Wed, Sep 28, 2005 12:10 am

RB Laptop Infections - Sept 26 2005

I updated the Norton AntiVirus 2005 virus definitions on R.B.'s laptop from ones dated 8/3/2005 to ones dated 9/26/2005 using the latest Intelligent Updater virus definitions to prepare for running a full scan of the system. But before I could run the scan, a window opened displaying a virus alert.

Norton AntiVirus - Virus Alert

Object Name:   C:\WINDOWS\system32\hhk.dll
Virus Name:    Trojan Horse
Action Taken:  Unable to repair this file.

When I clicked on "OK", I got the message "Access to the file was denied". And when I clicked on "OK" for that message I was back to the original message and was stuck in a circle with clicking on one message bringing up the other over and over again.

Clicking on the Trojan Horse link just brought up a Symantec webpage with generic information on trojans, which was of no help at all. Unfortunately, Symantec seems to provide a generic "trojan" page for many trojans when surely they must have some information on particular trojans.

Sophos links hhk.dll to Troj/Puper-D, which it describes as "a browser hacking Trojan for the Windows platform." It indicates that the file shnlog.exe is associated with this trojan. I've seen references to shnlog.exe not closing properly when I shut down the system, i.e. messages indicating the application failed to initialize because the system is shutting down.

I ran a complete scan of the system even though the hhk.dll virus alert couldn't be dismissed. That scan found the following:

Filename       Threat name        Action         Status
hhk.dll        Trojan Horse       Virus found    Infected
hp832A.tmp     Trojan Horse       Virus found    Infected
intmon.exe     Trojan Horse       Virus found    Infected
popuper.exe    Adware.popuppers   Adware found   At risk
shnlog.exe     Adware.popuppers   Adware found   At risk

The files were found in the following locations:

File           Location
hhk.dll        c:\windows\system32
hp832A.tmp     c:\windows\system32
intmon.exe     c:\windows\system32
popuper.exe    c:\windows
shnlog.exe     c:\windows\system32

I opted to have Norton AntiVirus attempt to fix the problems. It reported "quarantine failed" for hhk.dll and hp832A.tmp. It then asked if I wanted to delete files. It was still unable to remove everything, reporting "delete failed" for hhk.dll, hp832A.tmp, popuper.exe, and shnlog.exe. It reported intmon.exe as "quarantined".

I started regedit. I noticed that there was still a key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run for "PSGuard spware remover" with a value of "C:\Program Files\PSGuard\PSGuard.exe". That malware had previously been removed, so I removed the key.

The Sophos webpage states that, in order to run itself on startup, the Troj/Puper-D trojan creates a registry value named paint.exe under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run which points to shnlog.exe. I removed that value, as well as one named notepad2.exe which pointed to popuper.exe.

Name          Type     Data
paint.exe     REG_SZ   shnlog.exe
notepad2.exe  REG_SZ   popuper.exe

I then rebooted. Norton AntiVirus was then reporting hp8A66.tmp as a Trojan Horse and indicating it couldn't repair it. When I dismissed its warnings for that file, it reported it couldn't repair HHK.DLL again.

I tried deleting shnlog.exe, but couldn't delete the file and when I checked the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run, I found the paint.exe entry was back pointing to shnlog.exe. I deleted it again and within a few moments it was back again.

I then rebooted the system into Safe Mode and ran a scan of the system with Spybot Search & Destroy 1.4 using adware/spyware definitions from 9/23/2005. It found a plethora of malware, including AV-Gold. On a BleepingComputer.Com webpage titled "How to remove AntiVirus Gold or AVGold", I found the following description for it:

Antivirus Gold is a supposed AntiSpyware application that gets installed by Spyware/malware without asking for permission. This infection hijacks your desktop to display an ad stating you need to buy an antispyware program.

There were also removal instructions on that webpage, but I chose to have Spybot remove it. Spybot also found remnants of PSGuard, which also purports to offer you protection for your system, still on the system. It also reported CoolWWWSearch.ToonComics, PSGuard.msmsgs, QuickNavigate, Smitfraud-C, and Zonemap.Ranges. When I chose to have Spybot remove everything it found, it reported that it couldn't fix 14 items and asked if it could run again when the system was rebooted. I indicated "yes" and rebooted.

A Spybot scan ran again immediately after I rebooted, but again it couldn't remove everything and suggested it be run immediately after a system restart, so I rebooted again after it completed its second scan. On the next scan, it found 27 registry entries related to Smitfraud-C, which I requested it fix. However, Spybot reported it fixed 0 of the 27 problems it found and again suggested a reboot to fix the problems it couldn't fix. But again it found 27 entries for Smitfraud-C and reported "Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart." Again it asked "May Spybot S&D run on your next system startup?" This time I answered "no", since it seemed unable to deal with the problem. But it seems to have dealt with HHK.DLL, since it was no longer in the c:\windows\system32 folder and Norton AntiVirus is no longer displaying alerts immediately after the system is rebooted.

I noticed SpyCatcher was on the system, though I didn't see any process named "spycatcher" in the Task Manager processes list. When I went to "Start" and "Programs", there was a group titled "SpyCatcher", but the only entry within it was "Uninstall Spycatcher", though all of the files, including a SpyCatcher.exe, appeared to be present under "C:\Program Files\SpyCatcher". At the Tenebril webpage selling the product, the first feature listed for it is "Allows novice PC users to remove aggressive spyware". The Spyware Warrior Rogue/Suspect Anti-Spyware Products & Web Sites page stated it was a lesser-known antispyware product that had been tested but not found to be a rogue/suspect antispyware product. Products purporting to be antispyware programs that "are of unknown, questionable, or dubious value as anti-spyware protection" are placed on the rogue/suspect list maintained at that webpage.

In addition to selling SpyCatcher, the Tenebril website also offers a free online scan for spyware at Free Online Spyware Scan.

Since SpyCatcher wasn't listed as a dubious antispyware program, I started it, but was presented with the message "Before using SpyCatcher, you must register the product with your e-mail address and CD order number." I found a positive review, SpyCatcher Review by Chris Hall at Pocket-lint.co.uk and a four-star rating for it at SpyCatcher - adware and spyware scanner on the SnapFiles website.

Since the price was only $19.95, I decided to try the product to see how it performed. After purchasing it, I was given a serial number, which I entered on the infected system. I couldn't immediately run the software, however. It insisted I must log onto the Internet to unlock SpyCatcher. So, if you had a serious adware/spyware problem that prevented you from accessing the Internet, which I've seen occur on many systems, you wouldn't be able to use the software unless you already had it installed and registered on the infected system.

I updated SpyCatcher and had it scan the system. It appeared to get stuck on the "Loading fingerprint library" phase. It indicated it loaded 13,336 fingerprints and then appeared to hang. It didn't show any updates to the "running programs scanned", "registry items scanned", or "files and folders scanned" counters.

After killing the SpyCatcher.exe process and restarting it only to get the same results, I gave up on it and installed Microsoft AntiSpyware Beta1. I ran the default "intelligent quick scan", but it found nothing, so I ran a "full scan" with all options selected. It took twice as long - about 10 minutes versus about 5 minutes for the quick scan, but also found nothing.

I then decided to run another scan with Norton AntiVirus 2005 to see what it was still reporting. While that was running, a Norton Personal Firewall alert popped up stating that "tgshell.exe is attempting to connect to a DNS server" and asking "what do you want to do?" When I searched for information on tgshell.exe, I found the following at Task List Programs - T on the AnswersThatWork.com site.

Tgmd  Tgmd.exe
(Tioga software / Support.com)

This is the sort of software we classify as spyware.  It is part of Tioga Software's remote support and management tools (Tioga.com, Support.com, and SupportSoft.com are one and the same company) and is installed by the setup CD of the @Home ISP (@Home and MediaOne are now part of Comcast, with the ComcastSupport software being the main culprit for introducing TGCMD on a PC).  The Tioga/SupportSoft.com software is also included in the Sony Support software that comes with some Sony Vaio's and HP Pavillion's.  The original intention of TG CMD is to have your @Home service or systems software automatically updated when you are online, to provide a remote support technician with setup information about your PC, and, in some cases, to allow the remote support technician to connect to your PC and see what you are doing - in short, technical support is indeed the original intention; unfortunately, its features are also very useful to advertisers and so, depending on who supplied it, TGCMD will also collect information from your PC, which web pages you have visited, what you have downloaded, and permission based information about your system, its software, its settings, etc...,  As if that were not enough for us to recommend disabling it, it has additionally also been known to create a WININIT.INI file in the Windows folder, something which straight away prevents Windows ME users from using the extremely valuable System Restore feature of Windows ME.  Finally, many users have also reported : being unable to clear the Internet history files when it is running, Eudora startup problems, SDCSchedulerWindow error messages on shutdown of Windows, and inability to delete video, audio, or graphics files.

Recommendation :
If you are a Comcast customer, de-install "Comcast Support" through the Add/Remove icon in your Control Panel.  Next, look up BJCFD in these Task List pages. If you have a Sony Vaio, de-install the "Vaio Support Agent" through the Add/Remove icon in your Control Panel.  In all cases, if the de-installation of Comcast Support or Vaio Support Agent does not remove TGCMD after a reboot, then Immediately disable TGCMD using  The Ultimate Troubleshooter !

Tgshell  TGSHELL.exe
(Tioga Software / Support.com)

Read TGCMD above.

Recommendation :
Absolutely nightmarish software which eats up CPU, drives the hard disk hard, causes boot-up Kernel32 errors, generates illegal operations, invalid page faults, and much more.  De-install as per instructions for TGMD above.

I chose to "Always block connections from this program on all ports" for tgshell.exe.

When the Norton AntiVirus scan completed, it reported "no threats found." I ran a Spybot scan again and it again found the same 27 Smitfraud-C registry entries, under HKEY_USERS\...\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\, which it couldn't fix. It appears to be reporting all of the sites that are listed in Internet Explorer's Restricted sites zone, which is a zone that Internet Explorer uses to restrict access to "Web sites that could potentially damage your computer or data", so it appears to be a false positive rather than any real threat.
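Two checks from this write-up can be automated against a regedit export taken from the infected machine: a value under policies\explorer\run (or Run) whose name mimics a harmless program but launches a different file, as paint.exe did for shnlog.exe, and ZoneMap\Domains entries, which only merit attention when they add a site to the Trusted sites zone (zone 2) rather than the Restricted sites zone (zone 4) that Spybot kept flagging. The script below is an added example, not code from the original post; the .reg text and the SID in it are constructed.

```python
"""Triage a regedit (.reg) export for disguised autostart values and for
domains added to IE's Trusted sites zone. Zone ids: 2 = Trusted sites,
4 = Restricted sites. The sample export is constructed, not from the laptop."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"paint.exe"="shnlog.exe"
"notepad2.exe"="popuper.exe"
"Updater"="C:\\Program Files\\Updater\\Updater.exe"

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.invalid]
"*"=dword:00000004

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"*"=dword:00000002
"""

AUTOSTART_KEYS = ("\\currentversion\\run", "\\policies\\explorer\\run")
# "name"="string" or "name"=dword:xxxxxxxx; .reg escapes backslash and quote with a backslash
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    unescape = lambda v: v.replace('\\"', '"').replace("\\\\", "\\")
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            name, s, dw = m.groups()
            keys[current][unescape(name)] = int(dw, 16) if dw is not None else unescape(s)
    return keys

def basename(command):
    """Lower-cased file name of the program a command line launches."""
    return command.rsplit("\\", 1)[-1].strip('"').split(" ")[0].lower()

def disguised_autostarts(keys):
    """Autostart values named like an .exe that actually launch a different file."""
    return [(name, data) for key, values in keys.items()
            if key.lower().endswith(AUTOSTART_KEYS)
            for name, data in values.items()
            if isinstance(data, str) and name.lower().endswith(".exe") and basename(data) != name.lower()]

def trusted_zone_domains(keys):
    """Domains whose ZoneMap entry places them in zone 2 (Trusted sites)."""
    return sorted(key.rsplit("\\", 1)[-1] for key, values in keys.items()
                  if "\\zonemap\\domains\\" in key.lower() and 2 in values.values())
```

Run it against a real export with `parse_reg(open("export.reg", encoding="utf-16").read())`, since regedit writes .reg files as UTF-16; entries in zone 4 are left out of the report on purpose.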

[/security/viruses] permanent link

Tue, Sep 20, 2005 11:58 pm

RB Laptop Infections

I was given a laptop running Windows XP Home Edition with a report that it was badly infected. Norton AntiVirus 2005 was installed on the system. It was displaying alerts that the system was infected with W32.Desktophijack.

I installed Bazooka Adware and Spyware Scanner 1.13.03 on the system and updated its database to the September 20, 2005 version. It found the following malware:

Exploit ebs.fuck-access.com
Exploit crackzws-1
Exploit Lookforthe.net

For "Exploit ebs.fuck-access.com", I checked Bazooka's manual removal instructions, which suggested starting the system in safe mode and checking for various registry keys and files. I didn't find any of the listed registry keys, but I did find two of the files: c:\windows\system32\oleadm.dll and c:\windows\system\wp.bmp. I submitted oleadm.dll to Jotti's Online Malware Scan for analysis. The report I received showed that many of the 14 antivirus programs Jotti uses detected the file as being part of a trojan.

I generated a log in Bazooka, which I examined. It only listed C:\Windows\System32\wp.bmp as being associated with "Exploit ebs.fuck-access.com"; it didn't list oleadm.dll, even though the removal instructions advised removing that file if it was found. Symantec was reporting W32.Desktophijack. Its webpage for that malware indicates that wp.bmp is associated with W32.Desktophijack, but it doesn't list the other files that Bazooka reports are associated with "Exploit ebs.fuck-access.com". I had to remove oleadm.dll as well as wp.bmp before Bazooka no longer detected "Exploit ebs.fuck-access.com" on the system.

I replaced the infected wininet.dll file with an uninfected copy of the file that was in c:\i386 (see W32_Desktophijack - September 17, 2005 for the MD5 checksums for the infected and uninfected versions of the file and additional information).

For the "Exploit crackz.ws 1" infection, I checked under "Add or Remove Programs" for "Content Delivery Module", "Internet Update", "OIN", "PSGuard" or "UCMore - The Search Accelerator", which the Bazooka webpage indicated are associated with this malware, but didn't find any of those. But I had noticed a deleted shortcut for PSGuard in the Recycle Bin and there was an empty "C:\Program Files\PSGuard" directory with a timestamp of 8/3/2005 6:18 PM. Apparently the software was on the system, but was deleted by the user. When I deleted that directory, Bazooka no longer reported the presence of "Exploit crackz.ws 1".

To remove "Exploit Lookforthe.net", I followed the removal instructions provided by Kephyr. I started the system in Safe Mode and then ran the registry editor, regedit. I didn't see an Olympic key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but I did see an intell32.exe key with a value of "C:\WINDOWS\System32\intell32.exe". I deleted the key and removed the file from the system. That file had a time stamp of 9/20/2005 11:14 PM and was 6,144 bytes. The creation date was Saturday, August 27, 2005 1:49:48 AM.

I also found one of the other files, oleext.dll, listed on the Kephyr page as being associated with this malware. It was also in the "C:\WINDOWS\system32\" directory. At SpyWare BeWare! -> PSGuard, I found a reference to this file being linked to "Trojan.Desktophijack.C". The Symantec webpage indicates this is another piece of malware that attempts to dupe unsuspecting users into downloading antispyware software by displaying a warning message linked to this malware. In reality the user's system is indeed infected - by this malware. Clicking on the link in the displayed message will take the user to a download.psguard.com webpage. I deleted oleext.dll. I didn't see any of the other files Kephyr's site reported as associated with this malware. I then went into Internet Explorer, went to "Tools" and selected "Programs", and then "Reset Web Settings".

After removing the intell32.exe registry entry and the intell32.exe and oleext.dll files, I rescanned the system with Bazooka Adware and Spyware Scanner. It reported "Nothing Detected".

I then rebooted the system normally only to find Norton AntiVirus now displaying the message "Norton AntiVirus 2005 does not support the Repair feature, please uninstall and reinstall." I rebooted again and the message didn't reappear.

[/security/viruses] permanent link

Fri, Sep 24, 2004 3:15 pm

Example Virus Messages

Examples of messages containing various worms, viruses, and trojans.

[/security/viruses] permanent link
