Has anyone run into executable file tnnfsysguard?


skeet3
November 10th 09, 03:51 PM
The crazy thing about took over my puter this morning doing the usual thing
of saying my system was infected, throwing all kinds of error messages up
when I tried to get to my virus scanner, spyware scanner, and even when I
tried getting to regedit, msconfig and system restore. Finally was able to
get to registry and delete ooblbipn=C:\\Documents and
Settings\\myname\\Local Settings\\Application Data\\pxupjv\\tnnfsysguard.exe
from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].

Checked the file properties on the executable and it shows a description of
Attribute Utility from Microsoft??

Windows XP Pro with SP3, and all current updates
IE 8 with updates
Dell Dimension DM051 Intel R
512 MB RAM

--
Allen Hardy III

"Old age and treachery always wins
over youth and skill" -
Willie Nelson and Waylon Jennings

Pegasus [MVP]
November 10th 09, 04:03 PM
"skeet3" > wrote in message
...
> The crazy thing about took over my puter this morning doing the usual
> thing of saying my system was infected, throwing all kinds of error
> messages up when I tried to get to my virus scanner, spyware scanner, and
> even when I tried getting to regedit, msconfig and system restore.
> Finally was able to get to registry and delete ooblbipn=C:\\Documents and
> Settings\\myname\\Local Settings\\Application
> Data\\pxupjv\\tnnfsysguard.exe from
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
>
> Checked the file properties on the executable and it shows a description
> of Attribute Utility from Microsoft??
>
> Windows XP Pro with SP3, and all current updates
> IE 8 with updates
> Dell Dimension DM051 Intel R
> 512 MB RAM
>
> --
> Allen Hardy III
>
> "Old age and treachery always wins
> over youth and skill" -
> Willie Nelson and Waylon Jennings

No native Windows executables are ever stored in a profile folder. Sounds
like malware or a virus but it could also be part of your virus scanner.

skeet3
November 10th 09, 04:14 PM
Yes, it was malware. Finally got to run my spyware scanner and dumped the
remaining registry entries.

Thanks

"Pegasus [MVP]" > wrote in message
...
>
> "skeet3" > wrote in message
> ...
>> The crazy thing about took over my puter this morning doing the usual
>> thing of saying my system was infected, throwing all kinds of error
>> messages up when I tried to get to my virus scanner, spyware scanner,
>> and even when I tried getting to regedit, msconfig and system restore.
>> Finally was able to get to registry and delete ooblbipn=C:\\Documents and
>> Settings\\myname\\Local Settings\\Application
>> Data\\pxupjv\\tnnfsysguard.exe from
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
>>
>> Checked the file properties on the executable and it shows a description
>> of Attribute Utility from Microsoft??
>>
>> Windows XP Pro with SP3, and all current updates
>> IE 8 with updates
>> Dell Dimension DM051 Intel R
>> 512 MB RAM
>>
>> --
>> Allen Hardy III
>>
>> "Old age and treachery always wins
>> over youth and skill" -
>> Willie Nelson and Waylon Jennings
>
> No native Windows executables are ever stored in a profile folder. Sounds
> like malware or a virus but it could also be part of your virus scanner.
>

PA Bear [MS MVP]
November 10th 09, 11:31 PM
You are seeing the effects of a hijackware infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via...

Consumer Security Support home page
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7=> Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here.

Checking for/Help with Hijackware:
• http://mvps.org/winhelp2002/unwanted.htm
• http://inetexplorer.mvps.org/tshoot.html
• http://www.mvps.org/sramesh2k/Malware_Defence.htm
• http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com

skeet3 wrote:
> The crazy thing about took over my puter this morning doing the usual
> thing
> of saying my system was infected, throwing all kinds of error messages up
> when I tried to get to my virus scanner, spyware scanner, and even when I
> tried getting to regedit, msconfig and system restore. Finally was able
> to
> get to registry and delete ooblbipn=C:\\Documents and
> Settings\\myname\\Local Settings\\Application
> Data\\pxupjv\\tnnfsysguard.exe
> from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
>
> Checked the file properties on the executable and it shows a description
> of
> Attribute Utility from Microsoft??
>
> Windows XP Pro with SP3, and all current updates
> IE 8 with updates
> Dell Dimension DM051 Intel R
> 512 MB RAM

VanguardLH[_2_]
November 10th 09, 11:53 PM
Pegasus [MVP] wrote:

> No native Windows executables are ever stored in a profile folder. Sounds
> like malware or a virus but it could also be part of your virus scanner.

Not true, plus how did you figure this file was a "Windows executable"?
Google has a history of installing (copying) executable files into
%userprofile% because they know that users have write, read, and
executable permissions there. They sidestep Windows normal installation
process and instead dump their executables under %userprofile%. That
way, the user that is installing Googleware (Google Earth, Google Toolbar,
etc) does NOT have to be an admin-level user to do the installation.

To eliminate Google and malware from depositing and RUNNING their
executables from your %userprofile% means having to change your
permissions on your own user profile (and for other accounts, too).

Pegasus [MVP]
November 11th 09, 06:38 AM
"VanguardLH" > wrote in message
...
> Pegasus [MVP] wrote:
>
>> No native Windows executables are ever stored in a profile folder. Sounds
>> like malware or a virus but it could also be part of your virus scanner.
>
> Not true, plus how did you figure this file was a "Windows executable"?
> Google has a history of installing (copying) executable files into
> %userprofile% because they know that users have write, read, and
> executable permissions there. They sidestep Windows normal installation
> process and instead dump their executables under %userprofile%. That
> way, the user that is installing Googleware (Google Earth, Google Toolbar,
> etc) does NOT have to be an admin-level user to do the installation.
>
> To eliminate Google and malware from depositing and RUNNING their
> executables from your %userprofile% means having to change your
> permissions on your own user profile (and for other accounts, too).

The OP wrote "Checked the file properties on the executable and it shows a
description of Attribute Utility from *Microsoft*" (asterisk added by me).
In referring to his comment I then said "native Windows executable", which
clearly refers to executables that are an intrinsic part of Windows. Google
or other third-party executable are add-ons - they are not native Windows
executables. And yes, they can reside just about anywhere.

VanguardLH[_2_]
November 11th 09, 08:29 AM
Pegasus [MVP] wrote:

> "VanguardLH" > wrote in message
> ...
>> Pegasus [MVP] wrote:
>>
>>> No native Windows executables are ever stored in a profile folder. Sounds
>>> like malware or a virus but it could also be part of your virus scanner.
>>
>> Not true, plus how did you figure this file was a "Windows executable"?
>> Google has a history of installing (copying) executable files into
>> %userprofile% because they know that users have write, read, and
>> executable permissions there. They sidestep Windows normal installation
>> process and instead dump their executables under %userprofile%. That
>> way, the user that is installing Googleware (Google Earth, Google Toolbar,
>> etc) does NOT have to be an admin-level user to do the installation.
>>
>> To eliminate Google and malware from depositing and RUNNING their
>> executables from your %userprofile% means having to change your
>> permissions on your own user profile (and for other accounts, too).
>
> The OP wrote "Checked the file properties on the executable and it shows a
> description of Attribute Utility from *Microsoft*" (asterisk added by me).
> In referring to his comment I then said "native Windows executable", which
> clearly refers to executables that are an intrinsic part of Windows. Google
> or other third-party executable are add-ons - they are not native Windows
> executables. And yes, they can reside just about anywhere.

Again not exactly true. Most installers, including from Microsoft, use
the %temp% folder. They will deposit executables there during the
install (and *maybe* perform a cleanup later). Well, the %temp% folder
is under the %userprofile% path. I haven't been monitoring the %temp%
folder to make sure that no Microsoft OS or application saves some
temporary DLLs into that folder (from which methods get called which are
the equivalent of programs).

I understand what you are trying to describe in that Microsoft normally
doesn't leave executables under the %userprofile% path and run them from
there (after an installation has completed).

The "pxupjv" folder name itself is an indicator of malware. Most
vendors would use some part of their company or product name in the
folder's name. Can't really tell anything on the "tnnfsysguard.exe"
name since a filename can be any string of characters. Looking at the
properties of the .exe file merely returns the strings that the author
put into the file's header (and malware is obviously not averse to
pretending it came from Microsoft).

To the OP:

One check for malware would be to submit the tnnfsysguard.exe to Virus
Total (http://www.virustotal.com/). That has several anti-virus/malware
programs scan against the file; however, just be careful of some of them
that might generate false positives.

The description of alerting to tons of infections (that aren't there) is
typical of rogueware. However, typically at some point they lead you
somewhere to buy their crap and that then divulges the nature of the
beast. There's something about "tnn sysguard" that rings of AntiVirus
2009 from my memory (might not be a variant of that rogueware but
instead just a similar piece of rogueware that does the same crap).

If I google on just "sysguard", there are plenty of articles that
identify it as malware and offer instructions on how to remove it (just
be careful since some of these removal sites want to run programs on
your host and are malware themselves).

http://www.threatexpert.com/files/sysguard.exe.html
PCTools site but doesn't tell you how to manually eradicate the pest.

Nil[_2_]
November 29th 09, 11:16 PM
On 10 Nov 2009, "skeet3" > wrote in
microsoft.public.windowsxp.general:

> The crazy thing about took over my puter this morning doing the
> usual thing of saying my system was infected, throwing all kinds
> of error messages up when I tried to get to my virus scanner,
> spyware scanner, and even when I tried getting to regedit,
> msconfig and system restore. Finally was able to get to registry
> and delete ooblbipn=C:\\Documents and Settings\\myname\\Local
> Settings\\Application Data\\pxupjv\\tnnfsysguard.exe from
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].

I think I've just encountered the same bug. My friend visited some web
site that seems to have installed a program that flashes notices that
"your computer is infected with a virus, Do you want to scan?". It has
also blocked access to Avast's, Superantispyware's, and Spybot's
updates (but not Ad-Aware's). It has also blocked access to Task
Manager and system shutdown.

In this case the location was \Documents and Settings\<account
name>\local settings\application data\krrxov\waqpsysguard.exe. I find a
suspicious file in the Temp folder named 572.exe - it has the same date
and time and size as waqpsysguard.exe.

So far I've been able to kill the process and remove the entry from the
registry. I hope it doesn't take too much more time to squash this. I
have better things to do tonight.

Jose
November 30th 09, 12:19 AM
On Nov 29, 6:16 pm, Nil > wrote:
> On 10 Nov 2009, "skeet3" > wrote in
> microsoft.public.windowsxp.general:
>
> > The crazy thing about took over my puter this morning doing the
> > usual thing of saying my system was infected, throwing all kinds
> > of error messages up when I tried to get to my virus scanner,
> > spyware scanner, and even when I tried getting to regedit,
> > msconfig and system restore. Finally was able to get to registry
> > and delete ooblbipn=C:\\Documents and Settings\\myname\\Local
> > Settings\\Application Data\\pxupjv\\tnnfsysguard.exe from
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
>
> I think I've just encountered the same bug. My friend visited some web
> site that seems to have installed a program that flashes notices that
> "your computer is infected with a virus, Do you want to scan?". It has
> also blocked access to Avast's, Superantispyware's, and Spybot's
> updates (but not Ad-Aware's). It has also blocked access to Task
> Manager and system shutdown.
>
> In this case the location was \Documents and Settings\<account
> name>\local settings\application data\krrxov\waqpsysguard.exe. I find a
> suspicious file in the Temp folder named 572.exe - it has the same date
> and time and size as waqpsysguard.exe.
>
> So far I've been able to kill the process and remove the entry from the
> registry. I hope it doesn't take too much more time to squash this. I
> have better things to do tonight.


Perform some scans for malicious software first, then fix any
remaining issues:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

You will most likely still have some things that do not work correctly
after the scans, but this is not unusual.

These can be fixed when the scans run clean.

Nil[_2_]
November 30th 09, 01:37 AM
On 29 Nov 2009, Jose > wrote in
microsoft.public.windowsxp.general:

> Perform some scans for malicious software first, then fix any
> remaining issues:
>
> Download, install, update and do a full scan with these free
> malware detection programs:
>
> Malwarebytes (MBAM): http://malwarebytes.org/
> SUPERAntiSpyware: (SAS): http://www.superantispyware.com/
>
> They can be uninstalled later if desired.
>
> You will most likely still have some things that do not work
> correctly after the scans, but this is not unusual.
>
> These can be fixed when the scans run clean.

I think I have it licked now. Seems that the program did two things:
install itself to start automatically on bootup, and install itself
as a local proxy server on port 5555. I killed the process, removed
the program, and undid the proxy settings in Internet Options, and
things look like they will be back to normal. I'm running
Microsoft's Malicious Software Tool now, and then I'll run
Malwarebytes, SuperAntiSpyware, Spybot, Ad-Aware, and Avast.

This is the program I was seeing:

<http://www.bleepingcomputer.com/virus-removal/remove-spyware-protect-2009>

<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aWin32%2fFakeSpypro>

None of the descriptions or repair instructions I've found mention
the proxy server, though. Maybe this is a new variety with that
extra added feature. I expect there will be many people who will
follow all the instructions but will still have internet connection
problems.

Thanks for your help.
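A read-only audit, added here as an example and not code from anyone in the thread, that checks a machine for the signs described in VanguardLH's and Nil's posts: a Run entry launching an executable from a random-named folder under the profile's Local Settings\Application Data (the "pxupjv" and "krrxov" folders), an Internet Options proxy pointed back at the local machine (the port 5555 proxy), and the policy values that lock the user out of Task Manager and Registry Editor. It assumes PowerShell 3 or later in the affected user's session; the check names and notes in the output are my own wording.

```powershell
# Added example, not code from the thread. Read-only audit for the signs described
# in the posts above; run it in the affected user's session. Nothing is modified.
$findings = @()
# 1. Run entries whose target sits in the profile's local application data
#    (XP: "Local Settings\Application Data"; Vista and later: "AppData\Local").
$profileLocal = '(?i)\\(Local Settings\\Application Data|AppData\\Local)\\'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a Run value
        $cmd = [string]$p.Value
        if ($cmd -notmatch $profileLocal) { continue }
        # Drop quotes and arguments to isolate the executable, then take its parent folder.
        $exe    = $cmd.Trim('"') -replace '(?i)(\.exe).*$', '$1'
        $folder = Split-Path -Leaf (Split-Path -Parent $exe)
        # The thread's samples (pxupjv, krrxov) were short random lowercase names where
        # a vendor or product name would normally appear.
        $note = "folder '$folder'"
        if ($folder -match '^[a-z]{5,8}$') { $note += ' looks randomly generated' }
        $findings += [pscustomobject]@{ Check = 'Run entry launches from profile local data'
                                        Where = "$key\$($p.Name)"; Value = $cmd; Note = $note }
    }
}
# 2. Internet Options proxy pointed back at this machine (the port-5555 proxy above).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1 -and
    $inet.ProxyServer -match '(?i)(127\.0\.0\.1|localhost)') {
    $findings += [pscustomobject]@{ Check = 'Local proxy enabled'; Where = "$inetKey\ProxyServer"
                                    Value = $inet.ProxyServer
                                    Note  = 'Browser traffic is routed through a process on this machine' }
}
# 3. Policy values that block Task Manager and Registry Editor for the user.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $pv  = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($pv -and $pv.$name -eq 1) {
            $findings += [pscustomobject]@{ Check = 'Tool lockout policy'; Where = "$pol\$name"
                                            Value = 1; Note = 'Legitimate only if an administrator set it' }
        }
    }
}
if ($findings.Count -eq 0) { 'No Run-key, proxy or lockout indicators found.' }
else { $findings | Format-List }
```

A hit on any of the three checks is a reason to investigate the listed value, not proof of infection on its own; an installer that legitimately lives under the profile will show a recognisable vendor folder name rather than a random one.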

Jose
November 30th 09, 01:45 AM
> I think I have it licked now. Seems that the program did two things:
> install itself to start automatically on bootup, and install itself
> as a local proxy server on port 5555. I killed the process, removed
> the program, and undid the proxy settings in Internet Options, and
> things look like they will be back to normal. I'm running
> Microsoft's Malicious Software Tool now, and then I'll run
> Malwarebytes, SuperAntiSpyware, Spybot, Ad-Aware, and Avast.
>
> This is the program I was seeing:
>
> <http://www.bleepingcomputer.com/virus-removal/remove-spyware-protect-...>
>
> <http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.as...>
>
> None of the descriptions or repair instructions I've found mention
> the proxy server, though. Maybe this is a new variety with that
> extra added feature. I expect there will be many people who will
> follow all the instructions but will still have internet connection
> problems.
>
> Thanks for your help.

Yes - it is best to follow the removal procedures if there are some
specific ones (like that one) and MBAM and SAS are also good ideas for
you.

You mentioned without much detail:

It has also blocked access to Task Manager and system shutdown.

Things like that sometimes remain inaccessible and need additional
attention even after scanning, so see how things look when you are
done.
