PDA

View Full Version : babe.the-killer.exe - is this spybot s&d???



dajjhman
2007-12-09, 20:44
Ok, I learned the trick of using "netstat -b 5 > activity.txt" and I saw a LOT!!! of "babe.the-killer.exe"... I ran a google search and a lot of places say that this is from Spybot's immunization feature... is this true? I couldn't find anything on this site... Should it be running with: firefox, iTunes, AppleMobileDeviceService???

Yodama
2007-12-10, 08:41
hello,

babe.the-killer.exe is not part of the Immunization by Spybot Search & Destroy.
If you see this in you netstat log file, it means that the named exe is connecting to the internet.
Under remoteaddress you can view where it connects to.

Spybot S&D Immunization enters


babe.the-killer.bz
www.babe.the-killer.bz

as blocked sites.

Please create a complete Spybot S&D log file and attach it to your next post or email it to detections-at-spybot.info (replacing -at- with @).
To get such a log you will need to switch Spybot S&D into advanced mode, then


navigate to Tools - View Report
make sure that all checkboxes are marked
click the green view report button
export your report to a text file

PepiMK
2007-12-10, 11:35
Yep, but reverse lookup of 127.0.0.1 should not reveal the domain of blocked sites, but "localhost" instead.

Please check this post (http://forums.spybot.info/showpost.php?p=137878&postcount=2) and let me know whether your hosts file contains this first localhost entry or not (oh, the hosts file is usually located at c:\windows\system32\drivers\etc\hosts, seems I forgot to mention that in the other post).

dajjhman
2007-12-12, 01:46
it does not have the first localhost line, and here is my log file: I had to make it a zip to meet size requirements.....

Yodama
2007-12-12, 08:50
Your Spybot S&D log does show any traces of an exe named babe.the-killer.exe. This basically means that it does not use the most common ways to get started automatically.
Please attach your netstat log to your next post, if it is too long you can shorten it to a couple of sections where babe.the-killer.exe is listed.

PepiMK
2007-12-12, 19:00
Yodama, I guess you're on the wrong track... that's most probably a broken reverse lookup ;)

dajjhman, could you open the hosts file in a text editor again (first, open its properties in Windows Explorer and uncheck the "readonly" option) and add that line at the top?


Explanation: netstat works with IP addresses; when you specify -a, it does a reverse lookup to see which domain belongs to these IP addresses; 127.0.0.1 means your computer; the immunization feature redirects bad domains to your computer so that they won't get reached; without the standard localhost entry, a reverse lookup for any of the standard local services as well would reveal the first other domain linked to 127.0.0.1.

md usa spybot fan
2007-12-12, 20:27
dajjhman:

You could try restoring Microsoft's sample HOSTS file and then adding Spybot's Hosts file again:
To restore your HOSTS file with Microsoft's sample HOSTS file (which contains a "127.0.0.1 localhost" entry – See Note #1):
Download HostsXpert from the following site:
Funkytoad.com -fast, functional and free - Home
http://www.funkytoad.com/
The page for HostsXpert is:
Funkytoad.com -fast, functional and free - HostsXpert v4.1
http://www.funkytoad.com/content/view/13/31/
The direct download URL for HostsXpert.zip is:
Click Here to download HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip)
After downloading HostsXpert.zip, unzip (extract) the content of the file into a known location.
Execute HostsXpert.
If the first button in the left hand pane is "Make Writeable?", click on the button.
Click on the "Restore MS Hosts File" button.
When you receive the following confirmation dialog click "OK".

Confirm
Press OK to Restore Microsofts original Hosts File
[OK] [Cancel]
Add Spybot's Hosts file as follows:
Spybot 1.3, 1.4 or 1.5:
Go into Spybot – Search & Destroy > Mode > Advanced mode > Tools > Hosts file.
Click the "Add Spybot-S&D hosts list" button.
Spybot 1.5 only:
Go into Spybot > Immunize.
Right click on the right hand pane and select "Deselect all".
Scroll down to the bottom of the right hand pane and under Windows check "Global (Hosts)".
Click the "Immunize" button at the top of the right pane (the button with large green plus sign)?
_______________

Note #1: Microsoft's sample HOSTS file:


