    Please excuse the dozen questions, but this is driving me crazy

    What exactly is TLHBalloonParent.exe? Why is it started by C2 silently? And why does it need 6 or 7 copies of it running simultaneously?

    I'd prefer not to have executables started without my permission. On my system I have Balloon Tips disabled, because they are very annoying on XP. Because of the similar name I wonder if C2 tries to start a replacement for it? Or is it some kind of virus hitchhiking C2?

    From what I can tell, those executables seem to be started whenever I use the color picker from the image editor. All copies exit when I exit C2.

    And last question: How can I prevent TLHBalloonParent.exe from being started by C2?

  • tulamide

    I don't see this, and the only reference from Google is from some Russian forums.

    Are you sure C2 is the cause?

  • "Are you sure C2 is the cause?"

    That question is more difficult to answer than it seems. I can say for sure that this executable gets started when using the color picker in the image editor and that all copies of it (sometimes it's 2, sometimes 6, depends on how many times I open the image editor) are automatically closed when C2 closes. So they are related to each other, but that doesn't automatically mean C2 is the cause :)

    Btw, the executables don't hide, they even show up in the applications tab of the task manager.

    Yep, I did a web search too, and was quite surprised to not find any info (don't understand Russian at all). That's why I alerted ASHLEY. He might know the answers or at least can point out that it has nothing to do with C2 (but why is it then only starting in the context of C2?)

    EDIT: It seems that Chrome is also involved somehow, because all of the above is more likely to happen when I at least once invoke a preview via Chrome. It seems to not happen when Firefox is used for previewing. But it's hard to tell because it can take quite some time before it happens.

  • Have you tried using C2 in another computer and checking if this still happens?

    You've probably got a virus..

  • Just a suggestion: Try to find it on your computer and rename it, see what happens. It would also be interesting to know where its installation path is.

    It may not be a virus/trojan, but to be safe, download and run Kaspersky's free trojan killer called tdsskiller.exe.

  • I tried to find it. It doesn't exist. At least not as a file. As if they are generated on the fly.

    I can stop the task and it immediately closes, no other processes are started then. My AV suite doesn't detect anything. It's running all the time, but I also just made a full scan.

    Google translate helped me understand the Russian entries. It's about several users having the same problem I have, but unrelated to C2 (though I have no info to what else it is related, maybe Chrome). They also searched and scanned with no result. No file exists. They also have the impression of randomness like I have. Sometimes they show up, sometimes not.

  • Also what preview method are you using?

  • In reality we know nothing, for the truth lies in the depths.

    It's a bit over my head. Are there different methods? Might sound like a noob now, but this is what I've done:

    Created the project. In the project's settings I chose Chrome for previewing. I hit the preview button to preview. After previewing I closed the tab in Chrome.

    I would never have noticed these executables, if I didn't wonder about the intense RAM usage (about 1 GB) after a few times previewing. So I opened the task manager. But to make this clear: The RAM issue is not related to TLHBalloonParent (each of them just uses a tiny amount of RAM).

    In one of my tests, the process was as follows:

    Opened the image editor in C2. Everything's fine. Selected a color and drew a few pixels. Still fine. Previewed in Chrome. Again, all is good. Back to C2, opening the image editor, drawing a few pixels - voilà, TLHBalloonParent.exe shows up.

    But it is not reliable. Sometimes it happens, sometimes not. I don't see what is influencing the appearance of the executables. Also stopping the task doesn't harm any functionality. It's like ghosts. While they might do no harm, they definitely frighten you.

  • Well the reason I asked was because Chrome can have all those instances, and I guess Node-Webkit can as well.

    But if it only happens when using the image editor then it would have to either be C2 related, or something specific to your system.

    Hard to say which, Ashley hasn't told us much about what libs he uses for the editor, and there is a persistent bug with C2 not closing properly after using the image editor.

    Perhaps this is somehow related.

  • I've never heard of it, so I'd guess it's not to do with C2. It's strange there's nothing on the web about it. Perhaps it's some kind of system add-on that you've got that hooks in to various programs.

  • Google says it's a part of the Punto Switcher

  • Check the properties of the process in the task manager and look for its location. The task manager in XP is pretty poor I think - I used to use Process Explorer. It should give you more info.

  • "Check the properties of the process in the task manager and look for its location. The task manager in XP is pretty poor I think - I used to use Process Explorer. It should give you more info."

    Good idea. My AV has a pretty good process manager. Will see what it tells me.

    I apologize for posting here as if related to C2, should it turn out that it's just a matter of some malware.

    For example, I never heard of Punto Switcher, nor did I ever install it. The abbreviation TLH has a connection to Microsoft. It stands for "Top-Level Hierarchy" and is used in Exchange Server. But I also never had anything to do with Exchange.

    Well, the search continues...

