MoonPoint Support Logo

 

Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
September
Sun Mon Tue Wed Thu Fri Sat
       
28  
2005
Months
Sep


Wed, Sep 28, 2005 12:10 am

RB Laptop Infections - Sept 26 2005

I updated the Norton Antivirus 2055 virus definitions on R.B's laptop from ones dated 8/3/2005 to ones dated 9/26/2005 using the latest Intelligent Updater virus definitions to prepare for running a full scan of the system. But before I could run the scan a window opened displaying a virus alert.

Norton AntiVirus
 
Virus Alert
Object NameC:\WINDOWS\system32\hhk.dll
Virus Name Trojan Horse
Action TakenUnable to repair this file.

When I clicked on "OK", I got the message "Access to the file was denied". And when I clicked on "OK" for that message I was back to the original message and was stuck in a circle with clicking on one message bringing up the other over and over again.

Clicking on the Trojan Horse link just brought up a Symantec webpage with generic information on trojans, which was of no help at all. Unfortunately, Symantec seems to provide a generic "trojan" page for many trojans when surely they must have some information on particular trojans.

Sophos links hhk.dll to Troj/Puper-D, which it describes as a "a browser hacking Trojan for the Windows platform." It indicates that the file shnlog.exe is associated with this trojan. I've seen references to shnlog.exe not closing properly when I shut down the system, i.e. messages indicating the application failed to initialize because the system is shutting down.

I ran a complete scan of the system even though the hhk.dll virus alert couldn't be dismissed. That scan found the following:

FilenameTHreat nameActionStatus
hhk.dllTrojan HorseVirus found Infected
hp832A.tmpTrojan HorseVirus found Infected
intmon.exeTrojan HorseVirus found Infected
popuper.exeAdware.popuppersAdware found At risk
shnlog.exeAdware.popuppersAdware found At risk

The files were found in the following locations:

FileLocation
hhk.dllc:\windows\system32
hp832A.tmpc:\windows\system32
intmon.exec:\windows\system32
popuper.exec:\windows
shnlog.exec:\windows\system32

I opted to have Norton AntiVirus attempt to fix the problems. It reported "quarantine failed" for hhk.dll and hp832A.tmp. It then asked if I wanted to delete files. It was still unable to remove everything, reporting "delete failed" for hhk.dll, hp832A.tmp, popuper.exe, and shnlog.exe. It reported intmon.exe as "quarantined".

I started regedit. I noticed that there was still a key under HKLM\Software\Microsoft\WIndows\Current\Version\Run for "PSGuard spware remover" with a value of "C:\Program Files\PSGuard\PSGuard.exe". That malware had previously been removed, so I removed the key.

And since the Sophos webpage states in regard to the Troj/Puper-D trojan that it creates a regisry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run named paint.exe, which points to shnlog.exe, in order to run itself on startup, I removed that, as well as one that was named notepad2.exe, which pointed to popuper.exe.

NameTypeData
paint.exeREG_SZshnlog.exe
notepad2.exeREG_SZpopuper.exe

I then rebooted. Norton AntiVirus was then reporting hp8A66.tmp as a Trojan Horse and indicating it couldn't repair it. When I dismissed its warnings for that file, it reported it couldn't repair HHK.DLL again.

I tried deleting shnlog.exe, but couldn't delete the file and when I checked the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run, I found the paint.exe entry was back pointing to shnlog.exe. I deleted it again and within a few moments it was back again.

I then rebooted the system into Safe Mode and ran a scan of the system with Spybot Search & Destroy 1.4 using adware/spyware definitions from 9/23/2005. It found a plethora of malware, including AV-Gold. On a BleepingComputer.Com webpage titled "How to remove AntiVirus Gold or AVGold", I found the following description for it:

Antivirus Gold is a supposed AntiSpyware application that gets installed by Spyware/malware without asking for permission. This infection hijacks your desktop to display an ad stating you need to buy an antispyware program.

There were also removal instructions on that webpage, but I chose to have Spybot remove it. Spybot also found remnants of PSGuard, which also purports to offer you protection for your system, still on the system. It also reported CoolWWWSearch.ToonComics, PSGuard.msmsgs, QuickNavigate, Smitfraud-C, and Zonemap.Ranges. When I chose to have Spybot remove everything it found, it reported that it couldn't fix 14 items and asked if it could run again when the system was rebooted. I indicated "yes" and rebooted. A Spybot scan ran again immediately after I rebooted, but again it couldn't remove everything and suggested it be run immediately after a system restart, so I rebooted again after it completed its second scan. On the next scan, it found 27 registry entries related to Smitfraud-C, which I requested it fix. However, Spybot reported it fixed 0 of the 27 problems it found and again suggested a reboot to fix the problems it couldn't fix. But again it found 27 entries for Smitfraud-C and reported "Some problems couldn't be fixed; the reason cold be that the associated files are still in use (in memory). This could be fixed after a restart." Again it asked "May Spybot S&D run on your next system startup?" This time I answered "no", since it seemed unable to deal with the problem. But it seems to have dealt with HKK.DLL, since it was no longer in the c:\windows\system32 folder and Norton AntiVirus is no longer displaying alerts immediately after the system is rebooted.

