Can't remove spyware registry entries for PSGuard Spyware?

Thread starter: Guest

On Windows Server 2003 R2 I'm unable to remove PSGuard registry entries using
regedit; even after doing an OS repair the entries still remain.

The registry entry is:
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License

The system produces an error on the key deletion attempt that says I cannot
delete the key.

I can't delete the root for the entire branch either:
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD

I've run several spyware scanners, and on Spybot S & D it comes up and
requests a reboot to remove it; once the system reboots the entry remains.
 
In microsoft.public.win2000.registry
Knight Technologies said:
On Windows Server 2003 R2 I'm unable to remove PSGuard registry
entries using regedit; even after doing an OS repair the entries
still remain.

And PSGuard has provided no help in removing/uninstalling their
software?
The registry entry is:
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License

The system produces an error on the key deletion attempt that says I
cannot delete the key.

I can't delete the root for the entire branch either:
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD

I've run several spyware scanners, and on Spybot S & D it
comes up and requests a reboot to remove it; once the system reboots
the entry remains.

Often this is a permissions issue on the key or sub-key. Have you
taken ownership and set new ACLs (or tried to)?

Since this is a licence key one possibility is that the key was
created in such a way as to be unremovable. Possibly by embedding
null characters that make the key invalid for access by the Win32
APIs used in regedit and most Windows registry tools. In practice
this key may be un-removable.

You might want to run Sysinternals RootkitRevealer to see what can
be seen about it.
http://www.sysinternals.com/utilities/rootkitrevealer.html
 
What happened was I accidentally clicked an advertisement link, and browser
popups filled my memory up so I couldn't respond. In the background PSGuard
was installed and took over the desktop. It's designed to fool you by showing a
believable spyware scan in which you are actually seeing your own files and
directory structures being collected in front of you; after it completes, it's
designed to make your system appear abused, then it installs multiple trojans,
viruses, keyloggers, you name it, and updates itself. After a while it's
designed to make hundreds of international 1-900 calls, then destroy your
machine when finished to make it harder to track back; luckily I caught it in
time. I used the Sysinternals connection monitor and took a snapshot of the
remote connection to where it phoned home to.

Anyway, it's pretty cleaned up except for that entry, which you're right
about: it shows exactly what you said. I ran that scanner and it shows
"embedded nulls", so what do I do now to get rid of it?
 
In microsoft.public.win2000.registry
Knight Technologies said:
What happened was I accidentally clicked an advertisement link, and
browser popups filled my memory up so I couldn't respond. In the
background PSGuard was installed and took over the desktop. It's

I see I should have Googled PSGuard as I was under the impression
that this was user installed software... Oops.
designed to fool you by showing a believable spyware scan in
which you are actually seeing your own files and directory
structures being collected in front of you; after it completes, it's
designed to make your system appear abused, then it installs
multiple trojans, viruses, keyloggers, you name it, and updates
itself. After a while it's designed to make hundreds of
international 1-900 calls, then destroy your machine when
finished to make it harder to track back; luckily I caught it in
time. I used the Sysinternals connection monitor and took a snapshot
of the remote connection to where it phoned home to.

Well, my answer would be to re-install from scratch or return to a
previous image of the system. I (personally) would never trust
this installation again. Also, don't forget to change every
password, everywhere, and assess the impact if any data anywhere on
the system were now in others' unknown hands.
Anyway, it's pretty cleaned up except for that entry, which
you're right about: it shows exactly what you said. I ran that
scanner and it shows "embedded nulls", so what do I do now to
get rid of it?

I know of no safe methods or tools to do so. :(
Possibly revert to a previous full registry backup (SOFTWARE hive)
if available.
 
The big issue is I did an OS repair using the Windows Server 2003 SP1
installation CD and the entry is still there.

I don't trust the installation either but have no choice for about 5 months.

I think in a previous post you made for Sysinternals there was something
about a C++ registry sample which created and removed such keys; I can't find
the sample. Do you know where it is?
 
In microsoft.public.win2000.registry
Knight Technologies said:
The big issue is I did an OS repair using the Windows Server
2003 SP1 installation CD and the entry is still there.

Ya, the "repair" concentrates on OS registry areas for the most
part.
I don't trust the installation either but have no choice for
about 5 months.

I think in a previous post you made for Sysinternals there was
something about a C++ registry sample which created and removed
such keys; I can't find the sample. Do you know where it is?

Ah, if you are a C programmer and can use Native NT APIs then the
information you need is likely to be in the REGHIDE demo.

http://www.sysinternals.com/Information/TipsAndTrivia.html#HiddenKeys

reghide.zip 24,749

C:\TEMP>unzip -l reghide.zip
Archive: reghide.zip
Length Date Time Name
-------- ---- ---- ----
38912 98-05-17 22:25 REGHIDE.MDP
5160 98-05-17 22:25 REGHIDE.C
115712 98-05-17 22:25 REGHIDE.NCB
6669 98-05-17 22:25 REGHIDE.MAK
0 98-05-17 22:24 RELEASE/
1691 98-05-17 12:36 REGHIDE.H
4749 98-05-17 22:25 RELEASE/REGHIDE.OBJ
26624 98-05-17 22:25 RELEASE/REGHIDE.EXE
-------- -------
199517 8 files

If that leads you to write a utility... <G>
It's beyond my knowledge and skills but such a little tool could be
useful (and dangerous of course). Hope that gets you somewhere!
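The mechanism behind the "embedded nulls" finding discussed in this thread, as an added illustration rather than code from the thread or from the Sysinternals REGHIDE sample: registry key names are counted NT UNICODE_STRINGs, so a name may contain U+0000, while Win32 tools (regedit included) stop at the first NUL and can neither see nor delete the key. The portable part shows that check on constructed names; the Windows-only part assumes the caller supplies the key's full NT-native path (the thread does not say which component under HKLM\SOFTWARE\ShudderLTD carries the null) and removes it through NtOpenKey/NtDeleteKey, as RegDelNull does.

```c
/* Registry key names live in counted NT UNICODE_STRINGs, so a name may
 * legally contain U+0000; every Win32 Reg* call, regedit included, treats
 * the first NUL as the end of the string and so cannot address such a key. */
#include <stddef.h>
#include <stdint.h>

typedef uint16_t wchar16;          /* one UTF-16 code unit, as on Windows */

/* Same layout as the NT UNICODE_STRING; both lengths are in bytes. */
typedef struct { uint16_t Length, MaximumLength; wchar16 *Buffer; } CountedStr;

/* Code units a NUL-terminated (Win32) consumer would see of this name. */
size_t win32_visible_units(const CountedStr *s) {
    size_t n = s->Length / sizeof(wchar16);
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] == 0) return i;
    return n;
}

/* The key is hidden from Win32 when its counted length runs past the first
 * NUL, which is what RootkitRevealer reports as "embedded nulls". */
int has_embedded_null(const CountedStr *s) {
    return win32_visible_units(s) * sizeof(wchar16) < s->Length;
}

#ifdef _WIN32   /* the removal step itself only exists on Windows */
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *NtOpenKey_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *NtDeleteKey_t)(HANDLE);

/* Delete a key by its full NT-native path ("\Registry\Machine\..."), passed
 * as a counted string so an embedded U+0000 survives; run as Administrator
 * after taking a full registry backup. len_bytes counts bytes, not chars. */
int nt_delete_counted_key(const wchar_t *path, unsigned short len_bytes) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtOpenKey_t   open_key = (NtOpenKey_t)GetProcAddress(ntdll, "NtOpenKey");
    NtDeleteKey_t del_key  = (NtDeleteKey_t)GetProcAddress(ntdll, "NtDeleteKey");
    if (!open_key || !del_key) return 0;
    UNICODE_STRING name = { len_bytes, len_bytes, (PWSTR)path };
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
    HANDLE h;
    if (open_key(&h, DELETE, &oa) < 0) return 0;   /* NT_SUCCESS == status >= 0 */
    NTSTATUS st = del_key(h);
    CloseHandle(h);
    return st >= 0;
}
#endif
```

The key must have no subkeys for NtDeleteKey to succeed, so remove the deepest hidden key first and tidy the rest in regedit, as the original poster did.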
 
That's just what I needed, thank you very much. It's been a while since I've
messed with C, but within a few seconds of analyzing those simple code
snippets I was able to immediately adopt the method to effectively remove
that entry for good.

It appears the method used was the same method as shown in the source code,
so using the final step in the removal process came in handy, as it's the same
signature. So what I did, in simpler terms, was change the existing keys to
match to re-create the effect; the routine already automatically disables
upon clicking OK, thus it removed the foul registry entry for me. Then I did
some minor tidying up in RegEdit to remove the remaining structure.

In simple terms, I kicked its ass.

Thanks again!!!
 
In microsoft.public.win2000.registry
Knight Technologies said:
That's just what I needed, thank you very much. It's been a while
since I've messed with C, but within a few seconds of analyzing
those simple code snippets I was able to immediately adopt the
method to effectively remove that entry for good.

It appears the method used was the same method as shown in the
source code, so using the final step in the removal process came
in handy, as it's the same signature. So what I did, in simpler
terms, was change the existing keys to match to re-create the
effect; the routine already automatically disables upon clicking
OK, thus it removed the foul registry entry for me. Then I did
some minor tidying up in RegEdit to remove the remaining
structure.

In simple terms, I kicked its ass.

Thanks again!!!

You are very welcome indeed and I am thrilled that you have your
solution. I will revisit both the example code and some dusty
programming books. <G>.
 
Same here great thread!

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
<snip>
| I will revisit both the example code and some dusty
| programming books. <G>.
 
In said:
Same here great thread!

Thanks Dave. It's contributing to new knowledge and success stories
like this one that keeps me posting past the "dull stuff". <G> All
the time learning new things myself!
 
Yepper, ditto that.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Thanks Dave. It's contributing to new knowledge and success stories
| like this one that keeps me posting past the "dull stuff". <G> All
| the time learning new things myself!
 
Knight said:
On Windows Server 2003 R2 I'm unable to remove PSGuard registry
entries using regedit; even after doing an OS repair the entries
still remain.

The registry entry is:
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License

The system produces an error on the key deletion attempt that says I
cannot delete the key.

I can't delete the root for the entire branch either:
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD

I've run several spyware scanners, and on Spybot S & D it comes
up and requests a reboot to remove it; once the system reboots the
entry remains.
 
Just guessing, but this could be a "protected" key by means of
having nul characters in it. Some trial software does this. Try
running RootkitRevealer (Sysinternals) and check the results for
that key. If appropriate, then seek Sysinternals RegDelNull.exe.
In all cases, secure a full registry backup (not an "export") in
advance.

Of course the original software using this key should have been
uninstalled first. And I have skipped over the obvious things such
as registry key Permissions (ACLs).
 