Technology Questions

  #1 (permalink)  
Old 11-10-2009, 08:00 AM
skeet3
Newsgroup Contributor
 
Posts: n/a
Has anyone run into executable file tnnfsysguard?

The crazy thing about took over my puter this morning doing the usual thing
of saying my system was infected, throwing all kinds of error messages up
when I tried to get to my virus scanner, spyware scanner, and even when I
tried getting to regedit, msconfig and system restore. Finally was able to
get to registry and delete ooblbipn=C:\\Documents and
Settings\\myname\\Local Settings\\Application Data\\pxupjv\\tnnfsysguard.exe
from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].

Checked the file properties on the executable and it shows a description of
Attribute Utility from Microsoft??

Windows XP Pro with SP3, and all current updates
IE 8 with updates
Dell Dimension DM051 Intel R
512 MB RAM

--
Allen Hardy III

"Old age and treachery always wins
over youth and skill" -
Willie Nelson and Waylon Jennings


  #2 (permalink)  
Old 11-10-2009, 08:10 AM
Pegasus [MVP]
Newsgroup Contributor
 
Posts: n/a
Re: Has anyone run into executable file tnnfsysguard?


"skeet3" <adssuck@adssuck.net> wrote in message
news:O%23I4R2hYKHA.1596@TK2MSFTNGP06.phx.gbl...
> The crazy thing about took over my puter this morning doing the usual
> thing of saying my system was infected, throwing all kinds of error
> messages up when I tried to get to my virus scanner, spyware scanner, and
> even when I tried getting to regedit, msconfig and system restore.
> Finally was able to get to registry and delete ooblbipn=C:\\Documents and
> Settings\\myname\\Local Settings\\Application
> Data\\pxupjv\\tnnfsysguard.exe from
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
>
> Checked the file properties on the executable and it shows a description
> of Attribute Utility from Microsoft??
>
> Windows XP Pro with SP3, and all current updates
> IE 8 with updates
> Dell Dimension DM051 Intel R
> 512 MB RAM
>
> --
> Allen Hardy III
>
> "Old age and treachery always wins
> over youth and skill" -
> Willie Nelson and Waylon Jennings


No native Windows executables are ever stored in a profile folder. Sounds
like malware or a virus but it could also be part of your virus scanner.



  #3 (permalink)  
Old 11-10-2009, 08:20 AM
skeet3
Newsgroup Contributor
 
Posts: n/a
Re: Has anyone run into executable file tnnfsysguard?

Yes, it was malware. Finally got to run my spyware scanner and dumped the
remaining registry entries.

Thanks

"Pegasus [MVP]" <news@microsoft.com> wrote in message
news:eRFto9hYKHA.4312@TK2MSFTNGP04.phx.gbl...
>
> "skeet3" <adssuck@adssuck.net> wrote in message
> news:O%23I4R2hYKHA.1596@TK2MSFTNGP06.phx.gbl...
>> The crazy thing about took over my puter this morning doing the usual
>> thing of saying my system was infected, throwing all kinds of error
>> messages up when I tried to get to my virus scanner, spyware scanner,
>> and even when I tried getting to regedit, msconfig and system restore.
>> Finally was able to get to registry and delete ooblbipn=C:\\Documents and
>> Settings\\myname\\Local Settings\\Application
>> Data\\pxupjv\\tnnfsysguard.exe from
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
>>
>> Checked the file properties on the executable and it shows a description
>> of Attribute Utility from Microsoft??
>>
>> Windows XP Pro with SP3, and all current updates
>> IE 8 with updates
>> Dell Dimension DM051 Intel R
>> 512 MB RAM
>>
>> --
>> Allen Hardy III
>>
>> "Old age and treachery always wins
>> over youth and skill" -
>> Willie Nelson and Waylon Jennings

>
> No native Windows executables are ever stored in a profile folder. Sounds
> like malware or a virus but it could also be part of your virus scanner.
>




  #4 (permalink)  
Old 11-10-2009, 03:40 PM
PA Bear [MS MVP]
Newsgroup Contributor
 
Posts: n/a
Re: Has anyone run into executable file tnnfsysguard?

You are seeing the effects of a hijackware infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/de...prid=7552&st=1

Also available via...

Consumer Security Support home page
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/ma...e/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7 => Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here.

Checking for/Help with Hijackware:
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/...moving_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachi...php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com

skeet3 wrote:
> The crazy thing about took over my puter this morning doing the usual
> thing
> of saying my system was infected, throwing all kinds of error messages up
> when I tried to get to my virus scanner, spyware scanner, and even when I
> tried getting to regedit, msconfig and system restore. Finally was able
> to
> get to registry and delete ooblbipn=C:\\Documents and
> Settings\\myname\\Local Settings\\Application
> Data\\pxupjv\\tnnfsysguard.exe
> from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].
>
> Checked the file properties on the executable and it shows a description
> of
> Attribute Utility from Microsoft??
>
> Windows XP Pro with SP3, and all current updates
> IE 8 with updates
> Dell Dimension DM051 Intel R
> 512 MB RAM



  #5 (permalink)  
Old 11-10-2009, 04:00 PM
VanguardLH
Newsgroup Contributor
 
Posts: n/a
Re: Has anyone run into executable file tnnfsysguard?

Pegasus [MVP] wrote:

> No native Windows executables are ever stored in a profile folder. Sounds
> like malware or a virus but it could also be part of your virus scanner.


Not true, plus how did you figure this file was a "Windows executable"?
Google has a history of installing (copying) executable files into
%userprofile% because they know that users have write, read, and
executable permissions there. They sidestep Windows normal installation
process and instead dump their executables under %userprofile%. That
way, the user that is installing Googleware (Google Earth, Google Toolbar,
etc) does NOT have to be an admin-level user to do the installation.

To eliminate Google and malware from depositing and RUNNING their
executables from your %userprofile% means having to change your
permissions on your own user profile (and for other accounts, too).

  #6 (permalink)  
Old 11-10-2009, 10:40 PM
Pegasus [MVP]
Newsgroup Contributor
 
Posts: n/a
Re: Has anyone run into executable file tnnfsysguard?


"VanguardLH" <V@nguard.LH> wrote in message
news:hdcue2$2s8$1@news.albasani.net...
> Pegasus [MVP] wrote:
>
>> No native Windows executables are ever stored in a profile folder. Sounds
>> like malware or a virus but it could also be part of your virus scanner.

>
> Not true, plus how did you figure this file was a "Windows executable"?
> Google has a history of installing (copying) executable files into
> %userprofile% because they know that users have write, read, and
> executable permissions there. They sidestep Windows normal installation
> process and instead dump their executables under %userprofile%. That
> way, the user that is installing Googleware (Google Earth, Google Toolbar,
> etc) does NOT have to be an admin-level user to do the installation.
>
> To eliminate Google and malware from depositing and RUNNING their
> executables from your %userprofile% means having to change your
> permissions on your own user profile (and for other accounts, too).


The OP wrote "Checked the file properties on the executable and it shows a
description of Attribute Utility from *Microsoft*" (asterisk added by me).
In referring to his comment I then said "native Windows executable", which
clearly refers to executables that are an intrinsic part of Windows. Google
or other third-party executables are add-ons - they are not native Windows
executables. And yes, they can reside just about anywhere.



  #7 (permalink)  
Old 11-11-2009, 12:40 AM
VanguardLH
Newsgroup Contributor
 
Posts: n/a
Re: Has anyone run into executable file tnnfsysguard?

Pegasus [MVP] wrote:

> "VanguardLH" <V@nguard.LH> wrote in message
> news:hdcue2$2s8$1@news.albasani.net...
>> Pegasus [MVP] wrote:
>>
>>> No native Windows executables are ever stored in a profile folder. Sounds
>>> like malware or a virus but it could also be part of your virus scanner.

>>
>> Not true, plus how did you figure this file was a "Windows executable"?
>> Google has a history of installing (copying) executable files into
>> %userprofile% because they know that users have write, read, and
>> executable permissions there. They sidestep Windows normal installation
>> process and instead dump their executables under %userprofile%. That
>> way, the user that is installing Googleware (Google Earth, Google Toolbar,
>> etc) does NOT have to be an admin-level user to do the installation.
>>
>> To eliminate Google and malware from depositing and RUNNING their
>> executables from your %userprofile% means having to change your
>> permissions on your own user profile (and for other accounts, too).

>
> The OP wrote "Checked the file properties on the executable and it shows a
> description of Attribute Utility from *Microsoft*" (asterisk added by me).
> In referring to his comment I then said "native Windows executable", which
> clearly refers to executables that are an intrinsic part of Windows. Google
> or other third-party executables are add-ons - they are not native Windows
> executables. And yes, they can reside just about anywhere.


Again not exactly true. Most installers, including from Microsoft, use
the %temp% folder. They will deposit executables there during the
install (and *maybe* perform a cleanup later). Well, the %temp% folder
is under the %userprofile% path. I haven't been monitoring the %temp%
folder to make sure that no Microsoft OS or application saves some
temporary DLLs into that folder (from which methods get called which are
the equivalent of programs).

I understand what you are trying to describe in that Microsoft normally
doesn't leave executables under the %userprofile% path and run them from
there (after an installation has completed).

The "pxupjv" folder name itself is an indicator of malware. Most
vendors would use some part of their company or product name in the
folder's name. Can't really tell anything on the "tnnfsysguard.exe"
name since a filename can be any string of characters. Looking at the
properties of the .exe file merely returns the strings that the author
put into the file's header (and malware is obviously not averse to
pretending it came from Microsoft).

To the OP:

One check for malware would be to submit the tnnfsysguard.exe to Virus
Total (http://www.virustotal.com/). That has several anti-virus/malware
programs scan against the file; however, just be careful of some of them
that might generate false positives.

The description of alerting to tons of infections (that aren't there) is
typical of rogueware. However, typically at some point they lead you
somewhere to buy their crap and that then divulges the nature of the
beast. There's something about "tnn sysguard" that rings of AntiVirus
2009 from my memory (might not be a variant of that rogueware but
instead just a similar piece of rogueware that does the same crap).

If I google on just "sysguard", there are plenty of articles that
identify it as malware and offer instructions on how to remove it (just
be careful since some of these removal sites want to run programs on
your host and are malware themselves).

http://www.threatexpert.com/files/sysguard.exe.html
PCTools site but doesn't tell you how to manually eradicate the pest.
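
An added example, not part of the original thread: a Python script that applies the location check discussed above to a regedit export, listing Run-key values whose program sits under a user profile rather than trusting the file's description strings. The sample export is constructed, and the function names and the list of path markers are assumptions of this example.

```python
import re

# Constructed sample in regedit export (.reg) format. The first Run value
# mirrors the entry quoted in the thread; the other values are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ooblbipn"="C:\\Documents and Settings\\myname\\Local Settings\\Application Data\\pxupjv\\tnnfsysguard.exe"
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /min"
"Updater"="C:\\DOCUME~1\\myname\\LOCALS~1\\Temp\\upd.exe -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Ignored"="C:\\Documents and Settings\\myname\\x.exe"
'''

# Assumed markers for per-user, user-writable locations (lower case).
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\users\\",
                 "%userprofile%", "%appdata%", "%localappdata%", "%temp%")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\]$", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)

def command_to_exe(command):
    # A Run value is a command line: strip arguments, keep the program path.
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else command

def audit_run_entries(reg_text):
    """Return (value name, program path) for Run entries under a user profile."""
    findings, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = bool(RUN_KEY_RE.search(line))
            continue
        m = VALUE_RE.match(line) if in_run_key else None
        if m is None:  # other keys, blank lines, non-string value types
            continue
        name = unescape(m.group(1))
        exe = command_to_exe(unescape(m.group(2)))
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            findings.append((name, exe))
    return findings

if __name__ == "__main__":
    for name, exe in audit_run_entries(SAMPLE_REG):
        print(f"review: {name} -> {exe}")
```

A version 5.00 export written by regedit is UTF-16 encoded, so decode the file before passing its text to `audit_run_entries`. A hit is a prompt for review, since legitimate per-user installers also register programs from the profile.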

All times are GMT -8.