Why has Microsoft failed to fix PS Guard

#1
Guest

It's been around long enough that Microsoft AntiSpyware should take care of it.

Our facility was going to put it on all of our computers until we had a computer get infected with PS Guard.

#2
Guest

Hi

Yes, this is strange because it's so easy to go to PS Guard's website and get real material for detection/removals.

Dear Bill, can you send it to MSAS team as a proposal from this little group?

--
plun

Mennonite village formulated on Friday:
> It's been around long enough that Microsoft AntiSpyware should take care of
> it.
>
> Our facility was going to put it on all of our computers until we had a
> computer get infected with PS Guard.

#3
Guest

Plun, have you forgotten about this?

From Plun:

Hi

PS Guard is a real pest and makes a PC totally crazy with IE bestwebs blocks and no desktop.

Follow this, used it myself yesterday.

http://forums.techguy.org/printthread.php?t=376692

Maybe you must go to a friend and burn these programs! Also include latest def file for Ewido if you have no internet connection because of PS Guard.

It was impossible for me to do anything on the PC I was cleaning with PS Guard - Smitrem infection because of recreating processes

Ctrl Alt Del and then archive > Run and point to the CD and install Ewido. Then Ewido first removed all crazy processes

--
plun

--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

"plun" <paralun@msn.com> wrote in message news:mn.40387d5a16672b74.32385@msn.com...
> Hi
>
> Yes, this is strange because it's so easy to go to PS Guard's
> website and get real material for detection/removals.
>
> Dear Bill, can you send it to MSAS team as a proposal from
> this little group?
>
> --
> plun
>
> Mennonite village formulated on Friday:
>> It's been around long enough that Microsoft AntiSpyware should take care
>> of it.
>>
>> Our facility was going to put it on all of our computers until we had a
>> computer get infected with PS Guard.

#4
Guest

Hi

No, and I wrote that but in other words. I am not using canned messages. Except for MSAS, Adaware and CCleaner.

And this was about MSAS team getting real material from PS Guard's website (or use Google). Just to take spywarewarriors rogue list and create defs.

Also that MSAS is really weak to stop malicious processes, hopefully much better in Beta 2.

--
plun

#5
Guest

The problem really isn't PSGuard as that can be removed easily along with Spysheriff/SpyTrooper and all the other rogue removers if you download it by itself but it's different when they get installed without the user's knowledge. When that happens there is already a very serious infection on the system as the downloads of PS Guard/Spysheriff and the fake spyware wallpaper are the final parts to the infection.

MS could include all the definitions for these trojans and also check the wininet.dll file as some variants replace that with a trojan which is easily repaired by using a clean copy from other areas of the system or from security updates from MS which include the dll file but the infection changes so fast that I'm sure if MSAS did detect and remove every variant the Trojan writers would just release a new batch of files so it's not a simple task for MS or any Antispy/Antivirus vendor.

Here's a list of some of the variants which cause the install of PSguard/Spysheriff/SecurityiGuard etc. and it's very common to have a few of these installed at the same time:

http://securityresponse.symantec.co...ntispyware.html
http://securityresponse.symantec.co...ktophijack.html
http://securityresponse.symantec.co...ophijack.b.html
http://securityresponse.symantec.co...ophijack.c.html
http://securityresponse.symantec.co...ktophijack.html
http://securityresponse.symantec.co...ojan.pepop.html
http://securityresponse.symantec.co...ojan.secup.html
http://www.sophos.com/virusinfo/analyses/trojzlobg.html
http://www.sophos.com/virusinfo/ana...trojspyrec.html
http://www3.ca.com/securityadvisor/...s.aspx?ID=43295
http://www3.ca.com/securityadvisor/...s.aspx?id=43297
http://www3.ca.com/securityadvisor/...s.aspx?id=43299
http://www3.ca.com/securityadvisor/...s.aspx?ID=43010
http://www.f-secure.com/v-descs/trdrsmwy.shtml

As you can see these change very fast so it's best to try to prevent these getting on the system by using MSAS and a strong Antivirus both with Real Time protection updated and enabled, also a strong Firewall would help to make users aware of activity so they can be blocked and the obvious of making sure all the security patches and available service packs are installed as this will reduce the chances of ever being infected with this junk.

Andy

#6
Guest

Hi Andy

That's also true, but as I understand it when I asked the user, the wallpaper (under the hood also several trojans) was the first step in this infection and then he was "scared" and clicked on "Click here" for removal and PS Guard was installed.

Nevertheless as I wrote to you this PC must have been totally filled with junk, because after Ewido, Adaware detected many, over 7000 TAC points. F-Secure woke up after Ewido and took care of several other trojans. MSAS then some more, minor threats.

The "PS Guard"-"Click here" and the installation which starts must be the first step for MSAS to deal with. The distribution for this pest will be changed a lot of times. If MSAS comes up with a "red blocker" for PS Guard it is a good start and also checks wininet.dll. The user must do something to get rid of the wallpaper and PS Guard will be blocked from MSAS.

One more important issue is how MSAS handles malicious processes and cuts them, Ewido is great for that.

Maybe we also can have a EULA challenge with PS Guard??

And of course it's important with a real working firewall.... And Windowsupdate. And antivirus

--
plun

#7
Guest

I don't know the specifics of why Microsoft Antispyware can't deal with this one. Looking at Andy's message, I suspect that it isn't easy--but I'm sure this is something Microsoft Antispyware is intended to remove, and that it will do better with time--especially if they get Suspected Spyware reports from folks with this in place.

I'd really recommend that you go ahead and install Microsoft Antispyware on those machines. The real-time protection should help prevent this kind of infection, even if we can't yet clean it.

--

"Mennonite village" <Mennonitevillage@discussions.microsoft.com> wrote in message news:A9E34851-7625-4763-B468-B9C8903718E8@microsoft.com...
> its been around long enough that microsoft antispyware should take care of
> it.
>
> Our facility was going to put it on all of our computers until we had a
> computer get infected with PS guard.

#8
Guest

Hi Bill

Maybe you missed my conclusion, it is probably difficult to catch the distribution and malicious processes installed before a user installs PS Guard. And the "bad guys" probably change these a lot.

But it is easy to block the PS Guard install with MSAS and dismantle the primary goal with this hijack. No user will pay a penny for PS Guard. This spyware would then be dead soon I believe.

--
plun

Bill Sanderson pretended:
> I don't know the specifics of why Microsoft Antispyware can't deal with this
> one. Looking at Andy's message, I suspect that it isn't easy--but I'm sure
> this is something Microsoft Antispyware is intended to remove, and that it
> will do better with time--especially if they get Suspected Spyware reports
> from folks with this in place.
>
> I'd really recommend that you go ahead and install Microsoft Antispyware on
> those machines. The real-time protection should help prevent this kind of
> infection, even if we can't yet clean it.

#9
Guest

Hi Plun, Hope you're well,

The user you helped would have already had a Trojan infection by the time they noticed the desktop wallpaper changing to the spyware warning and the icons on the taskbar (SystemTray) showing the messages:

"Windows has detected spyware activity- Click here"
"Windows has detected a spyware infection and will now download the latest Antispy remover"
"Your Computer is infected, Click here to protect your computer"

These are caused on most systems by a Trojan file named intel32.exe/intell32.exe which is the taskbar icon so the damage was already done by the time they became aware of any changes. If he wouldn't have clicked the icon the trojans would have still started up every time he rebooted and attempted to download the other trojan components which hook into explorer to start with Windows so it ends up being a few files all protecting each other from being removed or stopped. The trojans can also change the homepage and delete all BHOs on the system so it does make it difficult to download the tools needed to remove the junk once it's infected the PC, by left clicking the icon it can automatically start the download of PSguard/Spysheriff.

I agree MSAS do need to target these Trojans as they could prevent a lot of problems for users by blocking it with the RealTime Protection. I tested PS Guard earlier today and MSAS didn't find any problems with me installing it except for a blue pop up asking if I wanted to allow it to add a start up entry once it had installed. It's a bit confusing as MSAS does target a very small amount of the registry entries but not the files/folder or the registry HKLM/software folder and run command for PS Guard. Ewido didn't find a problem with the files in C: drive either but detected a few registry entries. Spybot and Adaware didn't detect PSGuard at all on the system.

MS Antispy detected these:

PSGuard Potentially Unwanted Software
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}
HKEY_CLASSES_ROOT\clsid\{C5B70256-5B08-4056-B84E-C6CE084967F5}\TypeLib {6E9E448E-B195-4627-953C-5377FA9BBA36}
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\InprocServer32 C:\Program Files\P.S.Guard\Core.dll
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\MiscStatus\1 132497
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\MiscStatus 0
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\ToolboxBitmap32 C:\Program Files\P.S.Guard\Core.dll, 119
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\TypeLib {6E9E448E-B195-4627-953C-5377FA9BBA36}
HKEY_CLASSES_ROOT\clsid\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}\Version 1.0
HKEY_CLASSES_ROOT\clsid\{C5B70256-5B08-4056-B84E-C6CE084967F5}
HKEY_CLASSES_ROOT\clsid\{C5B70256-5B08-4056-B84E-C6CE084967F5}\InprocServer32 C:\Program Files\P.S.Guard\Core.dll

EWIDO

HKLM\SOFTWARE\PSGuard.com
HKLM\SOFTWARE\PSGuard.com\PSGuard
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License
C:\Documents and Settings\Andy Manchesta\Application Data\PSGuard.com -> C:\Documents and Settings\Andy Manchesta\Application Data\PSGuard.com\P.S.Guard\BrowserObjects

Which still left all the dll files in the program files folder in place plus the add/remove screen entry. Using that removed the files and desktop icon easy enough. It was Ccleaner running on Issues that detected the Run key was still in place as the rest had been removed.

It's not spyware so I understand why the scanners are not fully removing it and in Adaware's/Spybot's case not even detecting it but it is rogue and the results are a joke when I tried it today detecting 8 cookies and not showing them as cookies or giving the location but showing they are critical spyware files and then displaying a warning that I need to pay as my every move is being monitored.

Regarding the original post about not wanting to install MSAS because of the infection I personally think it's a good idea to install them on all your systems as it's amazing the amount of problems it can stop and my opinion is that it's a valued addition to my PC security even at this early stage of the beta process.

Things can only get better for MS Antispy and I'm sure it will perform well on any system and would rate as good as any other remover even paid versions in the amount of malware it can detect and remove. With it being free protection I think all users should consider installing it and seeing for themselves how well it does.

Regards

Andy
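
A post-removal check built from the scan results in post #9 and the wininet.dll point in post #5, as an added example that is not part of the original thread. The registry keys and folder names are copied from post #9; the function name Get-PSGuardRemnant and the output columns are assumptions made for illustration.

```powershell
# Added example. Indicator values are copied from the scan results quoted in post #9;
# the function name and the Type/Item/Detail output shape are assumptions.
function Get-PSGuardRemnant {
    [CmdletBinding()]
    param()

    # Registry keys reported by MS AntiSpyware and Ewido in the post.
    $keys = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID\{265C2AF8-C94C-4AFF-B2B6-340D3982562C}',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{C5B70256-5B08-4056-B84E-C6CE084967F5}',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\PSGuard.com'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Detail = 'key present' }
        }
    }

    # Folders named in the post; the scanners left the Program Files one in place.
    $dirs = @(
        (Join-Path $env:ProgramFiles 'P.S.Guard'),
        (Join-Path $env:APPDATA 'PSGuard.com')
    )
    foreach ($dir in $dirs) {
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $count = @(Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue).Count
            [pscustomobject]@{ Type = 'Folder'; Item = $dir; Detail = "$count file(s)" }
        }
    }

    # The post does not give the Run value name, so match on the value data instead.
    $runKeys = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($runKey in $runKeys) {
        if (-not (Test-Path -LiteralPath $runKey)) { continue }
        $k = Get-Item -LiteralPath $runKey
        foreach ($name in $k.GetValueNames()) {
            $data = [string]$k.GetValue($name)
            if ($data -match 'P\.S\.Guard|PSGuard') {
                [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\$name"; Detail = $data }
            }
        }
    }

    # Post #5 notes that some variants replace wininet.dll. A status other than Valid is
    # a prompt to compare the file with a known-good copy, not proof of tampering.
    $wininet = Join-Path $env:SystemRoot 'System32\wininet.dll'
    if (Test-Path -LiteralPath $wininet) {
        $sig = Get-AuthenticodeSignature -LiteralPath $wininet
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Type = 'SystemFile'; Item = $wininet; Detail = "signature: $($sig.Status)" }
        }
    }
}

# No output means none of the listed remnants were found for the current user.
Get-PSGuardRemnant | Format-Table -AutoSize -Wrap
```

On 64-bit Windows a 32-bit install registers under WOW6432Node and Program Files (x86), which this check does not cover.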

#10
Guest

Hi Andy

Within this message from you MSAS team probably has everything to defeat this hijack. Absolutely great! I also found good pics from noahdfear:

http://noahdfear.geekstogo.com/When...ith_PSGuard.htm

But the Trojan will probably change to something else which starts this hijack, intel64, amd32 and so on.

You are absolutely right about PS Guard, but this distribution and the way a user is forced-scared to install it stinks. And then maybe also a lot of users pay for it!? This is nothing else than a big fraud against a scared user. If they use credit cards also numbers will be out to these "bad guys".

So if MSAS team maybe takes it all is really good but a starting point must be to put a red blocker for PS Guard so that the user understands that this is no good for a PC. Maybe we have some legal aspects on this but this is a fraud and nothing else.

About MSAS I always recommend it with some warnings, the main problem now is a bad reputation about removing p2p files. This is spreading rapidly within communities and MS must do something about this "Kazaa-My shared folder" problem.

Something else: "The list" is also removed because users cannot handle such a list. They install all of them instead to ask about a problem and it leads to a total mess within a PC. Many users sit and try them one by one and it ends up with 10 Antispyware apps, 10 special tools for antispyware removals and non removed spyware. ;(

Best regards

plun