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

dajjhman
2007-12-13, 00:36
ok, I checked to see if the hosts file was read only, it was not so I added the line. netstat does not show babe.the-killer anymore... kind of funny about the timing of this SINCE I JUST GOT DEFRAUDED BY SEVERAL THOUSAND DOLLARS! what a freaking coincidence... just curius, is there a reason that my hosts file should not have needed that hostxpert to modify it?...and just for reference (not sure it is necessary, but after seeing that local hosts are still popping up in netstat, here is the log before the first line was added and after)... Thanks for all of your help!... now I just gotta get rid of all of the other extraneous processes on my computer ; - )

md usa spybot fan
2007-12-13, 08:21
... just curius, is there a reason that my hosts file should not have needed that hostxpert to modify it? ...
No, updating the HOSTS file manually is fine.

googol
2007-12-19, 19:10
I am not sure if we are having a similar issue but at around the same time I immunized by computer, my network detected "babe.the-killer.bz" and shut off my internet connection. Could this be a false positive?

This has happened to me twice already. Both times were on fresh installs of Windows XP. I haven't really installed anything other than Symantec antivirus, zonealarm firewall, webroot spy sweeper, adaware, Spybot... at the time of detection. Subsequent "sweeping" of my computer using various "anti" softwares detected nothing (NOD32, symantec, spybot, spy sweeper, AVG, trojan hunter, windows malware removal tool, etc). Buffled, I gave up and went on to reformat and reinstall a fresh copy of XP. Second time around, I reinstalled everything mentioned above except Spybot. After 3 days... all was well. So I proceeded to install Spybot and got all the updates but didn't immunized my machine. After another day, I proceeded to immunize my computer... that's when babe.the-killer.bz showed up again! :banghead::banghead::banghead::banghead::banghead::banghead:

his time, babe.the-killer.bz was detected at the same time as when I immuniz


Ok, I learned the trick of using "netstat -b 5 > activity.txt" and I saw a LOT!!! of "babe.the-killer.exe"... I ran a google search and a lot of places say that this is from Spybot's immunization feature... is this true? I couldn't find anything on this site... Should it be running with: firefox, iTunes, AppleMobileDeviceService???

md usa spybot fan
2007-12-19, 19:38
googol:


... my network detected "babe.the-killer.bz" and shut off my internet connection. ...
Please explain. What were the messages you received and from what software?

Is the following entry the first entry in your HOSTS file besides comments (entries beginning with the character #):


127.0.0.1 localhost

googol
2007-12-19, 23:11
Hi. Yes, the first entry in the c:\windows\system32\drivers\etc\hosts file is 127.0.0.1 localhost.

I am in a school network. So I am not sure what software was used for the detection, but i was told that the detection method was by DNS logging / netflow.

Thanks.




googol:


Please explain. What were the messages you received and from what software?

Is the following entry the first entry in your HOSTS file besides comments (entries beginning with the character #):


127.0.0.1 localhost

md usa spybot fan
2007-12-20, 00:38
googol:

I'm sorry, but I can't help you with the information you provided.

Perhaps if you posted the messages you received when your "… network detected "babe.the-killer.bz" and shut off my internet connection. …", perhaps someone could help determine the cause of the problem.

Yodama
2007-12-20, 09:11
googol

it sounds like one of your other security applications falsely detect the Spybot S&D Immunization as a threat.

Please make a screenshot of the message , this may help us determine which application is involved in this issue.

googol
2007-12-20, 22:36
Hi. Sorry if I wasn't clear enough on my last post. My own computer didn't detect any thing wrong. It was the school network (the folks at IT who is in charge of maintaining the integrity of the whole school-wide network) who informed me via email that my computer tried to access babe.the-killer.bz and shutdown my internet access as a precaution.

After looking into this for a bit, I think the cause of the headache was due to having both Spybot and Spy Sweeper installed on my pc. This is the scenario that I have in mind... As part of the immunization, Spybot edits the hosts file to redirect all known nasty ip addresses to 127.0.0.1. Spy Sweeper then thinks that this was the doing of a virus and tries "resolve" what it thinks is a problem by looking up the REAL IP addresses for these harmful sites. I have no idea how to stop spy sweeper from doing this. Maybe let Webroot know?

Thanks.




googol

it sounds like one of your other security applications falsely detect the Spybot S&D Immunization as a threat.

Please make a screenshot of the message , this may help us determine which application is involved in this issue.

Yodama
2007-12-21, 09:23
Thank you for your additional information on this issue.
I just checked and can confirm that Spysweeper makes DNS queries for hosts blocked via the hosts file. Since this feature does not appear to be configurable and your school network already has a list of hosts to be blocked I would recommend to leave out the hosts file immunization.
A query with webroot about this issue may help them improve future versions to avoid looking up known bad hosts.