all other anti-malware programs before installing, and I had uninstalled my previous firewall.

Today I replaced my previous firewall and real-time malware protection with Comodo Security. It has made nearly everything about my machine go wild, and I CANNOT uninstall it. I did not install the Comodo antivirus, as I’m happy with avast! 5, nor did I install the optional homepage and search engine defaults. I chose the Maximum Security option when I installed it.

Here are just a FEW of the problems that I’m now having:

  • avast is disabled and I can’t enable it
  • I can’t reinstall Comodo
  • I can’t enable Windows XP firewall
  • I can’t copy and paste anything
  • I can’t move any desktop icons at all
  • I can’t access system restore
  • I can’t minimize browser windows to the taskbar. They minimize to the very very bottom of the desktop in the form of very small boxes.
  • I have no sound
  • I can’t do a Windows search
  • and on and on …

What could possibly be wrong? Did installing Comodo activate some hidden worm? I’m VERY careful and well-protected, and I don’t know how I could have had anything on my machine. I keep all of my security programs updated and I scan very frequently.

I’ve tried every suggestion that I’ve seen for uninstalling, and none have remotely worked. I’ve tried Revo Uninstaller, in addition to the typical add/remove programs and DOS commands. Even the ideas on the Comodo website don’t work.

Perhaps “something” already installed on the system is incompatible with CIS and unleashed this can of worms.

System restore would be a quick solution; IIRC it should also be available after booting into Windows Safe Mode.

Thanks for the suggestion. I did indeed try and fail to access system restore while in safe mode. I always got the “system restore cannot repair your computer; reboot and try again” dealio.

I just wish I knew what happened, so that I could venture to try CIS again. ???

Did you already have CIS installed before? If so, I suspect the .dll got left over from the old uninstall. I recommend running Revo Uninstaller set to moderate when uninstalling CIS, or running the batch file found on the forum after you uninstall CIS to remove leftover files and registry keys.

I had never before had CIS on my machine, no. Revo did not work no matter what it was set on, and it was a geek who was very experienced with Revo who tried.

The thing of it is, when HijackThis removed guard32.dll from the System32 folder, everything went back to normal, despite CIS still being officially installed. I of course uninstalled it immediately upon being able to do so, but still, it’s odd.

I’ve been reading of guard32.dll being a falsely-named piece of malware when it’s in the system32 folder as opposed to the Comodo folder, and I suspect that happened to me. JMHO. Just wish I knew if that’s correct, how the install file became infected, being that it was from CNET and that I do keep my machine clean.

Thanks for your time, languy99.

A legitimate copy of guard32.dll is placed in the system32 folder. The file is digitally signed and it is possible to verify whether it is legit (right click > Properties…\ Digital Signatures tab \ Details button).

I suspect your concern about infection is unwarranted, though such system-wide effects appear indicative of a conflict with other 3rd party security/utility software (or perhaps a combination of them).
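The signature check described above (and suggested again further down the thread for the downloaded installer) can be scripted instead of clicking through the Properties dialog. The following is an added example, not code from the thread or from Comodo; it uses the Windows PowerShell cmdlet Get-AuthenticodeSignature, and the two file paths are assumptions (the System32 location comes from the thread, the installer name is a placeholder):

```powershell
# Added example: report the Authenticode signature status of one or more files,
# e.g. guard32.dll in System32 and a downloaded installer, before trusting them.
# Written for Windows PowerShell 2.0 so it also runs on XP SP3.
param(
    [string[]]$Path = @(
        "$env:SystemRoot\System32\guard32.dll",                   # location named in the thread
        "$env:USERPROFILE\Downloads\cis_installer_PLACEHOLDER.exe" # placeholder: use the real download name
    )
)

function Test-FileSignature {
    param([Parameter(Mandatory=$true)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return New-Object PSObject -Property @{
            Path = $FilePath; Status = 'Missing'; Signer = $null; Valid = $false
        }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $FilePath
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Status meanings:
    #   Valid        - hash matches the signature and the chain builds to a trusted root
    #   NotSigned    - no Authenticode signature at all
    #   HashMismatch - file content changed after it was signed (corrupt or tampered)
    #   UnknownError - chain could not be built (untrusted or unreachable root)
    New-Object PSObject -Property @{
        Path   = $FilePath
        Status = [string]$sig.Status
        Signer = $signer          # check that the Subject names the publisher you expect
        Valid  = ($sig.Status -eq 'Valid')
    }
}

$results = $Path | ForEach-Object { Test-FileSignature -FilePath $_ }
$results | Select-Object Path, Status, Signer, Valid | Format-Table -AutoSize

# Anything that is not Valid is what the thread suggests keeping a copy of
# and submitting to an AV lab rather than trusting or deleting blindly.
$suspect = $results | Where-Object { -not $_.Valid }
if ($suspect) {
    Write-Warning ("{0} file(s) did not verify as Valid; see table above." -f @($suspect).Count)
}
```

A Valid status only tells you the file is the one the signer shipped; it says nothing about whether that signer's software conflicts with anything else on the machine, which is the separate question this thread ends up at.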

Hi,
your problem seems to be very difficult to solve; a fresh install seems to be the only answer.

However, as you said your computer was OK before Comodo, try this to disable Comodo. When CIS ver 4.0 is installed, system restore does not work even in safe mode.

As you have said your computer can boot in safe mode, try these:

Step 1: Boot into safe mode (press the F8 key when your BIOS screen is about to end and then choose safe mode).

Step 2:
Delete the following entries from the registry:

1. HKLM\SYSTEM\CurrentControlSet\Services\cmdguard
2. HKLM\SYSTEM\CurrentControlSet\Services\cmderd
3. HKLM\SYSTEM\CurrentControlSet\Services\cmdagent
4. HKLM\SYSTEM\CurrentControlSet\Services\cmdhelp
5. HKLM\SYSTEM\CurrentControlSet\Services\inspect

and then boot into normal mode.
This will effectively disable Comodo.
Then try to repair your avast.
Now you can uninstall your avast and use the original installer of CIS to repair and remove the CIS.

regards

Adi
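Adi's procedure deletes the five service keys by hand in regedit. The following added example (not from the thread or from Comodo) does the same from Safe Mode in a reversible way: it reports each key's ImagePath and the signature status of the binary it points to, exports every key to a .reg file first so `reg import` can undo the change, and only removes the keys when a switch is flipped after reviewing the report. The service names are the ones Adi lists; the backup directory and the path-resolution rules are assumptions.

```powershell
# Added example: inspect, back up, then (optionally) remove the CIS service keys
# named in Adi's post. Run from Safe Mode under an administrator account.
# Written for Windows PowerShell 2.0 so it also runs on XP SP3.
$services   = 'cmdguard', 'cmderd', 'cmdagent', 'cmdhelp', 'inspect'   # from the thread
$backupDir  = Join-Path $env:SystemDrive 'cis_service_backup'           # assumed backup location
$removeKeys = $false   # set to $true only after reviewing the report and the .reg backups

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Resolve-ImagePath {
    # Driver ImagePath values come in several shapes: \??\C:\..., \SystemRoot\..., a
    # relative system32\DRIVERS\x.sys, or a quoted exe path followed by arguments.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^(.+?\.(exe|sys|dll))') { $p = $Matches[1] }   # drop trailing arguments
    return $p
}

function Get-ServiceKeyInfo {
    param([Parameter(Mandatory=$true)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{
            Name = $Name; Exists = $false; ImagePath = $null; Binary = $null; Signature = $null
        }
    }
    $image    = (Get-ItemProperty -Path $key).ImagePath
    $resolved = Resolve-ImagePath $image
    $status   = 'FileNotFound'
    if ($resolved -and (Test-Path -LiteralPath $resolved)) {
        $status = [string](Get-AuthenticodeSignature -FilePath $resolved).Status
    }
    New-Object PSObject -Property @{
        Name = $Name; Exists = $true; ImagePath = $image; Binary = $resolved; Signature = $status
    }
}

$report = $services | ForEach-Object { Get-ServiceKeyInfo -Name $_ }
$report | Select-Object Name, Exists, Binary, Signature | Format-Table -AutoSize

# Export each existing key before touching it; XP's reg.exe has no /y, so clear old exports first.
foreach ($svc in ($report | Where-Object { $_.Exists })) {
    $out = Join-Path $backupDir ($svc.Name + '.reg')
    if (Test-Path -LiteralPath $out) { Remove-Item -LiteralPath $out -Force }
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$($svc.Name)" $out | Out-Null
    Write-Host "Backed up $($svc.Name) to $out"
}

if ($removeKeys) {
    foreach ($svc in ($report | Where-Object { $_.Exists })) {
        Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)" -Recurse -Force
        Write-Host "Removed service key $($svc.Name)"
    }
    Write-Host 'Reboot into normal mode; restore any key with: reg import <file>.reg'
} else {
    Write-Host 'Dry run only. Set $removeKeys = $true to delete the keys listed above.'
}
```

The report step is the useful part for the question this thread keeps returning to: a driver binary whose signature status is anything other than Valid is the file worth saving and submitting to an AV lab before the key is deleted, whereas a Valid signature from the expected publisher points toward a software conflict rather than an infection.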

For some reason, my last post was removed. All I’m trying to do is to better understand what happened. I think CIS sounds like a great program, and I want to try it again, minus the meltdown.

Let’s leave it at this:

  1. Guard32.dll is indeed a legit app from CIS, while it remains possible that malware can rename itself to guard32 and install into the System32 folder

  2. For whatever reason, whether infection or conflict with another program(s), my particular computer did not like this particular guard32.dll and reverted to normal once that file alone was gone

And Adi, thank you for your detailed advice. If I have the same problem again, I’ll try it.

Having successfully installed V4 on Windows XP SP3 many times, the only foreseeable difference would be already installed security/utility software.

It is a pity that it was not possible to confirm specifically what products are necessary to trigger those systemwide effects apart from CIS (whenever narrowed down to one of its components, namely guard32.dll).

I would likely advise everybody that in case of software conflict it matters not what was the last software added whereas a combination of two (or more) might be necessary to trigger an issue.

Though such a suspicion was seemingly based on completely misleading information (whereas a legit copy of guard32.dll is actually placed in the system32 folder), in case such a file was not digitally signed or had an invalid digital signature it would have been reasonable to save a copy and submit it to any AV analysis lab of choice. :-La

Of course submission to AV labs would apply to any suspicious file regardless of the name it has and whatever directory it is placed into.

It is indeed a pity that infection still remains a possibility whereas submission to a 3rd party AV lab would have been obviously possible in case a specific file would have been suspected.

Maybe a reformat is in order. This would also provide the chance to install CIS before anything else (and reboot after installing each one of the other security/utility programs, as a starting point to troubleshoot potential conflicts).

Before installation it might also be reasonable to check that the installer's digital signature is valid (right click > Properties…\ Digital Signatures tab \ Details button) to confirm that the installer is not corrupted, and also take additional steps to confirm whether the most recent version was downloaded.

This of course won’t dismiss the chance the system was already infected before installation, though the possibility of a software conflict appeared a more reasonable explanation.

Thanks much for the time and details, Endymion. You’re very correct that it’s a shame that I didn’t think to try and decipher which program(s) was/were conflicting with guard32.dll and/or sending that file for analysis. I was just desperate to get my only computer back in bidness.

I’ll accept that it was very likely a conflict, as the chances of an already-infected machine are as close to nil as possible. I’m very astute with my security programs.

Many thanks to all who kindly responded. I hope to see you around again as I peruse this good site. :-TU