Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

tmbs.exe


  • Please log in to reply
16 replies to this topic

#1 TaraBelle

TaraBelle

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 21 February 2009 - 06:53 PM

Hey everyone,

I was just wondering why when I start up my pc that a window pops up in "dos like" form and then says that it cannot run due to some reason and asks me to ignore or close (I think they're the options). Can anyone help me out? Please Please :thumbsup:


Thanks!
TaraBelle

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)

 


#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:10:26 AM

Posted 21 February 2009 - 08:33 PM

Have you recently removed a startup program, used MSCONFIG.EXE, or removed a virus from your system?
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#3 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 21 February 2009 - 08:44 PM

not that I can remember.......what is it exactly for? Is it a bad thing?

#4 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 21 February 2009 - 11:46 PM

Anyone out there have any ideas?????????? :thumbsup:

#5 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,636 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 AM

Posted 21 February 2009 - 11:58 PM

Hi TaraBelle,

That is a normal symptom of the Midaddle adware parasite--yes it's a bad thing. :thumbsup:
http://spywarefiles.prevx.com/RREHGD004145888/TMBS.EXE.html
http://research.sunbelt-software.com/threa...;threatid=14840
http://www.bleepingcomputer.com/uninstall/810/midADdle.html

Go to your Control Panel, then Add or Remove Programs and look for an icon and entry for Midaddle and uninstall it if present.

What antivirus are you running? Do you have a good anti-spyware/malware program or two installed? If so which ones?--run those as plenty should be found to clean up.

The thing about people

is they change

when they walk away.--Mipso


#6 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 22 February 2009 - 12:21 AM

Thanks much! I did run the prevx csi download thing but it found everything to be clean....weird....there is also no Midaddle program installed in the add/remove thing. I am running McAfee security center & some anti-spy thing from Yahoo.....maybe that's what it's from. I have no clue....I'll have to reboot and see what happens and see if it's still there or not!

TaraBelle :thumbsup:


#7 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 22 February 2009 - 12:37 AM

OK, I rebooted and this is exactly what it says:

C:\windows\system32\tmbs.exe
The NTVDM CPU has encountered an illegal instruction
CS: 055f IP:0000 OP ff009f00
Chose 'close' to terminate application


Any ideas???? :thumbsup:


TaraBelle :flowers:


#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,636 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 AM

Posted 22 February 2009 - 01:33 AM

Sure I have ideas, but it may be tomorrow before I can do the research to back them up. :thumbsup:

I may have spoken too soon that your message is a straightforward indication of the Midaddle adware --it is seldom that easy anymore. But that file does smell of malware. Let's see what we have in the way of malware on your system--rule of thumb is to get rid of it first, then if you are still getting the error usasma will know better than me how to deal with that.

Go here and run a scan with Kaspersky Online:
http://www.kaspersky.com/kos/eng/partner/7...n=1235282972703

Use the extended databases and when the scan is finished, save the results to a text file--if you get an html file copy and paste the text of that into Notepad and save it. Then post it in your next reply to this thread. If any problem, you can make more than one post or attach the file to this post.

From what I hear, Yahoo does not make a very good malwre remover. This way we can get a better idea if there is much to clean up. Is your subscription for McAfee current?

The thing about people

is they change

when they walk away.--Mipso


#9 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 22 February 2009 - 05:54 PM

Hi,

OK I did the Kaspersky scan and this is what it said:

Sunday, February 22, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 22, 2009 19:38:06
Records in database: 1831354

Scan settings Scan using the following database extended Scan archives yes Scan mail databases yes
Scan area My Computer C:\
D:\
E:\
Scan statistics Files scanned 61518 Threat name 1 Infected objects 1 Suspicious objects 0 Duration of the scan 01:20:39
File name Threat name Threats count C:\WINDOWS\system32\f3PSSavr.scrInfected: not-a-virus:WebToolbar.Win32.MyWebSearch1

The selected area was scanned.

#10 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 22 February 2009 - 05:55 PM

p.s.


And yes, my McAfee subscription is current
:thumbsup:

#11 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,636 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 AM

Posted 22 February 2009 - 07:47 PM

OK, well, hmmm. Kaspersky didn't find that file to be on your system or didn't identify it as malware if it is. Before we do anything else let's check to see if you can lay your own eyes on that file. It is in the system folder so will normally be hidden, so please do the following to unhide your files--you can reverse the process to rehide them when we are thru if you like.

How to see hidden files in Windows

Then click on My Computer, hit the Folders button and navigate to the C:\windows\system32 folder. Let me know if the tmbs.exe file is there or not. Don't do anything to it yet--just let me know.

The one file that Kaspersky did find is not very serious at all. But while you are in the System32 folder, and if you aren't using that screensaver, you can delete this file: f3PSSavr.scr

The thing about people

is they change

when they walk away.--Mipso


#12 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 23 February 2009 - 01:26 AM

Hey there Papakid,

Yes, I did find the tmbs.exe in the windows 32 folder. I saw the screen saver file also but I do use it. If it's not causing any problems I'll just leave that be. By the way, thanks so much for your help. Now what's next? :flowers:

Thanks,
TaraBelle :thumbsup:


#13 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,636 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:26 AM

Posted 23 February 2009 - 02:13 AM

You're welcome for the help and thank you. :thumbsup:

Right click on the file and choose Properties and post back that data. I'm mostly interested in the date created and file size.

Then we'll see what a compendium of AV scanners thinks about it. Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\windows\system32\tmbs.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

For the screensaver I would urge you to find another one. Most of the MyWay stuff isn't serious but I don't remember them doing screensavers so that might have changed. As a next step I will probably ask you to do some scans that will clean up more--I know one of them targets MyWay stuff so you will probably lose it anyway.

The thing about people

is they change

when they walk away.--Mipso


#14 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 24 February 2009 - 01:54 AM

Hey Papakid,

Sorry it's taking me so long to do this but it's been crazy here....3 kids , etc! I looked up the properties of the tmbs.exe it said:

Location:C:\WINDOWS\system32
size: 407 bytes (407 bytes)
size on disk: 4.00 KB (4,096 bytes)

created: Saturday, November 25, 2006, 3:46:17 PM
modified: Saturday, November 25, 2006, 7:24:42 PM

OK that's the info for that part....let me see what else u said to do....


:thumbsup: TaraBelle


#15 TaraBelle

TaraBelle
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 24 February 2009 - 02:01 AM

Ok here's what Jotti said (basically nothing)

Service load: 0% 100% File: tmbs.exe Status: OK MD5: c3066a09ab89fb0b7a3719b75dc4ef34 Packers detected: - window.google_render_ad(); Scanner results Scan taken on 24 Feb 2009 06:56:44 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing Ikarus Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users