dbkey.exe ???????????????


mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
My fevered brain coughed up another couple ideas to throw on the pile too. Symantec normally releases virus-definition updates on Wednesdays. You can get today's very latest defs manually from here, run Intelligent Updater and there ya go.

Also go through all of NAV's panels and max out Heuristics, adware/spyware/dialer/hack tools detections, and enable scanning within compressed files, both for real-time and on-demand scans, if they're not all that way already. You can run an NAV scan while in Safe Mode and see if it gets any headway with the update and tweaks.

I really hope Symantec will start releasing updates every day soon :eek:
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Doomer
Thanks, I'll try that too. I've got 35 minutes to go on the backup.

dbkey.exe is coming in spurts. The last one started at 3:09pm est and it tried to reach www.gamehouse.com.

Got any idea what it might be trying to do?
From reading lots of malware descriptions...

1) some malware is pre-programmed to attempt to download file such-and-such from a long list of sites, many of which are intentional "red herring" sites

2) botnet bots are used to extort money. "Give us $10000 and we won't run a denial-of-service attack against your website (www.gamehouse.com) with our 300,000 zombie systems." and the owner of gamehouse.com can choose to get DDoS'ed or pay up. This is where a router with most ports arbitrarily closed might help put the brakes on the botnet bot and keep it from getting its marching orders (which is typically done via an IRC connection on a high-numbered port).

< / more speculation >

edit: as I recall, the port-blocking on the Linksys you've got is pretty miserable, you only get two ranges of ports you can block. If you block everything above 80, that might help as a stopgap measure, plus you can look at the router's logs and get more info on what ports the computer is trying to use in the above-80 range.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Alright, if you feel like getting rid of this nuisance without reinstalling, here's a good start:

Take mechBgon's advice and create a limited user account then log in to it and see if the dbkey.exe still exists/runs under that account. If not, a reinstall isn't necessary. If so, a reinstall is necessary, unless you find some other means to remove it. How are you seeing this dbkey.exe? The firewall is telling you? It doesn't give a path or anything, it just says dbkey.exe?

If dbkey.exe persists in the limited user account, just go back to your normal account for a second. Now close down Outpost (temporarily). Download these tools from SysInternals:

TDImon (to detect network activity)
Handle (to examine the process)
PsList (to dump process info)

Copy all of Handle.zip's contents (exe, etc.) to C:\windows\system32 (your system32 directory) and do the same for PsList.zip so they should be in your path. So handle.exe should be in System32 and pslist.exe should also be in System32.

Open TDImon, and when dbkey.exe appears in the network activity list, do the following. Get the number (PID) after the colon (:) next to dbkey.exe. For example, if it says dbkey.exe:525, then do this:

Before we kill the process we're going to dump some information about it.

Go to start menu, run, type these exactly (change 525 to the correct PID), and click OK.

cmd /k pslist -t > c:\pslistT.txt
cmd /k pslist 525 > c:\pslistP.txt
cmd /k handle -a -p 525 > c:\handle.txt
cmd /k taskkill /T /F /PID 525 > c:\taskkill.txt

That should open four command windows and they should all have a blank prompt. If they're not blank they'll probably say the command cannot be found. (If so, reply and I'll tell you how to fix it.) Now open c:\taskkill.txt and paste the results in this thread. You'll also want to post the other txt files somewhere. If they aren't that long, just post them in this thread too.
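xtknight's evidence-first, kill-last sequence (pslist -t, pslist on the PID, handle -a -p on the PID, then taskkill /T /F) is worth keeping as a habit, because once the process is gone its command line, loaded DLLs and network endpoints are gone with it. The script below is an added example, not from the thread or from Sysinternals: it does the same four steps with cmdlets that ship with Windows, so nothing has to be copied into System32. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on older versions); the PID is passed as a parameter (525 in the thread's example) and the output folder C:\triage is a hypothetical choice.

```powershell
# Added example (not the thread's own commands): collect evidence about a
# suspicious process, then terminate it, in the same order xtknight describes.
# Assumed: elevated PowerShell, Windows 8 / Server 2012 or later.
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,   # e.g. 525 in the thread
    [string]$OutDir = 'C:\triage'                    # hypothetical output folder
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Whole process list with parent/child relationships (the "pslist -t" step).
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Sort-Object ParentProcessId, ProcessId |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "processes-$stamp.csv")

# 2. The suspicious process itself (the "pslist <PID>" step).
$proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
if (-not $proc) { throw "No process with PID $ProcessId is running." }
$detail = Join-Path $OutDir "process-$ProcessId-$stamp.txt"
$proc | Format-List ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Out-File $detail

# Hash the on-disk image so the file can be looked up in vendor databases later.
if ($proc.ExecutablePath -and (Test-Path $proc.ExecutablePath)) {
    Get-FileHash -Algorithm SHA256 -Path $proc.ExecutablePath | Out-File -Append $detail
}

# Loaded modules (the part of "handle -a -p <PID>" that matters most here: later
# posts in the thread show this infection lived in DLLs with random-looking names).
try {
    (Get-Process -Id $ProcessId).Modules |
        Select-Object ModuleName, FileName |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "modules-$ProcessId-$stamp.csv")
} catch {
    "Module list unavailable: $($_.Exception.Message)" | Out-File -Append $detail
}

# Network endpoints owned by the process (what TDImon was watching in the thread).
Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "netconns-$ProcessId-$stamp.csv")

# 3. Only now kill the process and its direct children ("taskkill /T /F /PID").
Get-CimInstance Win32_Process -Filter "ParentProcessId = $ProcessId" |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
Stop-Process -Id $ProcessId -Force
Write-Host "Evidence written to $OutDir; PID $ProcessId terminated."
```

Run it as `.\Triage-Process.ps1 -ProcessId 525` (any file name works). Two differences from the thread's commands: taskkill /T walks the whole process tree, while this script stops only direct children, and the module list can fail on protected processes, in which case the reason is written to the detail file instead of aborting the collection.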
 

Doomer

Diamond Member
Dec 5, 1999
3,721
0
0
I'm pretty much a dummy when it comes to routers. This one advertised the fact that it has a built in firewall like it was a major feature. I do know that the firewall is enabled in the setup. Does it not block all ports by default except those used by ie, oe, etc. ?

Thanks
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Originally posted by: Doomer
I'm pretty much a dummy when it comes to routers. This one advertised the fact that it has a built in firewall like it was a major feature. I do know that the firewall is enabled in the setup. Does it not block all ports by default except those used by ie, oe, etc. ?

Thanks

(Just make sure you didn't miss my post above.)

The router will block all ports by default. It will stop data from coming in those ports (potentially exploited) unless the data was requested.
 

Doomer

Diamond Member
Dec 5, 1999
3,721
0
0
How about data going out? I don't even know if a port can be blocked only one way.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Doomer
I'm pretty much a dummy when it comes to routers. This one advertised the fact that it has a built in firewall like it was a major feature. I do know that the firewall is enabled in the setup. Does it not block all ports by default except those used by ie, oe, etc. ?

Thanks
By default the router would block unwanted traffic from outside. But if your computer is infected, and is initiating traffic from inside, then the router will allow it by default unless you configure it not to. Now's a good time to configure it not to. Block TCP and UDP (and ICMP if possible) on ports 81 on up to 65535 for a while and see what info your router logs show.

To do that on your router... lessee here... go to http://192.168.0.1 and log in with admin and password is probably either password or 1234. I'm going from memory, but I believe you want the Advanced tab and then there's a place where you can block ranges of ports and select what type of traffic the block applies to (TCP + UDP).

If you haven't worked with your router much, then let me also ask do you have the WPA encryption enabled so your neighbors can't mooch off your wireless (and bring their worms into your network while they're at it)?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Not to distract you from getting the info xtknight needs, but also you might look at NAV2005's Reports and see if it's identified/quarantined/deleted anything lately that might give leads on what's going on.
 

Doomer

Diamond Member
Dec 5, 1999
3,721
0
0
Just went into the router and can't find the word "block" anywhere. Port forwarding seems to be the only option I have concerning the ports and it's under "Applications and Gaming".

The firewall is enabled and I have 4 other choices there.

1. Block anonymous internet requests.

2. Filter Multicast.

3. Filter Internet NAT redirection

4. Filter IDENT (Port 113)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Linksys has extra-specially-crummy .PDF manuals but I'll download a copy and see if I can find the part I'm after. Or maybe it's on my HDD somewhere still...

< / chases stick >
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
You are in Security->Firewall. Go to Restrict Access at the top and do Add/Edit service. Type in the ports 81~65535 (TCP+UDP) then Apply. Make sure the minimum port is 81 and not 80, or you won't be able to access your router config or web sites ever again unless you reset the thing! It should reload the router config then you can select what to block. Select the one you added and click Apply.
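The "block everything above port 80 outbound, then read the logs to see what the machine keeps trying" stopgap that mechBgon suggests and xtknight maps onto the Linksys menus can also be done on the Windows host firewall, which is useful when the router's logging is as thin as this one's. The following is an added example, not from the thread and not a Linksys or Microsoft procedure; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later, and the log lines at the bottom are constructed, not a real capture. The same caveat as the router rule applies: outbound 443 is blocked too, so HTTPS sites stop working until the rule is removed, which is why it is wrapped in a pair of enable/disable functions.

```powershell
# Added example (not the thread's own instructions): a temporary outbound block
# on ports 81-65535 with logging, plus a summary of what got dropped.
# Assumed: elevated PowerShell, Windows 8 / Server 2012 or later.

function Enable-EgressStopgap {
    # Block outbound TCP and UDP to remote ports 81-65535. The range starts at 81,
    # not 80, for the same reason xtknight gives: 80 must stay open for the web.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "Triage block outbound $proto 81-65535" `
            -Direction Outbound -Action Block -Protocol $proto `
            -RemotePort 81-65535 -Profile Any | Out-Null
    }
    # Log dropped packets so we can see which ports the machine keeps trying.
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
}

function Disable-EgressStopgap {
    # Remove only the rules this script created.
    Get-NetFirewallRule -DisplayName 'Triage block outbound *' | Remove-NetFirewallRule
}

# Summarise outbound drops from pfirewall.log: which remote hosts and ports was the
# machine trying to reach? (What the thread hoped to learn from the router's logs.)
function Get-OutboundDropSummary {
    param([string[]]$LogLines)
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            # pfirewall.log field order:
            # date time action protocol src-ip dst-ip src-port dst-port ... path
            $f = $_ -split '\s+'
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{ Protocol = $f[3]; RemoteIP = $f[5]; RemotePort = [int]$f[7] }
            }
        } |
        Group-Object Protocol, RemoteIP, RemotePort |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample log lines (not a real capture) to show the summary's shape.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2005-01-01 15:09:01 DROP TCP 192.168.1.101 198.51.100.7 1041 6667 48 S 123 0 65535 - - - SEND',
    '2005-01-01 15:09:03 DROP TCP 192.168.1.101 198.51.100.7 1042 6667 48 S 124 0 65535 - - - SEND',
    '2005-01-01 15:09:04 DROP UDP 192.168.1.101 203.0.113.9 1043 1434 40 - - - - - - - SEND',
    '2005-01-01 15:09:05 DROP TCP 203.0.113.44 192.168.1.101 4444 135 48 S 555 0 8192 - - - RECEIVE'
)
Get-OutboundDropSummary -LogLines $sample | Format-Table -AutoSize
```

On the constructed sample the summary shows two TCP attempts to 198.51.100.7 on port 6667 (a conventional IRC port, the "marching orders" channel mechBgon mentions) and one UDP attempt to port 1434; the inbound RECEIVE drop is ignored because the question here is what the host itself initiates. In real use, read the log with `Get-Content "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"` and pass the lines in, then call Disable-EgressStopgap once you have what you need.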
 

Doomer

Diamond Member
Dec 5, 1999
3,721
0
0
Originally posted by: mechBgon
Not to distract you from getting the info xtknight needs, but also you might look at NAV2005's Reports and see if it's identified/quarantined/deleted anything lately that might give leads on what's going on.

Just looked and there's nothing in quarantine but I did notice something strange. Automatic live update is turned off and I can't turn it on. Dunno if this is related to dbkey.exe.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Doomer
Originally posted by: mechBgon
Not to distract you from getting the info xtknight needs, but also you might look at NAV2005's Reports and see if it's identified/quarantined/deleted anything lately that might give leads on what's going on.

Just looked and there's nothing in quarantine but I did notice something strange. Automatic live update is turned off and I can't turn it on. Dunno if this is related to dbkey.exe.
Huh :confused: Time to try Intelligent Updater manually, sounds like.

 

Doomer

Diamond Member
Dec 5, 1999
3,721
0
0
Originally posted by: xtknight
You are in Security->Firewall. Go to Restrict Access at the top and do Add/Edit service. Type in the ports 81~65535 (TCP+UDP) then Apply. Make sure the minimum port is 81 and not 80, or you won't be able to access your router config or web sites ever again unless you reset the thing! It should reload the router config then you can select what to block. Select the one you added and click Apply.

Whew, dug around and found it. The service name is DNS. Is this correct?
 

Doomer

Diamond Member
Dec 5, 1999
3,721
0
0
OK, all ports above 80 appear to be blocked. Is there any way I can verify this? Reason I ask is the terminology this router uses looks like a Chinese translation and I'm not sure I follow it.
 

Doomer

Diamond Member
Dec 5, 1999
3,721
0
0
OK, the McAfee scan hung up somewhere along the way but not before finding a couple of trojans, a few corrupt files and, strangely enough, a bunch of files it said were password protected but obviously were not.

At this point, I'm about ready to throw in the towel and nuke it. I may change my mind after I sleep on it tho. I'll touch base with you guys in the morning. Thanks for all the help. :thumbsup:
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
If you feel like indulging my curiosities, you could PM me the report.html output, that would be fascinating to see what it did manage to find :) Good night for now :moon:
 

Doomer

Diamond Member
Dec 5, 1999
3,721
0
0
Morning. :(

The report.html was blank under scan results.

Went to run regedit and noticed these 3 entries in the drop down, none of which I put there.

qh4mkb9.dll

mediapassx.dll

mediaaaccx.dll

At this point, I think the best course of action is lethal injection followed by reincarnation. Hopefully this bad karma won't follow her into the next life. BTW: Her name is Daisy and right now she's looking like a crack whore in her last day of life. :(

Thanks for all the help, I really appreciate it.

... One other thing I forgot to mention was that I haven't been able to run Windows Update for a couple of months now. When I try, I get - Network policy settings prevent you from using this website to get updates for your computer.


 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
whether 'tis nobler to suffer the slings and arrows of outrageous fortune...


Yeah, I'd nuke it too. I'd also think about the merits of having the drives running independently rather than as a striped set, unless I'd found big-time benefits to RAID0 in my situation. Then you could shuffle stuff over to the other drive and/or pull a drive out for an external scan in a different system.
 

Underclocked

Platinum Member
Oct 9, 1999
2,042
1
76
Have NO idea if this is related, but the other day I encountered some files that would NOT appear, regardless of my efforts, except in the defrag report. The files were related to appropos and were primarily in C:\Program Files\Cation which was totally invisible except in defrag???

Booted to a UBCD4Win disc, A43 File Management, and there they were. DELETE. :) Used the find tool to locate the remainder of the fragments that had been listed and got rid of them as well. Realize these were some gross actions but was starting to contemplate massive abuse (and it wasn't my puter).

Puter purred afterwards.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Doomer: Ummmm did you try my instructions above man? The part about the network sniffing and all? If you can do those, you won't have to reinstall.

Here:

Alright, if you feel like getting rid of this nuisance without reinstalling, here's a good start:

Take mechBgon's advice and create a limited user account then log in to it and see if the dbkey.exe still exists/runs under that account. If not, a reinstall isn't necessary. If so, a reinstall is necessary, unless you find some other means to remove it. How are you seeing this dbkey.exe? The firewall is telling you? It doesn't give a path or anything, it just says dbkey.exe?

If dbkey.exe persists in the limited user account, just go back to your normal account for a second. Now close down Outpost (temporarily). Download these tools from SysInternals:

TDImon (to detect network activity)
Handle (to examine the process)
PsList (to dump process info)

Copy all of Handle.zip's contents (exe, etc.) to C:\windows\system32 (your system32 directory) and do the same for PsList.zip so they should be in your path. So handle.exe should be in System32 and pslist.exe should also be in System32.

Open TDImon, and when dbkey.exe appears in the network activity list, do the following. Get the number (PID) after the colon (:) next to dbkey.exe. For example, if it says dbkey.exe:525, then do this:

Before we kill the process we're going to dump some information about it.

Go to start menu, run, type these exactly (change 525 to the correct PID), and click OK.

cmd /k pslist -t > c:\pslistT.txt
cmd /k pslist 525 > c:\pslistP.txt
cmd /k handle -a -p 525 > c:\handle.txt
cmd /k taskkill /T /F /PID 525 > c:\taskkill.txt

That should open four command windows and they should all have a blank prompt. If they're not blank they'll probably say the command cannot be found. (If so, reply and I'll tell you how to fix it.) Now open c:\taskkill.txt and paste the results in this thread. You'll also want to post the other txt files somewhere. If they aren't that long, just post them in this thread too.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Don't reinstall yet. Just gotta remove some spyware...it does block Windows Update.
BTW this is the exact trojan you have. Typically one trojan can cause LOTS of trouble.

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094002
http://labs.paretologic.com/spyware.aspx?remove=Media%20Pass
http://www.sophos.com/virusinfo/analyses/trojdloaderkb.html
http://www.trendmicro.com/vinfo/graywar...ywareDetails.asp?GNAME=ADW%5FWINAD%2EQ

Also called Adware/WUpd.

http://vil.mcafeesecurity.com/vil/content/v_133718.htm#RemovalInstructions
http://www.pandasoftware.com/virus_info...ia/overview.aspx?lst=det&idvirus=50447

This trojan does indeed block Windows update. The site from which it downloads is called windupdates_._com (don't go there).

Delete qh4mkb9.exe too. Actually on that site it says it's a DLL, but if it's an EXE delete it anyway.
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
dbkey.exe.
Sorry if it's been posted already, didn't see it but I didn't read the entire thread either.

Oh and use your search, it's far down on the page, not much, but a hint.