PC Review



Can't remove spyware registry entries for PSGuard Spyware?

 
 
Knight Technologies
17th Aug 2005
On Windows Server 2003 R2 I'm unable to remove PSGuard registry entries using
regedit, even after doing an OS repair the entries still remain.

The registry entry is:
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License

The system produces an error on the key deletion attempt that says I cannot
delete the key.

I can't delete the root for the entire branch either:
HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD

I've run several spyware scanners, and on Spybot S&D it comes up and
requests a reboot to remove it; once the system reboots the entry remains.


--
Knight Technologies (http://knight-technologies.us)
E4 Chat (http://e4chat.com)
 
Mark V
18th Aug 2005
In microsoft.public.win2000.registry
Knight Technologies wrote:

> On Windows Server 2003 R2 I'm unable to remove PSGuard registry
> entries using regedit, even after doing an OS repair the entries
> still remain.


And PSGuard has provided no help in removing/uninstalling their
software?

> The registry entry is:
> HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License
>
> The system produces an error on the key deletion attempt that says I
> cannot delete the key.
>
> I can't delete the root for the entire branch either:
> HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD
>
> I've run several spyware scanners, and on Spybot S&D it comes up and
> requests a reboot to remove it; once the system reboots the entry
> remains.


Often this is a permissions issue on the key or sub-key. Have you
taken ownership and set new ACLs (or tried to)?

Since this is a licence key one possibility is that the key was
created in such a way as to be unremovable. Possibly by embedding
null characters that make the key invalid for access by the Win32
APIs used in regedit and most Windows registry tools. In practice
this key may be un-removable.

You might want to run Sysinternals RootkitRevealer to see what can
be seen about it.
http://www.sysinternals.com/utilitie...trevealer.html

 
 
Knight Technologies
18th Aug 2005
What happened was I accidentally clicked an advertisement link and browser
popups filled my memory up so I couldn't respond. In the background PSGuard
was installed and took over the desktop. It's designed to fool you by showing a
believable spyware scan in which you are actually seeing your own files and
directory structures being collected in front of you; after it completes it's
designed to make your system appear abused, then it installs multiple trojans,
viruses, keyloggers, you name it, and updates itself. After a while it's
designed to make hundreds of international 1-900 calls, then destroy your
machine when finished to make it harder to track back. Luckily I caught it in
time. I used the Sysinternals connection monitor and took a snapshot of the
remote connection to where it phoned home to.

Anyway, it's pretty cleaned up except for that entry, which you're right
about: it shows exactly what you said. I ran that scanner and it shows
"embedded null's", so what do I do now to get rid of it?


--
Knight Technologies (http://knight-technologies.us)
E4 Chat (http://e4chat.com)


 
 
Mark V
18th Aug 2005
In microsoft.public.win2000.registry
Knight Technologies wrote:

> What happened was I accidentally clicked an advertisement link and
> browser popups filled my memory up so I couldn't respond, in the
> background PSGuard was installed, took over the desktop, it's


I see I should have Googled PSGuard as I was under the impression
that this was user installed software... Oops.

> designed to fool you by showing a believable spyware scan in
> which you are actually seeing your own files and directory
> structures being collected in front of you, after completed it's
> designed to make your system appear abused then it installs
> multiple trojans, viruses, keyloggers, you name it and updates
> itself. After a while it's designed to make hundreds of
> international 1-900 calls then destroy your machine when
> finished to make it harder to track back, luckily I caught it in
> time. I used the Sysinternals connection monitor and took a snapshot
> of the remote connection to where it phoned home to.


Well, my answer would be to re-install from scratch or return to a
previous image of the system. I (personally) would never trust
this installation again. Also, don't forget to change every
password, everywhere, and assess the impact if any data anywhere on
the system were now in others' unknown hands.

> Anyways, it's pretty cleaned up except for that entry which
> you're right about it shows exactly what you said I ran that
> scanner and it shows "embedded null's", so what do I do now to
> get rid of it?


I know of no safe methods or tools to do so.
Possibly revert to a previous full registry backup (SOFTWARE hive)
if available.

 
 
Knight Technologies
19th Aug 2005
The big issue is I did an OS repair using the Windows Server 2003 SP1
installation CD and the entry is still there.

I don't trust the installation either but have no choice for about 5 months.

I think in a previous post you made for sysinternals there was something
about a C++ registry sample which created and removed such keys, can't find
the sample do you know where it is?

--
Knight Technologies (http://knight-technologies.us)
E4 Chat (http://e4chat.com)



 
 
Mark V
19th Aug 2005
In microsoft.public.win2000.registry
Knight Technologies wrote:

> The big issue is I did an OS repair using the Windows Server
> 2003 SP1 installation CD and the entry is still there.


Ya, the "repair" concentrates on OS registry areas for the most
part.

> I don't trust the installation either but have no choice for
> about 5 months.
>
> I think in a previous post you made for sysinternals there was
> something about a C++ registry sample which created and removed
> such keys, can't find the sample do you know where it is?


Ah, if you are a C programmer and can use Native NT APIs then the
information you need is likely to be in the REGHIDE demo.

http://www.sysinternals.com/Informat....html#HiddenKeys

reghide.zip 24,749

C:\TEMP>unzip -l reghide.zip
Archive:  reghide.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
    38912  98-05-17 22:25   REGHIDE.MDP
     5160  98-05-17 22:25   REGHIDE.C
   115712  98-05-17 22:25   REGHIDE.NCB
     6669  98-05-17 22:25   REGHIDE.MAK
        0  98-05-17 22:24   RELEASE/
     1691  98-05-17 12:36   REGHIDE.H
     4749  98-05-17 22:25   RELEASE/REGHIDE.OBJ
    26624  98-05-17 22:25   RELEASE/REGHIDE.EXE
 --------                   -------
   199517                   8 files

If that leads you to write a utility... <G>
It's beyond my knowledge and skills but such a little tool could be
useful (and dangerous of course). Hope that gets you somewhere!
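Two points in this thread are worth seeing in code: Mark V's earlier explanation that a key name with embedded null characters is invalid for the Win32 registry APIs used by regedit, and his pointer here to the Native NT APIs behind the REGHIDE demo. What follows is an added example written for this thread; it is not the REGHIDE sample's code, not anything Knight wrote, and not a Sysinternals tool. It assumes ntdll.dll exports NtOpenKey, NtEnumerateKey, NtDeleteKey and NtClose with their usual signatures, that the key to remove is the leaf License key under the path Knight posted, and the function and type names (first_embedded_null, render_key_name, scan_hidden_subkeys, the NT_* typedefs) are mine. Native key names are counted in bytes rather than NUL-terminated, so a NUL inside the name is exactly the thing a Win32 caller cannot express; the scanner enumerates the direct subkeys of a \Registry\Machine path through the Native API, reports any whose name contains a NUL, and only when run with --delete removes such a leaf key with NtDeleteKey. The helpers at the top build on any platform; the Native-API part is under #ifdef _WIN32 and needs an elevated prompt.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Key names are UTF-16LE and NtEnumerateKey reports their length in BYTES.
 * Returns the index of the first U+0000 code unit inside the name, or -1. */
int first_embedded_null(const uint16_t *name, size_t name_bytes) {
    size_t n = name_bytes / 2;
    for (size_t i = 0; i < n; i++)
        if (name[i] == 0) return (int)i;
    return -1;
}

/* Renders a key name as printable ASCII for a report: an embedded NUL becomes
 * the two characters "\0", other non-printable/non-ASCII code units become
 * '?'. Returns the number of characters written (terminator excluded). */
size_t render_key_name(const uint16_t *name, size_t name_bytes,
                       char *out, size_t out_size) {
    size_t n = name_bytes / 2, o = 0;
    for (size_t i = 0; i < n && o + 3 < out_size; i++) {
        if (name[i] == 0) { out[o++] = '\\'; out[o++] = '0'; }
        else if (name[i] < 0x20 || name[i] > 0x7e) out[o++] = '?';
        else out[o++] = (char)name[i];
    }
    out[o] = '\0';
    return o;
}

#ifdef _WIN32
#include <windows.h>
#include <wchar.h>
/* Minimal Native API declarations, resolved from ntdll.dll at run time so the
 * program builds without the DDK (own names, to avoid clashing with winternl.h). */
typedef LONG ntstat_t;
typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } NT_USTR;
typedef struct { ULONG Length; HANDLE RootDirectory; NT_USTR *ObjectName; ULONG Attributes;
                 PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } NT_OBJATTR;
typedef struct { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength;
                 WCHAR Name[1]; } NT_KEY_BASIC_INFO;
#define NT_OBJ_CASE_INSENSITIVE 0x40
#define NT_KEY_BASIC_INFORMATION 0
#define NT_STATUS_NO_MORE_ENTRIES ((ntstat_t)0x8000001AL)
typedef ntstat_t (NTAPI *NtOpenKey_t)(PHANDLE, ACCESS_MASK, NT_OBJATTR *);
typedef ntstat_t (NTAPI *NtEnumerateKey_t)(HANDLE, ULONG, ULONG, PVOID, ULONG, PULONG);
typedef ntstat_t (NTAPI *NtDeleteKey_t)(HANDLE);
typedef ntstat_t (NTAPI *NtClose_t)(HANDLE);

/* Lists the direct subkeys of a Native-format path, reports those whose name
 * holds an embedded NUL and, with do_delete, removes them by re-opening each
 * with its exact byte length and calling NtDeleteKey. Returns the number of
 * hidden subkeys found, or -1 if the root key cannot be opened. */
int scan_hidden_subkeys(const wchar_t *root_path, int do_delete) {
    HMODULE nt = GetModuleHandleW(L"ntdll.dll");
    NtOpenKey_t pOpen = (NtOpenKey_t)GetProcAddress(nt, "NtOpenKey");
    NtEnumerateKey_t pEnum = (NtEnumerateKey_t)GetProcAddress(nt, "NtEnumerateKey");
    NtDeleteKey_t pDel = (NtDeleteKey_t)GetProcAddress(nt, "NtDeleteKey");
    NtClose_t pClose = (NtClose_t)GetProcAddress(nt, "NtClose");
    NT_USTR root = { (USHORT)(wcslen(root_path) * sizeof(WCHAR)), 0, (PWSTR)root_path };
    root.MaximumLength = root.Length;
    NT_OBJATTR oa = { (ULONG)sizeof oa, NULL, &root, NT_OBJ_CASE_INSENSITIVE, NULL, NULL };
    HANDLE hRoot;
    ntstat_t st = pOpen(&hRoot, KEY_READ, &oa);
    if (st < 0) { printf("NtOpenKey failed: 0x%08lX\n", (unsigned long)st); return -1; }
    unsigned char buf[1024];            /* key names are at most 255 code units */
    int found = 0;
    for (ULONG i = 0; ; ) {
        ULONG got = 0;
        st = pEnum(hRoot, i, NT_KEY_BASIC_INFORMATION, buf, sizeof buf, &got);
        if (st == NT_STATUS_NO_MORE_ENTRIES) break;
        if (st < 0) { printf("NtEnumerateKey failed: 0x%08lX\n", (unsigned long)st); break; }
        NT_KEY_BASIC_INFO *k = (NT_KEY_BASIC_INFO *)buf;
        int pos = first_embedded_null((const uint16_t *)k->Name, k->NameLength);
        int deleted = 0;
        if (pos >= 0) {                 /* Win32 tools cannot name this key */
            char shown[600];
            found++;
            render_key_name((const uint16_t *)k->Name, k->NameLength, shown, sizeof shown);
            printf("hidden subkey: \"%s\" (NUL at code unit %d, %lu bytes)\n",
                   shown, pos, (unsigned long)k->NameLength);
            if (do_delete) {
                /* Open relative to hRoot with the exact length, so the NUL is part of
                 * the name rather than its terminator. NtDeleteKey only removes a key
                 * without subkeys, hence targeting the leaf "License" key. */
                NT_USTR sub = { (USHORT)k->NameLength, (USHORT)k->NameLength, k->Name };
                NT_OBJATTR soa = { (ULONG)sizeof soa, hRoot, &sub, NT_OBJ_CASE_INSENSITIVE, NULL, NULL };
                HANDLE hSub;
                st = pOpen(&hSub, DELETE, &soa);
                if (st >= 0) { st = pDel(hSub); pClose(hSub); }
                printf("  delete -> 0x%08lX\n", (unsigned long)st);
                deleted = (st >= 0);
            }
        }
        if (!deleted) i++;              /* a deletion shifts the enumeration index */
    }
    pClose(hRoot);
    return found;
}

int main(int argc, char **argv) {
    /* Path from the thread; run elevated, and pass --delete only after reviewing the report. */
    const wchar_t *path = L"\\Registry\\Machine\\SOFTWARE\\ShudderLTD\\PSGuard\\PSGuard";
    int n = scan_hidden_subkeys(path, argc > 1 && strcmp(argv[1], "--delete") == 0);
    printf("%d hidden subkey(s)\n", n);
    return n < 0;
}
#else
int main(void) {
    /* Constructed sample for a non-Windows build: "License" + NUL + "X". */
    const uint16_t sample[] = { 'L','i','c','e','n','s','e', 0, 'X' };
    char shown[32];
    render_key_name(sample, sizeof sample, shown, sizeof shown);
    printf("%s (NUL at %d)\n", shown, first_embedded_null(sample, sizeof sample));
    return 0;
}
#endif
```

Run it once without arguments first: the report shows the escaped name and its byte length, which is also what to preserve as evidence before anything is deleted. If the parent key still will not go away afterwards in regedit, the same scan against the parent path will tell you whether another NUL-named child is holding it.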
 
 
Knight Technologies
19th Aug 2005
That's just what I needed thank you very much, it's been awhile since I've
messed with C but within a few seconds of analyzing those simple code
snippets I was able to immediately adopt the method to effectively remove
that entry for good.

It appears the method used was the same method as shown in the source code,
so using the final step in the removal process came in handy as it's the same
signature. So what I did, in simpler terms, was change the existing keys to
match to re-create the effect; the routine already automatically disables
upon clicking OK, thus it removed the foul registry entry for me. Then I did
some minor tidying up in RegEdit to remove the remaining structure.

In simple terms I kicked its ass.

Thanks again!!!


--
Knight Technologies (http://knight-technologies.us)
E4 Chat (http://e4chat.com)



 
 
Mark V
19th Aug 2005
In microsoft.public.win2000.registry
Knight Technologies wrote:

> That's just what I needed thank you very much, it's been awhile
> since I've messed with C but within a few seconds of analyzing
> those simple code snippets I was able to immediately adopt the
> method to effectively remove that entry for good.
>
> It appears the method used was the same method as shown in the
> source code so using the final step in the removal process came
> in handy as it's the same signature, so what I did in simpler
> terms was changed the existing keys to match to re-create the
> effect, the routine already automatically disables upon clicking
> OK, thus, it removed the foul registry entry for me, then I did
> some minor tidying up in RegEdit to remove the remaining
> structure.
>
> In simple terms I kicked its ass.
>
> Thanks again!!!


You are very welcome indeed and I am thrilled that you have your
solution. I will revisit both the example code and some dusty
programming books. <G>.
 
 
Dave Patrick
19th Aug 2005
Same here great thread!

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Mark V" wrote:
<snip>
| I will revisit both the example code and some dusty
| programming books. <G>.


 
 
Mark V
19th Aug 2005
In microsoft.public.win2000.registry Dave Patrick wrote:

> Same here great thread!


Thanks Dave. It's contributing to new knowledge and success stories
like this one that keeps me posting past the "dull stuff". <G> All
the time learning new things myself!
 