I noticed SpyCatcher was on the system, though I didn't see any process named "spycatcher" in the Task Manager processes list. When I went to "Start" and "Programs", there was a group under titled "SpyCatcher", but the only entry within it was "Uninstall Spycatcher", though all of the files, including a SpyCatcher.exe, appeared to be present under "C:\Program Files\SpyCatcher". At the Tenebril webpage selling the product, the first feature listed for it is "Allows novice PC users to remove aggressive spyware". The Spyware Warrior Rogue/Suspect Anti-Spyware Products & Web Sites stated it was a lesser-known antispyware product that had been tested but not found to be a rogue/suspect antispyware product. Products purporting to be antispyware programs that "are of unknown, questionable, or dubious value as anti-spyware protection" are placed on the rogue/suspect list maintained at this webpage.

In addition to selling SpyCatcher, the Tenebril website also offers a free online scan for spyware at Free Online Spyware Scan.

Since SpyCatcher wasn't listed as a dubious antispyware program, I started it, but was presented with the message "Before using SpyCatcher, you must register the product with your e-mail address and CD order number." I found a positive review, SpyCatcher Review by Chris Hall at Pocket-lint.co.uk and a four-star rating for it at SpyCatcher - adware and spyware scanner on the SnapFiles website.

Since the price was only $19.95, I decided to try the product to see how it performed. After purchasing it, I was given a serial number, which I entered on the infected system. I couldn't immediately run the software, however. It insisted I must log onto the Internet to unlock SpyCatcher. So, if you had a serious adware/spyware problem that prevented you from accessing the Internet, which I've seen occur on many systems, you wouldn't be able to use the software unless you already had it installed and registed on the infected system.

I updated SpyCatcher and had it scan the system. It appeared to get stuck on the "Loadin fingerprint library" phase. It indicated it loaded 13,336 fingerprints and then appeared to hang. It didn't show any updates to the "running programs scanned", "registry items scanned", nor "files and folders scanned".

After killing the SpyCatcher.exe process and restarting it only to get the same results, I gave up on it and installed Microsoft AntiSpyware Beta1. I ran the default "intelligent quick scan", but it found nothing, so I ran a "full scan" with all options selected. It took twice as long - about 10 minutes versus about 5 minutes for the quick scan, but also found nothing.

I then decided to run another scan with Norton AntiVirus 2005 to see what it is still reporting. While that was running a Norton Personal Firewall alert popped up stating that "tgshell.exe is attempting to connect to a DNS server" asking "what do you want to do?" When I searched for information on tgshell.exe, I found the following at Task List Programs - T on the AnswersThatWork.com site.

Tgmd Tgmd.exe

(Tioga software /
Support.com)
This is the sort of software we classify as spyware.  It is part of Tioga Software.s remote support and management tools (Tioga.com, Support.com, and SupportSoft.com are one and the same company) and is installed by the setup CD of the @Home ISP (@Home and MediaOne are now part of Comcast, with the ComcastSupport software being the main culprit for introducing TGCMD on a PC).  The Tioga/SupportSoft.com software is also included in the Sony Support software that comes with some Sony Vaio.s and HP Pavillion.s.  The original intention of TG CMD is to have your @Home service or systems software automatically updated when you are online, to provide a remote support technician with setup information about your PC, and, in some cases, to allow the remote support technician to connect to your PC and see what you are doing . in short, technical support is indeed the original intention; unfortunately, its features are also very useful to advertisers and so, depending on who supplied it, TGCMD will also collect information from your PC, which web pages you have visited, what you have downloaded, and permission based information about your system, its software, its settings, etc...,  As if that were not enough for us to recommend disabling it, it has additionally also been known to create a WININIT.INI file in the Windows folder, something which straight away prevents Windows ME users from using the extremely valuable System Restore feature of Windows ME.  Finally, many users have also reported : being unable to clear the Internet history files when it is running, Eudora startup problems, SDCSchedulerWindow error messages on shutdown of Windows, and inability to delete video, audio, or graphics files.

Recommendation :
If you are a Comcast customer, de-install "Comcast Support" through the Add/Remove icon in your Control Panel.  Next, look up BJCFD in these Task List pages. If you have a Sony Vaio, de-install the "Vaio Support Agent" through the Add/Remove icon in your Control Panel.  In all cases, if the de-installation of Comcast Support or Vaio Support Agent does not remove TGCMD after a reboot, then Immediately disable TGCMD using  The Ultimate Troubleshooter !
Tgshell TGSHELL.exe

(Tioga Software / Support.com)

Read TGCMD above.

Recommendation :
Absolutely nightmarish software which eats up CPU, drives the hard disk hard, causes boot-up Kernel32 errors, generates illegal operations, invalid page faults, and much more.  De-install as per instructions for TGMD above.

I chose to "Always block connections from this program on all ports" for tgshell.exe.

When the Norton AntiVirus scan completed, it reported "no threats found." I ran a Spybot scan again and it again found the same 27 Smitfraud-C registry entries, under HKEY\USERS\...\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\, which it couldn't fix. It appears to be reporting all of the sites that are listed in Internet Explorer's restricted zone, which is a zone that Internet Explorer uses to restrict access to "Web sites that could potentially damage your computer or data", so appears to be a false positive rather than any real threat.

[/security/viruses] permanent link

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo