Script Blocking alerts on Tgcmd.exe when starting the computer

Situation:
You installed Norton AntiVirus (NAV) and now, every time you restart the computer, you see the following NAV alert:

Norton AntiVirus has detected a potential threat in the displayed Activity...

Object: Windows Script Host Shell Object
Activity: Run
File: Tgcmd.exe
Action: Stop (Recommended)

Solution:
This alert indicates that Tgcmd.exe is running when the computer starts.

Malicious or not?
NAV Script Blocking detects the activity when the Tgcmd.exe file is run and cannot determine whether the activity is malicious. It is possible that the file is a legitimate part of your computer's startup process. Tgcmd.exe can be part of a support program distributed by some computer and software manufacturers. Click the following link for more information on the file:

http://www.support.com/legal/whatwedo.asp

It is also possible that the file is part of a malicious program. It is a common practice to name malicious files after known legitimate files. In either case, do the following in the order listed to make sure that the file is not infected. If it is not infected, then follow the steps to locate the file and submit it to Symantec Security Response so the file can be added to the list of good scripts that are distributed with the virus definitions.


To see if the file is infected

  1. Run LiveUpdate. You should run LiveUpdate as many times as needed until you see the message "Thank you for using LiveUpdate. All of the Symantec products installed on your computer are currently up to date. Please check for new updates again in the future." Symantec regularly updates the Script Blocking program to ensure that known good scripts are not detected. These updates are included in the virus definitions that are downloaded through LiveUpdate.
  2. Restart the computer to see whether the alert appears.
  3. Do one of the following:
    • If you do not see any more alerts, you are done.
    • If you continue to see alerts, go to "To deal with continued alerts."

To deal with continued alerts
You followed the steps in "To see if the file is infected," and you continue to see alerts. Do one or both of the following:

Submit the file to Symantec Security Response
Follow these steps to configure Windows to show all files, locate the Tgcmd.exe file, make a copy of that file, quarantine the file, and then submit the file to Symantec Security Response.

To configure Windows to show all files and find Tgcmd.exe
  1. Start Windows Explorer.
  2. Click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000/XP), and then click Options or "Folder options."
  3. Click the View tab.
  4. Uncheck "Hide file extensions for known file types."
  5. Do one of the following:
    • Windows 95/NT. Click "Show all files."
    • Windows 98. In the Advanced settings box, under the "Hidden files" folder, click Show all files.
    • Windows Me/2000/XP. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
  6. Click Yes if you see a Warning dialog box.
  7. Click Apply, and then click OK.
  8. Do one of the following:
    • For Windows 95/98/NT/2000, go to: "To find Tgcmd.exe for Windows 95/98/NT/2000."
    • For Windows XP, go to: "To find Tgcmd.exe for Windows XP."

To find Tgcmd.exe for Windows 95/98/NT/2000
  1. Click Start, point to Find or Search, and then click Files or Folders.
  2. Make sure that "Look in" is set to (C:) and that Include subfolders is checked.
  3. In the "Named" or "Search for..." box, type--or copy and paste--the following file name:

    tgcmd.exe

  4. Click Find Now or Search Now.
  5. When you have found Tgcmd.exe, go to: "To make a copy of Tgcmd.exe."

To find Tgcmd.exe for Windows XP
  1. Click Start, and then click Search.
  2. Click All files and folders.
  3. In the "All or part of the file name" box, type--or copy and paste--the following file name:

    tgcmd.exe

  4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
  5. Click "More advanced options."
  6. Check "Search system files and folders."
  7. Check "Search subfolders."
  8. Click Search.
  9. When you have found Tgcmd.exe, go to: "To make a copy of Tgcmd.exe."

To make a copy of Tgcmd.exe
  1. Right-click the Tgcmd.exe file, and then click Copy.
  2. Right-click a blank area on the Desktop, and then click Paste. You will see the Tgcmd.exe file icon on your desktop.

To quarantine and submit Tgcmd.exe
Follow the instructions in "How to submit a file to Symantec Security Response using Scan and Deliver" to quarantine and submit the copy of Tgcmd.exe located on your Desktop. After you submit the file, be sure to run LiveUpdate on a weekly basis.
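
The find-and-copy steps above can be scripted on a current Windows system. This is an added example, not part of the original Symantec article; it assumes Windows PowerShell 5.1 or later (not available on the operating systems listed for this document), and the staging folder name `tgcmd-submission` is hypothetical. It goes beyond the article by also recording each copy's SHA-256 hash and Authenticode signature status, which helps separate a vendor-signed file from a look-alike that only shares the name.

```powershell
# Added example (not from the original article).
# Locates every copy of tgcmd.exe, records where it is, its hash and its
# signature status, and stages a copy on the Desktop for submission.
$name    = 'tgcmd.exe'
# Assumption: hypothetical staging folder on the current user's Desktop.
$staging = Join-Path ([Environment]::GetFolderPath('Desktop')) 'tgcmd-submission'
New-Item -ItemType Directory -Path $staging -Force | Out-Null

# -Force includes hidden and protected system files, which is what the
# "show all files" Explorer settings in the article are for.
# Unreadable folders are skipped instead of stopping the search.
$hits = Get-ChildItem -Path 'C:\' -Filter $name -File -Recurse -Force `
            -ErrorAction SilentlyContinue

$index  = 0
$report = foreach ($file in $hits) {
    $index++
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Several copies may exist, so prefix each staged copy with an index
    # to avoid overwriting one with another.
    $copy = Join-Path $staging ('{0:d2}_{1}' -f $index, $file.Name)
    Copy-Item -LiteralPath $file.FullName -Destination $copy

    [pscustomobject]@{
        Path       = $file.FullName
        SizeBytes  = $file.Length
        Modified   = $file.LastWriteTime
        SHA256     = $hash.Hash
        SigStatus  = $sig.Status                      # e.g. Valid, NotSigned
        Signer     = $sig.SignerCertificate.Subject   # empty when unsigned
        StagedCopy = $copy
    }
}

if (-not $report) {
    Write-Output "No file named $name was found on C:\."
} else {
    $report | Format-List
    # Keep a record next to the staged copies.
    $report | Export-Csv -Path (Join-Path $staging 'report.csv') -NoTypeInformation
}
```

Run it from an elevated PowerShell session so protected folders are searched. A copy whose signature status is not Valid, or copies in several unrelated folders, are the ones to submit first.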


Document ID: 2001102014300206
Last Modified: 03/04/2005
Date Created: 10/20/2001
Operating System(s): Windows 95B, Windows NT 4.0, Windows 98, Windows 2000, Windows Me, Windows XP
Product(s): Norton AntiVirus 2003, Norton AntiVirus 2003 Professional Edition