Adware-BestOffers

Type: Program
SubType: Adware
Discovery Date: 09/27/2005
Minimum DAT: 4593 (09/29/2005)
Updated DAT: 5123 (09/19/2007)
Minimum Engine: 5.1.00
Description Added: 09/28/2005
Description Modified: 10/14/2005 8:12 AM (PT)

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that generates pop-up advertisements while browsing the web. It may also have the capability to download and install additional components (self-update).

Domains/URLs and search terms are sent to a controlling server at btg.btgrab.com. This server sends back instructions for ads to retrieve from offeroptimizer.com or other locations. The installation is tagged with a unique ID, which is stored in a cookie and in the registry and is also transmitted in each communication with the controlling server. Advertisements are displayed in a pop-up window branded with the text "The Best Offers" and a logo.

This application has currently only been observed bundled with other software packages (not as a stand-alone product). A license agreement is displayed when installed. The agreement mentions that advertisements will be displayed to the user and that browsing data will be collected. The full license agreement is available at http://www.bestoffersnetworks.com/eula.php

Privacy

A privacy policy is not displayed during installation, although some sections of the license agreement describe collection of browsing information. The URL to the privacy policy is present in the license agreement text: http://www.bestoffersnetworks.com/privacy.php

The software transmits URL and search keyword data to third-party servers during browsing.

System Changes

Typical defaults for the path variables (they can differ on a given system, but usually do not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Files Added

  • c:\program files\tbonbin\uninstall.exe (162 KB)
    MD5: 55E57234FD2D1D97898F52BA8928CBAD
  • c:\program files\tbonbin\tbon.exe (162 KB)
    MD5: 55E57234FD2D1D97898F52BA8928CBAD
  • c:\program files\tbonbin\tboninst.cfg (1 KB)
  • c:\program files\tbonbin\tbonwnd.exe (82 KB)
    MD5: F12BBD5D3FAE28F3209E1D4A489CD1D0
  • c:\documents and settings\(username)\cookies\(username)@offeroptimizer[#].txt (1 KB)
  • c:\documents and settings\(username)\cookies\(username)@btg.btgrab[#].txt (1 KB)
  • c:\documents and settings\(username)\cookies\(username)@abetterinternet[#].txt (1 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TBON
  • HKEY_CURRENT_USER\Software\Classes\tbonac
  • HKEY_CURRENT_USER\Software\tbon
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "tbon"="C:\Program Files\TBONBin\tbon.exe /r"
  • HKEY_CLASSES_ROOT\tbonac
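
The file and registry lists above can be checked against an inventory collected from a host. The following is an added example, not part of the original description or any vendor tool: the triage() function, the state labels and the sample inventory are constructed for illustration, and the cookie "[#]" is assumed to be a bracketed number.

```python
import re

# Indicators copied from the file and registry lists above, lower-cased.
DIR = "c:\\program files\\tbonbin\\"
FILE_MD5 = {DIR + "uninstall.exe": "55e57234fd2d1d97898f52ba8928cbad",
            DIR + "tbon.exe": "55e57234fd2d1d97898f52ba8928cbad",
            DIR + "tbonwnd.exe": "f12bbd5d3fae28f3209e1d4a489cd1d0",
            DIR + "tboninst.cfg": None}  # no MD5 is published for the .cfg
KNOWN_MD5 = {h for h in FILE_MD5.values() if h}
# Assumption: "[#]" in the cookie names is a bracketed decimal counter.
COOKIE_RE = re.compile(
    r"\\cookies\\[^\\@]+@(offeroptimizer|btg\.btgrab|abetterinternet)\[\d+\]\.txt$")
REG_KEYS = {"hkey_local_machine\\software\\microsoft\\windows\\currentversion\\uninstall\\tbon",
            "hkey_current_user\\software\\classes\\tbonac",
            "hkey_current_user\\software\\tbon",
            "hkey_classes_root\\tbonac"}
RUN_NAME, RUN_EXE = "tbon", DIR + "tbon.exe"

def triage(files, reg_keys, run_values):
    """files: [(path, md5 or None)]; reg_keys: [str]; run_values: {name: command}."""
    hits = []
    for path, md5 in files:
        p, h = path.lower(), (md5 or "").lower()
        if p in FILE_MD5:
            want = FILE_MD5[p]
            # A different hash at a listed path still counts: the page notes self-update.
            state = ("hash-match" if want and h == want
                     else "hash-differs" if want and h else "path-only")
            hits.append(("file", p, state))
        elif h in KNOWN_MD5:
            hits.append(("file", p, "known-hash-elsewhere"))  # renamed or moved copy
        elif COOKIE_RE.search(p):
            hits.append(("cookie", p, "name-match"))
    hits += [("regkey", k.lower(), "present") for k in reg_keys if k.lower() in REG_KEYS]
    for name, cmd in run_values.items():
        if name.lower() == RUN_NAME or RUN_EXE in cmd.lower():
            hits.append(("autorun", name, cmd))
    return hits

# Constructed inventory of one host (hypothetical user "alice"), not data from the page.
SAMPLE_FILES = [("C:\\Program Files\\TBONBin\\tbon.exe", "55E57234FD2D1D97898F52BA8928CBAD"),
                ("C:\\Program Files\\TBONBin\\tbonwnd.exe", "00000000000000000000000000000000"),
                ("C:\\Temp\\setup.exe", "F12BBD5D3FAE28F3209E1D4A489CD1D0"),
                ("C:\\Documents and Settings\\alice\\Cookies\\alice@btg.btgrab[2].txt", None),
                ("C:\\Documents and Settings\\alice\\Cookies\\alice@example[1].txt", None)]
SAMPLE_KEYS = ["HKEY_CURRENT_USER\\Software\\tbon", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor"]
SAMPLE_RUN = {"tbon": "C:\\Program Files\\TBONBin\\tbon.exe /r", "ctfmon": "ctfmon.exe"}

print(*triage(SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_RUN), sep="\n")
```
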

Network Impact

Additional bandwidth overhead due to transmission of browsing data to remote servers and retrieval of advertisement data. Additional load could be incurred when performing self-update.

Aliases

    N/A