PSGuard

Updated: February 13, 2007 11:49:24 AM
Type: Misleading Application
Publisher: psguard.com
Risk Impact: Medium
File Names: %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PSGuard spyware remover.ln
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When PSGuard is executed, it performs the following actions:

  1. May create the following folders:
    • %userprofile%\application data\PSGuard.com
    • %userprofile%\application data\Shudder Global Limited

  2. May create some of the following files:

    • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PSGuard spyware remover.lnk
    • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\P.S.Guard spyware remover.lnk
    • %SystemDrive%\Documents and Settings\All Users\Desktop\PSGuard spyware remover.lnk
    • %SystemDrive%\Documents and Settings\All Users\Desktop\P.S.Guard spyware remover.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\PSGuard spyware remover\Register PSGuard spyware remover.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\PSGuard spyware remover\Start PSGuard spyware remover.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\PSGuard spyware remover\Uninstall.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\P.S.Guard spyware remover\Register P.S.Guard spyware remover.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\P.S.Guard spyware remover\Start P.S.Guard spyware remover.lnk
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\P.S.Guard spyware remover\Uninstall.lnk
    • %ProgramFiles%\PSGuard\Core.dll
    • %ProgramFiles%\PSGuard\database.pkg
    • %ProgramFiles%\PSGuard\Localization.dll
    • %ProgramFiles%\PSGuard\Logfile.txt
    • %ProgramFiles%\PSGuard\msvcp71.dll
    • %ProgramFiles%\PSGuard\msvcr71.dll
    • %ProgramFiles%\PSGuard\PSGuard.exe
    • %ProgramFiles%\PSGuard\PSGuard.exe.local
    • %ProgramFiles%\PSGuard\Uninstall.exe
    • %ProgramFiles%\PSGuard\WndSystem.dll
    • %ProgramFiles%\P.S.Guard\Core.dll
    • %ProgramFiles%\P.S.Guard\database.pkg
    • %ProgramFiles%\P.S.Guard\Localization.dll
    • %ProgramFiles%\P.S.Guard\msvcp71.dll
    • %ProgramFiles%\P.S.Guard\msvcr71.dll
    • %ProgramFiles%\P.S.Guard\PSGuard.exe
    • %ProgramFiles%\P.S.Guard\PSGuard.exe.local
    • %ProgramFiles%\P.S.Guard\Uninstall.exe
    • %ProgramFiles%\P.S.Guard\WndSystem.dll

      Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  3. May create some of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSGuard spyware remover
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\P.S.Guard spyware remover
    HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD
    HKEY_LOCAL_MACHINE\SOFTWARE\PSGuard.com

  4. Adds one of the following values:

    "P.S.Guard" = "%ProgramFiles%\P.S.Guard\PSGuard.exe"
    "PSGuard" = "%ProgramFiles%\PSGuard\PSGuard.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. Adds the value:

    Display Inline Images = "yes"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  6. Modifies the value:

    SeparateProcess = 0x00000001

    in the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

  7. Adds the values:

    "1200" = "0"
    "1201" = "0"
    "1400" = "0"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0

    which modifies the security zone permissions in Internet Explorer.
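
A defender-side check for the registry changes in steps 4 and 7, as an added example that is not part of the original write-up: it parses a registry export in .reg text format and reports the Run values and Lockdown_Zones\0 values listed above when they are present. The sample export and all function names are constructed for illustration; the matching accepts the data either as a string "0" or as a dword.

```python
import re

# Indicators copied from steps 4 and 7 of the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_NAMES = {"psguard", "p.s.guard"}
ZONE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0"
ZONE_NAMES = {"1200", "1201", "1400"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in .reg export format (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSGuard"="C:\\Program Files\\PSGuard\\PSGuard.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
"1200"=dword:00000000
"1201"="0"
"1400"=dword:00000003
'''

def decode(raw):
    """Turn .reg data into an int (dword) or an unescaped string."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw

def parse_reg(text):
    """Parse export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = decode(m.group(2))
    return keys

def find_psguard_changes(text):
    """Return (kind, value name, data) for each indicator that is present."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() in RUN_NAMES and str(data).lower().endswith("psguard.exe"):
            hits.append(("run", name, data))
    for name, data in keys.get(ZONE_KEY.lower(), {}).items():
        if name in ZONE_NAMES and str(data) == "0":
            hits.append(("zone", name, data))
    return hits
```

Calling find_psguard_changes(SAMPLE) flags the PSGuard Run entry and the two zone values set to 0, and ignores the unrelated ctfmon entry and the 1400 value that is not 0.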

