Why has Microsoft failed to fix PS Guard

Thread starter: Guest

It's been around long enough that Microsoft AntiSpyware should take care of it.

Our facility was going to put it on all of our computers until we had a
computer get infected with PS Guard.
 
Hi

Yes, this is strange because it's so easy to go to PS Guard's
website and get real material for detection/removal.

Dear Bill, can you send it to the MSAS team as a proposal from
this little group?
 
Plun, have you forgotten about this? :)
From Plun:
Hi

PS Guard is a real pest and makes a PC totally crazy with
IE bestwebs blocks and no desktop.

Follow this, used it myself yesterday.

http://forums.techguy.org/printthread.php?t=376692

Maybe you must go to a friend and burn these programs!
Also include the latest def file for Ewido if you have no internet
connection because of PS Guard.

It was impossible for me to do anything on the PC I was cleaning with
the PS Guard - Smitrem infection because of recreating processes.

Ctrl+Alt+Del, then Archive > Run, point to the CD and install
Ewido. Then Ewido first removed all the crazy processes :)

--
plun
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
 
Hi

No, and I wrote that but in other words ;)

I am not using canned messages ;)

Except for MSAS, Adaware and CCleaner.

And this was about the MSAS team getting real material from
PS Guard's website (or using Google). Just take Spyware Warrior's rogue
list and create defs ;)

Also, MSAS is really weak at stopping malicious
processes; hopefully much better in Beta 2.
 
The problem really isn't PSGuard, as that can be removed easily along with
SpySheriff/SpyTrooper and all the other rogue removers if you download it by
itself, but it's different when they get installed without the user's knowledge.
When that happens there is already a very serious infection on the system, as
the downloads of PS Guard/SpySheriff and the fake spyware wallpaper are the
final parts of the infection.

MS could include all the definitions for these trojans and also check the
wininet.dll file, as some variants replace that with a trojan. That is easily
repaired by using a clean copy from other areas of the system or from
security updates from MS which include the dll file, but the infection changes
so fast that I'm sure if MSAS did detect and remove every variant the trojan
writers would just release a new batch of files, so it's not a simple task for
MS or any antispy/antivirus vendor.

Here's a list of some of the variants which cause the install of PSGuard/
SpySheriff/SecurityiGuard etc., and it's very common to have a few of these
installed at the same time:

http://securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.b.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.desktophijack.c.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.desktophijack.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.pepop.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.secup.html

http://www.sophos.com/virusinfo/analyses/trojzlobg.html

http://www.sophos.com/virusinfo/analyses/trojspyrec.html

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=43295

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43297

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43299

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=43010

http://www.f-secure.com/v-descs/trdrsmwy.shtml

As you can see these change very fast, so it's best to try to prevent these
getting on the system by using MSAS and a strong antivirus, both with real-time
protection updated and enabled. A strong firewall would also help to
make users aware of activity so it can be blocked, and the obvious step of making
sure all the security patches and available service packs are installed, as
this will reduce the chances of ever being infected with this junk.

Andy :)
 
Hi Andy

That's also true, but as I understand it when I asked the user,
the wallpaper (under the hood also several trojans) was the first step
in this infection, and then he was "scared" and clicked on "Click here"
for removal and PS Guard was installed.

Nevertheless, as I wrote to you, this PC must have been totally filled
with junk, because after Ewido, Adaware detected many, over 7000 TAC
points.

F-Secure woke up after Ewido and took care of several other trojans.

MSAS then some more, minor threats.

The "PS Guard" "Click here" and the installation which starts must be
the first step for MSAS to deal with. The distribution for this pest
will be changed a lot of times. If MSAS comes up with a "red blocker"
for PS Guard it is a good start, and also checks wininet.dll. The user
must do something to get rid of the wallpaper, and PS Guard will be
blocked by MSAS.

One more important issue is how MSAS handles malicious processes and
cuts them; Ewido is great for that.

Maybe we also can have a EULA challenge with PS Guard?

And of course it´s important with a real working firewall.... ;)
And Windowsupdate. And antivirus ;)
 
I don't know the specifics of why Microsoft Antispyware can't deal with this
one. Looking at Andy's message, I suspect that it isn't easy--but I'm sure
this is something Microsoft Antispyware is intended to remove, and that it
will do better with time--especially if they get Suspected Spyware reports
from folks with this in place.

I'd really recommend that you go ahead and install Microsoft Antispyware on
those machines. The real-time protection should help prevent this kind of
infection, even if we can't yet clean it.
 
Hi Bill

Maybe you missed my conclusion: it is probably difficult to catch
the distribution and malicious processes installed before a user
installs PS Guard. And the "bad guys" probably change these a lot.

But it is easy to block the PS Guard install with MSAS and dismantle the
primary goal of this hijack. No user will pay a penny for PS Guard.
This spyware would then be dead soon, I believe.

--
plun



Bill Sanderson pretended:
 
Hi Plun, hope you're well :)

The user you helped would have already had a trojan infection by the time they
noticed the desktop wallpaper changing to the spyware warning and the icons
on the taskbar (system tray) showing the messages:

"Windows has detected spyware activity- Click here"
"Windows has detected a spyware infection and will now download the latest
Antispy remover"
"Your Computer is infected, Click here to protect your computer"

These are caused on most systems by a trojan file named
intel32.exe/intell32.exe, which is the taskbar icon, so the damage was already
done by the time they became aware of any changes. If he hadn't clicked
the icon the trojans would still have started up every time he rebooted and
attempted to download the other trojan components, which hook into explorer to
start with Windows, so it ends up being a few files all protecting each other
from being removed or stopped. The trojans can also change the homepage and
delete all BHOs on the system, so it does make it difficult to download the
tools needed to remove the junk once it's infected the PC. By left-clicking
the icon it can automatically start the download of PSGuard/SpySheriff.

I agree MSAS does need to target these trojans, as they could prevent a lot of
problems for users by blocking it with the real-time protection. I tested PS
Guard earlier today and MSAS didn't find any problems with me installing it,
except for a blue pop-up asking if I wanted to allow it to add a startup
entry once it had installed. It's a bit confusing, as MSAS does target a very
small number of the registry entries but not the files/folder or the registry
HKLM\Software folder and Run command for PS Guard. Ewido didn't find a problem
with the files on the C: drive either but detected a few registry entries. Spybot
and Adaware didn't detect PSGuard at all on the system.

MS Antispy detected these:

PSGuard Potentially Unwanted Software
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss
of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}
HKEY_CLASSES_ROOT\clsid\{C5B70256-5B08-4056-B84E-C6CE084967F5}\TypeLib {6E9E448E-B195-4627-953C-5377FA9BBA36}
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\InprocServer32 C:\Program Files\P.S.Guard\Core.dll
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\MiscStatus\1 132497
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\MiscStatus 0
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\ToolboxBitmap32 C:\Program Files\P.S.Guard\Core.dll, 119
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\TypeLib {6E9E448E-B195-4627-953C-5377FA9BBA36}
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\Version 1.0
HKEY_CLASSES_ROOT\clsid\{C5B70256-5B08-4056-B84E-C6CE084967F5}
HKEY_CLASSES_ROOT\clsid\{C5B70256-5B08-4056-B84E-C6CE084967F5}\InprocServer32 C:\Program Files\P.S.Guard\Core.dll

EWIDO

HKLM\SOFTWARE\PSGuard.com
HKLM\SOFTWARE\PSGuard.com\PSGuard
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License
C:\Documents and Settings\Andy Manchesta\Application Data\PSGuard.com -> C:\Documents and Settings\Andy Manchesta\Application Data\PSGuard.com\P.S.Guard\BrowserObjects

Which still left all the dll files in the Program Files folder in place, plus
the Add/Remove screen entry. Using that removed the files and desktop icon
easily enough. It was CCleaner, running on Issues, that detected the Run key was
still in place after the rest had been removed.


It's not spyware, so I understand why the scanners are not fully removing it
and in Adaware's/Spybot's case not even detecting it, but it is rogue and the
results are a joke: when I tried it today it detected 8 cookies and didn't show
them as cookies or give the location, but showed they are critical spyware
files and then displayed a warning that I need to pay as my every move is
being monitored :)

Regarding the original post about not wanting to install MSAS because of the
infection, I personally think it's a good idea to install it on all your
systems, as it's amazing the amount of problems it can stop, and my opinion is
that it's a valued addition to my PC security even at this early stage of the
beta process.

Things can only get better for MS AntiSpy, and I'm sure it will perform well
on any system and would rate as good as any other remover, even paid versions,
in the amount of malware it can detect and remove. With it being free
protection I think all users should consider installing it and seeing for
themselves how well it does.

Regards

Andy
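The post above lists what each scanner caught and what it left behind (the CLSIDs, the HKLM\SOFTWARE\PSGuard.com vendor key, and a Run entry that only CCleaner noticed). As an added example, not code from the thread or from any of the scanners, the Python below parses a regedit export (File > Export, the `[Key]` / `"name"="data"` text format) and reports every one of those traces, separating out the autostart entries so a cleanup that only strips the CLSIDs is visibly incomplete. The export it runs on is constructed; the Run value names and the `PSGuard.exe` path in it are assumptions, as are the `intel32`/`intell32` patterns being wired into the file regex (the thread names those files but lists no Run entries for them).

```python
r"""Flag PS Guard / SmitFraud registry leftovers in a .reg export.

Added example, not code from the thread. Indicators come from the scanner
output posted there: two CLSIDs whose InprocServer32 is
C:\Program Files\P.S.Guard\Core.dll, the HKLM\SOFTWARE\PSGuard.com key, and
Run entries launching the P.S.Guard folder or intel32.exe/intell32.exe.
SAMPLE_REG is constructed; its Run value names and PSGuard.exe path are
assumptions, not values reported in the thread.
"""
import re

# CLSIDs from the MS AntiSpyware detection list in the thread.
PSGUARD_CLSIDS = {
    "{265C2AF8-C94C-4AFF-B2B6-340D3982562C}",
    "{C5B70256-5B08-4056-B84E-C6CE084967F5}",
}
# Vendor key Ewido reported (regedit exports spell out the hive name).
PSGUARD_KEY_PREFIXES = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\PSGuard.com",)
# Anything under the P.S.Guard program folder, or the intel32/intell32 trojan.
SUSPECT_FILES = re.compile(r"(?i)(\\p\.s\.guard\\|\bintel{1,2}32\.exe)")
RUN_KEYS = {
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
}

# Constructed export (assumption: value names under Run are invented).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}]
@="PSGuard"

[HKEY_CLASSES_ROOT\CLSID\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\InprocServer32]
@="C:\\Program Files\\P.S.Guard\\Core.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\TypeLib]
@="{6E9E448E-B195-4627-953C-5377FA9BBA36}"

[HKEY_CLASSES_ROOT\CLSID\{C5B70256-5B08-4056-B84E-C6CE084967F5}\InprocServer32]
@="C:\\Program Files\\P.S.Guard\\Core.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License]
"Key"="0000-0000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P.S.Guard"="C:\\Program Files\\P.S.Guard\\PSGuard.exe"
"intel32"="C:\\WINDOWS\\intel32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
"Legit"="C:\\Program Files\\Vendor\\app.exe"
'''


def parse_reg(text):
    """Return {key: {value_name: data}} from .reg text ('@' is the default value).
    Joins hex data continued with a trailing backslash; un-escapes string data."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):          # hex(...) data continued on the next line
            pending = line[:-1]
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return (key, value_name, reason) for every PS Guard trace in the export."""
    hits = []
    for key, values in keys.items():
        upper = key.upper()
        clsid = next((c for c in PSGUARD_CLSIDS if c in upper), None)
        if clsid:
            hits.append((key, None, "PS Guard CLSID " + clsid))
            continue
        if any(upper.startswith(p.upper()) for p in PSGUARD_KEY_PREFIXES):
            hits.append((key, None, "PS Guard vendor key"))
            continue
        for name, data in values.items():
            if SUSPECT_FILES.search(data):
                where = "autostart (Run) entry" if upper in RUN_KEYS else "value"
                hits.append((key, name, f"{where} references PS Guard/trojan file: {data}"))
    return hits


def autostart_hits(hits):
    """Only the Run-key entries: the part the scanners in the thread left behind."""
    return [h for h in hits if h[0].upper() in RUN_KEYS]


def main():
    hits = find_indicators(parse_reg(SAMPLE_REG))
    for key, name, reason in hits:
        print(f"{reason}\n    {key}" + (f" -> {name}" if name else ""))
    print(f"{len(autostart_hits(hits))} autostart entries survive a CLSID-only cleanup")


if __name__ == "__main__":
    main()
```

The parser is deliberately tolerant of case in key paths because regedit exports preserve whatever case the malware used when it created the keys; matching is done on upper-cased paths throughout.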
 
Hi Andy

Within this message from you the MSAS team probably has everything
to defeat this hijack ;) Absolutely great!

I also found good pics from noahdfear:
http://noahdfear.geekstogo.com/When_infected_with_PSGuard.htm

But the trojan will probably change to something else which
starts this hijack: intel64, amd32 and so on.

You are absolutely right about PS Guard, but this distribution and
the way a user is forced/scared into installing it stinks. And then
maybe also a lot of users pay for it!? This is nothing else than
a big fraud against a scared user.

If they use credit cards, the numbers will also be out to these "bad guys".

So if the MSAS team takes it all, that is really good, but a starting point
must be to put a red blocker on PS Guard so that the user understands
that this is no good for a PC.

Maybe we have some legal aspects on this, but this is a fraud and nothing
else.

About MSAS, I always recommend it with some warnings; the main problem
now is a bad reputation about removing p2p files. This is spreading
rapidly within communities and MS must do something about this "Kazaa My
Shared Folder" problem.

Something else:
"The list" is also removed because users cannot handle such a list.
They install all of them instead of asking about a problem and it
leads to a total mess within a PC.

Many users sit and try them one by one and it ends up with
10 antispyware apps, 10 special tools for antispyware removals
and non-removed spyware. ;(

Best regards
plun


AndyManchesta laid this down on his screen:
 
Hi Andy again

Maybe this is a better conclusion!?!

Leave PS Guard and a lot of users learn
a real lesson why they must protect a PC.
But this is indeed a hard way to learn it ;)

--
plun



plun formulated the question:
 
Hey Plun

I agree with you about the list of tools and removers. For a novice user it
can cause more problems than it solves, so it's always best if they have what
they need, and if they have spyware/virus problems they can ask for advice, as
there's always a tool or remover that can stop any infection. Dave (Noahdfear)
has done an excellent job removing these trojans and the rogue removers, plus
he is constantly updating the tool, so his efforts are really appreciated.

You're right about these trojan writers: as soon as vendors start to include
all the variants they will just move on and release new trojan files, so it's
always going to be a never-ending fight. That's also true when Windows
releases patches; I'm sure there are a lot of hackers who reverse engineer the
patch to see what the vulnerability was, then within a day or two they
start exploiting that, knowing that some users wouldn't have updated. I also
think giving this scum credit card info is a bad move and could come back to
haunt users, so blocking these rogue programs is a great idea. Even though they
are not spyware they can do a lot of damage, and the legal issue is probably
valid, but until they start showing the correct results and stop showing
cookies as critical spyware they get what they deserve.

I was testing the other day and got infected with the SSA keylogger (CWS ID
Theft), so that's another one to look out for as it's still around. The main
file is 'winldra.exe', so if anyone gets that you have big problems and need
to change all passwords and contact banks if you use them online, and reset
the hosts file.

Spybot picked up a couple of files from that keylogger but called them
surfsidekick & shopathome, and one was the log they make with all the details
that gets emailed out. Adaware detects files from that keylogger as
Trojan.Sars; the SSA keylogger remover from Sunbelt is the best option if it's
needed.

I also got the Robobot worm from some junk site and it turned my PC into a
zombie. I only noticed it from reading the packet sniffing logs, but I'd been
sending out hundreds of emails for cheap meds advertising some site without
knowing :) That used the system file SMSS.exe, which couldn't be killed by Task
Manager as it was showing as a critical system file, so I just used APT from
DiamondCS to kill it. It kept me quiet for a while and it was surprising
when I started reading all the logs to see I'd sent over 400 emails without
knowing :o)

Andy
 
Hey Plun

It is a bit messy that the SmitFraud infection is adding sites to the
restricted zone. Even though most would have been protective, Grinler was right
to advise DelDomains, as using Spybot's Immunize and SpywareBlaster/IESpyad is
enough protection for anyone and a lot better than keeping the SmitFraud
entries; you just need to remember to re-enable them all after using DelDomains.

With the infections, the keylogger came with a lot of other junk like CWS, IST,
PD-Pinch password stealers and trojans, and ZoneAlarm was shut down by the
infection, although it was just a test setup so I wasn't that concerned about
the problems.

With the Robobot worm the ZoneAlarm alerts were showing genuine-sounding
names connecting out, so I didn't pay much attention to them as I was looking
for a Vundo installer on a few junk sites but still cannot find any. I only
realized it was active after closing all IE windows and the packet sniffing
tool carried on sending and receiving packets, which were all the emails I was
sending out and confirmations of whether they had been received. Checking Task
Manager showed two SMSS.exe processes, so I knew then it was a virus, as one
was running from system32 and the worm was running from the Windows folder.

Regards

Andy
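The tell Andy describes above, two SMSS.exe where one runs from system32 and the other from the Windows folder, generalizes to a simple check: every core Windows process has one directory it must be loaded from, and a few of them must exist exactly once. The Python below is an added example (not the thread's or any tool's code) that runs that check over a process listing; it goes beyond the single SMSS.exe case by covering a small table of XP/2000 core processes. The listing it reads is a constructed CSV (`pid,name,path`, the kind of thing Process Explorer or `wmic process get` can export), and the table of expected directories is the example's own assumption, not something stated in the thread.

```python
r"""Spot core Windows processes running from the wrong place, or twice.

Added example, not code from the thread. Generalizes the two-SMSS.exe
observation to a small table of XP/2000 core processes (assumed layout).
PROCESS_LISTING is constructed: pid 1200 is the worm's copy of SMSS.exe,
pid 1820 the intel32.exe taskbar trojan (present only as noise this check
does not look at).
"""
import csv
import io
import ntpath
from collections import Counter

# Directory each core process must run from, relative to %SystemRoot%
# ("" means %SystemRoot% itself). Assumed XP/2000 layout; extend as needed.
EXPECTED_DIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "explorer.exe": "",
}
# Processes that exist exactly once on a healthy box (csrss/winlogon are
# per session and svchost is many, so they are deliberately not listed).
SINGLETONS = {"smss.exe", "services.exe", "lsass.exe"}

# Constructed listing: header plus one row per process.
PROCESS_LISTING = r"""pid,name,path
4,System,
368,smss.exe,C:\WINDOWS\system32\smss.exe
1200,smss.exe,C:\WINDOWS\smss.exe
592,csrss.exe,C:\WINDOWS\system32\csrss.exe
616,winlogon.exe,C:\WINDOWS\system32\winlogon.exe
660,services.exe,C:\WINDOWS\system32\services.exe
672,lsass.exe,C:\WINDOWS\system32\lsass.exe
844,svchost.exe,C:\WINDOWS\system32\svchost.exe
1016,svchost.exe,C:\WINDOWS\System32\svchost.exe
1488,explorer.exe,C:\WINDOWS\Explorer.EXE
1820,intel32.exe,C:\WINDOWS\intel32.exe
"""


def parse_listing(text):
    """Turn the CSV into [{'pid': int, 'name': str, 'path': str}, ...]."""
    return [
        {"pid": int(r["pid"]), "name": r["name"].strip(), "path": (r["path"] or "").strip()}
        for r in csv.DictReader(io.StringIO(text))
    ]


def find_masquerades(text, system_root=r"C:\WINDOWS"):
    """Return (pid, name, path, reason) for core-named processes that run from an
    unexpected directory, have no image path, or exist more often than allowed.
    Comparison is case-insensitive, as NTFS paths are."""
    findings = []
    seen = Counter()
    for p in parse_listing(text):
        name = p["name"].lower()
        if name not in EXPECTED_DIR:
            continue
        expected = ntpath.normcase(ntpath.join(system_root, EXPECTED_DIR[name]).rstrip("\\"))
        if not p["path"]:
            findings.append((p["pid"], p["name"], p["path"], "core process name with no image path"))
        else:
            actual = ntpath.normcase(ntpath.dirname(p["path"]))
            if actual != expected:
                findings.append((p["pid"], p["name"], p["path"],
                                 f"image runs from {ntpath.dirname(p['path'])}, expected {expected}"))
        seen[name] += 1
        if name in SINGLETONS and seen[name] > 1:
            findings.append((p["pid"], p["name"], p["path"],
                             f"instance #{seen[name]} of single-instance process {name}"))
    return findings


def main():
    for pid, name, path, reason in find_masquerades(PROCESS_LISTING):
        print(f"PID {pid:>5} {name:<14} {path:<36} {reason}")


if __name__ == "__main__":
    main()
```

Run against the constructed listing it reports pid 1200 twice (wrong directory, and a second SMSS.exe) and nothing else; Task Manager on XP shows only names, which is exactly why the path column matters here.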
 
Hi Andy

Ok about the worm.

Spybots immunizer, Spywareblaster, MSAS AND a security suite.

It seems that maybe Spybot's immunizer is a "blocker" for some
removals and only causes trouble.

I am not so sure whether it is a good idea to run this function
within Spybot??? (for a normal user).

Some users have them all, and perhaps this causes more trouble
than protection when their PC is hit with something unknown?

...
plun


AndyManchesta presented the following explanation:
 
In a small not-for-profit health care facility, good is not good enough. We
have to have a single system that we can count on. HIPAA will not allow us to
put on a tool that can allow something like this to propagate or send out
info.

The fines alone would put the company under. The goal was to save the company
$, a lot, as SMB anti-spyware is more than a not-for-profit can afford.

It boils down to staff who are totally out of their depth just using a
computer; having anything like this come through, even in an email ("help
protect your computer, click here"), could cause a nightmare.
 
Hi

Take this phone number, also in this thread.

Call MS; if HIPAA is also involved, it's high time.

No-Charge Support
1-866-PCSAFETY
or
1-866-727-2338
This phone number is for virus and other security-related support. It
is available 24 hours a day for the U.S. and Canada.

For phone numbers outside of the U.S. and Canada, select your region.
 