I just logged the FOV changer with process monitor.
I think I understand what flags this on most AV software. sh4w1 is just a package for H@tKeysH@@k.DLL, nircmd.exe, sh4wide1.exe, t15717.bat and t15727.exe.
The first of these is a dll for keyloggers. It seems it's only loaded by these executables though, given I opened other processes and none touched it.
The whole thing is quite unorthodox since even after patching (silent hill 4.exe was genuinely sought) it remains in Windows's System32/SysWOW64 folder.
Then there's a second file marked as harmful which should be the actual "loader" of the aforementioned dll.
All of this is possibly legit (i.e. makes some kind of sense) since in the bat file you can read a key stroke is passed (albeit for no clear reason).
@echo off
set ztmp=C:\Users\Michele\AppData\Local\Temp\ztmp
set MYFILES=C:\Users\Michele\AppData\Local\Temp\afolder
set bfcec=t15727.exe
attrib +h C:\Users\Michele\AppData\Local\Temp\ztmp
@echo off
%MYFILES%\nircmd.exe exec show sh4wide1.exe
%MYFILES%\nircmd.exe exec show "SILENT HILL 4.exe"
%MYFILES%\nircmd.exe wait 10000
%MYFILES%\nircmd.exe sendkey 0x71 down
%MYFILES%\nircmd.exe waitprocess "SILENT HILL 4.exe"
%MYFILES%\nircmd.exe killprocess sh4wide1.exe
The mystery is even crappier if you think that "t15727" is a 15 byte file with only (I said it) 15 bytes: RCHELICOPTERFTW. Which seems the mark of a "bat to exe" converter.
brainDEAD1986 (its creator) being also a somewhat popular Russian repacker of games also does not add to his reputation.
I don't own the game, but Garret doesn't seem to have had anything to report.
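A triage sketch for the batch file quoted above, added here as an example and not part of the original post: it lists what the script hides, launches, waits on and kills, and decodes the `sendkey` virtual-key code (0x71 is VK_F2 in the Windows virtual-key table). The function name `triage_bat` and the finding labels are assumptions made for illustration; the sample input is the batch text from the post, embedded inline.

```python
import re

# Constructed sample: the batch lines quoted in the post, embedded so this runs offline.
SAMPLE_BAT = r'''@echo off
set ztmp=C:\Users\Michele\AppData\Local\Temp\ztmp
set MYFILES=C:\Users\Michele\AppData\Local\Temp\afolder
set bfcec=t15727.exe
attrib +h C:\Users\Michele\AppData\Local\Temp\ztmp
@echo off
%MYFILES%\nircmd.exe exec show sh4wide1.exe
%MYFILES%\nircmd.exe exec show "SILENT HILL 4.exe"
%MYFILES%\nircmd.exe wait 10000
%MYFILES%\nircmd.exe sendkey 0x71 down
%MYFILES%\nircmd.exe waitprocess "SILENT HILL 4.exe"
%MYFILES%\nircmd.exe killprocess sh4wide1.exe
'''

# Windows virtual-key codes for the function keys: VK_F1 = 0x70 ... VK_F12 = 0x7B.
VK_NAMES = {0x70 + i: f"F{i + 1}" for i in range(12)}

NIRCMD = re.compile(r'nircmd\.exe\s+(\w+)\s*(.*)', re.IGNORECASE)

def triage_bat(text):
    """Return (line_no, kind, detail) findings for a launcher batch file (hypothetical helper)."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if re.match(r'attrib\s+.*\+h\b', line, re.IGNORECASE):
            findings.append((no, "hide", line.split()[-1]))
        m = NIRCMD.search(line)
        if not m:
            continue
        verb, args = m.group(1).lower(), m.group(2).strip()
        if verb == "sendkey":
            code_str, action = args.split()[:2]
            code = int(code_str, 16)  # the script passes the key as a hex VK code
            findings.append((no, "sendkey", f"{VK_NAMES.get(code, hex(code))} {action}"))
        elif verb == "exec":
            findings.append((no, "launch", args.split(None, 1)[1].strip('"')))
        elif verb in ("killprocess", "waitprocess"):
            findings.append((no, verb, args.strip('"')))
    return findings

if __name__ == "__main__":
    for no, kind, detail in triage_bat(SAMPLE_BAT):
        print(f"line {no:2}: {kind:12} {detail}")
```

The script sends a single key-down for F2 ten seconds after launching the game and never sends the matching key-up.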