Has anyone run into executable file tnnfsysguard?

skeet3

The crazy thing about took over my puter this morning doing the usual thing
of saying my system was infected, throwing all kinds of error messages up
when I tried to get to my virus scanner, spyware scanner, and even when I
tried getting to regedit, msconfig and system restore. Finally was able to
get to registry and delete ooblbipn=C:\\Documents and
Settings\\myname\\Local Settings\\Application Data\\pxupjv\\tnnfsysguard.exe
from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run].

Checked the file properties on the executable and it shows a description of
Attribute Utility from Microsoft??

Windows XP Pro with SP3, and all current updates
IE 8 with updates
Dell Dimension DM051 Intel R
512 MB RAM

--
Allen Hardy III

"Old age and treachery always wins
over youth and skill" -
Willie Nelson and Waylon Jennings
 
Pegasus [MVP]

No native Windows executables are ever stored in a profile folder. Sounds
like malware or a virus but it could also be part of your virus scanner.
 
skeet3

Yes, it was malware. Finally got to run my spyware scanner and dumped the
remaining registry entries.

Thanks

PA Bear [MS MVP]

You are seeing the effects of a hijackware infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via...

Consumer Security Support home page
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7 => Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here.

Checking for/Help with Hijackware:
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com
 
VanguardLH

Pegasus said:
No native Windows executables are ever stored in a profile folder. Sounds
like malware or a virus but it could also be part of your virus scanner.

Not true, plus how did you figure this file was a "Windows executable"?
Google has a history of installing (copying) executable files into
%userprofile% because they know that users have write, read, and
executable permissions there. They sidestep Windows normal installation
process and instead dump their executables under %userprofile%. That
way, the user that is installing Googleware (Google Earth, Google Toolbar,
etc) does NOT have to be an admin-level user to do the installation.

To eliminate Google and malware from depositing and RUNNING their
executables from your %userprofile% means having to change your
permissions on your own user profile (and for other accounts, too).
 
Pegasus [MVP]

VanguardLH said:
Not true, plus how did you figure this file was a "Windows executable"?
Google has a history of installing (copying) executable files into
%userprofile% because they know that users have write, read, and
executable permissions there. They sidestep Windows normal installation
process and instead dump their executables under %userprofile%. That
way, the user that is installing Googleware (Google Earth, Google Toolbar,
etc) does NOT have to be an admin-level user to do the installation.

To eliminate Google and malware from depositing and RUNNING their
executables from your %userprofile% means having to change your
permissions on your own user profile (and for other accounts, too).

The OP wrote "Checked the file properties on the executable and it shows a
description of Attribute Utility from *Microsoft*" (asterisk added by me).
In referring to his comment I then said "native Windows executable", which
clearly refers to executables that are an intrinsic part of Windows. Google
or other third-party executables are add-ons - they are not native Windows
executables. And yes, they can reside just about anywhere.
 
VanguardLH

Pegasus said:
The OP wrote "Checked the file properties on the executable and it shows a
description of Attribute Utility from *Microsoft*" (asterisk added by me).
In referring to his comment I then said "native Windows executable", which
clearly refers to executables that are an intrinsic part of Windows. Google
or other third-party executables are add-ons - they are not native Windows
executables. And yes, they can reside just about anywhere.

Again not exactly true. Most installers, including from Microsoft, use
the %temp% folder. They will deposit executables there during the
install (and *maybe* perform a cleanup later). Well, the %temp% folder
is under the %userprofile% path. I haven't been monitoring the %temp%
folder to make sure that no Microsoft OS or application saves some
temporary DLLs into that folder (from which methods get called which are
the equivalent of programs).

I understand what you are trying to describe in that Microsoft normally
doesn't leave executables under the %userprofile% path and run them from
there (after an installation has completed).

The "pxupjv" folder name itself is an indicator of malware. Most
vendors would use some part of their company or product name in the
folder's name. Can't really tell anything on the "tnnfsysguard.exe"
name since a filename can be any string of characters. Looking at the
properties of the .exe file merely returns the strings that the author
put into the file's header (and malware is obviously not averse to
pretending it came from Microsoft).

To the OP:

One check for malware would be to submit the tnnfsysguard.exe to Virus
Total (http://www.virustotal.com/). That has several anti-virus/malware
programs scan against the file; however, just be careful of some of them
that might generate false positives.

The description of alerting to tons of infections (that aren't there) is
typical of rogueware. However, typically at some point they lead you
somewhere to buy their crap and that then divulges the nature of the
beast. There's something about "tnn sysguard" that rings of AntiVirus
2009 from my memory (might not be a variant of that rogueware but
instead just a similar piece of rogueware that does the same crap).

If I google on just "sysguard", there are plenty of articles that
identify it as malware and offer instructions on how to remove it (just
be careful since some of these removal sites want to run programs on
your host and are malware themselves).

http://www.threatexpert.com/files/sysguard.exe.html
PCTools site but doesn't tell you how to manually eradicate the pest.
 
Nil

I think I've just encountered the same bug. My friend visited some web
site that seems to have installed a program that flashes notices that
"your computer is infected with a virus, Do you want to scan?". It has
also blocked access to Avast's, Superantispyware's, and Spybot's
updates (but not Ad-Aware's). It has also blocked access to Task
Manager and system shutdown.

In this case the location was \Documents and Settings\<account
name>\local settings\application data\krrxov\waqpsysguard.exe. I find a
suspicious file in the Temp folder named 572.exe - it has the same date
and time and size as waqpsysguard.exe.

So far I've been able to kill the process and remove the entry from the
registry. I hope it doesn't take too much more time to squash this. I
have better things to do tonight.
 
Jose

Perform some scans for malicious software first, then fix any
remaining issues:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

You will most likely still have some things that do not work correctly
after the scans, but this is not unusual.

These can be fixed when the scans run clean.
 
Nil

I think I have it licked now. Seems that the program did two things:
install itself to start automatically on bootup, and install itself
as a local proxy server on port 5555. I killed the process, removed
the program, and undid the proxy settings in Internet Options, and
things look like they will be back to normal. I'm running
Microsoft's Malicious Software Tool now, and then I'll run
Malwarebytes, SuperAntiSpyware, Spybot, Ad-Aware, and Avast.

This is the program I was seeing:

<http://www.bleepingcomputer.com/virus-removal/remove-spyware-protect-2009>

<http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan:Win32/FakeSpypro>

None of the descriptions or repair instructions I've found mention
the proxy server, though. Maybe this is a new variety with that
extra added feature. I expect there will be many people who will
follow all the instructions but will still have internet connection
problems.

Thanks for your help.
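
The two changes described in this post (an autorun entry and a local proxy on port 5555), along with the Run value quoted in the original post, can be checked offline from a registry export. This is an added example, not code from anyone in the thread; the ExampleAV entry and the exact ProxyServer string are constructed, and an autorun under a profile path is a triage flag rather than a verdict.

```python
import re

# Constructed sample in "reg export" text form. The Run value and port 5555
# are from the thread; ExampleAV and the ProxyServer string are assumptions.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ooblbipn"="C:\\Documents and Settings\\myname\\Local Settings\\Application Data\\pxupjv\\tnnfsysguard.exe"
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\tray.exe\" /min"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:5555"
'''

VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
PROFILE = re.compile(r'\\(documents and settings|users)\\[^\\]+\\|%(userprofile|temp|appdata)%', re.I)
LOOPBACK = re.compile(r'(^|[=;])\s*(127\.\d+\.\d+\.\d+|localhost)(:\d+)?', re.I)

def unescape(raw):
    """Decode a quoted .reg string literal; dword/hex data passes through."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw

def parse_reg(text):
    """Yield (key, value_name, data) for each named value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            yield key, m.group(1), unescape(m.group(2))

def triage(text):
    """Flag autoruns that start from a profile path and an enabled loopback proxy."""
    findings, inet = [], {}
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
            if PROFILE.search(data):  # triage flag only: some legitimate software installs here
                findings.append(('autorun-in-profile', name, data))
        elif k.endswith('\\internet settings'):
            inet[name.lower()] = data
    proxy = inet.get('proxyserver', '')
    if inet.get('proxyenable') == 'dword:00000001' and LOOPBACK.search(proxy):
        findings.append(('loopback-proxy', 'ProxyServer', proxy))
    return findings
```

Exports in the Version 5.00 format are UTF-16, so decode the file before passing its text to `triage()`.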
 
Jose

Yes - it is best to follow the removal procedures if there are some
specific ones (like that one) and MBAM and SAS are also good ideas for
you.

You mentioned without much detail:

It has also blocked access to Task Manager and system shutdown.

Things like that sometimes remain inaccessible and need additional
attention even after scanning, so see how things look when you are
done.
 
