dbkey.exe ???????????????

Doomer (Diamond Member, Dec 5, 1999)

This is some sort of spyware, malware, trojan, worm, etc. My firewall is blocking its outbound activity like crazy but I cannot find a trace of it on my system. I've run every scanner available (including some I didn't know existed) and they cannot detect it.

Will I have to do a reinstall? Anybody ever see this before?

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)

Would you email me a copy of the file at (edit: please PM me for how to send the file to me, if you want to give me a copy) because I'd like to send it in to McAfee/NAI WebImmune for analysis, and also see what Kaspersky calls it. Who is your antivirus vendor, by the way?

Doomer (Diamond Member, Dec 5, 1999)

Originally posted by: mechBgon
Would you email me a copy of the file at mechBgon gmail com? I'd like to send it in to McAfee/NAI WebImmune for analysis, and also see what Kaspersky calls it. Who is your antivirus vendor, by the way?

I would if I could but search doesn't find it. The only place it turns up is in my firewall log. :(

I do have the search options maxed out so it's searching hidden / system files and it still doesn't come up with anything.

Doomer (Diamond Member, Dec 5, 1999)

The sites it is trying to reach are as follows:

lists.iturf.com
www.livejournal.com
pacsunonline.pacsun.com
images2.pacsun.com
shop.pacsun.com
ax.phobos.apple.com.edgesuite.net
a1.phobos.apple.com.edgesuite.net

I haven't been to any of these sites.

xtknight (Elite Member, Oct 15, 2004)

Try Agent Ransack for file searching. If the process is running, use HijackThis's Generate Startup List to get the full path of the process.

xtknight (Elite Member, Oct 15, 2004)

Originally posted by: Doomer
Just ran HijackThis and it turned up nothing suspicious. :(

I mean use the generate startup list button and see if you find the dbkey.exe in there.

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)

Who's your antivirus vendor? If it happens to be McAfee/NAI, then see if your grant includes :evil:CleanBoot:evil:. Or plunk the HDD from an afflicted system into a known clean system as a slave, and see if you can pick out a sample of dbkey.exe now that the rootkit is not filtering your results.

Doomer (Diamond Member, Dec 5, 1999)

Cool, didn't know it would do this. But it still didn't show up.

On a side note, I did notice some quicktime crap that was picked up from one of those web sites that try to install it without asking. I run startup monitor which I thought was stopping it but I guess it wasn't entirely.

Apple needs to be sued out of existence for doing this.

Doomer (Diamond Member, Dec 5, 1999)

I'm using NAV 2005. This is a SATA striped set array so it would be kinda hard to move it into another system. Looks like I'm gonna have to nuke it and start fresh. Maybe by this time next year I'll have everything back like it needs to be. :(

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)

Originally posted by: Doomer
I'm using NAV 2005. This is a SATA striped set array so it would be kinda hard to move it into another system. Looks like I'm gonna have to nuke it and start fresh. Maybe by this time next year I'll have everything back like it needs to be. :(

Ohhh, this is a single home system. :eek: I thought it was your work fleet. If you want to try something before you bail, right-click & save this text file and proceed as it suggests.

This piece of malware does not appear to be "on the radar" yet. If you wouldn't mind, save this command line and use it instead:

C:\McAfee\scan.exe /adl /all /allole /analyze /move C:\McAfee /dohsm /mailbox /manalyze /mime /html C:\report.html /panalyze /program /streams /unzip /winmem

This will move any identified malware to C:\McAfee so you can heist a copy and send it to me, and I'll submit it to The Powers That Be (McAfee, Kaspersky, Symantec, F-Secure) to get identification going on it. Run the scan in Safe Mode for maximum chance of detection.

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)

If you haven't started yet, I have additional enhancements to suggest.

1) disable System Restore
2) in Safe Mode, bring up Task Manager > Applications tab > New Task button and start a command-line window with cmd.exe.
3) copy that big long command
4) use Task Manager to end explorer.exe. POOF, the taskbar and Start menu go bye-bye.
5) paste the big long command into your command-line window and let it do its scan
6) after the scanner is done, use the New Task button to start explorer.exe again

I was looking at some descriptions of new malware at Symantec and I see that some of it will inject itself into explorer.exe, so this may help. < / speculation >

Any ideas on how this would've gotten hold of your system? Someone in your household open a copy of the email described here, maybe? (Thursday Sept. 1 item)

Doomer (Diamond Member, Dec 5, 1999)

I'm in the process of copying over 112 gig of data to a network drive so it may take a while. I have no idea how I got this gremlin. If it wasn't for Outpost, I wouldn't even know I had it.

After all the data has been copied over, I'll make one last ditch effort to kill it before I nuke the drive.

Here's what I do to try and protect myself from crap like this:

1. iespyad
2. Hosts file
3. Adaware
4. Spybot S&D
5. A-Squared (free version)
6. Norton AV 2005
7. Outpost Firewall.

If I can find something to block this gremlin, I'll add it to the list.

I'll try all your suggestions when I finish copying the data.

I appreciate all your help.

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)

Are the other computer(s) on your network exhibiting any symptoms too? That would be one route of infection, if your firewall is allowing the local systems to touch each other and one of them got infected. Might want to raise the firewall against your local network once you're done transferring your stuff.

edit: two other general safeguards I can think of...

(1) run a Limited-class account for browsing, IM'ing and email, since a full exploit of a Limited account still gets the malware very little actual traction on your system

(2) assuming you have a router, lock down all ports except the ones you have actual need to have them open. router lockdown idea explained What brand/model of router do you have, if I may ask?

Doomer (Diamond Member, Dec 5, 1999)

This is the only computer out of 4 that's running a software firewall. It's the primary internet box. I guess it's possible that it came in on one of the others but it's somewhat unlikely. I'm using a Linksys WRT54G wireless router with built-in firewall.

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)

Doing the usual Google search approach, I did find one person who'd posted a HijackThis logfile that mentioned dbkey.exe and his/hers was located in C:\Windows\INF\dbkey.exe, so you might try looking there while you're in Safe Mode, or even boot to the Repair Console from a WinXP CD and navigate there in command-line mode and delete it that way.

Doomer (Diamond Member, Dec 5, 1999)

Thanks, I'll try that too. Got 101 minutes left on the data transfer. Wish there was a quicker way to move this much data. One day I'll upgrade to a 1000 Mbit network.

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)

Sure thing :) What I'm hoping is that McAfee's heuristic detections will find some suspicious files that turn out to be the culprits, so they can be sent in and formally identified.

Doomer (Diamond Member, Dec 5, 1999)

I hope so too. I'd very much like to avoid doing a reinstall. It's worse than moving to a new house as far as I'm concerned.

Doomer (Diamond Member, Dec 5, 1999)

Thanks, I'll try that too. I've got 35 minutes to go on the backup.

dbkey.exe is coming in spurts. The last one started at 3:09 pm EST and it tried to reach www.gamehouse.com.

Got any idea what it might be trying to do?
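The two things the thread has to go on are the firewall log (the process path and the hosts it tries, earlier in the thread and again here) and the fact that file search cannot find the binary. This added example, not part of the thread or of any of the tools named in it, parses a constructed log in a simplified "timestamp verdict OUT path -> host:port" layout (not Outpost's real format), groups attempts per process, counts the "spurts" and flags any process whose path the firewall reports but the filesystem does not show; the on-disk check only means something when run on the affected machine, so it is injectable.

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified "timestamp verdict OUT path -> host:port"
# layout; not real Outpost log lines. Hosts are the ones named in the thread.
SAMPLE_LOG = """\
2005-09-06 15:09:02 BLOCK OUT C:\\WINDOWS\\INF\\dbkey.exe -> www.gamehouse.com:80
2005-09-06 15:09:03 BLOCK OUT C:\\WINDOWS\\INF\\dbkey.exe -> lists.iturf.com:80
2005-09-06 15:09:03 BLOCK OUT C:\\WINDOWS\\INF\\dbkey.exe -> www.livejournal.com:80
2005-09-06 15:09:04 BLOCK OUT C:\\WINDOWS\\INF\\dbkey.exe -> shop.pacsun.com:80
2005-09-06 15:21:40 BLOCK OUT C:\\WINDOWS\\INF\\dbkey.exe -> a1.phobos.apple.com.edgesuite.net:80
2005-09-06 15:22:10 ALLOW OUT C:\\Program Files\\Mozilla Firefox\\firefox.exe -> forums.anandtech.com:80
"""

LINE_RE = re.compile(r"^(\S+ \S+) (BLOCK|ALLOW) OUT (.+?) -> ([^:\s]+):(\d+)$")

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, verdict, path, host, port = m.groups()
            events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "verdict": verdict, "path": path, "host": host, "port": int(port)})
    return events

def summarize(events, exists=os.path.exists, gap_seconds=60):
    """Per process path: distinct hosts, blocked count, number of bursts (a new burst
    starts after a gap longer than gap_seconds) and whether the path is visible on disk."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    report = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["time"])
        bursts = 1 + sum((b["time"] - a["time"]).total_seconds() > gap_seconds
                         for a, b in zip(evs, evs[1:]))
        report[path] = {"hosts": sorted({e["host"] for e in evs}),
                        "blocked": sum(e["verdict"] == "BLOCK" for e in evs),
                        "bursts": bursts, "on_disk": exists(path)}
    return report

def phantom_processes(report):
    """Paths the firewall attributes traffic to but that cannot be found on disk."""
    return sorted(p for p, r in report.items() if not r["on_disk"])
```

A process that shows up in `phantom_processes` while the traffic keeps coming is the symptom described in this thread: the firewall sees the executable at the network layer while file search, run from the infected system, does not.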