
Potential Trojan: tcbhn.exe process, Trojan.Avkill?


7 replies to this topic

#1 PolterGhost


Posted 15 June 2012 - 02:43 AM

It's been a while since I last posted here, which involved my computer's filing system going completely bonkers, to the point where I had to reformat the whole drive to get it working again. It was about three wipes later that my laptop finally fell back into working order. So, aside from me knowing better than to buy from Toshiba or to get Vista again...

I was surfing through my system processes on a whim when I noticed that there was a process that I've never noticed before. A quick Google search nets me a few sites that say "THIS IS A TROJAN, DOWNLOAD OUR PROGRAM TO CURE YOUR COMPUTER." Skeptical, I decided to come here and see what you guys can make of it.

I have exactly what is described in this url: http://www.drwebhk.com/en/virus_techinfo/Trojan.AVKill.17453.html
At least, that one file is located in that folder. The signature behind the file is a company called "Blabbers Communications, Ltd." It was apparently created on March 27, though I can't honestly remember downloading anything from back then aside from a few medical journals for use on a school report.

Personally, my Norton Antivirus doesn't see anything wrong with the file, nor does a quick scan on VirusTotal give me any indication that the file is malicious. Still, I'm pretty sure it's not supposed to be there, and I'd like a second opinion before I start bricking applications willy-nilly.



#2 quietman7


Posted 15 June 2012 - 06:13 AM

Get a second opinion. Go to one of the following online services that analyze suspicious files:

In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
-- Post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 PolterGhost


Posted 15 June 2012 - 02:56 PM

Get a second opinion. Go to one of the following online services that analyze suspicious files:

In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
-- Post back with the results of the file analysis.

Jotti: No reports of malware
Virustotal: No reports of malware
Virscan: No reports of malware

On a fresh reboot, the program seems to have started on its own. It's running the same command line as on the DrWeb link, and I have noticed that my computer has attempted to refresh my current page when I use my Chrome browser lately, so I'm wondering if I'm getting failed redirects from this program. I can't say that it's a horribly intrusive program, due to its 573k memory usage and not doing much else, but I can't say that I like things sitting around either.

#4 quietman7


Posted 15 June 2012 - 03:19 PM

I can't say that it's a horribly intrusive program, due to its 573k memory usage and not doing much else, but I can't say that I like things sitting around either.

Then why not just uninstall the program and be done with it?

#5 PolterGhost


Posted 15 June 2012 - 03:36 PM

That's why I figured I'd ask. I'm not sure if I should follow through with the whole spiel that the url gave for instructions, or if I should just dump the file, or what.

#6 quietman7


Posted 15 June 2012 - 04:26 PM

If it's been on your computer since March and there have been no ill side effects, since it's not malicious and you don't have any of the other files, you can just rename it by right-clicking on it and adding .vir after the file's extension (i.e. tcbhn.exe.vir) which will keep it from running. After a few days if no other programs appear to be affected by its not running, you can then delete it.

Or you can investigate further to see what program (Blabbers Communications, Ltd) is causing it to run.

Windows Task Manager does not provide enough information. These are tools to investigate running processes, services and gather additional information to identify them or resolve problems:

These tools will provide information about each process, CPU usage, file description and its path location. Most of them are stand-alone apps in a zip file so no installation is necessary. I use System Explorer Portable and Process Explorer a lot and find them very useful for investigating files.
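The investigation and rename steps from post #6, as an added PowerShell example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later in an elevated session, takes the process name `tcbhn` from the thread, and keeps the stop and rename steps as a dry run through `-WhatIf`.

```powershell
# Added example, not from the thread: triage a suspicious process before removing it.
$name = 'tcbhn'   # process name reported in the thread

# 1. Running instances: image path, command line, and the parent that launched them.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = '$name.exe'")
$procs | Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
foreach ($p in $procs) {
    # The parent process often points at the program responsible for starting it.
    Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)" |
        Select-Object ProcessId, Name, ExecutablePath
}
$paths = @($procs | Where-Object ExecutablePath |
    Select-Object -ExpandProperty ExecutablePath -Unique)

# 2. File facts to compare against scanner results: hash, signer, creation time.
foreach ($path in $paths) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path            = $path
        SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Created         = (Get-Item -LiteralPath $path).CreationTime
    }
}

# 3. Autostart entries that reference the file (Run keys and scheduled tasks).
$pattern = [regex]::Escape($name)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data -match $pattern) {
            [pscustomobject]@{ Key = $key; Value = $valueName; Data = $data }
        }
    }
}
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match $pattern } |
    Select-Object TaskPath, TaskName

# 4. Neutralize by rename (.vir) as described in the post.
#    Dry run: remove -WhatIf from both commands after reviewing the output above.
Stop-Process -Name $name -Force -WhatIf -ErrorAction SilentlyContinue
foreach ($path in $paths) {
    Rename-Item -LiteralPath $path -NewName ((Split-Path $path -Leaf) + '.vir') -WhatIf
}
```

If the process is not running when the script starts, `$paths` is empty and steps 2 and 4 do nothing; step 3 still lists any autostart entry that names the file.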

#7 PolterGhost


Posted 15 June 2012 - 05:15 PM

Alright, thanks for the info and links. I think I've narrowed down what program caused the startup process and uninstalled it; it was part of an Internet Explorer package back when I ran it to access a website that refused to support Firefox and Chrome. From what research I've done, it appears to be that the program either does nothing for people, or it acts as adware that redirects them to a website for purchasing malware. Oh well, I'm rid of it now.

#8 quietman7


Posted 15 June 2012 - 05:24 PM

You're welcome.

I was going to suggest disabling its startup but that would still leave the file on your system. IMO it's better to neutralize a suspicious file while investigating what it is related to and then either delete it or uninstall the program which created it.



