What is TB_ANIMATED.EXE?


Boris Mohar

Hello,

My firewall is advising me that TB_ANIMATED.EXE which resides in C:\Windows\temp
is trying to contact 146.82.109.220. I cannot delete or rename the file.
 
In Message-ID:<[email protected]> posted on
Hello,

My firewall is advising me that TB_ANIMATED.EXE which resides in C:\Windows\temp
is trying to contact 146.82.109.220. I cannot delete or rename the file.

Go into your autoexec.bat file (open with notepad) and add these lines:
---begin---
@DelTree /Y C:\WINDOWS\Temp
@MD C:\WINDOWS\Temp

---end---
Leave the last line blank, reboot and the file should be gone.
Take this opportunity to check your startup axis to see if it is trying
to be recreated via the registry, some.ini, etc.
You can use msconfig or any of several startup analysers for this.
Here's a good one:
http://www.tomcoyote.org/hjt/
 
Boris Mohar said:
Hello,

My firewall is advising me that TB_ANIMATED.EXE which resides in C:\Windows\temp
is trying to contact 146.82.109.220. I cannot delete or rename the file.

I got it too. I was able to rename it so it isn't an executable
anymore. I haven't downloaded anything for a couple of weeks so I
don't know where it came from. I've all the latest security patches
and latest AV update from McAfee so I'm not too worried but I have
blocked it in Zone Alarm.
 
Boris Mohar said:
Hello,

My firewall is advising me that TB_ANIMATED.EXE which resides in C:\Windows\temp
is trying to contact 146.82.109.220. I cannot delete or rename the file.


It must be the calling card of a new virus. Use Task Manager to view
current processes, you'll see tb_animated.exe running. You can't
nuke the file until you end the process. End the process. This thing
also sets a Registry key in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

called "TB_" something, I forget, sorry, but it's set to
tb_animated.exe - Delete this key!

Okay, should be something on the Symantec or McAfee websites soon
about this. Let your anti-virus software auto update on connect,
these are dangerous times.
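
The Run-key check described in the reply above, written as a read-only PowerShell audit. This is an added example, not part of the original thread; the list of temp directories and the helper name `Get-CommandImagePath` are assumptions chosen for illustration.

```powershell
# Added example: report autorun values that launch an executable from a temp directory.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories treated as suspicious launch locations (assumption; extend as needed).
$tempRoots = @("$env:windir\Temp", $env:TEMP) | Where-Object { $_ } |
    ForEach-Object { [IO.Path]::GetFullPath($_).TrimEnd('\') } | Select-Object -Unique

function Get-CommandImagePath([string]$Command) {
    # Extract the executable from a Run value: quoted path, else text up to ".exe", else first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')   { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$findings = foreach ($keyPath in $runKeys) {
    if (-not (Test-Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        $image = Get-CommandImagePath ([string]$key.GetValue($name))
        # Bare file names are resolved through PATH at logon; only rooted paths are compared here.
        if (-not $image -or -not [IO.Path]::IsPathRooted($image)) { continue }
        $full = [IO.Path]::GetFullPath($image)
        $inTemp = $tempRoots | Where-Object {
            $full.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $inTemp) { continue }
        # A running instance holds the file open, which is why delete or rename fails.
        $procIds = @(Get-Process | Where-Object { $_.Path -eq $full } |
            Select-Object -ExpandProperty Id)
        [pscustomobject]@{
            Key         = $keyPath
            ValueName   = $name
            Image       = $full
            FileExists  = Test-Path -LiteralPath $full
            RunningPids = $procIds -join ','
        }
    }
}

$findings | Format-Table -AutoSize
```

The script only reports; an empty table means no Run or RunOnce value points into the listed temp directories.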
 
I got it too. I was able to rename it so it isn't an executable
anymore. I haven't downloaded anything for a couple of weeks so I
don't know where it came from. I've all the latest security patches
and latest AV update from McAfee so I'm not too worried but I have
blocked it in Zone Alarm.

I just checked the date and it showed up when I installed the latest security
patches from:

http://v4.windowsupdate.microsoft.com/en/default.asp

I was able to delete it after I terminated the process. I am still curious why
it is trying to contact 146.82.109.220, which is:

OrgName: Global Crossing
OrgID: GBLX
Address: 14605 South 50th Street
City: Phoenix
StateProv: AZ
PostalCode: 85044-6471
Country: US

NetRange: 146.82.0.0 - 146.82.255.255
CIDR: 146.82.0.0/16
NetName: GBLX-16
NetHandle: NET-146-82-0-0-1
Parent: NET-146-0-0-0-0
NetType: Direct Allocation
NameServer: NAME.ROC.GBLX.NET
NameServer: NAME.PHX.GBLX.NET
NameServer: NAME.JFK1.GBLX.NET
NameServer: NAME.SNV.GBLX.NET
Comment: THESE ADDRESSES ARE NON-PORTABLE
RegDate: 1997-05-20
Updated: 2003-02-25

OrgAbuseHandle: GBLXA-ARIN
OrgAbuseName: GBLX-Abuse
OrgAbusePhone: +1-800-404-7714
OrgAbuseEmail: (e-mail address removed)

OrgNOCHandle: GBLXN-ARIN
OrgNOCName: GBLX-NOC
OrgNOCPhone: +1-800-404-7714
OrgNOCEmail: (e-mail address removed)

OrgTechHandle: IA12-ORG-ARIN
OrgTechName: GBLX-IPADMIN
OrgTechPhone: +1-800-404-7714
OrgTechEmail: (e-mail address removed)
 
I got it too. I was able to rename it so it isn't an executable
anymore. I haven't downloaded anything for a couple of weeks so I
don't know where it came from. I've all the latest security patches
and latest AV update from McAfee so I'm not too worried but I have
blocked it in Zone Alarm.

Got it here also. It appeared on 2 of our network PCs yesterday,
Sunday. No one used the computers over the weekend but they were
turned on. Looks like it may be some kind of worm. I submitted the
tb_animated.exe file to Network Associates for analysis. So far they
said it is not a known virus and have sent it to the next level.
 
[ snippedy do-dah ]

I was able to delete it after I terminated the process.
I am still curious why
is it trying to contact 146.82.109.220 [ chomp ]

Maybe it's a remote access trojan.
What port is it trying to connect to?
 
[ snippedy do-dah ]

I was able to delete it after I terminated the process.
I am still curious why
is it trying to contact 146.82.109.220 [ chomp ]

Maybe it's a remote access trojan.
What port is it trying to connect to?

Port 80
 
Here is the analysis result from McAfee for the TB_ANIMATED.EXE file.

Identified: Adware-HuntBar application

AVERT(tm) Labs, Beaverton

Thank you for submitting your suspicious file.

Synopsis -

Attached is a file for extra detection, which will be included in a future
DAT set.

For other virus-related information, please see the AVERT(tm) homepage at:
<http://www.networkassociates.com/us/security/resources/home.htm>

Solution -

To ensure that you have the maximum available capability of detecting and
cleaning this malware on your system, please make sure you have the latest
engine.

Engine and DAT updates are available at:
http://www.networkassociates.com/us/downloads/updates/

EXTRA.DAT

This should be used with any of the McAfee AV Scanners. The file should be
copied into the directory where the other DAT files reside.

Using the find/search utility on your computer search for the following file:

SCAN.DAT

Then copy the Extra.dat we have sent you to the same folder where one of the
above is located.
Once you have copied the file, reboot the system for the driver to be loaded.

Support -

Virus Research accepts file-samples for analysis and possible inclusion into
AV signature DAT sets. We are also prepared to answer general virus questions.

All product-related questions and comments can be addressed through
technical support and customer service, including:

* Product installation and update questions
* Product usage questions
* Specific operating system/version questions
* Assistance with detection and cleaning or removal of viruses or trojans

Use the following links to reach online technical support for NAI products.

Corporate Customers:
http://www.networkassociates.com/us/support/

Single User/Home User:
US: http://www.mcafeehelp.com
UK: http://www.mcafeehelp.co.uk
 